An independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.
To exploit the vulnerability, an attacker could target common website components, such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.
Note: Roundcube, Horde and Mailman are not affected by this vulnerability.
This vulnerability has been patched in PHPMailer 5.2.18. All versions of PHPMailer before the critical release of PHPMailer 5.2.18 are affected, it is strongly recommended to update to the patched release.
Plesk itslef does not use PHPMailer, however, many web-applications, like WordPress, Drupal, 1CRM, SugarCRM, Yii, and Joomla use PHPMailer library for sending emails.
Here are vulnerability statuses for the most popular applications:
WordPress 4.7.1 with security fixes is released.
APS package provided by Plesk was updated to 4.7.1: https://dev.apsstandard.org/apps/1.2/wordpress.org/WordPress/Plesk/.
Drupal core is not affected. If PHPMailer is not being used as a 3rd-party library, there is nothing to do.
However, if there are Drupal modules installed which use PHPMailer, update it to version 5.2.18 or higher as soon as possible. Please check PHPmailer 3rd party library -- DRUPAL-SA-PSA-2016-004 for the details.
No action is required for Joomla users. The updated library will be included to the next scheduled release and additional mechanisms exist in Joomla core to prevent triggering the vulnerability.
If Joomla extensions are using PHPMailer, it has to be updated to version 5.2.18 or higher.
Check  - PHPMailer Security Advisory for the details.
Moodle contains vulnerable PHPMailer 5.2.14 (in Moodle 3.1.3-83 packaged by Plesk) or 5.2.16 (in Moodle 3.2) - PHPMailer vulnerability has been reported - [CVE-2016-10033] PHPMailer < 5.2.18 Remote Code Execution.
Moodle 3.2.1 and 3.1.4 with security fixes is released.
APS package provided by Plesk was updated to 3.1.4: https://dev.apsstandard.org/apps/1.2/moodle.org/moodle/Plesk/