[wp-trac] [WordPress Trac] #54739: Upgrade PHPMailer to 5.2.27 for WordPress < 5.3 (and to 6.5.3 for above 5.4)

WordPress Trac noreply at wordpress.org
Tue Jan 4 16:59:57 UTC 2022


#54739: Upgrade PHPMailer to 5.2.27 for WordPress < 5.3 (and to 6.5.3 for above 5.4)
--------------------------------+--------------------------------------
 Reporter:  zodiac1978          |      Owner:  (none)
     Type:  defect (bug)        |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  External Libraries  |    Version:
 Severity:  normal              |   Keywords:  needs-patch dev-feedback
  Focuses:                      |
--------------------------------+--------------------------------------
 In WordPress 5.3 the PHPMailer library was updated to the latest version
 from the 5.2 branch. See #40472

 In WordPress 5.5 the PHPMailer library was updated to the new version 6.
 See #41750

 As background updates are available from 3.7 on, we could update the
 PHPMailer library down to version 3.7 to protect those installations from
 being abused for spamming.

 I checked https://wordpress.org/about/stats/ and WordPress installations
 with a version lower than 5.3. These sum up to 24.15 %.

 We can only background-update from 3.7, so we need to look at WordPress
 3.7 to 5.2, which shows us 18.52 % of all installations that are
 unprotected.

 This would at least close two of those three known security problems
 with this version:
 https://www.cybersecurity-help.cz/vdb/phpmailer_sourceforge_net/phpmailer/5.2.22/

 Quoted from https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27:
 > Note that the 5.2 branch is deprecated and will not receive security
 > updates after 31st December 2018.

 The same goes for WP 5.5 to 5.8:
 -> WordPress 5.5 (PHPMailer 6.1.6)
 -> WordPress 5.6 (PHPMailer 6.2)
 -> WordPress 5.7 (PHPMailer 6.3)
 -> WordPress 5.7.2 (PHPMailer 6.4)
 -> WordPress 5.7.3 (PHPMailer 6.5.0)

 WordPress 5.9 will contain PHPMailer 6.5.3 as the latest version.

 As versions 6.4.1 and 6.5 are security releases, this could be relevant too:
 https://github.com/PHPMailer/PHPMailer/releases?q=security&expanded=true

 Although this is security-related, it seems that the other tickets about
 updating this library are handled in public, so I created this one here
 too.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/54739>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
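An added audit check, not part of the ticket and not WordPress or PHPMailer code, that reads the version string out of a bundled PHPMailer source file and compares it with the per-branch minimums the ticket asks for (5.2.27 on the deprecated 5.2 branch, 6.5.3 on the 6.x branch). It assumes the two file locations listed in CANDIDATE_FILES (the single-file class used before WordPress 5.5 and the namespaced package used from 5.5 on) and the two version-declaration forms matched by VERSION_RE; the sample source strings are constructed, not copied from either project.

```python
import re
from pathlib import Path
from typing import Optional, Tuple, Union

# Minimum PHPMailer version per major branch that the ticket asks for:
# 5.2.27 for the deprecated 5.2 branch, 6.5.3 for the 6.x branch.
MIN_VERSION = {5: (5, 2, 27), 6: (6, 5, 3)}

# Assumed locations of the bundled library relative to the WordPress root:
# the pre-5.5 single-file class and the 5.5+ namespaced package.
CANDIDATE_FILES = (
    "wp-includes/class-phpmailer.php",
    "wp-includes/PHPMailer/PHPMailer.php",
)

# Matches the legacy `public $Version = '5.2.22';` property and the
# PHPMailer 6 `const VERSION = '6.5.3';` constant (assumed forms).
VERSION_RE = re.compile(
    r"""(?:\$Version\s*=|const\s+VERSION\s*=)\s*['"]([0-9]+(?:\.[0-9]+)*)['"]"""
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.5.3' into (6, 5, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def extract_version(php_source: str) -> Optional[str]:
    """Return the version string declared in PHPMailer source, or None."""
    match = VERSION_RE.search(php_source)
    return match.group(1) if match else None


def assess(version: str) -> dict:
    """Compare a bundled version against the minimum for its branch."""
    parsed = parse_version(version)
    major = parsed[0]
    floor = MIN_VERSION.get(major)
    if floor is None:
        status = "unknown-branch"
    elif parsed >= floor:
        status = "ok"
    else:
        status = "outdated"
    return {
        "version": version,
        "branch": major,
        "minimum": ".".join(str(p) for p in floor) if floor else None,
        "status": status,
    }


def audit_install(root: Union[str, Path]) -> dict:
    """Locate the bundled PHPMailer under a WordPress root and assess it."""
    root = Path(root)
    for rel in CANDIDATE_FILES:
        candidate = root / rel
        if candidate.is_file():
            source = candidate.read_text(encoding="utf-8", errors="replace")
            version = extract_version(source)
            if version:
                return {"file": rel, **assess(version)}
            return {"file": rel, "status": "version-not-found"}
    return {"file": None, "status": "phpmailer-not-found"}


# Constructed sample inputs: the shape of the version declaration in each
# generation of the bundled library (not real file contents).
SAMPLE_LEGACY = "class PHPMailer\n{\n    public $Version = '5.2.22';\n"
SAMPLE_MODERN = "class PHPMailer\n{\n    const VERSION = '6.5.3';\n"

if __name__ == "__main__":
    for sample in (SAMPLE_LEGACY, SAMPLE_MODERN):
        print(assess(extract_version(sample)))
    # Usage against a real checkout: audit_install("/var/www/wordpress")
```

Pointing audit_install at a site root gives a one-line verdict per install, which is the check an operator would run across a fleet of sites that cannot be moved to a newer WordPress release yet. Versions are compared as integer tuples rather than strings so that a two-component value such as 6.5 is correctly ranked below 6.5.3.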