CVE-2025-13516: CWE-434 Unrestricted Upload of File with Dangerous Type in brainstormforce SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers

Severity: High
Tags: Vulnerability, CVE-2025-13516, CWE-434
Published: Tue Dec 02 2025 (12/02/2025, 08:24:54 UTC)
Source: CVE Database V5
Vendor/Project: brainstormforce
Product: SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers

Description

CVE-2025-13516 is a high-severity vulnerability in the SureMail SMTP and Email Logs WordPress plugin that allows unauthenticated attackers to upload malicious files without proper validation. The plugin saves email attachments to a web-accessible directory with predictable filenames derived from MD5 hashes, but does not validate file types or content. Although the plugin drops an Apache .htaccess file intended to block PHP execution in that directory, this protection is ineffective on nginx, IIS, Lighttpd, or Apache servers that do not honor .htaccess. Exploiting this flaw enables remote code execution by uploading a malicious PHP file and requesting it directly. No user interaction or authentication is required, but exploitation depends on the web server configuration. The vulnerability affects all versions up to and including 1.9.0 and carries a CVSS score of 8.1, indicating high impact on confidentiality, integrity, and availability.

AI-Powered Analysis

Last updated: 12/09/2025, 14:36:40 UTC

Technical Analysis

The SureMail – SMTP and Email Logs Plugin for WordPress, up to and including version 1.9.0, contains a high-severity vulnerability (CVE-2025-13516) classified under CWE-434: Unrestricted Upload of File with Dangerous Type. The root cause is the plugin's save_file() function in inc/emails/handler/uploads.php, which copies every email attachment into a web-accessible directory (wp-content/uploads/suremails/attachments/) without validating the file extension or content type. Files are saved under predictable names generated from MD5 hashes of their content, so an attacker who controls the attachment bytes can compute the exact filename in advance.

The plugin attempts to mitigate this by placing an Apache .htaccess file in the directory to disable PHP execution. That control is ineffective on nginx, IIS and Lighttpd, which ignore .htaccess entirely, and on Apache installations that are misconfigured or whose AllowOverride setting does not allow the directives in that file to take effect. On such a server an unauthenticated attacker can submit a PHP file as an attachment through any public form that causes the site to send email with attachments, predict the resulting filename, and request it directly to execute arbitrary code. This is remote code execution (RCE) with no authentication and no user interaction.

The CVSS 3.1 base score is 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H): network attack vector, no privileges or user interaction required, and high impact on confidentiality, integrity and availability; the high attack complexity reflects the dependence on the server configuration and on an attachment-forwarding form being present. No exploitation in the wild had been reported at the time of analysis, but the risk remains significant because, once those preconditions are met, exploitation is straightforward. All versions up to and including 1.9.0 are affected; the plugin is used in WordPress environments that send mail through Amazon SES, Postmark and other providers.
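To make the two halves of the finding concrete, the following PHP is an added illustration, not code from SureMail or its vendor. save_file_unsafe() reproduces only the pattern the analysis describes (attachment copied under the web root, filename derived from an MD5 hash of the content, no type check); save_file_hardened() shows one way to close each gap: an extension allowlist, a content sniff that must agree with the extension, an unpredictable name from a CSPRNG, exclusive-create to avoid overwrites, and storage in a directory that is assumed to sit outside the document root. All directory paths, sample files and the allowlist contents are assumptions for the demo.

```php
<?php
// Added illustrative example, not SureMail's code. Paths and sample inputs are constructed.
declare(strict_types=1);

function save_file_unsafe(string $uploads_dir, string $original_name, string $contents): string
{
    // Attacker-controlled extension is kept and the name is computable: md5(contents).
    $ext  = pathinfo($original_name, PATHINFO_EXTENSION);
    $path = rtrim($uploads_dir, '/') . '/' . md5($contents) . ($ext === '' ? '' : '.' . $ext);
    file_put_contents($path, $contents);   // web-accessible if $uploads_dir is under the document root
    return $path;
}

// Extension allowlist mapped to the MIME types libmagic is expected to report (assumed set).
const ATTACHMENT_TYPES = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'txt'  => ['text/plain'],
];

function save_file_hardened(string $private_dir, string $original_name, string $contents): string
{
    // 1. Allowlist the final extension ("x.php.png" is judged as png; the web server
    //    must still refuse to execute anything in this directory).
    $ext = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    if (!isset(ATTACHMENT_TYPES[$ext])) {
        throw new InvalidArgumentException("extension .{$ext} is not an allowed attachment type");
    }
    // 2. Sniff the bytes: a PHP file renamed to .txt is reported as text/x-php, not text/plain.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($contents);
    if (!in_array($mime, ATTACHMENT_TYPES[$ext], true)) {
        throw new InvalidArgumentException("content type {$mime} does not match .{$ext}");
    }
    // 3. Unpredictable name from a CSPRNG, not a hash the attacker can precompute.
    $path = rtrim($private_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // 4. $private_dir is assumed to be outside the document root; files are handed out
    //    by a download handler that sets Content-Disposition, never by direct URL.
    // 5. 'x' mode fails if the name already exists instead of silently overwriting.
    $fh = fopen($path, 'x');
    if ($fh === false) {
        throw new RuntimeException('could not create attachment file');
    }
    fwrite($fh, $contents);
    fclose($fh);
    chmod($path, 0640);
    return $path;
}

// Demo with constructed inputs (no plugin or mail flow involved).
$dir = sys_get_temp_dir() . '/suremail-hardened-demo';
if (!is_dir($dir)) {
    mkdir($dir, 0750, true);
}
$samples = [
    'report.txt' => "Quarterly figures attached.\n",   // legitimate, accepted
    'shell.php'  => "<?php echo 'x'; ?>",              // rejected by extension allowlist
    'shell.txt'  => "<?php echo 'x'; ?>",              // rejected by content sniff
];
foreach ($samples as $name => $body) {
    try {
        echo "$name -> stored as " . basename(save_file_hardened($dir, $name, $body)) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "$name -> rejected: " . $e->getMessage() . "\n";
    }
}
```

The allowlist-plus-sniff check is defence in depth, not a substitute for the web-server rule: a polyglot file that libmagic classifies as an image can still contain PHP, so the directory must never be handed to a PHP handler regardless of what is stored in it. Random names also remove the attacker's ability to locate a file even where some other path makes the directory browsable.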

Potential Impact

For European organizations, this vulnerability poses a serious threat as it allows unauthenticated remote attackers to execute arbitrary code on web servers running the vulnerable SureMail plugin. This can lead to full system compromise, data theft, defacement, or use of the compromised server as a pivot point for further attacks within the network. The impact on confidentiality is critical as attackers can access sensitive email attachments and potentially other data on the server. Integrity is compromised because attackers can modify or inject malicious content, and availability can be disrupted by attackers executing destructive payloads or ransomware. Organizations relying on WordPress for their web presence and using SureMail to handle email logs and SMTP integration are at risk, especially if their infrastructure uses nginx, IIS, Lighttpd, or misconfigured Apache servers that do not enforce .htaccess restrictions. This vulnerability could also facilitate lateral movement and persistence within corporate networks. The lack of authentication and user interaction requirements increases the attack surface, making automated exploitation feasible. Given the widespread use of WordPress and the plugin’s integration with popular email providers, the threat is significant for European businesses, particularly those in sectors with high regulatory requirements for data protection such as finance, healthcare, and government.

Mitigation Recommendations

1. Update the SureMail plugin to a patched version as soon as the vendor releases one, so that attachments are validated and stored safely.
2. If patching is not immediately possible, restrict file uploads with server-side validation that allows only safe file types and rejects executable or script files.
3. Harden the web server so that PHP and other scripts cannot execute in the uploads directory regardless of any .htaccess file: add explicit rules for nginx, IIS and Lighttpd, and on Apache place the rule in the main server configuration rather than relying on .htaccess, which is only read when AllowOverride permits it.
4. Use a web application firewall (WAF) to detect and block suspicious attachment uploads and requests for script files under wp-content/uploads.
5. Monitor the uploads directory for unexpected or suspicious files and alert on anomalous activity.
6. Limit public forms that accept email attachments, or disable attachment uploads where they are not strictly necessary.
7. Conduct regular security audits and penetration tests that cover file upload functionality.
8. Educate development and operations teams about secure file handling and the risk of relying solely on .htaccess for security.
9. Apply strict access controls and network segmentation on web servers to limit the impact of a compromise.
10. Back up critical data regularly and keep tested recovery plans in place.
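Recommendation 3 is the control that closes the RCE path on servers that ignore .htaccess. The following nginx server block is an added hardening example, not configuration shipped by the plugin or vendor; it assumes WordPress at /var/www/html served by php-fpm over /run/php/php-fpm.sock, and the server name is a placeholder. It refuses script extensions under the plugin's attachment directory and under wp-content/uploads generally, and serves whatever else is in the attachment directory as an opaque download.

```nginx
# Added hardening example (not from the plugin or vendor). Paths are assumptions.
server {
    listen 80;
    server_name wp.example;            # placeholder
    root /var/www/html;
    index index.php;

    # The plugin's attachment directory. "^~" makes this prefix match final, so the
    # generic "\.php$" handler below can never be selected for these paths.
    location ^~ /wp-content/uploads/suremails/attachments/ {
        # Refuse anything a PHP handler would otherwise execute.
        location ~* \.(php|phtml|phar|php[0-9])$ {
            return 403;
        }
        # Serve everything else as an opaque download, never interpreted.
        types { }
        default_type application/octet-stream;
        add_header Content-Disposition "attachment";
        add_header X-Content-Type-Options "nosniff";
    }

    # Same rule for the rest of wp-content/uploads. It must precede the "\.php$"
    # location because nginx picks the first matching regex location in file order.
    location ~* ^/wp-content/uploads/.*\.(php|phtml|phar|php[0-9])$ {
        return 403;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;           # no path-info tricks such as /x.png/y.php
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Check the syntax with `nginx -t`, reload, then confirm that a request for a harmless test file you place at /wp-content/uploads/suremails/attachments/probe.php returns 403 rather than executing. On Apache with `AllowOverride None`, the equivalent belongs in httpd.conf: a `<Directory "/var/www/html/wp-content/uploads">` block containing `<FilesMatch "\.(php|phtml|phar)$"> Require all denied </FilesMatch>`. IIS and Lighttpd need their own handler-mapping or `url.access-deny` rules for the same path; the point in every case is that the rule lives in server configuration the plugin cannot influence.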


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-11-21T18:57:45.563Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 692ef5303a1612a9372cbaba

Added to database: 12/2/2025, 2:18:24 PM

Last enriched: 12/9/2025, 2:36:40 PM

Last updated: 1/16/2026, 10:16:06 PM

Views: 148
