CVE-2016-10033 — PHPMailer Command Injection Vulnerability

CVE-2016-10033

PHPMailer — Unsanitized Sender Address in mail() Call Enables Remote Code Execution via sendmail Argument Injection; Affects Millions of PHP Applications; Patched v5.2.18

What Is PHPMailer?

PHPMailer is the most widely used PHP library for sending email, estimated at the time of disclosure to have around nine million users, and it is bundled with or used by WordPress, Drupal, Joomla, and countless custom PHP applications. It wraps PHP's mail() function and SMTP delivery, handling message composition, MIME encoding, attachments, and transport. Any PHP web application with contact forms, user registration, password reset, or notification email is likely to use PHPMailer or a framework that depends on it, so a vulnerability in it has exceptionally broad impact across the web.

Overview

Actively Exploited. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on July 7, 2025. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-10033 is an argument injection vulnerability in PHPMailer that yields remote code execution on a PHP server running a vulnerable version when a user-supplied email address is used as the message sender. PHPMailer's default mail() transport passes the envelope sender to PHP's mail() function as a -f command-line flag, and PHP appends that string to the sendmail command line. A crafted sender address with a quoted local part breaks out of the intended argument, so the attacker can append further sendmail flags, including one that makes sendmail write its transcript log to an attacker-chosen path; with PHP code in the message body, that log becomes a webshell in a web-accessible directory. Reported by Dawid Golunski of Legal Hackers in December 2016; patched in PHPMailer 5.2.18 (December 26, 2016). CISA added CVE-2016-10033 to the KEV catalog in July 2025.

Affected Versions

PHPMailer version   Status
< 5.2.18            Vulnerable
5.2.18              Fixes CVE-2016-10033, but the fix is bypassed by CVE-2016-10045
5.2.20 and later    Recommended minimum on the 5.x branch (fixes both CVE-2016-10033 and the CVE-2016-10045 bypass)
6.x                 Fixed

Note: PHPMailer 5.2.18 fixed CVE-2016-10033 but the fix was bypassed by CVE-2016-10045 (published same week). Upgrading to 5.2.20+ or PHPMailer 6.x is the correct remediation.

Technical Details

Root Cause: Sendmail Argument Injection via Email Address

CVE-2016-10033 is an argument injection vulnerability (CWE-88) in PHPMailer's use of PHP's mail() function. PHP's mail() function signature is:

mail(string $to, string $subject, string $message, string $additional_headers, string $additional_params)

PHP runs additional_params through escapeshellcmd(), appends the result to the configured sendmail_path (by default /usr/sbin/sendmail -t -i) and hands the whole line to /bin/sh, so anything in that string becomes one or more sendmail command-line arguments:

/usr/sbin/sendmail -t -i <additional_params>

PHPMailer's mail() transport builds additional_params from its Sender property as -f<Sender> (no space between the flag and the address) to set the envelope sender. Vulnerable versions passed Sender through unchanged and relied on the escapeshellcmd() that mail() applies internally. escapeshellcmd() exists to stop command injection, not argument injection: it does not touch spaces and it leaves a matched pair of quotes unescaped, so a sender whose local part is a quoted string (valid under RFC 3696 and accepted by PHPMailer's address validator) can close the quote, let the shell split the remainder into new words, and so smuggle extra flags to sendmail.

Exploitation payload:

An attacker submits a crafted sender email address whose quoted local part contains embedded sendmail flags, typically -oQ (queue directory) and -X (transcript log file path), to a vulnerable web application's contact or registration form.

PHPMailer passes the injected flags through to the underlying sendmail invocation. -oQ/tmp/ points the queue at a directory the web server user can write to, so sendmail does not abort before logging; -X directs sendmail to write its transcript (which contains the full transaction, including the message body) to an attacker-specified path such as a web-accessible directory. By including a PHP webshell payload in the email body, the attacker arranges for sendmail to write an executable PHP file into the web root, creating a persistent backdoor reachable over HTTP.

Exploitation Prerequisites

  • PHPMailer < 5.2.18 using the PHP mail() transport, which is PHPMailer's default (the SMTP transport never invokes sendmail)
  • The web application uses user-supplied input (e.g., a contact form's "From" email field) as the PHPMailer From or Sender property
  • The web server process has write permission to a web-accessible directory (e.g., /var/www/html/)
  • sendmail or a compatible MTA is installed on the server

CVE-2016-10045: Bypass of the Initial Fix

PHPMailer 5.2.18 wrapped the sender in escapeshellarg() before handing it to mail(). Because mail() then applies escapeshellcmd() to the same string, the two escapers interact: escapeshellcmd() backslash-escapes the single quotes that escapeshellarg() inserted, which lets a sender containing a single quote close the quoted argument early. Dawid Golunski reported this bypass as CVE-2016-10045 within days. PHPMailer 5.2.20 takes a different approach: it passes a -f parameter only when the sender consists solely of characters known to be shell-safe (alphanumerics and @ _ - .) and otherwise omits the envelope sender entirely, which closes both issues.
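To make the escaping behaviour concrete, here is an added PHP script (written for this page; it is not PHPMailer or PHP source) that reproduces what mail() does with additional_params and shows the argv sendmail would receive. printf stands in for /usr/sbin/sendmail, the three param builders model the handling in PHPMailer 5.2.17, 5.2.18 and 5.2.20 as described above, the two crafted addresses are the ones from the public write-up, and the function names are this example's own.

```php
<?php
// Added example (not PHPMailer or PHP source): reproduces how mail()'s
// fifth argument reaches sendmail, so the argument injection behind
// CVE-2016-10033 and the CVE-2016-10045 bypass can be inspected without
// an MTA. printf stands in for /usr/sbin/sendmail.
declare(strict_types=1);

/**
 * What PHP's mail() does with additional_params: escapeshellcmd(), then
 * append to sendmail_path and hand the line to /bin/sh via popen().
 * Here the command is printf, which echoes each argv entry it receives.
 */
function sendmail_argv(string $additional_params): array
{
    $line = "printf '[%s]\\n' " . escapeshellcmd($additional_params);
    $out  = (string) shell_exec($line);
    preg_match_all('/^\[(.*)\]$/m', $out, $m);
    return $m[1];
}

// PHPMailer <= 5.2.17, mail() transport: sprintf('-f%s', $this->Sender)
function params_5217(string $sender): string
{
    return sprintf('-f%s', $sender);
}

// PHPMailer 5.2.18: sender wrapped in escapeshellarg() first. mail() still
// runs escapeshellcmd() over the result, and the two escapers collide.
function params_5218(string $sender): string
{
    return sprintf('-f%s', escapeshellarg($sender));
}

// Allow-list modelled on the isShellSafe() check PHPMailer added in 5.2.20:
// only alphanumerics and @ _ - . may appear, otherwise no -f is passed at all.
function is_shell_safe(string $s): bool
{
    if (escapeshellcmd($s) !== $s || !in_array(escapeshellarg($s), ["'$s'", "\"$s\""], true)) {
        return false;
    }
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        if (!ctype_alnum($s[$i]) && strpos('@_-.', $s[$i]) === false) {
            return false;
        }
    }
    return true;
}

function params_5220(string $sender): ?string
{
    return is_shell_safe($sender) ? sprintf('-f%s', $sender) : null;
}

$benign = 'contact@example.com';
// CVE-2016-10033 address: the paired double quotes survive escapeshellcmd(),
// and the shell then splits the local part into separate arguments.
$cve_10033 = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com';
// CVE-2016-10045 address: the single quote targets escapeshellarg()'s quoting.
$cve_10045 = '"attacker\\\' -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com';

foreach (['benign' => $benign, 'CVE-2016-10033' => $cve_10033, 'CVE-2016-10045' => $cve_10045] as $label => $addr) {
    echo "== $label ==\n";
    echo "<= 5.2.17 argv: ", json_encode(sendmail_argv(params_5217($addr))), "\n";
    echo "   5.2.18 argv: ", json_encode(sendmail_argv(params_5218($addr))), "\n";
    echo "   5.2.20 -f param: ", var_export(params_5220($addr), true), "\n";
}
```

Run it with the php CLI on a host with /bin/sh; each bracketed line is one argv entry. Compare how many entries each address produces under the 5.2.17 and 5.2.18 builders, and note that the 5.2.20 check never emits a -f parameter for a sender that contains anything outside its allow-list, which is why upgrading rather than adjusting the escaping is the remediation.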

Attack Characteristics

Attribute Detail
Attack Vector Network — crafted email address in web form or API
Authentication None required (contact forms, registration, password reset)
Exploit sendmail -X flag to write PHP webshell to web root
Prerequisite PHPMailer using mail() with user-controlled sender address
Impact Remote code execution as web server user

Discovery

Dawid Golunski of Legal Hackers reported the flaw to the PHPMailer maintainers on December 25, 2016; PHPMailer 5.2.18 was released one day later, on December 26, 2016, an unusually fast patch turnaround reflecting the severity. Golunski published the full technical advisory on December 30, 2016.

Exploitation Context

  • Mass PHP application exposure: PHPMailer's near-universal use in PHP web applications means CVE-2016-10033 affected a significant fraction of all PHP-based websites; WordPress, Drupal, Joomla, and thousands of custom applications shipped with vulnerable PHPMailer versions, making mass scanning and exploitation tractable
  • Contact form weaponization: The typical exploitation path targets contact form "From" or "Reply-To" email fields — fields that applications commonly pass to PHPMailer; these forms are publicly accessible without authentication, explaining the PR:N CVSS rating
  • Rapid exploitation post-disclosure: Proof-of-concept exploit code was publicly available within hours of Golunski's December 30 disclosure; mass scanning for vulnerable applications began immediately; attackers automated the contact form injection to deploy webshells across thousands of PHP sites
  • Persistence through webshells: The sendmail log injection technique writes a persistent PHP webshell to the web root; this provides durable remote code execution surviving server reboots and application updates until the webshell file is removed
  • CISA KEV (2025): Added July 2025 — confirming that despite the 2016 patch, CVE-2016-10033 continues to be exploited against unpatched legacy PHP applications nearly a decade later

Remediation

CISA BOD 22-01 Deadline: July 28, 2025. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Upgrade PHPMailer to 6.x — update PHPMailer to the current 6.x branch, which includes the complete fix for CVE-2016-10033 and CVE-2016-10045 plus all subsequent security improvements. PHPMailer 5.x is no longer supported.

  2. If PHPMailer 5.x cannot be immediately replaced, update to 5.2.20 minimum — 5.2.20 fixes both CVE-2016-10033 and the CVE-2016-10045 bypass.

  3. Use SMTP delivery instead of mail() — configure PHPMailer to use an SMTP server ($mail->isSMTP()) instead of PHP's mail() function; the vulnerability only exists when using the mail() transport, which invokes sendmail directly.

  4. Keep user-supplied addresses out of the envelope sender — validate input with filter_var($email, FILTER_VALIDATE_EMAIL) as a first gate, but treat that as defence in depth rather than a fix: PHPMailer's own validator accepted the crafted addresses because they are syntactically valid. The robust pattern is to send with a fixed, site-owned From/Sender address and put the visitor's address in Reply-To ($mail->addReplyTo()), so no user input ever reaches sendmail's command line.

  5. Audit applications for user-controlled PHPMailer sender values — review all web application code that instantiates PHPMailer and trace whether user-supplied input flows to $mail->Sender, $mail->From, or $mail->setFrom() (which also populates Sender when it is empty); any such flow with an unpatched PHPMailer and the mail() transport is potentially exploitable. Recipient addresses added with addAddress() are written to the message, not the command line, and are not part of this injection path.

  6. Scan for webshell indicators — audit web-accessible directories for unexpected .php files created around the exploitation window; a file written through sendmail -X contains the transcript of the message (headers and body text) around the PHP payload, which is itself a strong signature. Review web server access logs for POST requests to contact or registration forms followed by GET requests to newly created PHP files.
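The following added PHP snippet (example code for this page, not PHPMailer's own) shows steps 4 and 5 applied to a contact form: the visitor's address is validated and used only in a Reply-To header, while the envelope sender handed to mail()'s fifth argument is a constant the site controls. SITE_SENDER, SITE_INBOX and the function names are this example's assumptions, and the two sample submissions are constructed.

```php
<?php
// Added example (not PHPMailer code): a contact-form handler that keeps
// user input out of sendmail's command line entirely. The visitor's
// address is validated and placed in a Reply-To header; the envelope
// sender passed as mail()'s fifth argument is a fixed site-owned address.
declare(strict_types=1);

const SITE_SENDER = 'noreply@example.com'; // assumed: a mailbox the site controls
const SITE_INBOX  = 'contact@example.com'; // assumed: where form mail is delivered

/**
 * Validate the visitor's address. Returns null for anything filter_var does
 * not accept; no attempt is made to "clean" a bad address.
 */
function visitor_address(string $raw): ?string
{
    $addr = trim($raw);
    if ($addr === '' || filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Belt and braces: CR/LF would let the value break out of its header line.
    if (preg_match('/[\r\n]/', $addr)) {
        return null;
    }
    return $addr;
}

/**
 * Build the five arguments for PHP's mail() without sending. Only
 * SITE_SENDER ever appears in additional_params, so the escapeshellcmd()
 * inside mail() has nothing attacker-controlled to mishandle.
 * With PHPMailer the same split is: $mail->setFrom(SITE_SENDER);
 * $mail->Sender = SITE_SENDER; $mail->addReplyTo($visitor).
 */
function contact_mail_arguments(array $form): ?array
{
    $visitor = visitor_address((string) ($form['email'] ?? ''));
    if ($visitor === null) {
        return null;
    }
    $subject = 'Contact form: ' . preg_replace('/[\r\n]+/', ' ', (string) ($form['subject'] ?? ''));
    $body    = (string) ($form['message'] ?? '');

    $headers = implode("\r\n", [
        'From: ' . SITE_SENDER,
        'Reply-To: ' . $visitor, // visitor address lives in a header only
        'X-Mailer: contact-form-example',
        'Content-Type: text/plain; charset=UTF-8',
    ]);

    // [to, subject, message, additional_headers, additional_params]
    return [SITE_INBOX, $subject, $body, $headers, '-f' . SITE_SENDER];
}

// Constructed submissions: a benign one and the CVE-2016-10033 style address.
$submissions = [
    ['email' => 'alice@example.org', 'subject' => 'Hello', 'message' => 'Hi there'],
    ['email' => '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com',
     'subject' => 'x', 'message' => 'body text is irrelevant here'],
];

foreach ($submissions as $form) {
    $args = contact_mail_arguments($form);
    if ($args === null) {
        echo "rejected: {$form['email']}\n";
        continue;
    }
    [$to, $subject, $body, $headers, $params] = $args;
    // Whatever the visitor typed, additional_params is always '-f' . SITE_SENDER.
    echo "to=$to params=$params\n$headers\n\n";
}
```

Whether or not filter_var accepts a particular quoted local part, the design holds: the only string that reaches the sendmail command line is the constant SITE_SENDER, and the visitor's address can do no more than sit in a Reply-To header.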

Key Details

Property  Value
CVE ID  CVE-2016-10033
Vendor / Product  PHPMailer / PHPMailer
NVD Published  2016-12-30
NVD Last Modified  2025-10-22
CVSS 3.1 Score  9.8
CVSS 3.1 Vector  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity  CRITICAL
CWE  CWE-88 — Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CISA KEV Added  2025-07-07
CISA KEV Deadline  2025-07-28
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector  Network
Attack Complexity  Low
Privileges Required  None
User Interaction  None
Scope  Unchanged
Confidentiality  High
Integrity  High
Availability  High

Timeline

Date  Event
2016-12-25  Dawid Golunski of Legal Hackers reports CVE-2016-10033 to the PHPMailer maintainers
2016-12-26  PHPMailer 5.2.18 released with fix for CVE-2016-10033
2016-12-28  CVE-2016-10045 reported: bypass of the PHPMailer 5.2.18 fix; PHPMailer 5.2.20 released
2016-12-30  CVE-2016-10033 published by NVD; widespread public disclosure and proof-of-concept publication
2025-07-07  Added to CISA Known Exploited Vulnerabilities catalog
2025-07-28  CISA BOD 22-01 remediation deadline