
Automatically Upgrade All PHPMailer Installs on Your Server

Patch critical remote code execution vulnerabilities across multiple PHPMailer installations with a single command.

29 December 2016

Critical security vulnerabilities

This post addresses CVE-2016-10033 and CVE-2016-10045 — critical remote code execution vulnerabilities in PHPMailer. If you're running PHPMailer < 5.2.20, upgrade immediately.

The vulnerabilities

Security researcher Dawid Golunski discovered two critical vulnerabilities in PHPMailer that allow remote code execution:

  • CVE-2016-10033: PHPMailer < 5.2.18 Remote Code Execution
  • CVE-2016-10045: PHPMailer < 5.2.20 Remote Code Execution (0day Patch Bypass)

The second vulnerability was a bypass of the initial patch, which is why you need version 5.2.20 or higher to be fully protected.

The problem: multiple installations

If you manage servers hosting multiple PHP applications, you likely have PHPMailer installed in dozens of different locations — each WordPress site, each Laravel project, each custom application. Manually upgrading each one is time-consuming and error-prone.

The solution: automated upgrade script

I created upgrade-phpmailer.sh, a shell script that automatically finds and upgrades all PHPMailer installations on your server. It downloads the latest secure version from GitHub and replaces the core files while creating backups.

Files updated

The script upgrades these three core PHPMailer components:

  • class.phpmailer.php
  • class.pop3.php
  • class.smtp.php

Basic usage

# Download the script
wget https://gist.githubusercontent.com/Magentron/...upgrade-phpmailer.sh

# Make it executable
chmod +x upgrade-phpmailer.sh

# Run on your web directories
./upgrade-phpmailer.sh /var/www /home/*/public_html

Command options

# Dry run - see what would be upgraded without making changes
./upgrade-phpmailer.sh -n /var/www

# Verbose output
./upgrade-phpmailer.sh -v /var/www

# Debug mode
./upgrade-phpmailer.sh -d /var/www

# Custom backup directory
./upgrade-phpmailer.sh -D /backups/phpmailer /var/www

# Specify GitHub branch
./upgrade-phpmailer.sh -B v5.2.21 /var/www

How it works

  1. Finds installations: Recursively searches specified directories for class.phpmailer.php
  2. Creates backups: Copies existing files with .BACKUP extension before replacing
  3. Downloads latest version: Fetches current files from the official PHPMailer GitHub repository
  4. Preserves permissions: Maintains original file ownership and permissions

Verification

After running the script, verify the upgrade by checking the version in the PHPMailer class:

grep '\$Version' /path/to/class.phpmailer.php
# Should show: public $Version = '5.2.21';
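The find step from "How it works" and this version check, combined into one read-only audit script. This is an added example, not upgrade-phpmailer.sh itself: it locates every class.phpmailer.php under the given directories, parses $Version and flags anything older than 5.2.20, treating an unreadable version as vulnerable so nothing is silently skipped. It assumes the PHPMailer 5.x layout (version stored as `public $Version = '...'`) and a POSIX shell with find and sed.

```shell
#!/bin/sh
# Audit helper: list every PHPMailer 5.x install below the given directories
# and flag those older than 5.2.20 (CVE-2016-10033 / CVE-2016-10045).
# Added example; not part of upgrade-phpmailer.sh. Assumes the 5.x layout,
# where class.phpmailer.php contains:  public $Version = '5.2.21';

FIXED_VERSION="5.2.20"   # first release carrying both fixes

# Print the version string from a class.phpmailer.php file (empty if absent).
phpmailer_version() {
    sed -n 's/^[[:space:]]*public [$]Version = .\([0-9][0-9.]*\)..*/\1/p' "$1" | head -n 1
}

# Return 0 if $1 < $2, comparing dot-separated numeric components, so that
# 5.2.9 < 5.2.18 (a plain string comparison would get this wrong).
version_lt() {
    v1="$1."
    v2="$2."
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1="${v1%%.*}"; v1="${v1#*.}"
        p2="${v2%%.*}"; v2="${v2#*.}"
        p1="$(printf '%s' "$p1" | tr -cd '0-9')"   # drop suffixes such as "-rc"
        p2="$(printf '%s' "$p2" | tr -cd '0-9')"
        [ "${p1:-0}" -lt "${p2:-0}" ] && return 0
        [ "${p1:-0}" -gt "${p2:-0}" ] && return 1
    done
    return 1
}

# Return 0 (true) when a version is below FIXED_VERSION; an unreadable
# version is reported as vulnerable rather than silently skipped.
is_vulnerable() {
    [ -n "$1" ] || return 0
    version_lt "$1" "$FIXED_VERSION"
}

# Walk the given directories, printing one line per installation found.
audit_phpmailer() {
    find "$@" -type f -name class.phpmailer.php 2>/dev/null |
    while IFS= read -r f; do
        v="$(phpmailer_version "$f")"
        if is_vulnerable "$v"; then
            printf 'VULNERABLE %-8s %s\n' "${v:-unknown}" "$f"
        else
            printf 'ok         %-8s %s\n' "$v" "$f"
        fi
    done
}

if [ "$#" -gt 0 ]; then
    audit_phpmailer "$@"
fi
```

Run it with the same directory arguments you pass to upgrade-phpmailer.sh, before the upgrade to see what is exposed and again afterwards to confirm every install now reports ok.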

Lessons learned

This incident highlights several important security practices:

  • Use Composer: Modern dependency management makes security updates much easier
  • Monitor CVEs: Subscribe to security advisories for libraries you use
  • Automate patching: Have scripts ready for emergency security updates
  • Audit your servers: Know what software is installed and where
