Changelog 2016-12-27 --SECURITY BULLETIN--
• PHPMailer -Updated PHPMailer library from 5.2.16 to version 5.2.19
To exploit this vulnerability, an attacker would need to be able to pass user input to a message’s “from” address. UBB.threads is not affected by this issue since email is only ever sent from the configured Forum Email Address and does not allow for user input to be set elsewhere.
In addition, the send-to addresses are always checked that sendmail path exists and validated as correct email format, as well as being escaped, prior to being stored in the database or passed on to PHPMailer. Emailing a post/message goes through several steps of validation prior to being sent, and will not be passed to PHPMailer if the validation does not pass.
NOTES: All versions of the third-party PHPMailer library distributed with UBB.threads versions within the 7.5.x series and prior, are vulnerable to a remote code execution vulnerability. This is patched in PHPMailer 5.2.18 which will be included with UBB.threads 7.6.0.
If you are using the PHPMailer library included within your UBB.threads package to handle any additional or custom (unsupported) scripts, you should manually update your PHPMailer library to version 5.2.18 or newer. https://github.com/PHPMailer/PHPMailer
For reference, UBB.threads 7.5.x uses PHPMailer 2.0.2.