Featured image for WordPress 5.7.2 Security Patch

WordPress 5.7.2 Security Release: What You Need to Know

On May 13, 2021 01:00 UTC, WordPress core released a security patch for a Critical Object Injection vulnerability in PHPMailer, the component that WordPress uses to send emails by default. If your site is set to allow auto updating of minor point releases, your site has probably already updated to WordPress 5.7.2.

While we do recommend updating WordPress immediately if you haven’t already, at this time we do not believe that most WordPress sites are likely to be exploitable by this vulnerability.

Don’t Panic

The vulnerability in question is an Object Injection flaw present in multiple versions of PHPMailer which has been given an identifier of CVE-2020-36326. It is similar to another vulnerability, CVE-2018-19296, that had been patched in an earlier version of PHPMailer.

We’ve written about Object Injection vulnerabilities in the past, and while they should be taken seriously, all Object Injection vulnerabilities require a “POP Chain” in order to cause additional damage. In order to exploit this vulnerability, additional software with a vulnerable magic method would need to be running on the site.

Assuming the presence of a POP chain, there are still more obstacles that would need to be bypassed in order to exploit this vulnerability. Although anyone with direct access to PHPMailer might be able to inject a PHP object, warranting a critical severity rating in the PHPMailer component itself, WordPress does not allow users this type of direct access. Instead, all access occurs through functionality exposed in core and in various plugins.

In order to exploit this, an attacker would need to find a way to send a message using PHPMailer and add an attachment to that message. Additionally, the attacker would need to find a way to completely control the path to the attachment. This automatically rules out built-in WordPress functionality and the functionality of most plugins, as even contact form plugins that allow file uploads and send attachments typically use the location of the uploaded file as the attachment and don’t allow users to directly control the attachment path.

In our assessment, successfully exploiting this vulnerability would require a large number of factors to line up, including the presence of at least one additional vulnerability in a plugin or other component installed on the site as well as the presence of a vulnerable magic method. We are also currently unaware of any plugins that could be used to exploit this vulnerability even as a site administrator.

This is unlikely to be used as an intrusion vector, though it is possible that it could be used by attackers who have already gained some level of access to escalate their privileges

Nonetheless, we do strongly recommend updating to the latest version of WordPress as soon as possible, as the sheer number of WordPress installations in existence means that exploitable sites likely exist. Additionally, the vulnerability may be easier to exploit than originally anticipated, or the original researchers or other actors may release more detailed proof of concept code sometime in the future.

The Wordfence firewall’s Built-In PHAR Deserialization protection should protect all of our users, including Wordfence Premium customers as well as those still using the free version, against any attempts to exploit this vulnerability.

Conclusion

In today’s article, we covered an Object Injection vulnerability in PHPMailer, a software component used by WordPress to send email. We recommend updating WordPress core if you haven’t already, but we do not currently believe there is cause for alarm, and do not expect to see this vulnerability attacked at scale as it is dependent on a number of other factors to successfully exploit.

Special thanks to Wordfence Lead Developer Matt Barry and QA Lead Matt Rusnak for their assistance with this article.
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.

Did you enjoy this post? Share it!

Comments

10 Comments
  • Thanks. What a world.

  • Thank you so much as always for securing our sites and giving us relevant information on security.

  • thank you so much

  • Thank you for the best security service to our site

  • hello sir. thank you for explaining it in simple language! appreciated it.

  • Thank you for these great insights and details. We update always our systems. So if the core is updated, nothing can happen, right?!

    • Hi Ralf,

      It's still important to keep your plugins and themes updated as well, but yes, if WordPress core is updated then this particular vulnerability cannot be exploited.

  • I using SMTP plugin to send email since this function is not working well with all email services.
    I just need to update the WordPress even I don't use it?

    • Hi,

      Yes, even if you don't directly use this library, it may still be possible for an attacker to find a way to access it. You should still update WordPress.

  • Thanks! This is good info. 👍