
Drupal 6 workaround for the highly critical vulnerability in PHPMailer

You may have noticed that CVE-2016-10033 came out yesterday, disclosing a Remote Code Execution (RCE) vulnerability in the PHPMailer library, which is used by popular contrib modules such as SMTP and PHPMailer. This is highly critical: Remote Code Execution means an attacker can run arbitrary code on your server. The Drupal Security Team published a PSA today: DRUPAL-PSA-2016-004.

The real, full fix is to update the PHPMailer library to a fixed release (the PSA pointed at 5.2.19 or later; a follow-up bypass, CVE-2016-10045, was fixed in 5.2.20, so that is the version to aim for), or, if you use the SMTP module at version 7.x-1.5 or lower, to update to SMTP 7.x-1.6, because SMTP 7.x-1.x embeds the library in the module.

However, if you are running Drupal 6 you probably have an old version of PHPMailer (5.1 or lower), and newer versions may not be compatible with the code on your site (custom or contrib). Attempting an update in the middle of the holidays, when not everyone is available to test or deal with follow-up issues, might not be the best idea.

So what we are recommending (and what we have already done for our customers) is removing the vulnerable feature from the PHPMailer library.

The vulnerability is in the code that hands mail to the 'sendmail' command-line program: the sender address ends up on sendmail's command line, so an attacker who can influence the From address (for example through a contact form) can inject extra sendmail options. This applies to PHPMailer's own 'sendmail' transport and to its default 'mail' transport, since PHP's mail() also passes the sender to sendmail. Odds are, though, that you use PHPMailer exclusively for sending via SMTP (as the SMTP and PHPMailer modules do), and the SMTP transport never invokes sendmail. So you can simply delete the code for the sendmail-based transports. Here's how. Open the class.phpmailer.php file, and delete:
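Whichever route you take, you will want to confirm it across every copy of the library on the site, since a Drupal docroot often carries PHPMailer in more than one place (a module's embedded copy, sites/all/libraries, a per-site libraries directory). The shell script below is an added example written for this page; it is not part of the original article or of PHPMailer. It assumes the library's conventional layout: a `$Version` property in class.phpmailer.php and transport methods named MailSend/SendmailSend (5.1) or mailSend/sendmailSend (5.2), which it matches case-insensitively. The stub files it generates are constructed samples, not the real library, so the script runs offline.

```shell
#!/bin/sh
# Added example: audit every class.phpmailer.php under a Drupal docroot.
# For each copy it reports the library version and one of:
#   FIXED       version is 5.2.20 or later (covers CVE-2016-10033 and the
#               CVE-2016-10045 bypass)
#   WORKAROUND  older version, but the sendmail-based transport methods
#               (MailSend/SendmailSend in 5.1, mailSend/sendmailSend in 5.2)
#               have been removed, as the article recommends for Drupal 6
#   VULNERABLE  older version with those methods still present
SAFE_VERSION="5.2.20"

# Extract the version string from the class's $Version property.
phpmailer_version() {  # $1 = path to class.phpmailer.php
  grep '\$Version *=' "$1" | head -n 1 |
    sed 's/[^0-9.]*\([0-9][0-9.]*\).*/\1/'
}

# Dotted numeric comparison: succeeds when $1 is strictly lower than $2.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "[.]"); nb = split(b, y, "[.]")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# Succeeds if the file still defines a mail()- or sendmail-based transport.
# Case-insensitive so it matches both the 5.1 and the 5.2 method names.
has_sendmail_transport() {  # $1 = path to class.phpmailer.php
  grep -qiE 'function[[:space:]]+(sendmailSend|mailSend)[[:space:]]*\(' "$1"
}

audit_phpmailer() {  # $1 = path; prints "<version> <status>"
  ver=$(phpmailer_version "$1")
  [ -n "$ver" ] || ver="unknown"
  if [ "$ver" != "unknown" ] && ! version_lt "$ver" "$SAFE_VERSION"; then
    status=FIXED
  elif has_sendmail_transport "$1"; then
    status=VULNERABLE
  else
    status=WORKAROUND
  fi
  printf '%s %s\n' "$ver" "$status"
}

audit_docroot() {  # $1 = docroot; one line per PHPMailer copy found
  find "$1" -type f -name 'class.phpmailer.php' | while IFS= read -r f; do
    printf '%s ' "$f"
    audit_phpmailer "$f"
  done
}

# Constructed sample: a stub with only the parts of class.phpmailer.php the
# checks look at (version property and transport method signatures). It is
# NOT the real library; it exists so the script can be exercised offline.
make_sample() {  # $1 = target file, $2 = version string, $3 = keep|strip
  mkdir -p "$(dirname "$1")"
  {
    printf '<?php\nclass PHPMailer {\n'
    printf "  public \$Version = '%s';\n" "$2"
    if [ "$3" = keep ]; then
      printf '  protected function MailSend($header, $body) { /* PHP mail() */ }\n'
      printf '  protected function SendmailSend($header, $body) { /* sendmail binary */ }\n'
    fi
    printf '  protected function SmtpSend($header, $body) { /* SMTP, unaffected */ }\n'
    printf '}\n'
  } > "$1"
}

demo() {
  root=$(mktemp -d)
  make_sample "$root/sites/all/modules/smtp/phpmailer/class.phpmailer.php" 5.1 keep
  make_sample "$root/sites/all/libraries/phpmailer/class.phpmailer.php" 5.1 strip
  make_sample "$root/sites/default/libraries/phpmailer/class.phpmailer.php" 5.2.20 keep
  audit_docroot "$root"
  rm -rf "$root"
}

demo
```

On a real site, replace the `demo` call with `audit_docroot /path/to/docroot`. A copy reported as WORKAROUND still carries an old library, so keep it on the list for a proper update once the holidays are over; the status only tells you the sendmail code paths are gone.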