CVE-2025-13062
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: Wordfence

Description
The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13062
EUVD
EUVD-2026-2808
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
unknown_vendor supreme_modules_lite to 2.5.62 (inc)
unknown_vendor supreme_modules_for_divi 2.5.63
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Supreme Modules Lite WordPress plugin (up to version 2.5.62) is due to insufficient validation of file types during uploads. Specifically, the plugin fails to properly detect JSON files, allowing attackers with author-level access or higher to upload files with double extensions that bypass sanitization. This arbitrary file upload flaw can enable attackers to place malicious files on the server, potentially leading to remote code execution. [1]

Impact Analysis

This vulnerability can allow an authenticated attacker with author-level access or above to upload arbitrary files to the affected WordPress site. Such file uploads can lead to remote code execution on the server, compromising the site's security, potentially allowing data theft, site defacement, or full server takeover. [1]

Detection Guidance

To detect this vulnerability, you can check if your WordPress site is running the Supreme Modules Lite plugin version 2.5.62 or earlier. Additionally, monitoring for suspicious file uploads with double extensions (e.g., file.php.json) or unexpected JSON file uploads by authenticated users with author-level access or higher can help identify exploitation attempts. Specific commands depend on your environment, but for example, on the server you can run commands to find suspicious files: `find /path/to/wordpress/wp-content/uploads/ -type f -regex '.*\.php\.json$'` to locate files with double extensions. Also, reviewing web server logs for POST requests to upload endpoints by author-level users may help. However, no explicit commands are provided in the resources. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Supreme Modules Lite plugin to version 2.5.63 or later, which includes fixes improving JSON file handling and file type validation to prevent arbitrary file uploads. This update addresses the vulnerability by correctly identifying JSON files and preventing bypass of sanitization checks. Until the update is applied, restrict author-level user permissions if possible and monitor for suspicious file uploads. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13062. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart