"Given the extreme criticality of this issue and the timing of its release we are issuing a Public Service Announcement to alert potentially affected Drupal site maintainers," the team said.
Because the initial fix can be bypassed and public exploit code is available, the vulnerability has zero-day status -- it is publicly known and unpatched. Furthermore, because the impact varies from website to website, depending on how PHPMailer is used, there's not easy way for webmasters to mitigate the problem without a thorough evaluation.
If they use PHPMailer directly in their website's code, they should upgrade the library to the latest patched version as soon as it's released. They should also determine if any of their site's contact, feedback, registration, email reset and other forms send out emails with the help of a vulnerable version of PHPMailer and if a potential attacker can input the sender email address.
If they use a content management system they should check its support website to determine if it's affected in its default configuration. Then they should asses the impact for any any third-party plug-ins or modules that they have installed and which might use PHPMailer on their own.
Sign up for Computerworld eNewsletters.