For our final release of 2016 we bring you ExpressionEngine 3.4.7 and 2.11.5. While this is a patch release it is also our response to the recent PHPMailer remote code execution exploit, which is symptomatic of a broader issue in PHP’s architecture.
ExpressionEngine itself was not vulnerable, but we hardened our email library so it’s not dependent on other aspects of the application to remain protected. This also protects third-party add-ons that are using our email library. We have noticed that some add-ons ship with their own PHP email libraries like PHPMailer, Swift Mailer, etc., so if you are running any add-ons that use those you will need to make sure that you update them to ensure your site is safe.