No details on what the actual issue was, but I think it's fixed in this commit[1]. Seems like the escapeshellargs addition is the important bit.
Sigh
It seems a bit... odd... to try and embargo/withhold information about a vulnerability when the fix is publicly available on their github for anybody to see.
That added call to escapeshellarg sanitizes the "From" address before passing it to PHP's mail() function as an additional parameter. That function will invoke a preconfigured executable (sendmail or a compatible wrapper) and pass that parameter to it along with the rest of the email data. It is worth noting that:
1) PHPMailer can be configured to send mail through raw SMTP, by directly invoking sendmail, or by calling PHP's mail() function. The changes in this commit only affect the last mode.
2) The "From" address is typically chosen by the site operator/server administrator, not customizable by a site visitor. I have built sites with "share this page with a friend" functionality that sent email from one given email address to another, but this practice seems to have fallen out of favour when SPF became popular.
Perhaps "limited advisories" are always damaging because they can lead users to think not everyone "knows" about the vuln and thus that they have extra time to patch, whereas most people who understand the issues generally won't have much trouble finding the exploit once they have a clue of where to look (especially in code like this).
But, if something comes into the mail server via SMTP, it's gonna be protected by the mail servers own defenses. Unless the MTA also has a similar vulnerability, it wouldn't be dangerous in the SMTP case. Right? Or are you saying just the PHP mail() function is similarly exploitable?
Sigh
It seems a bit... odd... to try and embargo/withhold information about a vulnerability when the fix is publicly available on their github for anybody to see.
1. https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fb...