Public Vulnerability notification – false alarm?


  • douglasconetix
    Participant

    @douglasconetix

    Hi there,

    I’ve been notified by an anti-malware service that BuddyPress is using a vulnerable version of PHP Mailer, indicating the below file:

    /wp-content/plugins/buddypress/bp-core/classes/class-bp-phpmailer.php

    and referencing the below CVEs:
    RCE : CVE-2016-10045, CVE-2016-10031

    Can you confirm if this is a false alarm so I can bring this to the attention of the anti-malware developers?

Viewing 4 replies - 1 through 4 (of 4 total)

  • computermobil
    Participant

    @computermobil

    Hi there, same here from Immunify AV in Plesk.
    Thank you for looking after us

    Appears to be a false alarm.

    We are using the PHPMailer class that is included in WordPress. In WP latest stable release (5.2.4) the version of PHPMailer is 5.2.22 and in 5.3 it’s 5.2.27. The problematic PHPMailer versions are < 5.2.20.


    computermobil
    Participant

    @computermobil

    Hi there.
    Thank you for your reply but I cannot confirm.
    I am running the latest WP version by now (5.2.4) and also the latest BP version (5.0) on different servers and all of them show a vulnerable warning for the PHPMailer.
    This is only on WordPress installations where BP is installed.
    Maybe an idea?

    Thank you in advance!

    Hi, feel free to look at the source code where BP calls PHPMailer:
    https://github.com/buddypress/BuddyPress/blob/5.0.0/src/bp-core/classes/class-bp-phpmailer.php#L19

    As you can see, unless you are using a plugin that is injecting an older version of PHPMailer on the bp_phpmailer_object filter, BP is using the PHPMailer class included in the WP includes folder. BP isn’t including a copy of the PHPMailer class at all.
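An added check, not part of this thread or of BuddyPress itself, that does what the reply above describes by hand: read the PHPMailer version from the copy WordPress ships in wp-includes, compare it against the 5.2.20 threshold given above, and confirm that the BuddyPress plugin directory contains no PHPMailer class of its own (only the wrapper the scanner flagged). It assumes the bundled file declares `public $Version = '...'` as the WP 5.2.x copy does, and builds a constructed mock tree when no WordPress root is passed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: wp-includes/class-phpmailer.php
# declares the version as `public $Version = '5.2.22';` (WP 5.2.x layout).

# Print the PHPMailer version declared in a class-phpmailer.php file.
phpmailer_version() {
    sed -n "s/.*\$Version *= *'\([0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

# Succeed (exit 0) when a version is older than 5.2.20, the threshold the
# thread gives for the releases affected by CVE-2016-10031 / CVE-2016-10045.
is_vulnerable() {
    printf '%s\n' "$1" | awk -F. \
        '{ exit !($1 < 5 || ($1 == 5 && ($2 < 2 || ($2 == 2 && $3 < 20)))) }'
}

# Count PHPMailer class definitions shipped inside a plugin directory.
# BuddyPress should contribute none: class-bp-phpmailer.php only wraps
# the copy WordPress ships, so the flagged path is a wrapper, not PHPMailer.
bundled_copies() {
    grep -rlE --include='*.php' '^class PHPMailer[[:space:]]' "$1" 2>/dev/null \
        | wc -l | tr -d ' '
}

# Build a constructed mock tree (sample data, not real WordPress files)
# mirroring the thread's install so the check runs offline.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" \
             "$root/wp-content/plugins/buddypress/bp-core/classes"
    printf '<?php\nclass PHPMailer {\n    public $Version = '"'"'5.2.22'"'"';\n}\n' \
        > "$root/wp-includes/class-phpmailer.php"
    printf '<?php\n// BP wrapper: instantiates the WP-bundled PHPMailer.\n' \
        > "$root/wp-content/plugins/buddypress/bp-core/classes/class-bp-phpmailer.php"
    printf '%s\n' "$root"
}

# Report for a WordPress root: bundled version, vulnerable/ok verdict, and
# the number of PHPMailer copies found under the BuddyPress plugin directory.
check_wordpress() {
    v=$(phpmailer_version "$1/wp-includes/class-phpmailer.php")
    copies=$(bundled_copies "$1/wp-content/plugins/buddypress")
    if is_vulnerable "$v"; then state=vulnerable; else state=ok; fi
    printf 'wp-includes PHPMailer %s: %s; BuddyPress-bundled copies: %s\n' \
        "$v" "$state" "$copies"
}

check_wordpress "${1:-$(make_sample_tree)}"
```

Run it against a real install with `sh check.sh /var/www/html`; a scanner that reports the BuddyPress wrapper while the wp-includes copy is 5.2.20 or newer is reporting a false positive.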
