On May 13, 2021 01:00 UTC, WordPress core released a security patch for a Critical Object Injection vulnerability in PHPMailer, the component that WordPress uses to send emails by default. If your site is set to allow auto-updating of minor point releases, your site has probably already updated to WordPress 5.7.2.
While we do recommend updating WordPress immediately if you haven’t already, at this time we do not believe that most WordPress sites are likely to be exploitable by this vulnerability.
The vulnerability in question is an Object Injection flaw present in multiple versions of PHPMailer which has been given an identifier of CVE-2020-36326. It is similar to another vulnerability, CVE-2018-19296, that had been patched in an earlier version of PHPMailer.
We’ve written about Object Injection vulnerabilities in the past, and while they should be taken seriously, all Object Injection vulnerabilities require a “POP Chain” in order to cause additional damage. In order to exploit this vulnerability, additional software with a vulnerable magic method would need to be running on the site.
Assuming the presence of a POP chain, there are still more obstacles that would need to be bypassed in order to exploit this vulnerability. Although anyone with direct access to PHPMailer might be able to inject a PHP object, warranting a critical severity rating in the PHPMailer component itself, WordPress does not allow users this type of direct access. Instead, all access occurs through functionality exposed in core and in various plugins.
In order to exploit this, an attacker would need to find a way to send a message using PHPMailer and add an attachment to that message. Additionally, the attacker would need to find a way to completely control the path to the attachment. This automatically rules out built-in WordPress functionality and the functionality of most plugins, as even contact form plugins that allow file uploads and send attachments typically use the location of the uploaded file as the attachment and don’t allow users to directly control the attachment path.
In our assessment, successfully exploiting this vulnerability would require a large number of factors to line up, including the presence of at least one additional vulnerability in a plugin or other component installed on the site as well as the presence of a vulnerable magic method. We are also currently unaware of any plugins that could be used to exploit this vulnerability even as a site administrator.
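The mitigating factor described above is that an attacker must fully control the path handed to PHPMailer as an attachment. The following is an added example, not Wordfence's, WordPress's or PHPMailer's own code, of the kind of guard a plugin that sends user-related attachments can apply before calling PHPMailer's addAttachment(). It assumes a POSIX host, PHP 8.0 or later, and that legitimate attachments are always regular files inside one base directory (the WordPress uploads directory in practice; a constructed temporary directory here so the script runs stand-alone). The class name, method names and sample paths are all assumptions for illustration.

```php
<?php
// Added example (not from the article or from PHPMailer): validate an attachment
// path before it reaches PHPMailer::addAttachment().
// Assumptions: POSIX paths, PHP >= 8.0 (str_starts_with), one allowed base directory.

final class AttachmentPathGuard
{
    private string $allowedBase;

    public function __construct(string $allowedBase)
    {
        $resolved = realpath($allowedBase); // canonical form, symlinks resolved
        if ($resolved === false || !is_dir($resolved)) {
            throw new InvalidArgumentException("Base directory does not exist: $allowedBase");
        }
        $this->allowedBase = rtrim($resolved, '/') . '/';
    }

    /**
     * Returns the canonical path if $path is acceptable, or null otherwise.
     * The string checks run before any filesystem call, so a stream-wrapper path
     * (phar://, data://, php://, ...) is never passed to a function that would open it.
     */
    public function validate(string $path): ?string
    {
        // Embedded NUL bytes can truncate the path in C-level calls.
        if (str_contains($path, "\0")) {
            return null;
        }
        // Reject anything with a stream-wrapper scheme prefix.
        if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
            return null;
        }
        // Require an absolute path and reject traversal segments outright.
        if (!str_starts_with($path, '/') || preg_match('#(^|/)\.\.(/|$)#', $path)) {
            return null;
        }
        $canonical = realpath($path); // false when the file is absent; resolves symlinks
        if ($canonical === false || !str_starts_with($canonical, $this->allowedBase)) {
            return null; // outside the allowed directory (e.g. via a symlink)
        }
        if (!is_file($canonical) || !is_readable($canonical)) {
            return null; // directories, devices, unreadable files
        }
        return $canonical;
    }
}

// Constructed demo environment: a temporary "uploads" directory with one real file.
$base = sys_get_temp_dir() . '/uploads-demo-' . getmypid();
mkdir($base . '/2021/05', 0700, true);
file_put_contents($base . '/2021/05/report.pdf', 'constructed sample attachment');

$guard = new AttachmentPathGuard($base);
$candidates = [
    $base . '/2021/05/report.pdf',           // OK: regular file inside the base directory
    'phar://' . $base . '/2021/05/avatar.jpg', // rejected: stream wrapper scheme
    $base . '/../../etc/passwd',             // rejected: traversal segment
    '/etc/passwd',                           // rejected: outside the base directory
    $base . '/2021/05',                      // rejected: a directory, not a file
];
foreach ($candidates as $candidate) {
    $ok = $guard->validate($candidate);
    printf("%-70s %s\n", $candidate, $ok === null ? 'REJECT' : 'OK');
    // A real plugin would call $mail->addAttachment($ok) only when $ok !== null.
}

// Clean up the constructed files.
unlink($base . '/2021/05/report.pdf');
rmdir($base . '/2021/05');
rmdir($base . '/2021');
rmdir($base);
```

The ordering is the design point: the scheme and traversal checks are pure string operations and run first, so no path that could name a stream wrapper is ever handed to realpath(), is_file() or PHPMailer itself. The realpath() prefix comparison then closes the symlink case, where a path that looks like it lives under the uploads directory actually resolves elsewhere.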
This is unlikely to be used as an intrusion vector, though it is possible that it could be used by attackers who have already gained some level of access to escalate their privileges.
Nonetheless, we do strongly recommend updating to the latest version of WordPress as soon as possible, as the sheer number of WordPress installations in existence means that exploitable sites likely exist. Additionally, the vulnerability may be easier to exploit than originally anticipated, or the original researchers or other actors may release more detailed proof of concept code sometime in the future.
The Wordfence firewall’s Built-In PHAR Deserialization protection should protect all of our users, including Wordfence Premium customers as well as those still using the free version, against any attempts to exploit this vulnerability.
In today’s article, we covered an Object Injection vulnerability in PHPMailer, a software component used by WordPress to send email. We recommend updating WordPress core if you haven’t already, but we do not currently believe there is cause for alarm, and do not expect to see this vulnerability attacked at scale as it is dependent on a number of other factors to successfully exploit.
Special thanks to Wordfence Lead Developer Matt Barry and QA Lead Matt Rusnak for their assistance with this article.