
Public Vulnerability notification – false alarm?

  • douglasconetix


    Hi there,

    I’ve been notified by an anti-malware service that BuddyPress is using a vulnerable version of PHPMailer, indicating the below file:


    and referencing the below CVEs:
    RCE: CVE-2016-10045, CVE-2016-10031

    Can you confirm if this is a false alarm so I can bring this to the attention of the anti-malware developers.

Viewing 4 replies - 1 through 4 (of 4 total)

  • computermobil


    Hi there, same here from ImunifyAV in Plesk.
    Thank you for looking after us

    Appears to be a false alarm.

    We are using the PHPMailer class that is included in WordPress. In WP latest stable release (5.2.4) the version of PHPMailer is 5.2.22 and in 5.3 it’s 5.2.27. The problematic PHPMailer versions are < 5.2.20.



    Hi there.
    Thank you for your reply, but I cannot confirm that.
    I am now running the latest WP version (5.2.4) and also the latest BP version (5.0) on different servers, and all of them show a vulnerability warning for PHPMailer.
    This is only on WordPress installations where BP is installed.
    Maybe an idea?

    Thank you in advance!

    Hi, feel free to look at the source code where BP calls PHPMailer:

    As you can see, unless you are using a plugin that is injecting an older version of PHPMailer on the bp_phpmailer_object filter, BP is using the PHPMailer class included in the WP includes folder. BP isn’t including a copy of the PHPMailer class at all.
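    One way for a site owner to verify the point made above on their own install, as an added example (this is not BuddyPress or WordPress code): a must-use plugin that hooks the `bp_phpmailer_object` filter mentioned in the reply at a very late priority, so it observes the object after any other plugin has had a chance to swap in its own PHPMailer, and logs the concrete class, the file it was loaded from, and its version. The file name, the constant name `BP_PHPMAILER_CHECK_MIN_VERSION`, the helper `bp_phpmailer_check_describe()` and the 5.2.20 threshold (taken from the reply above, not from the CVE text) are assumptions of this example.

```php
<?php
/**
 * Plugin Name: BP PHPMailer provenance check
 * Description: Added example for this thread, not BuddyPress or WordPress code.
 *
 * Install as wp-content/mu-plugins/bp-phpmailer-check.php (file name is an
 * assumption). BuddyPress applies the bp_phpmailer_object filter right before
 * sending, so a hook at PHP_INT_MAX runs after any plugin that may have
 * injected its own PHPMailer instance. The callback only observes and logs;
 * it never replaces the object.
 */

// Assumption: threshold taken from the reply in this thread ("< 5.2.20 is
// problematic"). Adjust if your scanner names a different version.
define( 'BP_PHPMAILER_CHECK_MIN_VERSION', '5.2.20' );

/**
 * Describe the PHPMailer instance BuddyPress is about to send with.
 *
 * @param object $mailer The object passed through bp_phpmailer_object.
 * @return array Keys: class, file, version, in_wp_core, vulnerable.
 */
function bp_phpmailer_check_describe( $mailer ) {
	$class = get_class( $mailer );
	$ref   = new ReflectionClass( $mailer );
	$file  = (string) $ref->getFileName(); // '' for internal classes

	// PHPMailer 5.2.x exposes its version as the public property $Version;
	// PHPMailer 6.x (shipped in wp-includes/PHPMailer/ from WP 5.5) uses the
	// class constant VERSION. Handle both, fall back to 'unknown'.
	$version = 'unknown';
	if ( defined( $class . '::VERSION' ) ) {
		$version = constant( $class . '::VERSION' );
	} elseif ( isset( $mailer->Version ) ) {
		$version = $mailer->Version;
	}

	// Treat an unknown version as suspicious rather than silently passing it.
	$vulnerable = ( 'unknown' === $version )
		|| version_compare( $version, BP_PHPMAILER_CHECK_MIN_VERSION, '<' );

	return array(
		'class'      => $class,
		'file'       => $file,
		'version'    => $version,
		// True when the class was loaded from WordPress's own includes folder,
		// which is the case the reply above describes.
		'in_wp_core' => 0 === strpos( $file, ABSPATH . WPINC . '/' ),
		'vulnerable' => $vulnerable,
	);
}

add_filter( 'bp_phpmailer_object', function ( $mailer ) {
	$info = bp_phpmailer_check_describe( $mailer );

	// error_log() writes to the PHP error log (or wp-content/debug.log when
	// WP_DEBUG_LOG is enabled), so the result is visible without reading mail.
	error_log( sprintf(
		'[bp-phpmailer-check] class=%s version=%s file=%s in_wp_core=%s vulnerable=%s',
		$info['class'],
		$info['version'],
		$info['file'],
		$info['in_wp_core'] ? 'yes' : 'no',
		$info['vulnerable'] ? 'YES' : 'no'
	) );

	// Pass the object through unchanged; this hook is an observer only.
	return $mailer;
}, PHP_INT_MAX );
```

    Trigger any BuddyPress email (for example an activation email) and read the logged line. If `in_wp_core=yes` and the version is at or above the threshold, the scanner is flagging the WordPress copy rather than anything BuddyPress ships; if `in_wp_core=no`, the logged file tells you which plugin injected its own copy and is the one to update.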
