// For flags

CVE-2016-10033

WordPress Core 4.6 - Remote Code Execution

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

38
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

La función mailSend en el transporte isMail en PHPMailer en versiones anteriores a 5.2.18 podrían permitir a atacantes remotos pasar parámetros extra al comando mail y consecuentemente ejecutar código arbitrario a través de una \" (barra invertida comillas dobles) en una propiedad Sender manipulada.

Dawid Golunski discovered that PHPMailer was not properly escaping user input data used as arguments to functions executed by the system shell. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 ESM. It was discovered that PHPMailer was not properly escaping characters in certain fields of the code_generator.php example code. An attacker could possibly use this issue to conduct cross-site scripting attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-12-22 CVE Reserved
  • 2016-12-26 CVE Published
  • 2016-12-26 First Exploit
  • 2024-08-06 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CAPEC
References (48)
URL Tag Source
http://www.securityfocus.com/archive/1/539963/100/0/threaded Broken Link
http://www.securitytracker.com/id/1037533 Broken Link
https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html Third Party Advisory
https://www.drupal.org/psa-2016-004 Third Party Advisory
https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html
https://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions
URL Date SRC
https://packetstorm.news/files/id/142486 2017-05-12
https://packetstorm.news/files/id/140283 2016-12-27
https://packetstorm.news/files/id/140286 2016-12-28
https://packetstorm.news/files/id/142390 2017-05-05
https://packetstorm.news/files/id/142547 2017-05-17
https://packetstorm.news/files/id/140349 2017-01-03
https://packetstorm.news/files/id/140291 2016-12-29
https://packetstorm.news/files/id/140280 2016-12-26
https://packetstorm.news/files/id/140350 2017-01-04
https://www.exploit-db.com/exploits/41962 2024-08-06
https://www.exploit-db.com/exploits/42024 2024-08-06
https://www.exploit-db.com/exploits/41996 2024-08-06
https://www.exploit-db.com/exploits/40974 2024-08-06
https://www.exploit-db.com/exploits/42221 2024-08-06
https://www.exploit-db.com/exploits/40970 2024-08-06
https://www.exploit-db.com/exploits/40968 2024-08-06
https://www.exploit-db.com/exploits/40969 2024-08-06
https://www.exploit-db.com/exploits/40986 2024-08-06
https://github.com/opsxcq/exploit-CVE-2016-10033 2019-10-13
https://github.com/GeneralTesler/CVE-2016-10033 2017-05-10
https://github.com/chipironcin/CVE-2016-10033 2017-06-12
https://github.com/0x00-0x00/CVE-2016-10033 2018-02-09
https://github.com/ElnurBDa/CVE-2016-10033 2024-05-16
https://github.com/Bajunan/CVE-2016-10033 2017-05-19
https://github.com/j4k0m/CVE-2016-10033 2021-08-31
https://github.com/Astrowmist/POC-CVE-2016-10033 2024-06-06
https://github.com/zeeshanbhattined/exploit-CVE-2016-10033 2019-10-13
https://github.com/liusec/WP-CVE-2016-10033 2017-07-22
https://github.com/Zenexer/safeshell 2020-03-26
https://github.com/pedro823/cve-2016-10033-45 2018-09-29
https://github.com/awidardi/opsxcq-cve-2016-10033 2018-12-06
https://github.com/cved-sources/cve-2016-10033 2021-04-15
https://github.com/eb613819/CTF_CVE-2016-10033 2022-12-09
http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html 2024-08-06
http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html 2024-08-06
http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection 2024-08-06
http://www.securityfocus.com/bid/95108 2024-08-06
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html 2024-08-06
URL Date SRC
http://seclists.org/fulldisclosure/2016/Dec/78 2024-02-14
https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18 2024-02-14
https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities 2024-02-14
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Phpmailer Project
Search vendor "Phpmailer Project"
 Phpmailer
Search vendor "Phpmailer Project" for product "Phpmailer"
 < 5.2.18
Search vendor "Phpmailer Project" for product "Phpmailer" and version " < 5.2.18"
-
Affected
Wordpress
Search vendor "Wordpress"
 Wordpress
Search vendor "Wordpress" for product "Wordpress"
 <= 4.7
Search vendor "Wordpress" for product "Wordpress" and version " <= 4.7"
-
Affected
Joomla
Search vendor "Joomla"
 Joomla\!
Search vendor "Joomla" for product "Joomla\!"
 >= 1.5.0 <= 3.6.5
Search vendor "Joomla" for product "Joomla\!" and version " >= 1.5.0 <= 3.6.5"
-
Affected