Description
PHPMailer before 5.2.18 allows remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code. In WordPress, the Host header can be used to execute OS commands remotely.
Recommendation
Upgrade WordPress to the latest stable version.
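Because the issue is reached through the Host header, a site can also refuse any request whose Host value is not one of its own names, as defense in depth alongside the upgrade. The following is an added example, not code from WordPress or PHPMailer; the function name, the allowlist and the sample values are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: the hostnames this site is really served under (constructed values).
const ALLOWED_HOSTS = ['blog.example.test', 'www.blog.example.test'];

/**
 * Return the normalized hostname when the Host header value is acceptable,
 * or null when the request should be refused before any code uses the value.
 */
function validated_host(?string $rawHost, array $allowed = ALLOWED_HOSTS): ?string
{
    if ($rawHost === null || $rawHost === '' || strlen($rawHost) > 255) {
        return null;
    }
    // Hostname plus optional numeric port; \A and \z anchor the whole string,
    // so whitespace, control characters or trailing text cannot slip through.
    if (!preg_match('/\A([A-Za-z0-9.-]+)(?::[0-9]{1,5})?\z/', $rawHost, $m)) {
        return null;
    }
    $host = strtolower(rtrim($m[1], '.'));
    // Each DNS label: 1 to 63 characters, no leading or trailing hyphen.
    foreach (explode('.', $host) as $label) {
        if (!preg_match('/\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/', $label)) {
            return null;
        }
    }
    // A syntactically valid name is still refused unless the site owns it.
    return in_array($host, $allowed, true) ? $host : null;
}

// Constructed sample Host values: two legitimate, four that must be refused.
$samples = [
    'blog.example.test',
    'BLOG.example.test:8080',
    'unknown.example.test',
    'blog.example.test extra-argument',
    'blog.example.test/path',
    '-blog.example.test',
];
foreach ($samples as $s) {
    printf("%-40s => %s\n", json_encode($s), validated_host($s) ?? 'REJECT');
}
```

A front controller or early-loading plugin would call `validated_host($_SERVER['HTTP_HOST'] ?? null)` and answer with HTTP 400 when it returns null; the same restriction can be enforced in the web server by serving the site only from explicitly named virtual hosts.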
References
- OWASP: Command Injection
- WordPress
- CVE-2016-10033
- CWE-20
- CWE-78
- CAPEC-88
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Blind OS Command Execution - Vulnerability
- OS Command Execution - Vulnerability
- WordPress Plugin Wpfilemanager 6.8 RCE - CVE-2020-25213
- Joomla! 1.5 < 3.4.5 RCE - CVE-2015-8562
Tags
- WordPress
- RCE
- PHPMailer
- Command Injection
- Input Validation
- Injection
Last updated on May 13, 2024