Cybersecurity Vulnerabilities

Urgent: Remote Code Execution Vulnerability in SureMail WordPress Plugin (CVE-2025-13516)

Overview

A critical security vulnerability, identified as CVE-2025-13516, has been discovered in the SureMail – SMTP and Email Logs plugin for WordPress. It allows unauthenticated attackers to achieve Remote Code Execution (RCE) on vulnerable sites. The flaw is an unrestricted upload of dangerous file types (CWE-434): the plugin writes email attachments to disk without checking what they are. Versions up to and including 1.9.0 are affected. All users of this plugin should take immediate action to mitigate this risk.

Technical Details

The vulnerability resides in the save_file() function within the inc/emails/handler/uploads.php file of the SureMail plugin. This function copies every email attachment into a publicly served directory under the web root: wp-content/uploads/suremails/attachments/. Critically, the function validates neither the file extension nor the content type before writing the file.

Files are saved under predictable names derived from the MD5 hash of their content, so whoever supplied the attachment can compute the resulting URL without any feedback from the server. The plugin tries to protect the directory with an Apache .htaccess file that disables PHP execution, but that file is only meaningful to Apache: nginx, IIS and Lighttpd never read .htaccess, so on those servers the directory has no protection at all, and even on Apache the directives are honoured only where AllowOverride permits them.

Therefore, an attacker can exploit this vulnerability by submitting a malicious PHP file as an attachment through any publicly reachable form whose submissions are sent as email through the plugin (for example a contact form with a file-upload field), calculating the predictable filename from the file's content, and then requesting the uploaded file directly in a web browser, which executes the attacker's code on the server.
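To make the defect concrete, here is an added example that is not SureMail's code: a simplified model of the unsafe attachment-saving pattern the advisory describes, beside a hardened version a developer would write instead. The directory paths, the extension allowlist and the sample files are assumptions for illustration; the plugin's real function signature is not shown on this page.

```php
<?php
// Added example, not the SureMail plugin's code: a simplified model of the
// unsafe pattern described above, next to a hardened version. Directory
// paths, the allowlist and the sample files are assumptions for illustration.
declare(strict_types=1);

// Unsafe pattern: the name is the MD5 of the content plus whatever extension
// the caller supplied, nothing checks the type, and the directory is served
// by the web server. Anyone who can get an attachment in knows the URL.
function save_attachment_unsafe(string $dir, string $originalName, string $content): string
{
    $ext  = pathinfo($originalName, PATHINFO_EXTENSION);
    $name = md5($content) . ($ext !== '' ? '.' . $ext : '');
    $path = rtrim($dir, '/') . '/' . $name;
    file_put_contents($path, $content, LOCK_EX);
    return $path;
}

// Extension allowlist paired with the MIME type libmagic must report for the
// bytes. Script-capable types (php, phtml, phar, html, svg, ...) stay off it.
const ATTACHMENT_ALLOWLIST = [
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

// Hardened pattern: extension allowlist, content sniffing that must agree with
// the extension, and a random name nobody can derive from the content.
// $dir should be outside the document root, or a directory the web server is
// configured never to execute PHP from; this function cannot fix a server
// that executes whatever lands in the uploads tree.
function save_attachment_hardened(string $dir, string $originalName, string $content): ?string
{
    $ext = strtolower(pathinfo(basename($originalName), PATHINFO_EXTENSION));
    if (!isset(ATTACHMENT_ALLOWLIST[$ext])) {
        return null;                          // unknown or script extension
    }
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->buffer($content);
    if ($detected !== ATTACHMENT_ALLOWLIST[$ext]) {
        return null;                          // bytes do not match the claimed type
    }
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // unguessable, unlike md5(content)
    $path = rtrim($dir, '/') . '/' . $name;
    if (file_put_contents($path, $content, LOCK_EX) === false) {
        return null;
    }
    return $path;
}

// Demonstration with constructed inputs (assumption: a scratch directory).
$dir = sys_get_temp_dir() . '/attachments-demo';
@mkdir($dir, 0750, true);

$script = "<?php echo 'executed'; ?>";        // constructed PHP payload
$pdf    = "%PDF-1.4\n%\xE2\xE3\xCF\xD3\n";     // constructed PDF header

// Unsafe: the script is stored under a name derivable from its bytes alone.
$stored = save_attachment_unsafe($dir, 'invoice.php', $script);
printf("unsafe stored %s (sender can predict %s)\n", $stored, md5($script) . '.php');

// Hardened: both attempts to smuggle the script are refused, the PDF is kept.
var_dump(save_attachment_hardened($dir, 'invoice.php', $script)); // NULL: extension not allowed
var_dump(save_attachment_hardened($dir, 'invoice.pdf', $script)); // NULL: libmagic sees text/x-php, not a PDF
$kept = save_attachment_hardened($dir, 'invoice.pdf', $pdf);
printf("hardened stored %s\n", $kept ?? 'rejected');
```

The two checks in the hardened version are deliberately independent: the allowlist blocks the obvious ".php" name, and the libmagic comparison blocks a PHP payload renamed to ".pdf". The random filename removes the second precondition of the attack, because without the MD5-derived name the attacker has no way to find the file even if it was written.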

CVSS Analysis

  • CVE ID: CVE-2025-13516
  • Severity: HIGH
  • CVSS Score: 8.1

A CVSS score of 8.1 signifies a high-severity vulnerability. The attack requires no authentication and no user interaction, and successful exploitation gives the attacker full control of the host, so confidentiality, integrity and availability are all rated high. The score stays below the 9.8 typical of unauthenticated RCE because the attack has preconditions that correspond to a high attack-complexity rating: a public form must route user-supplied attachments through the plugin, and the web server must not enforce the plugin's .htaccess.

Possible Impact

Successful exploitation of CVE-2025-13516 can have severe consequences, including:

  • Remote Code Execution (RCE): Attackers can execute arbitrary code on the affected server, allowing them to gain full control of the WordPress site.
  • Website Defacement: Attackers can modify the website’s content, redirect users to malicious sites, or inject malicious code into the site’s files.
  • Data Theft: Attackers can access sensitive data stored on the server, including user credentials, database information, and other confidential information.
  • Malware Distribution: Attackers can use the compromised server to host and distribute malware.
  • Backdoor Installation: Attackers can install persistent backdoors that keep access open even after the plugin itself has been patched.

Mitigation or Patch Steps

The primary mitigation step is to update the SureMail plugin immediately to a version later than 1.9.0. Check the WordPress plugin repository or the plugin's website for the current release. If an update cannot be applied yet, disable the plugin until it can be, keeping in mind that this stops mail delivery through it. Independently of the plugin version, make sure the web server refuses to execute PHP anywhere under wp-content/uploads/, because the plugin's own .htaccess protection only ever applied to Apache. Finally, an update does not remove files that were already planted: inspect wp-content/uploads/suremails/attachments/ for files with script extensions or PHP tags, and treat any such file as evidence of compromise rather than cleaning it up quietly.
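As an added example that is not part of the advisory or the plugin, here is the nginx equivalent of the protection the plugin's .htaccess tries to provide. It assumes a stock WordPress layout served by nginx with PHP-FPM; the socket path is an assumption. The two fragments are alternatives for the same server block, shown side by side, not one file.

```nginx
# --- Weak (before) ---
# One catch-all PHP location. Any URI ending in .php, including files under
# wp-content/uploads/, is handed to PHP-FPM. The plugin's .htaccess changes
# nothing here, because nginx never reads .htaccess files.
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption: your PHP-FPM socket
}

# --- Corrected (after) ---
# Regex locations are evaluated in order of appearance and the first match
# wins, so the deny rule must sit above the catch-all PHP location.
location ~* ^/wp-content/uploads/.*\.(php|phtml|phar|phps|php[0-9])$ {
    deny all;
}

# try_files makes nginx insist the requested script exists as-is, which
# also defeats path-info tricks such as /wp-content/uploads/x.jpg/y.php
# that would otherwise let PHP-FPM execute x.jpg when cgi.fix_pathinfo is on.
location ~ \.php$ {
    try_files $uri =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption: your PHP-FPM socket
}
```

After reloading nginx, verify the rule by placing a harmless file of your own with a .php extension in the uploads tree and requesting it: the response must be 403, not the output of the script. IIS and Lighttpd need an equivalent rule in their own configuration, and on Apache the .htaccess only works where AllowOverride permits it, so the same test is worth running there too.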

References

CWE-434: Unrestricted Upload of File with Dangerous Type
SureMail Plugin File: inc/admin/plugin.php
SureMail Plugin File: inc/emails/handler/uploads.php (save_file function)
SureMail Plugin File: inc/emails/handler/uploads.php (MD5 Hash Filename Generation)
SureMail Plugin Changeset 3403145
Wordfence Threat Intelligence Report – CVE-2025-13516

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
