On the 25th of December 2016, a security researcher disclosed a critical remote code execution flaw within a popular programme used to send emails from websites and web applications. The PHPMailer library is used by more than 9 million websites worldwide and is bundled with popular content management systems such as WordPress and Drupal.
At worst, this flaw could be used to run malicious commands on the affected system. We’re taking it very seriously, as it would allow a remote attacker to take complete control of the application and launch further attacks against the system and internal network.
If you are unfamiliar with security vulnerabilities, an RCE, or remote code execution vulnerability, is the worst-case scenario. All of the worst, and most damaging, vulnerabilities in the history of WordPress have been remote code execution vulnerabilities. They allow an attacker to execute their own code on a victim website and thereby take control of the website.
Secure your website
A secure version of PHPMailer has now been released (as of the 11th January 2017), and updated versions of WordPress and the affected Drupal modules have been made available. We are asking all customers who do not have support agreements in place to ensure that these updates are installed as soon as possible so that their websites remain secure.
If you need assistance installing these updates on your WordPress- or Drupal-based website, please email [email protected] with your website details. If you have a monthly support agreement in place, we will be installing the relevant updates on the 12th January 2017 and will issue confirmation emails once updates have been installed.