Hi Pondus beaten me to it by a sec
N.B.
Big zero-day hole in WordPress PHP Mailer:
https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/Critical Vulnerability in PHPMailer. Affects WP Core [1]
Millions and millions of websites vulnerable.A critical remote code execution vulnerability in PHPMailer has been discovered by Polish researcher Dawid Golunski. The vulnerability was announced on legalhackers.com yesterday but proof of concept exploit details were not included.
Unfortunately someone posted a proof of concept to exploit-db and to github a few hours ago demonstrating how the vulnerability can be exploited in the PHPMailer library, but not targeting any web application that is in use.
We are publishing this unscheduled update to give PHP developers and our community advance warning of this issue. We expect this story to continue to evolve rapidly as more developers and malicious actors look at this code.
An issue in WP core was opened about 4 hours ago that included a patch to fix this issue. It updates WP core from using PHPMailer 5.2.14 to 5.2.19. This is just a proposed patch,
not the final fix.polonus
