CVE-2025-13516
📋 TL;DR
The SureMail WordPress plugin allows unauthenticated attackers to upload malicious PHP files through public forms that email attachments, leading to remote code execution. This affects WordPress sites using SureMail plugin versions up to 1.9.0 on web servers without proper .htaccess protection.
💻 Affected Systems
- SureMail – SMTP and Email Logs Plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary code, steal data, install backdoors, or pivot to other systems.
Likely Case
Attackers upload web shells to gain persistent access, deface websites, or deploy malware.
If Mitigated
If proper web server configuration blocks PHP execution in upload directories, impact is limited to file storage abuse.
🎯 Exploit Status
Attack requires calculating MD5 hash of malicious file to predict filename, which is trivial with known content.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.1 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3403145/suremails/trunk?contextall=1&old=3389326&old_path=%2Fsuremails%2Ftrunk
Restart Required: No
Instructions:
1. Update SureMail plugin to version 1.9.1 or later via WordPress admin panel. 2. Verify update completes successfully. 3. Clear any cached malicious files from wp-content/uploads/suremails/attachments/ directory.
🔧 Temporary Workarounds
Block PHP execution in upload directory
allConfigure web server to prevent PHP file execution in the vulnerable directory
For nginx: location ~* /wp-content/uploads/suremails/attachments/.*\.php$ { deny all; }
For Apache: Add 'php_flag engine off' to .htaccess in the directory
Disable plugin
linuxTemporarily disable SureMail plugin until patched
wp plugin deactivate suremails
🧯 If You Can't Patch
- Remove or restrict public forms that email attachments through SureMail
- Implement web application firewall rules to block uploads of PHP files to the vulnerable path
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel for SureMail plugin version. If version is 1.9.0 or lower, site is vulnerable.Check Version:
wp plugin list --name=suremails --field=versionVerify Fix Applied:
Verify SureMail plugin version is 1.9.1 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to wp-content/uploads/suremails/attachments/
- HTTP requests to PHP files in the suremails attachments directory
- Multiple failed upload attempts with PHP extensions
Network Indicators:
- POST requests to forms with PHP file attachments
- GET requests to predictable MD5-named PHP files in uploads directory
SIEM Query:
web.access WHERE url CONTAINS '/wp-content/uploads/suremails/attachments/' AND (method = 'POST' AND file_extension = 'php' OR method = 'GET' AND url LIKE '%.php')🔗 References
- https://cwe.mitre.org/data/definitions/434.html
- https://plugins.trac.wordpress.org/browser/suremails/trunk/inc/admin/plugin.php#L407
- https://plugins.trac.wordpress.org/browser/suremails/trunk/inc/emails/handler/uploads.php#L113
- https://plugins.trac.wordpress.org/browser/suremails/trunk/inc/emails/handler/uploads.php#L231
- https://plugins.trac.wordpress.org/changeset/3403145/suremails/trunk?contextall=1&old=3389326&old_path=%2Fsuremails%2Ftrunk
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f3a20047-a325-4d29-a848-7ffa525d0bad?source=cve
