PHP Mailer Vulnerability. Action Needed?

I believe that out of the box, Trellis does not use PHPMailer. Is there anything that needs to be done to address the recent vulnerability for Trellis-based sites?

From what I understand the only way this is an issue is if someone can configure the sender email address. If they are able to configure the sender email address they can pass shell scripts along as well and do a little remote code execution.

So if you don’t let users configure the sender address you should be fine, correct me if I’m wrong on this.

Obviously update WP and any themes or plugins that use PHPMailer as soon as they are released.

1 Like

There’s nothing Trellis or Bedrock specific about the vulnerability. Anything that uses phpmailer (such as WordPress) is vulnerable to the attack, but only if you allow users to configure the from email address without sanitisation.

If you sanitise the input (which you really should even when using a library) or don’t allow users to configure the sender’s email, you’ll be fine until the updates roll out.

1 Like