CVE-2025-13516 (severity: HIGH)

CVE-2025-13516: SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers <= 1.9.0 - Unauthenticated Arbitrary File Upload

Vendor: Brainstormforce
Product: SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers
Weakness: CWE-434 · Unrestricted Upload of File with Dangerous Type
Published: December 2, 2025
Last update: April 8, 2026

CVSS base score

8.1/10 (CVSS v3.1)
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The SureMail – SMTP and Email Logs Plugin for WordPress is vulnerable to Unrestricted Upload of File with Dangerous Type in versions up to and including 1.9.0. The cause is the plugin's save_file() function in inc/emails/handler/uploads.php, which copies every email attachment into a web-accessible directory (wp-content/uploads/suremails/attachments/) without validating file extensions or content types. Files are saved under predictable names derived from the MD5 hash of their content.

The plugin attempts to protect this directory with an Apache .htaccess file that disables PHP execution, but that protection is ineffective on nginx, IIS, and Lighttpd servers, and on misconfigured Apache installations. Where it does not apply, an unauthenticated attacker can achieve remote code execution by submitting a malicious PHP file as an attachment through any public form that emails attachments, computing the predictable filename, and requesting the file directly. Exploitation therefore depends on the site running on an affected web server configuration, which is why the CVSS attack complexity is rated High.
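As an added illustration, not code from the SureMail plugin, the routine below shows how an attachment-copy function can close the three weaknesses the description names (no extension or content-type validation, web-accessible storage, content-derived filenames). The function and constant names are hypothetical, and `$dir` is assumed to be a path outside the web root, so no .htaccess or web-server-specific rule is needed to stop execution.

```php
<?php
// Illustrative hardened attachment storage (not SureMail's save_file()).
// Fixes, compared with the behaviour described in the advisory:
//   1. extension allowlist + content sniffing instead of no validation
//   2. storage in a directory that the web server does not serve
//   3. random filenames instead of names derived from an MD5 of the content
declare(strict_types=1);

// Allowed extensions mapped to the MIME types finfo may report for them.
const ATTACHMENT_ALLOWLIST = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'txt'  => ['text/plain'],
];

/**
 * Copy $src into $dir (assumed to be outside the document root).
 * Returns the stored path, or null when the attachment is rejected.
 */
function safe_store_attachment(string $src, string $original_name, string $dir): ?string
{
    // Only the final extension is considered, so "a.php.png" is judged as png
    // and then rejected by the content checks below rather than by its name.
    $ext = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    if (!isset(ATTACHMENT_ALLOWLIST[$ext])) {
        return null; // extension not on the allowlist
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($src);
    if ($mime === false || !in_array($mime, ATTACHMENT_ALLOWLIST[$ext], true)) {
        return null; // actual content does not match the claimed type
    }
    // Defence in depth: refuse anything that carries a PHP open tag, even text.
    $head = file_get_contents($src, false, null, 0, 8192);
    if ($head === false || stripos($head, '<?php') !== false || stripos($head, '<?=') !== false) {
        return null;
    }
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        return null; // storage directory unavailable
    }
    // 128-bit random name: not computable from the attachment content.
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!copy($src, $dest)) {
        return null;
    }
    chmod($dest, 0600); // readable only by the PHP process owner
    return $dest;
}
```

Because the stored files live outside the web root, the only way to reach them is through an authenticated download handler, so the web server type (Apache, nginx, IIS, Lighttpd) no longer decides whether an uploaded file can execute.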

Explanation of Vulnerability in Simple Terms

02 Summary

SureMail versions up to and including 1.9.0 contain an unrestricted file upload vulnerability: every email attachment the plugin handles is copied, without validation, into a web-accessible directory under a filename derived from the attachment's MD5 hash. An attacker who can get a malicious attachment emailed through the plugin (for example via a public contact form) can then request the file by its predictable name, potentially leading to remote code execution. Every affected installation copies the files; executing them is only possible where the web server does not enforce the plugin's .htaccess protection (nginx, IIS, Lighttpd, or a misconfigured Apache). No authentication or user interaction is required.

What an attacker can do

03 Attacker Capabilities

Upload arbitrary files, including PHP scripts, to a web-accessible directory without authentication and, on affected web server configurations, execute them.

Potential impact on your site

04 Site Impact

Attackers can gain full control of the site by uploading and executing malicious PHP files, with high impact on confidentiality, integrity and availability.

Conditions required to exploit

05 Prerequisites

Network access to the WordPress site and a public form that emails attachments through SureMail; no authentication or user interaction is required. Code execution additionally requires a web server that does not honour the plugin's .htaccess rules (nginx, IIS, Lighttpd, or a misconfigured Apache), which is why the CVSS attack complexity is rated High.

Key dates

06 Disclosure timeline

December 2, 2025: CVE published
April 8, 2026: Record updated