Unrestricted File Upload Vulnerability in SureMail SMTP and Email Logs Plugin for WordPress
CVE-2025-13516
Key Information:
- Vendor: WordPress
- CVE Published: 2 December 2025
What is CVE-2025-13516?
The SureMail – SMTP and Email Logs Plugin for WordPress has an unrestricted file upload vulnerability that lets attackers upload and execute malicious files. In versions up to and including 1.9.0, the plugin's save_file() function stores email attachments in a web-accessible directory without properly validating file types. The plugin attempts to protect this directory with an Apache .htaccess file, but that protection is ineffective on servers such as nginx, IIS, and Lighttpd, and on poorly configured Apache installations. Unauthenticated attackers can therefore upload PHP files through public forms; the stored files are named predictably from the MD5 hash of their content, and requesting them directly executes arbitrary code.
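
A defender-side check for the condition described above, as an added example that is not part of the advisory or the plugin's code: it walks a directory of stored attachments and reports files a PHP handler could execute. The directory to scan, the extension list and the `-form.php` sample name are assumptions, since the advisory gives neither the plugin's storage path nor its exact naming format.

```python
import hashlib
import os
import tempfile

# Extensions commonly routed to a PHP handler (assumption: match to your server config).
EXEC_EXTS = {".php", ".phtml", ".phar", ".pht", ".php5", ".php7"}


def audit_attachment_dir(root):
    """Return sorted (relative_path, reasons) for files a PHP handler could run."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            reasons = []
            if os.path.splitext(name)[1].lower() in EXEC_EXTS:
                reasons.append("executable-extension")
            if b"<?php" in data[:4096].lower():
                reasons.append("php-open-tag")
            if not reasons:
                continue
            # Per the advisory, stored names derive from the MD5 of the content,
            # so a match means the file's URL was predictable to its uploader.
            if hashlib.md5(data).hexdigest() in name.lower():
                reasons.append("name-contains-content-md5")
            findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def build_sample(root):
    """Write constructed sample files; names and layout are hypothetical."""
    php = b"<?php echo 'constructed sample'; ?>"
    samples = {
        hashlib.md5(php).hexdigest() + "-form.php": php,
        "invoice.pdf": b"%PDF-1.4 constructed sample",
        "photo.jpg": b"\xff\xd8\xff\xe0 constructed <?php ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reasons in audit_attachment_dir(tmp):
            print(rel, ", ".join(reasons))
```

Any finding in a directory that should hold only email attachments is worth investigating, whether or not the web server currently honours the .htaccess file.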

Affected Version(s)
SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers * <= 1.9.0