The fragile PHP ecosystem continues to break down with holes like this. To be fair, this is a PHPMailer vulnerability. However this is likely to affect a large chunk of PHP sites as “PHPMailer continues to be the world’s most popular transport class, with an estimated 9 million users worldwide”.
An independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.
Source: PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass