There's a lot of noise going around at the moment regarding a vulnerability in PHPMailer and SwiftMailer too.
There an attacker can control the from address
a script uses they can pass arbitrary arguments to the sendmail binary. The vulnerability does not touch the SMTP transport.
Today we published the newest release from the vendor packet of PHPMailer v.5.2.21. You can download it from WebsiteBaker Wiki
Please install this packet as soon as possible.