A critical vulnerability in PHPMailer has been discovered by Polish security researcher Dawid Golunski. The vulnerability (CVE-2016-10033) allows an attacker to remotely execute arbitrary code in the context of the web server and compromise the target web application. PHPMailer is one of the most popular open source PHP libraries for sending email; it is used by WordPress, Drupal, Yii, Joomla, SugarCRM and others, and is currently deployed on more than 9 million websites worldwide.


"To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class," - Golunski

All versions of PHPMailer before the critical release of PHPMailer 5.2.18 are affected. Golunski responsibly reported the vulnerability to the developers, who have patched it in 5.2.18. Web administrators and developers are strongly advised to update to the patched release.

Notice (29-Dec-16): It has since been found that PHPMailer 5.2.18 still allows remote execution of arbitrary code, reported as CVE-2016-10045. The PHPMailer team has released a new patch in 5.2.20. We recommend updating PHPMailer immediately.

Update: In the weeks since this bug was first revealed, PHPMailer has issued updates numbered 5.2.18, 5.2.19, 5.2.20 and 5.2.21, although the .21 update was admittedly published only to correct a typographic error. [Version numbers correct at 2017-01-03T17:15Z]
