
The ShipRush Product Management Blog

Using WordPress, CS-Cart, Magento, Zen Cart, X-Cart or other PHP cart? CRITICAL ISSUE

This is a red alert.

This is not a test.

** If you updated PHPMailer when this issue first surfaced (on or before December 29), you may need to update again: PHPMailer received a further critical fix on December 29, 2016, because the first fix could be bypassed. The version required is 5.2.21 or higher.

A widely used PHP library, PHPMailer, was found to have a critical security flaw. It is bundled with, or pulled in by plugins for, millions of PHP-based web sites, including WordPress, Zen Cart and other systems.

PC World wrote an overview of the issue here.

A survey shows this component is used in WooCommerce, WordPress-based systems, Zen Cart, and other PHP-based cart systems.

The flaw (CVE-2016-10033, with the bypass of the first fix tracked as CVE-2016-10045) is remote code execution. When PHPMailer hands a message to the local sendmail binary, which is its default transport, it places the message's sender address on the sendmail command line. A crafted sender address submitted through any form that sends mail (a contact form, registration, password reset, order notification) can inject extra sendmail options and write attacker-controlled content to a file on the server, which then runs as code. No login is needed. An install that sends exclusively over SMTP does not go through this code path, but most stock installs do not change the default. In short, this flaw can let an attacker take over your whole web server; the risk to your ecommerce site includes data theft, the system being taken offline, implantation of hidden spyware, and worse.

The ShipRush team urges you to contact your webmaster now to have PHPMailer on your server upgraded or disabled. "Upgraded" means every copy on the server: the one shipped with your cart and every copy bundled inside plugins, themes and add-ons, since each is a separate file that core updates do not touch.

This is a critical issue. Take care of it immediately. (By "immediately" we mean within the next few HOURS. Days is not fast enough.)

PHP-based cart systems that may be vulnerable to this issue (note: even if the system itself does not use PHPMailer, a plugin, add-on, or customization may. The only way to know is to have your webmaster review your system):
  • Magento (potential plugin vulnerability)
  • WooCommerce
  • CubeCart
  • X-Cart
  • PrestaShop
  • OpenCart
  • osCommerce
  • Drupal
  • Joomla
  • JMarket
  • CS-Cart
  • CRE-Loaded
  • Loaded Commerce
  • Craft Commerce
  • JigoShop
  • WPeCommerce

WordPress Update
WordPress uses PHPMailer, and most deployed WordPress systems (that means WooCommerce and WPeCommerce systems also) use a vulnerable version of PHPMailer. WordPress core ships its copy as wp-includes/class-phpmailer.php, which only a core update replaces. Further, many WordPress plugins bundle their own copy of PHPMailer, each of which must be upgraded separately. The WordPress community has posted: "If you are using PHPMailer older than 5.2.18 in your own PHP applications, themes or plugins, please upgrade to PHPMailer 5.2.18 or newer immediately."

CS-Cart Update:
The CS-Cart technical team confirms by email that ALL CS-CART VERSIONS are at risk. From the CS-Cart email: "Secure Your CS-Cart ASAP. Vulnerability in PHPMailer Found." The only fixed version of CS-Cart at this time is 4.4.2-SP2. A patch is available for earlier versions (all the way down to CS-Cart 1.x). Contact CS-Cart support.

X-Cart uses PHPMailer
X-Cart has multiple email options, some of which use PHPMailer. The ShipRush team's recommendation: if your X-Cart site is configured to send through PHPMailer and the bundled copy is older than 5.2.21 (see the note at the top of this page), upgrade to 5.2.21 or newer immediately.

OpenCart: PHPMailer is often used
Some email options in OpenCart use PHPMailer. If your store sends through PHPMailer and the bundled copy is older than 5.2.21, upgrade to 5.2.21 or newer immediately.

osCommerce: add-ons use PHPMailer
Many osCommerce add-ons are built on PHPMailer, including this one.

Joomla (includes JMarket, JigoShop, other Joomla based ecommerce) IS VULNERABLE
The Joomla team has acknowledged that all Joomla versions from 1.5.0 through 3.6.5 (3.6.5 being the current version as of 2016-12-28) are vulnerable.

Magento Update:
The core Magento system does not appear to use PHPMailer. However, Magento extensions and add-ons may bundle it. A webmaster should review your system to check whether any copy of PHPMailer is in use.
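The checks above all come down to the same question: which copies of PHPMailer are on the server, and what version is each? The script below is an added example, not ShipRush's or PHPMailer's own code, that answers it for the cart list above and for the per-cart notes. It assumes the PHPMailer 5.2.x layout, where the class file is named class.phpmailer.php (WordPress names its copy class-phpmailer.php) and declares `public $Version = '5.2.x';`. The sample directory tree it builds, and the plugin and cart paths in it, are constructed for the demonstration; against a real site you would run `scan_phpmailer` on the document root.

```shell
#!/bin/sh
# Added example, not ShipRush's or PHPMailer's own code.
# Finds every bundled copy of PHPMailer 5.x under a directory (core, plugins,
# vendor trees) and flags any older than the version this page requires.
# Assumes the PHPMailer 5.2.x layout: a file named class.phpmailer.php (or
# class-phpmailer.php, as WordPress names its copy) that declares
#     public $Version = '5.2.x';
REQUIRED="5.2.21"

# Print the version a PHPMailer class file declares, or "unknown".
phpmailer_version() {
    v=$(sed -n "s/.*[\$]Version *= *'\([0-9][0-9.]*\)'.*/\1/p" "$1" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# Succeed when dotted version $1 is >= $2 (numeric, component by component,
# so 5.10.0 sorts above 5.2.21).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# One line per copy found: "<OK|VULNERABLE> <version> <path>".
# A copy whose version cannot be read is reported as VULNERABLE so it gets looked at.
scan_phpmailer() {
    find "$1" -type f \( -name 'class.phpmailer.php' -o -name 'class-phpmailer.php' \) 2>/dev/null \
    | sort | while IFS= read -r f; do
        v=$(phpmailer_version "$f")
        if [ "$v" != unknown ] && version_ge "$v" "$REQUIRED"; then
            printf 'OK %s %s\n' "$v" "$f"
        else
            printf 'VULNERABLE %s %s\n' "$v" "$f"
        fi
    done
}

# Number of copies that still need an upgrade (grep -c exits 1 on zero matches).
count_vulnerable() {
    scan_phpmailer "$1" | grep -c '^VULNERABLE' || true
}

# Constructed sample tree (hypothetical paths): a WordPress core copy, a
# plugin's vendored copy, and a cart library copy. Prints the directory.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" \
             "$d/wp-content/plugins/contact-form/vendor/phpmailer/phpmailer" \
             "$d/cart/lib/phpmailer"
    stub() { printf "<?php\nclass PHPMailer\n{\n    public \$Version = '%s';\n}\n" "$2" > "$1"; }
    stub "$d/wp-includes/class-phpmailer.php" 5.2.14
    stub "$d/wp-content/plugins/contact-form/vendor/phpmailer/phpmailer/class.phpmailer.php" 5.2.18
    stub "$d/cart/lib/phpmailer/class.phpmailer.php" 5.2.21
    printf '%s\n' "$d"
}

# Real use: scan_phpmailer /var/www/html
# Demo on the constructed tree: sh scan.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    scan_phpmailer "$root"
    echo "copies needing upgrade: $(count_vulnerable "$root")"
    rm -rf "$root"
fi
```

Note that the 5.2.18 copy in the sample is reported as VULNERABLE: it has the first fix but not the December 29 one, which is exactly the case the note at the top of this page warns about. A site that bypasses this file layout entirely (for example, a cart configured to send over SMTP only) still deserves the review, because a plugin may carry its own transport.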

It is worth noting that this is not the first critical flaw to surface in PHPMailer; a serious issue arose in 2007 as well.

We apologize that we do not have exact resolution steps for each cart system. As the ShipRush team learns more, we will update this page.

Last updated at: 8:20 AM Pacific Time, 2016-12-30

Updated 12-30-2016 at 08:21 AM by Rafael Zimberoff
