The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HJoomla Joomla\!
APPJoomla1.5.0 – 3.6.5Phpmailer Project Phpmailer
APPPhpmailer Project< 5.2.18WordPress
APPWordpress≤ 4.7
CISA KEV — detailsi
- Vendori
- PHP
- Producti
- PHPMailer
- Added to KEVi
- July 7, 2025
- Remediation deadline (US Federal)i
- July 28, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.
Related vulnerabilities
Joomla! — degradacja szyfrowania transportu w linkach resetowania hasła i nazwy użytkownika
SQL injection w metodzie quoteNameStr pakietu bazy danych Joomla Framework
Joomla! — cache poisoning przez dowolne parametry w paginacji
An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-s...
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate filtering on the sel...