
CVE-2016-10033: Actively Exploited Remote Code Execution (RCE) Vulnerability in PHPMailer


Filip Dimitrov

July 8, 2025

CVE-2016-10033 is a critical remote code execution vulnerability in PHPMailer, a widely used PHP library for sending emails. The flaw lies in the mailSend function of the isMail transport method, where unsanitized user input, specifically the Sender property, can be abused to inject extra parameters into the mail() command. This allows attackers to execute arbitrary code on affected servers.

Originally discovered in 2016, the vulnerability was patched in version 5.2.18. However, it has regained relevance after being added to the CISA KEV catalog on July 7, 2025, indicating active exploitation in the wild despite its age.

Key Details:

  • CVE ID: CVE-2016-10033
  • CVSS Score: 9.8 (Critical)
  • Exploitability: Public exploit code available
  • Date Added to CISA KEV Catalog: July 7, 2025
  • Vendor Patch Available: Yes (PHPMailer v5.2.18+)
  • Associated CVE: CVE-2016-10045 (Patch Bypass)

Technical Details:

The vulnerability lies in the mailSend() function within the class.phpmailer.php file of PHPMailer. Specifically, the issue arises when a maliciously crafted Sender or From property is passed into this function. 

If the attacker includes a backslash followed by a double quote (\") in the input, PHPMailer fails to properly sanitize it before passing it to the underlying sendmail command.

As a result, the attacker is able to inject additional parameters into the sendmail execution, effectively altering its behavior. 

This manipulation can lead to command injection, allowing the attacker to execute arbitrary code on the server.

Exploitation Flow:

  1. Attacker submits a specially crafted Sender field (e.g., "attacker\" -oQ/tmp/ -X/tmp/evil.php"@example.com)
  2. PHPMailer passes this directly to the mail() function.
  3. The injected parameters are interpreted by sendmail, writing attacker-controlled content to a file in the webroot.
  4. The attacker accesses the file to execute arbitrary PHP code on the server.

Proof of Concept (PoC):

Several public PoCs exist, including:

Risk & Impact:

Vector                    CVSS v3.1 Score
Attack Vector             Network
Attack Complexity         Low
Privileges Required       None
User Interaction          None
Confidentiality Impact    High
Integrity Impact          High
Availability Impact       High
Base Score                9.8 (Critical)

Mitigation Steps:

Immediately upgrade PHPMailer to version 5.2.18 or higher

This vulnerability is fully patched in PHPMailer v5.2.18. If your application uses PHPMailer directly or indirectly (e.g., via WordPress, Joomla, or another CMS), update the library to the latest version. Confirm the version explicitly within your codebase or dependency manager.

Also apply the patch for CVE-2016-10045

The initial patch for CVE-2016-10033 was incomplete and introduced a bypass vulnerability (CVE-2016-10045). Ensure both patches are in place to fully eliminate the risk of exploitation.

Audit your codebase for direct or bundled use of PHPMailer

PHPMailer is often embedded manually or through third-party plugins. Search your codebase for references to PHPMailer, class.phpmailer.php, or older copies of the library that may not be automatically updated through package managers.
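An added example of this audit step (not code from the advisory or from the PHPMailer project): a Python script that walks a tree, picks out files declaring `class PHPMailer`, reads the library's own version string and flags every copy below the fixed release. It assumes the two version markers PHPMailer's 5.x and 6.x class files use (`public $Version = '...'` and `const VERSION = '...'`); the 5.2.18 threshold is the fix release named in this advisory, and the sample files are constructed.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "5.2.18"  # first release with the CVE-2016-10033 fix, per this advisory
# Version markers in PHPMailer's own class file (assumption: 5.x uses public $Version, 6.x const VERSION).
_VERSION_PATTERNS = (
    re.compile(r"""public\s+\$Version\s*=\s*['"]([\d.]+)['"]"""),
    re.compile(r"""const\s+VERSION\s*=\s*['"]([\d.]+)['"]"""),
)
_CLASS_DECL = re.compile(r"\bclass\s+PHPMailer\b")

def parse_version(php_source: str) -> Optional[str]:
    """Return the version string declared in a PHPMailer class file, or None."""
    for pattern in _VERSION_PATTERNS:
        match = pattern.search(php_source)
        if match:
            return match.group(1)
    return None

def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Compare numerically: as strings, '5.2.9' would sort above '5.2.18'."""
    as_tuple = lambda v: tuple(int(part) for part in v.split("."))
    return as_tuple(version) < as_tuple(fixed)

def audit_sources(files: Dict[str, str]) -> List[Tuple[str, Optional[str], bool]]:
    """files maps path -> contents; returns (path, version, needs_update) per PHPMailer class.
    A copy whose version cannot be read is flagged as well rather than silently skipped."""
    findings = []
    for path, source in files.items():
        if not _CLASS_DECL.search(source):
            continue
        version = parse_version(source)
        findings.append((path, version, version is None or is_vulnerable(version)))
    return findings

def scan_tree(root: str) -> List[Tuple[str, Optional[str], bool]]:
    """Audit every .php file under root: manual copies, plugins, themes and vendor/."""
    files = {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.php")}
    return audit_sources(files)

# Constructed sample tree (not real files): outdated copy, copy with the version line
# stripped, patched plugin copy, Composer-managed 6.x copy, and one unrelated file.
SAMPLE_FILES = {
    "wp-includes/class-phpmailer.php": "class PHPMailer {\n    public $Version = '5.2.14';\n}",
    "legacy/lib/class.phpmailer.php": "class PHPMailer {\n    /* version line removed */\n}",
    "plugins/contact/class.phpmailer.php": "class PHPMailer {\n    public $Version = '5.2.22';\n}",
    "vendor/phpmailer/phpmailer/src/PHPMailer.php": "class PHPMailer\n{\n    const VERSION = '6.1.0';\n}",
    "index.php": "<?php echo 'no mailer here';",
}
```

Run `scan_tree("/var/www")` (path assumed) against a deployment, or `audit_sources(SAMPLE_FILES)` to see the constructed case: the 5.2.14 copy and the copy with no readable version are both reported as needing an update.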

If using a CMS, verify plugin and theme security

CMS platforms like WordPress, Joomla, and Drupal may include PHPMailer through plugins or templates. Ensure all plugins and themes are up to date and maintained. Remove abandoned or unused components.

Implement strict input validation and sanitization

Even with patched software, validate all email-related fields (From, To, Sender) on the server side. Avoid allowing user input to be directly passed to mail functions without proper filtering.

Switch to a safer mail transport if possible

Consider switching from isMail (which relies on the vulnerable mail() function) to a more secure transport method like SMTP with authentication, which is not affected by this vulnerability.

Note: If you are a U.S. federal agency or fall under the CISA BOD 22-01 directive, remediation is required by July 28, 2025. Non-compliance may expose your organization to unnecessary risk and regulatory issues.

Report compiled by OP Innovate’s Research Team
