PHPMailer Security?

User 454373 (Registered User, 14 posts):
I searched, but see no mention of this. I am curious as to whether there will be -- or if there even needs to be -- an update to the existing PHPMailer in Web Form Builder (and/or possibly RED?) to PHPMailer 5.2.18 because of the recent security bug discovery: https://www.bleepingcomputer.com/news/s … hp-script/

Thanks! And as I've said many times, I love the products!
User 2196221 (Registered User, 15 posts):
Agree - I've been contacted by the server company that hosts a charity web-site I am responsible for and they have requested that the 'Web Form Builder' files are removed immediately.
I'd appreciate some thought being given to the problem.
Thanks.
User 103173 (VP of Software Development, 0 posts):
Form Builder does not come bundled with PHPMailer. It uses what is installed on the server. All your hosting provider has to do is patch their system and you will be good to go.

Press your hosting provider hard to get their systems patched if they have not already done so. Just to say once more, Web Form Builder does not have any security holes in this regard. It is the server itself that needs to address this issue. ;)
Learn the essentials with these quick tips for Responsive Site Designer, Responsive Email Designer, Foundation Framer, and the new Bootstrap Builder. You'll be making awesome, code-free responsive websites and newsletters like a boss.
User 2196221 (Registered User, 15 posts):
Many thanks for the quick reply and apologies for the confusion caused.
I've contacted the hosting company requesting that, hopefully, they sort the PHPMailer upgrade on their server.
User 2196221 (Registered User, 15 posts):
Hi Scott,
Further to my previous post, I've received the following query from the server host:-
File in question is 'cartapp_v1/phppro/class.phpmailer.php
As you can see, the filename includes phpmailer but is NOT the usual class.phpmailer.php. So it is possible they just used a very similar name for something that does the same thing but isn’t actually phpmailer. If so, that’s great and you can put them back if need be.'

Appreciate your confirmation on the question raised.

Thanks
User 103173 (VP of Software Development, 0 posts):
That is only a configuration file which calls PHPMailer. Open the file in any text editor and you can view the contents.

Form Builder does not come bundled with PHPMailer. It uses what is installed on the server. All your hosting provider has to do is patch their system and you will be good to go.
User 2196221 (Registered User, 15 posts):
Unfortunately I'm getting the following response from the hosting company:-
'That attached file (phpmailer.cls.php) is most definitely phpmailer version 5.1 and is vulnerable.
So we are back to square one here. I’m confused.
There were three files in all:
1. contact form/fbapp/php/phpmailer.cls.php
2. /fbapp/php/phpmailer.cls.php
3. paypal/cartapp_v1/phppro/class.phpmailer.php

Number 3) was most definitely phpmailer. Note the name is class.phpmailer.php – that’s the “standard” name for the phpmailer file.
But 1) and 2) - and the file you attached - was called phpmailer.cls.php which is different. But the content is most definitely phpmailer and most definitely vulnerable.'

User 103173 (VP of Software Development, 0 posts):
Ok, so I had to do a bit more digging. The phpmailer.cls.php (and class.phpmailer.php) files are only used if you are using custom SMTP server settings. So if you are not using them, this file is not used and the PHPMailer that is installed on the server is used instead. You can even delete that file if you wish as it serves no other function.
User 2796854 (Registered User, 44 posts):
Scott Swedorski wrote:
Ok, so had to do a bit more digging. The phpmailer.cls.php (and class.phpmailer.php) files are only used if you are using custom SMTP server settings. So if you are not using them, this file is not used and instead PHPMailer that is installed on the server is. You can even delete that file if you wish as it serves no other function.

Hi Scott,

So is phpmailer.cls.php just a configuration file and not an issue for those using a custom SMTP server setting?

Thanks!

Tim

User 103173 (VP of Software Development, 0 posts):
It is the PHPMailer script (v 5.1). If you are not using custom SMTP settings, this file is not being used and can even be deleted. It is only used when custom SMTP settings are enabled.

Since this impacts only a small percentage of our user base, we most likely will not have any patch as we are already working on an update to WFB. More info on that will be posted as we get closer to the release.

If you do fall in the small bracket of users that need custom SMTP settings, our recommendation would be to switch to hosting your forms on S-Drive where this would not be a problem.
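The thread comes down to one question the hosting company answered by hand: which files under the web root are actually copies of PHPMailer (whatever they are named), and which version each one carries. The script below is an added example, not code from this thread or from Web Form Builder, that answers it from file contents rather than file names. It assumes that a PHPMailer class file declares `class PHPMailer` and a `$Version` property (as the 5.x class file does), treats 5.2.18 from the first post as the patched baseline, and runs against a constructed sample tree that mirrors the layout quoted above.

```python
import os
import re
import tempfile

# Assumption for this example: PHPMailer 5.2.18 (the version named in the
# thread) is the patched baseline; anything older is reported.
PATCHED_VERSION = (5, 2, 18)

# PHPMailer's class file declares `class PHPMailer` and a `$Version`
# property such as `public $Version = '5.1';`. The scanner keys on content,
# never on the file name, because the bundled copy in the thread was named
# phpmailer.cls.php rather than the usual class.phpmailer.php.
CLASS_RE = re.compile(r"\bclass\s+PHPMailer\b")
VERSION_RE = re.compile(r"""\$Version\s*=\s*['"]([0-9]+(?:\.[0-9]+)*)['"]""")


def parse_version(text):
    """'5.2.18' -> (5, 2, 18) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def inspect_file(path):
    """Return the version tuple if the file is a PHPMailer class file,
    () if it is PHPMailer but the version could not be read, or None if
    the file is not PHPMailer at all (or cannot be opened)."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    except OSError:
        return None
    if not CLASS_RE.search(content):
        return None
    match = VERSION_RE.search(content)
    return parse_version(match.group(1)) if match else ()


def scan_tree(root):
    """Walk the web root and map each PHPMailer copy (path relative to root,
    '/'-separated) to (version, needs_update). An unreadable version is
    reported as needing review rather than silently passed."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            version = inspect_file(full)
            if version is None:
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings[rel] = (version, version == () or version < PATCHED_VERSION)
    return findings


def build_sample_tree(root):
    """Constructed sample layout echoing the thread: one old bundled copy,
    one current copy, and a config file that merely mentions the file name."""
    samples = {
        "fbapp/php/phpmailer.cls.php":
            "<?php\nclass PHPMailer {\n  public $Version = '5.1';\n}\n",
        "vendor/phpmailer/class.phpmailer.php":
            "<?php\nclass PHPMailer {\n  public $Version = '5.2.18';\n}\n",
        "fbapp/php/config.php":
            "<?php\n// settings; includes phpmailer.cls.php when SMTP is on\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, (version, needs_update) in sorted(demo().items()):
        shown = ".".join(map(str, version)) if version else "unknown"
        print(f"{path}: PHPMailer {shown} -> {'UPDATE' if needs_update else 'ok'}")
```

Against a real site, call `scan_tree("/path/to/htdocs")` instead of `demo()`. Every hit is a copy that needs the host's patch or, as Scott says above, can be deleted where custom SMTP settings are not in use; the scan only tells you which copies exist and how old they are, not which code path the form actually takes.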