So nearly 3 weeks ago, we started hearing about the vulnerability within the PHPMailer library that’s also used within the WordPress Core.
And everyone ran for the hills with their hair on fire (again).
Was this a critical security vulnerability? Yes.
Was WordPress susceptible? Actually, no.
So was it necessary to lose the plot and wet ourselves? No.
Anybody that pays attention to WordPress core security releases will know that when there’s a serious security vulnerability in the core, it gets patched pretty damn quick. There’s no messing around.
But isn’t it odd that WordPress didn’t get patched immediately following the announcement of this PHPMailer vulnerability? Why haven’t the Core team released a security patch already?!
When something in life is weird, it’s probably not weird – you likely just don’t know all pertinent information, yet.
So it’s not odd. Why? Because, from WordPress themselves:
“The Security Team has spent some time analysing this vulnerability, and how it applies to WordPress. This vulnerability does not appear to be directly exploitable in WordPress Core, or any major plugins in the plugin directory. The wp_mail() function, which WordPress Core and most plugins use for sending email, blocks this vulnerability from being exploited.”
Unfortunately, when a “security” expert posts on Facebook, or anywhere for that matter, it doesn’t mean it’s worth getting upset about. Now they may say “we’re not trying to alarm you” and other nice stuff, but unless there is a reason that goes beyond “making you aware”, it’s probably not going to help you at all.