WordPress has released WordPress 5.7.2 security and maintenance update that includes fixes for two PHPMailer security vulnerabilities. All WordPress versions between 3.7 and 5.7 are affected.
According to the WordPress 5.7.2 security release, the following 2 security issues have been fixed:
- CVE-2020-36326: Object injection in PHPMailer (CVSS score 9.8, Critical severity)
- CVE-2018-19296: Object injection in PHPMailer (CVSS score 8.8, High severity)
According to NIST, the Critical CVE-2020-36326 is similar to an older object injection vulnerability that also affected PHPMailer:
“PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.”
Moreover, additional information on the third party vulnerability fixes has been posted on the Fedora Project and GitHub sites.
This is the second security update since WordPress released WordPress 5.7 “Esperanza” back on March 9, 2021.