CVE-2016-10033

Published Dec 30, 2016

Last updated 23 days ago

PHPMailer

Overview

AI description

Automated description summarized from trusted sources.

CVE-2016-10033 is a remote code execution vulnerability that exists in PHPMailer, a widely used PHP library for sending emails. The vulnerability is located in the `mailSend` function of the isMail transport method. It occurs because the `Sender` property is not properly sanitized. By injecting a backslash followed by a double quote (\") in a crafted `Sender` property, a remote attacker can pass extra parameters to the mail command. This can lead to the execution of arbitrary code on the affected server. The vulnerability was patched in PHPMailer version 5.2.18.

Description: The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
Source: cve@mitre.org
NVD status: Deferred

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

CVSS 2.0

Type: Primary
Base score: 7.5
Impact score: 6.4
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:P

Known exploits

Data from CISA

Vulnerability name: PHPMailer Command Injection Vulnerability
Exploit added on: Jul 7, 2025
Exploit action due: Jul 28, 2025
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

nvd@nist.gov: CWE-88
134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-88

Hype score: Not currently trending

CISA added 5 vulns to its Known Exploited Vulnerabilities (KEV) catalog this week: CitrixBleed 2 (CVE-2025-5777) – OOB read in NetScaler ADC. 4 older vulns added July 7: ▪ Zimbra ZCS (CVE-2019-9621) ▪ Rails (CVE-2019-5418) ▪ PHPMailer (CVE-2016-10033) ▪ MRLG (CVE-2014-3
@cyber_sec_raj
13 Jul 2025
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9CFF1E1E-0F95-442C-B121-B438985E64C8",
            "versionEndExcluding": "5.2.18"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5C55F44C-4A71-4C47-9908-071A23D46939",
            "versionEndIncluding": "4.7"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0CD26A61-1228-43AC-AEAF-20BF83345F2D",
            "versionEndIncluding": "3.6.5",
            "versionStartIncluding": "1.5.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.