SureMail WordPress Plugin Unauthenticated Arbitrary File Upload Vulnerability

Vulnerability

A vulnerability exists in the SureMail SMTP and Email Logs WordPress plugin in versions up to and including 1.9.0. The flaw is in the plugin's save_file function, which saves email attachments to a publicly accessible directory without adequately validating their file type. As a result, unauthenticated users can upload malicious files, such as PHP scripts, which may then be executed on the server, particularly if the site runs a web server configuration that allows script execution in that directory.

Impact

Exploitation of this vulnerability could lead to remote code execution on the server.

Reproduction

To reproduce this vulnerability, upload a file through any public form that allows email attachments. The file will be saved in a web-accessible directory with a name based on the MD5 hash of its content. If the uploaded file is a PHP script, it can be executed by accessing the file directly via its URL.
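As an added defender-side triage check, not part of this advisory or of the plugin's own code: a Python script that walks an attachment directory (the plugin's real upload path is not given here, so it is passed as an argument) and flags files that could execute as PHP, noting whether the filename equals the MD5 of the file content, the naming scheme described above. The sample directory it builds when run without arguments is constructed for demonstration.

```python
import hashlib
import os
import re
import sys
import tempfile

# Filenames that look like an MD5 digest, optionally followed by an extension.
HASH_NAME = re.compile(r"^[0-9a-f]{32}(\.[A-Za-z0-9]+)?$")
PHP_EXTENSIONS = (".php", ".phtml", ".phar", ".php5", ".php7", ".phps")
PHP_MARKERS = (b"<?php", b"<?=")


def content_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def scan_attachment_dir(directory: str) -> list:
    """Report files that could execute as PHP; content_hash_name is True when the
    filename is the MD5 of the content, i.e. the attachment naming scheme above."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            stem, ext = os.path.splitext(name)
            if ext.lower() not in PHP_EXTENSIONS and not any(m in data for m in PHP_MARKERS):
                continue
            hash_named = bool(HASH_NAME.match(name)) and stem == content_md5(data)
            findings.append({"name": name, "path": path, "content_hash_name": hash_named})
    return findings


def build_sample_dir() -> str:
    """Constructed sample directory (not real plugin data) so the scan runs offline."""
    d = tempfile.mkdtemp(prefix="attachment-scan-")
    benign = b"Quarterly report attached.\n"
    marker = b"<?php /* constructed marker, does nothing */ ?>\n"
    for data in (benign, marker):  # hash-named, as the vulnerable save path would write them
        with open(os.path.join(d, content_md5(data)), "wb") as fh:
            fh.write(data)
    with open(os.path.join(d, "index.php"), "wb") as fh:  # PHP, but not hash-named
        fh.write(b"<?php // placeholder\n")
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    for finding in scan_attachment_dir(target):
        print(finding)
```

A hit with content_hash_name set to True deserves a look at the email logs for the attachment that produced it; a PHP file without that property is more likely an ordinary plugin or theme file.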

Remediation

Users are advised to update the SureMail WordPress plugin to version 1.9.1 or later.

Added: Dec 2, 2025, 9:25 AM
Updated: Dec 2, 2025, 9:25 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 8.4
remediation: 7.7
relevance: 1.3
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.