Introduction
Attackers can gain remote code execution on WordPress sites by simply uploading a malicious file through any public form. CVE-2025-13516 in the SureMail SMTP and Email Logs plugin for WordPress exposes over 200,000 sites to this risk, with exploitation requiring no authentication or user interaction beyond a form submission. This vulnerability is especially significant due to its ease of exploitation and the widespread use of the plugin in the WordPress ecosystem.
About SureMail and Brainstorm Force: SureMail is a widely used WordPress plugin developed by Brainstorm Force, a vendor with a strong presence in the WordPress plugin market and a portfolio of products used by hundreds of thousands of sites. SureMail provides SMTP email delivery and logging, making it a critical infrastructure component for many organizations relying on WordPress for business operations.
Technical Information
CVE-2025-13516 is caused by a lack of file extension and content type validation in the SureMail plugin's file handling logic. Specifically, the vulnerability resides in the save_file() function in inc/emails/handler/uploads.php. When a user submits a form with an attachment (such as through WPForms or Contact Form 7), SureMail saves a copy of the attachment to wp-content/uploads/suremails/attachments/.
Key technical points:
- No file extension or MIME type validation: Any file type, including .php, can be uploaded.
- Predictable file naming: The filename is generated using the MD5 hash of the file content, so an attacker can precompute the name of their payload.
- Web-accessible storage: Files are saved in a directory that is publicly accessible via the web server.
- Ineffective mitigation: The plugin attempts to prevent PHP execution in this directory using an Apache .htaccess file. This is not honored by nginx, IIS, Lighttpd, or misconfigured Apache servers.
This means an attacker can upload a PHP payload through any public form that sends attachments, calculate the resulting filename, and access the file directly to execute arbitrary code on the server.
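The four weaknesses listed above (no extension or content validation, MD5-derived names, a web-served directory, and an Apache-only .htaccess) map onto concrete checks. The Python below is an added illustration written for this write-up, not SureMail's code and not a reproduction of save_file(): it shows the validation an attachment store should perform before writing (extension allowlist, rejection of any server-side script extension anywhere in the name, magic-byte check, and a scan for PHP open tags so polyglot images are refused), contrasts the predictable MD5 naming the advisory describes with a random name, and includes a detection routine a defender can run over an existing wp-content/uploads/suremails/attachments/ directory to find files that should never have landed there. The allowed types, the sample files, and the function names are all assumptions made for the example.

```python
"""Attachment validation and upload-directory scanning (illustrative, not SureMail's code)."""
import hashlib
import os
import re
import secrets
from pathlib import Path

# Allowlist of attachment types and the magic bytes each must begin with.
# Assumption: a typical contact-form deployment only needs documents and images.
ALLOWED_TYPES = {
    "pdf": b"%PDF",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
# Extensions a web server may hand to the PHP interpreter. Rejected anywhere in the
# name so that "shell.php.jpg" is refused as well as "shell.php".
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
# PHP open tags; one inside an otherwise valid image marks a polyglot file.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def predictable_name(data: bytes) -> str:
    """The naming scheme the advisory describes: MD5 of the content, so anyone who
    knows the payload bytes also knows the name it will be stored under."""
    return hashlib.md5(data).hexdigest()


def validate_attachment(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) after checking name, extension, magic bytes and content."""
    base = os.path.basename(filename.replace("\\", "/"))  # strip any path component
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing or hidden extension"
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension not allowed: .{ext}"
    if SCRIPT_EXTENSIONS & set(parts[1:-1]):
        return False, "script extension embedded in name"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag found in content"
    return True, "ok"


def store_attachment(upload_dir: Path, filename: str, data: bytes) -> Path:
    """Validate, then write under a random name instead of a content hash."""
    ok, reason = validate_attachment(filename, data)
    if not ok:
        raise ValueError(reason)
    ext = filename.rsplit(".", 1)[1].lower()
    upload_dir.mkdir(parents=True, exist_ok=True)
    target = upload_dir / f"{secrets.token_hex(16)}.{ext}"
    target.write_bytes(data)
    return target


def find_suspicious(files: dict[str, bytes]) -> list[str]:
    """Detection: names with an executable extension or bytes carrying a PHP open tag."""
    hits = []
    for name, data in files.items():
        parts = name.lower().split(".")
        if SCRIPT_EXTENSIONS & set(parts[1:]) or PHP_OPEN_TAG.search(data):
            hits.append(name)
    return sorted(hits)


def scan_upload_dir(upload_dir: Path) -> list[str]:
    """Run find_suspicious over the files already present in an attachments directory."""
    return find_suspicious(
        {p.name: p.read_bytes() for p in upload_dir.iterdir() if p.is_file()}
    )


# Constructed sample inputs for the demonstration; none of these are real uploads.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "shell.php": b"<?php echo 1; ?>",
    "shell.php.jpg": b"\xff\xd8\xff\xe0not-a-real-image",
    "polyglot.png": b"\x89PNG\r\n\x1a\n<?php echo 2; ?>",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15} {validate_attachment(name, data)}")
    print("MD5 naming would place shell.php at", predictable_name(SAMPLES["shell.php"]) + ".php")
    print("suspicious files:", find_suspicious(SAMPLES))
```

Two points about the design. The content scan is deliberately stricter than a MIME check alone, because a file can carry valid image magic bytes and still contain PHP; the magic-byte check catches mismatched types, the tag scan catches polyglots. And the random name removes the precomputation step the advisory describes, but it is defence in depth only: the storage directory still needs the web server itself to refuse to execute anything under it, which on nginx, IIS or Lighttpd means an explicit rule in that server's own configuration, since the Apache .htaccess file does nothing there.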
Relevant public code references:
Affected Systems and Versions
- SureMail SMTP and Email Logs WordPress plugin
- Affected versions: Up to and including 1.9.0
- Vulnerable configurations: Any WordPress site running SureMail ≤ 1.9.0, especially on nginx, IIS, Lighttpd, or misconfigured Apache servers where .htaccess protections are ineffective
Vendor Security History
Brainstorm Force, the developer of SureMail, has a history of addressing security vulnerabilities in their plugins. The vendor patched this issue in version 1.9.1 after responsible disclosure. However, the presence of such a basic file upload flaw indicates gaps in secure development practices. Similar unrestricted file upload vulnerabilities have affected other plugins in the WordPress ecosystem, and Brainstorm Force has previously issued security updates for SureMail and other products.