WordPress has fixed eight security issues in its core content management platform, including a critical remote execution bug in PHPMailer, a tool for sending email to users.
WordPress is probably the largest of several widely-used open source web applications that use PHPMailer, which researcher David Golunski in December reported contained a critical flaw that could allow web sites to be remotely compromised.
As Golunski noted then, an attacker could hack a web server hosting a application that used that version of PHPMailer. The flaw could be exploited by targeting contact or feedback forms, registration forms, password email reset and other website components.
“No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release,” WordPress core contributor Aaron Campbell noted an advisory on Wednesday, which urged users to update their installations immediately.
The update also contains a fix for the REST API, two cross-site scripting flaws, two cross-site forgery request forgery flaws, and several other flaws.
WordPress-focussed security firm WordFence noted in December that no known exploit for the PHPMailer issue had been published for WordPress core or any themes and plugins.
Nonetheless, it probably would be wise for WordPress users to update, given that proof of concept exploits for the bug were published shortly after Golunski reported the issue. Golunski has also promised to disclose more exploits for the flaw at a later date.
Besides this, WordPress remains a huge target for hackers due to the sheer number of websites built on it. Security firm Securi recently reported that 74 percent of 8,000 websites it cleaned up in the third-quarter of 2016 were built on WordPress, with 61 percent of these running an outdated version of WordPress at the time of infection. However, outdated versions of Joomla, Magento and Drupal were far higher than for WordPress.