The developers of PHPMailer have patched a critical vulnerability that can be exploited by a remote attacker for arbitrary code execution, a researcher said on Sunday.