WordPress Plugin Vulnerabilities

SureMail < 1.9.1 - Unauthenticated Arbitrary File Upload

Description

The plugin is vulnerable to Unrestricted Upload of File with Dangerous Type. Its save_file() function in inc/emails/handler/uploads.php duplicates all email attachments to a web-accessible directory (wp-content/uploads/suremails/attachments/) without validating file extensions or content types. Files are saved with predictable names derived from MD5 hashes of their content. The plugin attempts to protect this directory with an Apache .htaccess file that disables PHP execution, but this protection is ineffective on nginx, IIS, and Lighttpd servers, or on misconfigured Apache installations. On a site running an affected web server configuration, unauthenticated attackers can achieve Remote Code Execution by uploading malicious PHP files through any public form that emails attachments, calculating the predictable filename, and directly accessing the file to execute arbitrary code.
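
For administrators checking exposure, the following is an added example (not part of the advisory or the plugin's code): a POSIX shell function that audits the attachment directory named above for files with PHP-handled extensions or an embedded PHP open tag. The function name audit_attachments and the extension list are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: audit SureMail's attachment copy directory for files a web
# server could execute. The directory path is taken from the advisory text.
# Assumption: the extension list below is illustrative; extend it as needed.
DANGEROUS_EXT_RE='\.(php[0-9]?|phtml|phar|pht|phps)(\.|$)'

# audit_attachments DIR
# Prints "<reason><TAB><path>" for each suspicious file.
# Returns 0 = clean, 1 = suspicious files found, 2 = DIR missing.
audit_attachments() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    hits=$(
        find "$dir" -type f | while IFS= read -r f; do
            name=$(basename "$f" | tr 'A-Z' 'a-z')
            if printf '%s\n' "$name" | grep -Eq "$DANGEROUS_EXT_RE"; then
                # Covers name.php as well as double extensions (name.php.jpg)
                printf 'extension\t%s\n' "$f"
            elif grep -qiF '<?php' "$f" 2>/dev/null; then
                # PHP open tag inside a file with a harmless-looking name
                printf 'php-tag\t%s\n' "$f"
            fi
        done
    )
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Stand-alone use: pass the attachments directory as the first argument.
if [ "$#" -gt 0 ]; then
    audit_attachments "$1"
fi
```

A hit is most significant on servers that do not honour the plugin's .htaccess rule (nginx, IIS, Lighttpd, or misconfigured Apache), where the directory should also be blocked from script execution at the server level.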

Affects Plugins

Fixed in 1.9.1

Miscellaneous

Original Researcher
type5afe
Verified
No

Timeline

Publicly Published
2025-12-01
Added
2025-12-08
Last Updated
2025-12-08
