CVE-2016-10033: WordPress 4.6 RCE Vulnerability

WordPress (WP) is a free and open source CMS for managing a website, blog, and other content on the Internet that was first released on May 27, 2003. Today, WordPress is used on over 75 million sites and is still based on PHP and MySQL and can either be installed on a web server or used though a WordPress hosting service like
One of the biggest attractions is the ease of creating new posts after WordPress has been installed without having to know a lot about HTML. Also, WordPress has a great community and thousands of themes, plugins, and is available in many languages.

This advisory reveals details of exploitation of the PHPMailer vulnerability (CVE-2016-10033) in WordPress Core which (contrary to what was believed and announced by WordPress security team) was affected by the vulnerability.

The Remote Code Execution attack could be used by unauthenticated remote attackers to gain instant access to the target server on which a vulnerable WordPress core version was installed in its default configuration which could lead to a full compromise of the target application server. No plugins or non-standard settings are required to exploit the vulnerability.

This advisory reveals new exploitation vectors for PHP mail() function discovered by the author that allow to exploit the vulnerability on a most popular MTA (Mail Transfer Agent) – Exim which can be found installed by default on many system such as Debian or Ubuntu, as opposed to rarely used Sendmail MTA that has been thought to be a requirement for mail() injection attacks to date.

Due to critical severity of this vulnerability, the disclosure of new exploitation vectors that increase the range of this type of attacks, and the ease of mass exploitation, the release of this advisory was delayed by an extended period of time to allow WordPress and other potentially affected software vendors enough time to update affected mail libraries. The release was also delayed to allow WordPress team more time for patching another WordPress vulnerability (CVE-2017-8295) which will be described in detail in a separate advisory shortly.


Exploit :


More info, visit here.

Update 5/17/2017

Now, you can use Metasploit to exploit this vulnerability.

  1. Update your Metasploit Framework
    apt-get update && apt-get upgrade


  2.   Use /exploits/unix/webapp/wp_phpmailer_host_header module
    msf exploit(wp_phpmailer_host_header) > info

    Name: WordPress PHPMailer Host Header Command Injection
    Module: exploit/unix/webapp/wp_phpmailer_host_header
    Platform: Linux
    Privileged: No
    License: Metasploit Framework License (BSD)
    Rank: Average
    Disclosed: 2017-05-03

    Provided by:
    Dawid Golunski
    wvu <>

    Available targets:
    Id Name
    -- ----
    0 WordPress 4.6 / Exim

    Basic options:
    Name Current Setting Required Description
    ---- --------------- -------- -----------
    Proxies no A proxy chain of format type:host:port[,type:host:port][...]
    RHOST yes The target address
    RPORT 80 yes The target port (TCP)
    SRVHOST yes The local host to listen on. This must be an address on the local machine or
    SRVPORT 8080 yes The local port to listen on.
    SSL false no Negotiate SSL/TLS for outgoing connections
    SSLCert no Path to a custom SSL certificate (default is randomly generated)
    TARGETURI / yes The base path to the wordpress application
    USERNAME admin yes WordPress username

    Payload information:

    This module exploits a command injection vulnerability in WordPress
    version 4.6 with Exim as an MTA via a spoofed Host header to
    PHPMailer, a mail-sending library that is bundled with WordPress. A
    valid WordPress username is required to exploit the vulnerability.
    Additionally, due to the altered Host header, exploitation is
    limited to the default virtual host, assuming the header isn't
    mangled in transit. If the target is running Apache 2.2.32 or 2.4.24
    and later, the server may have HttpProtocolOptions set to Strict,
    preventing a Host header containing parens from passing through,
    making exploitation unlikely.


    msf exploit(wp_phpmailer_host_header) >