phpmailerproject phpmailer CVE-2016-10033 vulnerability in Phpmailerproject and Other Products
Published on December 30, 2016

product logo product logo product logo product logo
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

Github Repository NVD

Known Exploited Vulnerability

This PHPMailer Command Injection Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.

The following remediation steps are recommended / required by July 28, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2016-10033 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

What is an Argument Injection Vulnerability?

The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

CVE-2016-10033 has been classified to as an Argument Injection vulnerability or weakness.


Products Associated with CVE-2016-10033

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2016-10033 are published in these products:

Phpmailerproject Phpmailer
 
WordPress
 
Joomla
 
Canonical Ubuntu Linux
 

Vulnerable Packages

The following package name and versions may be associated with CVE-2016-10033

Package Manager Vulnerable Package Versions Fixed In
composer phpmailer/phpmailer >= 5.0.0, < 5.2.20 5.2.20
composer phpmailer/phpmailer >= 5.0.0, < 5.2.18 5.2.18

Exploit Probability

EPSS
94.47%
Percentile
100.00%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.