The SureMail plugin's save_file() function duplicates email attachments to wp-content/uploads/suremails/attachments/ without validating file extensions or content types. Files are named using MD5 hashes of their content, making filenames predictable. The plugin attempts to block PHP execution in this directory using an Apache .htaccess file, but this measure is ineffective on non-Apache or misconfigured servers. Consequently, attackers can upload malicious PHP files through any public form that sends email attachments, then access these files directly to achieve remote code execution on vulnerable WordPress sites.

Successful exploitation results in remote code execution with no authentication required, allowing attackers to execute arbitrary code on the affected server. This can lead to full site compromise, data theft, or further network penetration. The vulnerability is critical due to the ability to execute code remotely and the lack of required privileges or user interaction.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should verify their web server configuration to ensure that execution of PHP files is disabled in the wp-content/uploads/suremails/attachments/ directory. On non-Apache servers or misconfigured Apache servers, additional manual restrictions should be applied to prevent execution of uploaded files. Consider disabling or restricting the plugin's file upload features if possible until an official fix is released.