{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13062", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-12T12:49:25.016Z", "datePublished": "2026-01-15T13:23:24.756Z", "dateUpdated": "2026-04-08T16:37:34.753Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:34.753Z"}, "affected": [{"vendor": "divisupreme", "product": "Supreme Modules Lite \u2013 Divi Theme, Extra Theme and Divi Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.5.62", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "Supreme Modules Lite <= 2.5.62 - Authenticated (Author+) Arbitrary File Upload via JSON Upload Bypass", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1819f2eb-51ef-4ba4-9137-ab64710fa6c8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3423427/supreme-modules-for-divi"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-11-15T17:26:22.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-15T01:09:33.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-15T15:34:16.671403Z", "id": "CVE-2025-13062", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T15:34:53.346Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13062", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-15T15:34:16.671403Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T15:34:22.939Z"}}], "cna": {"title": "Supreme Modules Lite <= 2.5.62 - Authenticated (Author+) Arbitrary File Upload via JSON Upload Bypass", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "divisupreme", "product": "Supreme Modules Lite \u2013 Divi Theme, Extra Theme and Divi Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.5.62"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-15T17:26:22.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-15T01:09:33.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1819f2eb-51ef-4ba4-9137-ab64710fa6c8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3423427/supreme-modules-for-divi"}], "descriptions": [{"lang": "en", "value": "The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:34.753Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13062", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:34.753Z", "dateReserved": "2025-11-12T12:49:25.016Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-15T13:23:24.756Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El plugin Supreme Modules Lite para WordPress es vulnerable a la carga arbitraria de archivos en todas las versiones hasta la 2.5.62, inclusive. Esto se debe a una validaci\u00f3n insuficiente del tipo de archivo que detecta archivos JSON, lo que permite que los archivos de doble extensi\u00f3n eludan la sanitizaci\u00f3n mientras son aceptados como un archivo JSON v\u00e1lido. Esto hace posible que atacantes autenticados, con acceso de nivel de autor y superior, carguen archivos arbitrarios en el servidor del sitio afectado, lo que podr\u00eda posibilitar la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2025-13062", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-15T14:16:25.710", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3423427/supreme-modules-for-divi"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1819f2eb-51ef-4ba4-9137-ab64710fa6c8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T15:40:08.188494+00:00", "value": {"mitigation_remediation": ["Upgrade Supreme Modules Lite to the latest released version above 2.5.62.", "If upgrading is not feasible, disable the plugin\u2019s upload feature or restrict upload capability to the minimum necessary user roles.", "Consider removing the Supreme Modules Lite plugin entirely or replacing it with a vetted alternative that implements proper file type validation.", "Monitor server logs and file system changes for any unauthorized uploaded files or execution attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Supreme Modules Lite, a plugin used in WordPress sites that employ Divi Theme, Extra Theme, or Divi Builder. All released versions up to and including 2.5.62 are impacted.", "description_and_impact": "The Supreme Modules Lite plugin for WordPress suffers from an insufficient file type validation that permits JSON files with double extensions to bypass sanitization. This flaw allows authenticated users with author-level or higher privileges to upload arbitrary files to the web server, potentially leading to remote code execution. The vulnerability is classified as CWE-434, indicating an improper file upload mechanism.", "risk_and_exploitability": "The flaw carries a CVSS score of 8.8, reflecting high severity, while the EPSS score of less than 1% indicates a low probability of observed exploitation. It is not listed in CISA\u2019s KEV catalog. The attack requires authenticated access, typically author-level or higher, and involves uploading a malicious file such as a PHP script to achieve remote code execution."}}}}, "created": "2026-01-16T13:43:17.295817+00:00", "updated": "2026-04-22T15:45:20.872985+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}