Back to CVE Browser

CVE-2016-10033

Known Exploited (CISA KEV)CRITICAL

9.8

CVSS Severity Score

EPSS Score91.7380%

EPSS Percentile94.64th

PublishedDec 30, 2016

Last ModifiedApr 21, 2026

Vulnerability Description

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

Affected Platforms (CPE)

📦

Phpmailer Project

Phpmailer

< 5.2.18

📦

Wordpress

Wordpress

<= 4.7

📦

Joomla

Joomla\!

>= 1.5.0 and <= 3.6.5

References & Advisories

🔗 http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html

🔗 http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html

🔗 http://seclists.org/fulldisclosure/2016/Dec/78

🔗 http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection

🔗 http://www.securityfocus.com/archive/1/539963/100/0/threaded

🔗 http://www.securityfocus.com/bid/95108

🔗 http://www.securitytracker.com/id/1037533

🔗 https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html

Related Vulnerabilities

CVE-2008-561910.0

html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alp...

CVE-2016-100459.8

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and cons...

CVE-2020-363269.8

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: th...

CVE-2018-192968.8

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.