eval.blog

Untrusted code execution in PHPMailer

Reported a vulnerability in PHPMailer where a function could run unexpectedly while sending mail, leading to untrusted code execution.

The validateAddress function, used to validate email addresses, uses call_user_func to call a callable by the name passed to the function in its $patternselect argument. If no argument is passed, the function sets "php" as the default value of $patternselect on line 1337 (ironically). Because is_callable() accepts any string that names a defined function, a callable (function) named php that is present in the scope gets executed with the address as its argument instead of the built-in "php" validator being used.
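The following is an added example, not PHPMailer's own code: a minimal model of the dispatch described above, with the weak check beside a hardened one. The function names validateAddressWeak, validateAddressHardened and validateByName, the stand-in regular expression, and the sample address are assumptions made for the illustration; only the pattern name "php" and the use of call_user_func come from the post.

```php
<?php
// Added example (not PHPMailer's code): a model of the validateAddress dispatch.

// Constructed for the demo: a harmless user-defined function whose name
// collides with the default pattern name "php". In the weak variant, anything
// with this name is the function that ends up being invoked.
function php($address)
{
    echo "user-defined php() was called for $address\n";
    return true;
}

// Weak variant: the default pattern name is a plain string, and is_callable()
// is true for any string naming a defined function, so "php" is dispatched
// through call_user_func instead of reaching the pattern switch below.
function validateAddressWeak($address, $patternselect = null)
{
    if (null === $patternselect) {
        $patternselect = 'php';
    }
    if (is_callable($patternselect)) {
        return call_user_func($patternselect, $address);
    }
    return validateByName($address, $patternselect);
}

// Hardened variant (assumed fix, not the project's): only non-string callables
// (closures, invokable objects, [object, method] arrays) are dispatched
// dynamically; a string is always treated as a pattern name and resolved
// through the explicit switch, never through call_user_func.
function validateAddressHardened($address, $patternselect = null)
{
    if (null === $patternselect) {
        $patternselect = 'php';
    }
    if (is_callable($patternselect) && !is_string($patternselect)) {
        return call_user_func($patternselect, $address);
    }
    return validateByName($address, $patternselect);
}

// Shared pattern-name resolution with an explicit allow-list; unknown names
// fall back to the built-in filter rather than to anything dynamic.
function validateByName($address, $patternselect)
{
    switch ($patternselect) {
        case 'pcre':
            // Assumption: a deliberately simple pattern standing in for a
            // real regular-expression validator.
            return (bool) preg_match('/^[^@\s]+@[^@\s]+\.[^@\s]+$/', $address);
        case 'php':
        default:
            return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
    }
}

$address = 'user@example.com'; // constructed sample input

// Detection check a maintainer can run: if this is true, some loaded code
// defines a function called "php" and the weak variant would call it.
var_dump(is_callable('php'));

// Weak: prints the "was called" line, i.e. the user function ran.
var_dump(validateAddressWeak($address));

// Hardened: no dynamic call; the address goes through filter_var only.
var_dump(validateAddressHardened($address));

// A genuine callable still works with the hardened variant.
var_dump(validateAddressHardened($address, function ($a) {
    $suffix = '@example.com';
    return substr($a, -strlen($suffix)) === $suffix;
}));
```

Running the script shows the difference directly: the weak variant echoes the line from the user-defined php() before returning, while the hardened variant returns the filter_var result without ever reaching that function. The is_callable('php') probe at the top is the cheapest way to check whether a deployment is in the colliding state; the durable fix is the !is_string() guard, which keeps string arguments on the allow-listed path.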

References: