Description
PHPMailer before 5.2.18 allows remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code. It is possible to execute remote OS commands using the Host header in WordPress.
Recommendation
Updgrade WordPress to the latest stable version.
References
- OWASP: Command Injection
- WordPress
- CVE-2016-10033
- CWE-20
- CWE-78
- CAPEC-88
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6