PT-2025-48654 · WordPress · Suremail – Smtp/Email Logs Plugin

Published

2025-12-02

·

Updated

2025-12-02

·

CVE-2025-13516

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

SureMail – SMTP and Email Logs Plugin for WordPress, versions up to and including 1.9.0

Description

The plugin allows unrestricted file uploads through the save_file() function in inc/emails/handler/uploads.php. This function copies email attachments to a web-accessible directory (wp-content/uploads/suremails/attachments/) without validating file extensions or content types. Files are saved under predictable names derived from the MD5 hash of their content, so whoever supplied the attachment can compute its URL. An Apache .htaccess file in that directory attempts to block PHP execution, but this protection is ineffective on nginx, IIS and Lighttpd, and on Apache installations where .htaccess files are not honoured (for example, AllowOverride None). An unauthenticated attacker can therefore achieve Remote Code Execution by submitting a PHP file as an attachment through a public form that accepts attachments, deriving the stored filename, and requesting the file directly from a vulnerable web server.

Recommendations

Update any installation running version 1.9.0 or earlier. As a temporary workaround, disable or restrict attachment uploads on public forms, or validate file extensions and content before anything is written to the web-accessible directory. Independently of the plugin, confirm that the web server itself refuses to execute PHP inside wp-content/uploads/suremails/attachments/; a .htaccess rule only helps on Apache with AllowOverride enabled.
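The following PHP is an added illustration written for this entry; it is not code from the SureMail plugin and does not reproduce its save_file() implementation. It places the weak pattern the advisory describes (extension kept as supplied, no content check, filename equal to the MD5 of the content) next to a hardened save routine that applies the recommendations above: an extension allow-list, a content-type check that is sniffed from the bytes rather than taken from the client, rejection of PHP open tags, and a random filename the uploader cannot predict. The function names, the ATTACHMENT_DIR constant and the MIME allow-list are assumptions for the example.

```php
<?php
// Added example, not code from the SureMail plugin. Function names, the
// directory constant and the MIME allow-list are assumptions for illustration.
declare(strict_types=1);

// Directory named in the advisory; in a real plugin resolve it through wp_upload_dir().
const ATTACHMENT_DIR = '/var/www/html/wp-content/uploads/suremails/attachments';

// Weak pattern as described in the advisory: the supplied extension is kept,
// nothing about the content is checked, and the stored name is an MD5 of the
// bytes, so an attacker who chose the bytes also knows the resulting URL.
function save_attachment_insecure(string $content, string $original_name): string
{
    $ext  = pathinfo($original_name, PATHINFO_EXTENSION);
    $name = md5($content) . ($ext !== '' ? '.' . $ext : '');
    $path = ATTACHMENT_DIR . '/' . $name;
    file_put_contents($path, $content);
    return $path;
}

// Hardened replacement. Returns the stored path, or null when the upload is refused.
function save_attachment_hardened(string $content, string $original_name): ?string
{
    // Extension -> accepted sniffed MIME types. Extend deliberately; never add
    // php, phtml, phar or other server-executed types.
    static $allowed = [
        'pdf'  => ['application/pdf'],
        'png'  => ['image/png'],
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'txt'  => ['text/plain'],
    ];

    $ext = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null; // unknown or dangerous extension
    }

    // Detect the real type from the bytes; the client-supplied Content-Type is untrusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($content);
    if (!in_array($mime, $allowed[$ext], true)) {
        return null; // extension and content disagree (e.g. PHP inside a ".png")
    }

    // Defence in depth: refuse anything carrying a PHP open tag, whatever its type.
    if (preg_match('/<\?(?:php\b|=)/i', $content) === 1) {
        return null;
    }

    // Unpredictable name: 128 bits of randomness instead of a hash of attacker bytes.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $path = ATTACHMENT_DIR . '/' . $name;

    // Create exclusively (no overwrite), then drop execute bits on the stored file.
    $fh = fopen($path, 'x');
    if ($fh === false) {
        return null;
    }
    fwrite($fh, $content);
    fclose($fh);
    chmod($path, 0640);
    return $path;
}

// Usage with constructed input (a fake PHP payload disguised as an image):
// save_attachment_insecure("<?php system(\$_GET['c']); ?>", "a.php") stores it
// under a name anyone can compute; save_attachment_hardened(...) returns null
// because "php" is not in the allow-list, and a ".png" variant is also refused
// because the sniffed type is text/x-php, not image/png.
```

Inside WordPress the same checks can be built on core helpers rather than hand-rolled: wp_check_filetype_and_ext() compares the extension with the detected type against the site's allowed MIME list, and wp_unique_filename() avoids collisions. None of this replaces the server-side control: on nginx add a rule such as `location ~* ^/wp-content/uploads/suremails/attachments/.*\.(php|phtml|phar)$ { deny all; }` ahead of the generic PHP handler location, and on IIS or Lighttpd apply the equivalent handler mapping removal, so that a file which slips past the plugin is served as an inert download rather than executed.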

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2025-13516

Affected Products

Suremail – Smtp/Email Logs Plugin