
CVE-2025-13516: CWE-434 Unrestricted Upload of File with Dangerous Type in brainstormforce SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers

Severity: High
Published: Tue Dec 02 2025 (12/02/2025, 08:24:54 UTC)
Source: CVE Database V5
Vendor/Project: brainstormforce
Product: SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers

Description

The SureMail – SMTP and Email Logs Plugin for WordPress is vulnerable to Unrestricted Upload of File with Dangerous Type in versions up to and including 1.9.0. This is due to the plugin's save_file() function in inc/emails/handler/uploads.php, which duplicates all email attachments to a web-accessible directory (wp-content/uploads/suremails/attachments/) without validating file extensions or content types. Files are saved with predictable names derived from MD5 hashes of their content. While the plugin attempts to protect this directory with an Apache .htaccess file to disable PHP execution, this protection is ineffective on nginx, IIS, and Lighttpd servers, or on misconfigured Apache installations. This makes it possible for unauthenticated attackers to achieve Remote Code Execution by uploading malicious PHP files through any public form that emails attachments, calculating the predictable filename, and directly accessing the file to execute arbitrary code, provided the site is running on an affected web server configuration.

AI-Powered Analysis

Last updated: 12/02/2025, 14:19:26 UTC

Technical Analysis

The SureMail – SMTP and Email Logs Plugin for WordPress, used to facilitate SMTP email sending and logging with providers like Amazon SES and Postmark, contains a critical vulnerability (CVE-2025-13516) classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The root cause lies in the plugin's save_file() function located in inc/emails/handler/uploads.php, which duplicates all email attachments into a web-accessible directory (wp-content/uploads/suremails/attachments/) without validating the file extension or content type. This means any file type, including executable PHP scripts, can be uploaded. The plugin attempts to mitigate risk by placing an Apache .htaccess file in the directory to disable PHP execution. However, this mitigation is ineffective on web servers that do not process .htaccess files, such as nginx, IIS, Lighttpd, or on Apache servers with improper configuration. Since the filenames are derived predictably from the MD5 hash of the file content, an attacker can upload a malicious PHP payload via any public form that accepts email attachments, compute the expected filename, and then directly access the file URL to execute arbitrary code on the server. This results in unauthenticated remote code execution (RCE), compromising confidentiality, integrity, and availability of the affected system. The vulnerability affects all versions up to and including 1.9.0. The CVSS v3.1 score is 8.1, indicating high severity with network attack vector, no privileges or user interaction required, and full impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the ease of exploitation and potential impact make this a critical threat to WordPress sites using this plugin, especially those on non-Apache or misconfigured Apache servers.

Potential Impact

For European organizations, this vulnerability poses a significant risk, particularly for those running WordPress sites with the SureMail plugin on web servers other than properly configured Apache. Successful exploitation can lead to full remote code execution, allowing attackers to take over affected web servers, steal sensitive data, modify or delete content, deploy malware, or use compromised servers as pivot points for further network intrusion. This can result in data breaches, service disruptions, reputational damage, and regulatory non-compliance under GDPR. Organizations relying on email logging and SMTP integration via this plugin are at risk of having their email systems compromised, potentially impacting business communications and customer trust. The threat is amplified for entities with public-facing WordPress sites that accept email attachments, such as e-commerce, media, and government portals. Given the widespread use of WordPress across Europe and the popularity of SMTP plugins, the potential attack surface is substantial. The lack of authentication and user interaction requirements lowers the barrier for attackers, increasing the likelihood of exploitation if unmitigated.

Mitigation Recommendations

1. Immediate update or patching: Check for and apply any official patches or updates from Brainstormforce addressing this vulnerability. If no patch is available, consider disabling the SureMail plugin until a fix is released.
2. Server configuration hardening: Ensure that the web server properly restricts execution of PHP or other executable files in the uploads directory. For non-Apache servers like nginx, IIS, or Lighttpd, explicitly configure rules to deny execution of scripts in the wp-content/uploads/suremails/attachments/ directory.
3. Input validation: Implement additional validation on file uploads to restrict allowed file types and verify content types before saving attachments.
4. File storage isolation: Consider storing email attachments outside the web root or in locations inaccessible via direct URL to prevent direct access.
5. Monitoring and detection: Deploy file integrity monitoring and web application firewalls (WAF) to detect suspicious uploads or access patterns targeting the attachments directory.
6. Access controls: Restrict public access to the attachments directory where feasible, using authentication or IP whitelisting.
7. Incident response readiness: Prepare to investigate and remediate potential compromises by reviewing logs and scanning for web shells or unauthorized files.
8. Administrator awareness: Educate site administrators about the risks of using plugins that handle file uploads without proper validation and encourage regular security audits.
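As an added illustration of steps 3 and 4 (not SureMail's own save_file() and not a patch from Brainstormforce), the PHP below shows one way to store an incoming attachment safely: the extension is checked against an allowlist, the real content type is sniffed and must match, the stored name is random rather than an MD5 of the content, and the file lands in a directory outside the web root so nothing depends on .htaccess. The function name, the allowlist, and the $storageDir location are assumptions made for this example.

```php
<?php
// Added example: a hardened attachment-store routine, not the plugin's code.
declare(strict_types=1);

// Allowed extensions and the MIME types each must actually sniff as (assumed list).
const SAFE_ATTACHMENT_TYPES = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'txt'  => ['text/plain'],
    'csv'  => ['text/plain', 'text/csv'],
];

/**
 * Copy a received attachment into private storage and return its path.
 *
 * @param string $tmpPath      Path of the received attachment data.
 * @param string $originalName Client-supplied filename (untrusted).
 * @param string $storageDir   Directory OUTSIDE the web root (assumed),
 *                             e.g. dirname(ABSPATH) . '/suremails-private'.
 * @throws RuntimeException when the attachment is rejected.
 */
function suremails_safe_save_attachment(string $tmpPath, string $originalName, string $storageDir): string
{
    // 1. Allowlist on the final extension only: "shell.php", "x.phtml" and "a.pdf.php" all fail here.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(SAFE_ATTACHMENT_TYPES[$ext])) {
        throw new RuntimeException("Attachment type '$ext' is not allowed");
    }

    // 2. Sniff the real content: PHP source renamed to "shell.png" reports text/x-php, not image/png.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, SAFE_ATTACHMENT_TYPES[$ext], true)) {
        throw new RuntimeException("Content type does not match extension '$ext'");
    }

    // 3. Random name: the path cannot be derived from the file's contents.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;

    // 4. Private directory, owner-only permissions, file never executable.
    if (!is_dir($storageDir) && !mkdir($storageDir, 0700, true)) {
        throw new RuntimeException("Cannot create storage directory");
    }
    $dest = $storageDir . DIRECTORY_SEPARATOR . $name;
    if (!copy($tmpPath, $dest)) {
        throw new RuntimeException("Failed to store attachment");
    }
    chmod($dest, 0600);
    return $dest;
}
```

Because the file is kept outside the document root, serving it (for example from the email log UI) must go through an authenticated PHP handler that reads it from $storageDir, which is the point of step 4.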


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-11-21T18:57:45.563Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 692ef5303a1612a9372cbaba

Added to database: 12/2/2025, 2:18:24 PM

Last enriched: 12/2/2025, 2:19:26 PM

Last updated: 12/2/2025, 4:32:38 PM

