CVE-2025-13516
BaseFortify

Publication date: 2025-12-02

Last updated on: 2025-12-02

Assigner: Wordfence

Description
The SureMail – SMTP and Email Logs Plugin for WordPress is vulnerable to Unrestricted Upload of File with Dangerous Type in versions up to and including 1.9.0. The plugin's save_file() function in inc/emails/handler/uploads.php copies every email attachment into a web-accessible directory (wp-content/uploads/suremails/attachments/) without validating file extensions or content types, and stores each file under a predictable name derived from the MD5 hash of its content. The plugin attempts to protect this directory with an Apache .htaccess file that disables PHP execution, but that protection is ineffective on nginx, IIS and Lighttpd, which never read .htaccess files, and on misconfigured Apache installations (for example, where .htaccess overrides are not honored). This makes it possible for unauthenticated attackers to achieve Remote Code Execution by submitting a malicious PHP file through any public form that emails its attachments, calculating the predictable filename, and requesting the file directly, provided the target site runs on an affected web server configuration.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-12-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor      Product     Version / Range
wordpress   wordpress   *
wordfence   suremails   *
CWE
CWE ID    Description
CWE-434   The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the SureMail – SMTP and Email Logs Plugin for WordPress (versions up to and including 1.9.0). It allows unauthenticated attackers to plant files of dangerous types, such as PHP scripts, because the plugin saves every email attachment to a web-accessible directory without validating file extensions or content types. Although the plugin tries to block PHP execution with an Apache .htaccess file, that file is ignored by nginx, IIS and Lighttpd and by Apache installations that are not configured to honor it. An attacker can submit a malicious attachment through any public form that the site emails, predict its filename (derived from the MD5 hash of the file content), and then execute arbitrary code on the server by requesting the file directly.


How can this vulnerability impact me?

This vulnerability can lead to Remote Code Execution (RCE) on the affected server, allowing attackers to run arbitrary code without authentication. This can compromise the entire website and server, potentially leading to data theft, site defacement, malware distribution, or complete server takeover.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately update the SureMail – SMTP and Email Logs Plugin for WordPress to a patched release (later than 1.9.0). Additionally, ensure that the web server is configured to refuse execution of PHP files in the wp-content/uploads/suremails/attachments/ directory. On Apache, verify that the .htaccess file disabling PHP execution actually takes effect: the directory's AllowOverride setting must permit it, and if PHP runs through php-fpm rather than mod_php, a php_flag engine off directive does nothing, so the file must instead deny the requests (for example with a FilesMatch block that refuses .php files). On nginx, IIS or Lighttpd, implement equivalent restrictions in the server's own configuration, since none of them read .htaccess. As a temporary measure, restrict public access to the upload directory or disable the plugin until the update is applied.
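The following nginx fragment is an added example of the "equivalent restriction" the answer above asks for; it is not code from the SureMail plugin, from Wordfence, or from the original page. It assumes WordPress is served from the site root and that the server block already contains the usual `location ~ \.php$` block that hands requests to php-fpm; the list of extensions treated as executable is an assumption and should be widened to match whatever your PHP handler's regex accepts.

```nginx
# Added example (not the plugin's own code): nginx counterpart to the
# plugin's Apache .htaccess, which nginx never reads.
# Assumes WordPress at the document root; adjust the prefix otherwise.

# "^~" makes this prefix match take precedence over the site-wide
# "location ~ \.php$" block, so nothing under the attachments directory
# can be routed to php-fpm, whatever its name.
location ^~ /wp-content/uploads/suremails/attachments/ {

    # Refuse anything a PHP handler might execute (assumed extension list;
    # extend it to match your own php location regex).
    location ~* \.(php|php[3-8]|phtml|phar|phps)$ {
        return 403;
    }

    # Everything else is delivered as an opaque download, never rendered,
    # so an uploaded HTML or SVG attachment cannot run script in the
    # site's origin either.
    types { }
    default_type application/octet-stream;
    add_header Content-Disposition "attachment";
    add_header X-Content-Type-Options "nosniff";
}
```

After `nginx -t && nginx -s reload`, check the rule from the outside: drop a harmless file such as probe.php containing `<?php echo 'x';` into the directory and request it with `curl -i`; you should see a 403 and no "x" in the body. The same probe is worth running on Apache after editing .htaccess, since a 200 with "x" means the file is being ignored or the directive does not apply to your PHP handler.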

