Double quote vulnerability in PHPMailer can allow any malware to be uploaded


CVE-2020-13625: Flaw in PHPMailer causes insufficient validation of attachments with a double quote character and allows the download of malware and ransomware

A security flaw has been revealed in PHPMailer which allows any malicious payload to be sent within double quotes to the victim. The flaw could be exploited by potential hackers to bypass security restrictions on affected systems, which would eventually lead to further attacks, such as malware and ransomware infection, among others.

PHPMailer is the code library for sending emails safely and easily via PHP code from a web server. The PHPMailer library is used directly or indirectly by many content management systems (CMSs) including WordPress, Joomla, and Drupal. Where the library is not included in their core code, it is likely available as a separate module or can be bundled with third-party add-ons. It was first released way back in 2001, and since then it has become a PHP developer’s favorite way of sending emails programmatically,

The double-quote vulnerability exists in PHPMailer versions 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, and 6.1.5 and has been given the identifier, CVE-2020-13625 with a score of 5/10 with medium severity. The PHPMailer CVE-2020-13625 vulnerability exists due to insufficient validation of user-provided attachments within a double quote character, which would allow remote hackers to avoid security restrictions enabled by PHPMailer users.

Potential hackers could abuse this vulnerability to pass on specially crafted malware or other payloads through the application by evading security tools. Mitre says that “PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.”

PHPMailer vulnerability mitigation

The most simple workaround for this vulnerability is rejecting or filtering names and filenames containing double quote (“) characters before passing them to attachment functions such as addAttachment().

PHPMailer developers have already released an update to fix this bug, so it is recommended that affected deployment administrators install the patches as soon as possible. The PHPMailer devs have already fixed this vulnerability and have advised every PHPMailer user to upgrade their software to the latest PHPMailer version 6.1.6. The dev team has released the source code for PHPMailer version 6.1.6 here.


About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt

Notify of
Inline Feedbacks
View all comments