CVE-2025-13516 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the SureMail – SMTP and Email Logs Plugin for WordPress, versions up to and including 1.9.0. The root cause lies in the plugin's save_file() function located in inc/emails/handler/uploads.php, which duplicates all email attachments into a web-accessible directory (wp-content/uploads/suremails/attachments/) without validating file extensions or MIME types. Files are saved with predictable filenames generated from MD5 hashes of their content, enabling attackers to calculate the exact URL of uploaded files. While the plugin attempts to mitigate risk by placing an Apache .htaccess file to disable PHP execution in this directory, this protection is ineffective on web servers such as nginx, IIS, Lighttpd, or on Apache servers with misconfigurations that ignore .htaccess directives. Consequently, an unauthenticated attacker can upload a malicious PHP file through any public form that sends email attachments, then access the file directly to execute arbitrary PHP code on the server. This results in remote code execution (RCE) with full control over the affected system. The vulnerability requires no authentication or user interaction, making it highly exploitable. The CVSS v3.1 base score is 8.1 (High), reflecting the network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability poses a severe risk to WordPress sites using this plugin, especially those hosted on non-Apache or improperly configured servers. The lack of patch links indicates that a fix may not yet be available, underscoring the urgency for mitigations or vendor updates.

This vulnerability allows unauthenticated remote attackers to achieve full remote code execution on affected WordPress sites running the SureMail plugin. Successful exploitation compromises the confidentiality, integrity, and availability of the web server and potentially the entire hosting environment. Attackers can execute arbitrary commands, deploy malware, pivot within the network, steal sensitive data, or deface websites. The predictable filename scheme and lack of file type validation significantly lower the barrier to exploitation. Organizations relying on SureMail for email logging and SMTP integration face risks of service disruption, data breaches, and reputational damage. The impact is exacerbated on servers running nginx, IIS, Lighttpd, or misconfigured Apache, where the protective .htaccess file is ineffective. Given WordPress's widespread use globally, this vulnerability could be leveraged in large-scale attacks targeting websites, especially those with public-facing forms that accept attachments. The absence of authentication and user interaction requirements increases the likelihood of automated exploitation attempts. Overall, this vulnerability represents a critical threat to organizations using the affected plugin, potentially leading to full system compromise and downstream impacts on business operations.

Until an official patch is released, organizations should implement the following mitigations: 1) Restrict or disable public forms that accept email attachments to prevent malicious file uploads. 2) Configure web servers to explicitly deny execution of PHP or other script files in the wp-content/uploads/suremails/attachments/ directory, using server-specific directives (e.g., nginx 'location' blocks with 'deny all' or 'return 403', IIS request filtering rules, or Lighttpd configuration). 3) Implement web application firewall (WAF) rules to detect and block requests attempting to upload or access suspicious files in the attachments directory. 4) Monitor the uploads directory for unexpected or executable files and remove any suspicious content immediately. 5) Limit file upload types and enforce strict validation on any forms that handle attachments, ideally blocking executable file extensions and verifying MIME types. 6) Harden WordPress installations by restricting file permissions and disabling PHP execution in upload directories globally where possible. 7) Maintain comprehensive logging and alerting to detect exploitation attempts. 8) Plan for rapid deployment of vendor patches once available and test updates in staging environments before production rollout. These targeted mitigations address the specific weaknesses exploited by this vulnerability and reduce the attack surface effectively.