CVE-2025-13062 Overview
CVE-2025-13062 is an arbitrary file upload vulnerability affecting the Supreme Modules Lite plugin for WordPress in all versions up to and including 2.5.62. The vulnerability exists due to insufficient file type validation when detecting JSON files: the check looks only at the final extension, so a double-extension filename bypasses sanitization while the application still accepts the file as valid JSON. Authenticated attackers with author-level access or above can exploit this flaw to upload arbitrary files to the affected site's server, potentially leading to remote code execution.
Critical Impact
Authenticated attackers with author-level privileges can upload malicious files to WordPress servers, potentially achieving remote code execution and full site compromise.
Affected Products
- Supreme Modules Lite plugin for WordPress versions up to and including 2.5.62
- WordPress sites using the Supreme Modules for Divi plugin
Discovery Timeline
- 2026-01-15 - CVE-2025-13062 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2025-13062
Vulnerability Analysis
This vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The core issue lies in the plugin's file upload validation logic, which fails to properly enforce file type restrictions. The validation mechanism attempts to identify JSON files but can be bypassed through the use of double extension filenames (e.g., malicious.php.json).
When a file with a double extension is uploaded, the sanitization routine identifies it as a valid JSON file based on the final extension, while the web server may still hand the file to the PHP interpreter based on the earlier extension (Apache's mod_mime, for example, treats every dot-separated segment after the base name as an extension). This discrepancy between what is validated and what is executed creates a dangerous gap that attackers can exploit to upload executable code.
Root Cause
The root cause is insufficient file type validation in the plugin's upload handling functionality. The validation logic relies solely on file extension checking without properly inspecting file contents (magic bytes) or implementing a strict whitelist approach. The JSON file detection mechanism is particularly flawed, as it accepts files with double extensions where the last extension is .json, regardless of what precedes it.
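To make the root cause concrete, the following added example (not code from the plugin or from the advisory) places the flawed check beside a hardened one in Python. The vulnerable function reproduces the pattern described above, trusting only the final extension; the hardened function enforces a strict whitelist on the name, rejects any earlier segment that a PHP hosting stack might execute, and inspects the content instead of relying on extensions. The list of executable extensions and all sample filenames and contents are constructed for this example.

```python
import json
import os

# Extension-like segments a typical PHP hosting stack may pass to an interpreter.
# Constructed for this example; tune it to the server's actual handler configuration.
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "pl", "py", "cgi", "sh", "jsp", "asp",
})


def vulnerable_is_json_upload(filename: str) -> bool:
    """The flawed pattern: trust only the final extension.

    'webshell.php.json' ends in '.json', so it is accepted even though a server
    that maps the 'php' segment to an interpreter may still execute it.
    """
    return filename.lower().endswith(".json")


def hardened_is_json_upload(filename: str, content: bytes) -> bool:
    """Strict whitelist: the final extension must be .json, no earlier segment may
    be executable, and the bytes must actually be JSON."""
    name = os.path.basename(filename).lower()
    stem, dot, ext = name.rpartition(".")
    if not dot or ext != "json" or not stem:
        return False
    # Reject any extension-like segment before .json that a server might execute.
    # The first segment is the base name and is not treated as an extension.
    for segment in stem.split(".")[1:]:
        if segment in EXECUTABLE_EXTENSIONS:
            return False
    # Content check: it must parse as JSON ...
    try:
        json.loads(content.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    # ... and, as a conservative heuristic, must not contain an interpreter open
    # tag anywhere, because PHP scans the whole file for '<?' even inside a JSON
    # string literal. This deliberately rejects the rare legitimate '<?xml' value.
    if b"<?" in content:
        return False
    return True


def compare(filename: str, content: bytes) -> dict:
    """Show both verdicts for one upload, so the gap between them is visible."""
    return {
        "vulnerable": vulnerable_is_json_upload(filename),
        "hardened": hardened_is_json_upload(filename, content),
    }


# Constructed sample uploads (benign placeholder content, not real payloads).
SAMPLES = [
    ("settings.json", b'{"theme": "dark"}'),
    ("report.2024.json", b"[]"),
    ("webshell.php.json", b"<?php echo 'not json'; ?>"),
    ("settings.php.json", b'{"theme": "dark"}'),
    ("settings.json", b'{"note": "<?php"}'),
    ("settings.json.php", b"{}"),
]

if __name__ == "__main__":
    for fname, data in SAMPLES:
        print(f"{fname:22} {compare(fname, data)}")
```

The two checks only disagree on inputs that matter: `webshell.php.json` passes the vulnerable check and fails the hardened one, while `settings.json.php` fails both because nothing ends in `.json`. The hardened check is still only one layer; the server-side rule that denies execution under the uploads directory (see Workarounds) remains necessary because the validator cannot control how the web server maps extensions to handlers.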
Attack Vector
The attack requires network access and authentication with at least author-level privileges on the WordPress installation. Once authenticated, an attacker can craft a malicious file with a double extension (such as webshell.php.json) and upload it through the vulnerable plugin functionality. The plugin's file validation accepts this file as JSON, but when the uploaded file is later requested directly, a web server that maps the .php segment to the PHP interpreter executes the code embedded within it.
The attack flow involves:
- Authenticating to WordPress with author-level or higher privileges
- Crafting a malicious PHP file with a .php.json double extension
- Uploading the file through the Supreme Modules Lite plugin's upload functionality
- Accessing the uploaded file directly to trigger code execution
Detection Methods for CVE-2025-13062
Indicators of Compromise
- Unusual file uploads in WordPress upload directories with double extensions (e.g., .php.json, .phtml.json)
- Web server access logs showing direct access to suspicious files in plugin upload directories
- Unexpected PHP files or webshells appearing in the wp-content/uploads/ directory structure
- WordPress user accounts with author privileges exhibiting unusual upload activity
Detection Strategies
- Monitor file upload events in WordPress for files with double extensions or suspicious naming patterns
- Implement file integrity monitoring on WordPress upload directories to detect unauthorized file additions
- Review web server access logs for requests to unusual file paths within plugin directories
- Deploy web application firewall (WAF) rules to detect and block double extension file upload attempts
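The indicators and detection strategies above can be turned into a small scan of web server access logs. The following is an added example written for this page, not a tool from Wordfence, WordPress or the plugin author: it parses combined-format log lines, keeps only requests under `/wp-content/uploads/`, and flags filenames that either carry a double extension with an executable inner segment (the `.php.json` pattern) or end in an executable extension outright. The log lines, IP addresses and paths are constructed sample data.

```python
import re
from typing import Iterable, Optional

# Extension-like segments a PHP hosting stack may execute (constructed list).
EXEC_EXT = r"(?:php\d?|phtml|phar|pl|py|cgi|sh|jsp|asp)"
# 'webshell.php.json': an executable segment followed by another extension.
DOUBLE_EXT_RE = re.compile(rf"\.{EXEC_EXT}\.", re.IGNORECASE)
# 'cache.php': an executable extension at the end of the name.
EXEC_EXT_RE = re.compile(rf"\.{EXEC_EXT}$", re.IGNORECASE)
UPLOADS_PREFIX = "/wp-content/uploads/"

# Apache/nginx "combined" log format; only the fields the scan needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_path(path: str) -> Optional[str]:
    """Return a reason if `path` points at a suspicious object under uploads, else None."""
    if not path.startswith(UPLOADS_PREFIX):
        return None
    name = path.rsplit("/", 1)[-1]
    if DOUBLE_EXT_RE.search(name):
        return "double extension with executable inner segment"
    if EXEC_EXT_RE.search(name):
        return "executable extension under uploads"
    return None


def scan_access_log(lines: Iterable[str]) -> list:
    """Yield one finding per request whose target path classify_path() flags."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m["target"].split("?", 1)[0]  # drop any query string
        reason = classify_path(path)
        if reason:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": path,
                "status": int(m["status"]),
                "reason": reason,
            })
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, fictional paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jan/2026:10:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jan/2026:10:02:15 +0000] "GET /wp-content/uploads/2026/01/webshell.php.json HTTP/1.1" 200 73 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [16/Jan/2026:10:03:40 +0000] "GET /wp-content/uploads/2026/01/settings.json HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jan/2026:10:05:02 +0000] "GET /wp-content/uploads/2026/01/cache.php?x=1 HTTP/1.1" 200 33 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} {f['path']} -> {f['reason']}")
```

Against the sample, the scan reports the `webshell.php.json` request and the `cache.php` request from the same client and ignores the ordinary `settings.json` fetch and the admin-ajax call. A 200 status on a flagged path is the signal that matters most: it means the server served (or executed) the file, whereas a 403 on the same path indicates the deny rule in the Workarounds section is doing its job. The same `classify_path` check can be applied to a directory listing of `wp-content/uploads/` for the file-integrity angle.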
Monitoring Recommendations
- Enable detailed logging for WordPress file upload operations and review regularly
- Configure alerts for new files created in WordPress upload directories with executable extensions
- Monitor for outbound connections from the web server that may indicate successful compromise
- Implement real-time file system monitoring on critical WordPress directories
How to Mitigate CVE-2025-13062
Immediate Actions Required
- Update the Supreme Modules Lite plugin to a patched version immediately
- Review all files in WordPress upload directories for suspicious double-extension files
- Audit WordPress user accounts with author-level or higher privileges for unauthorized activity
- Temporarily disable the Supreme Modules Lite plugin if an update is not immediately available
Patch Information
A security patch has been released to address this vulnerability. The patch details can be reviewed in the WordPress Changeset Update. Additional vulnerability information is available in the Wordfence Vulnerability Report.
Site administrators should update to the latest version of the Supreme Modules Lite plugin through the WordPress admin dashboard or by manually downloading and installing the patched version from the WordPress plugin repository.
Workarounds
- Restrict file upload capabilities by limiting author-level permissions until the patch is applied
- Configure web server rules to deny execution of files with double extensions in upload directories
- Implement server-level file type validation that inspects file contents rather than relying solely on extensions
- Use a Web Application Firewall (WAF) to block requests containing suspicious file upload patterns
# Apache .htaccess example to prevent execution of files with double extensions
# Add to wp-content/uploads/.htaccess
# Note: .htaccess is only honoured when the directory's AllowOverride permits it,
# and "Require" needs Apache 2.4+ (mod_authz_core); on 2.2 use "Deny from all".
# nginx does not read .htaccess; an equivalent location block is needed there.
<FilesMatch "\.(php|phtml|php3|php4|php5|pl|py|jsp|asp|html|htm|shtml|sh|cgi)\.">
Require all denied
</FilesMatch>
# Alternatively, deny all PHP execution in uploads directory
<Files *.php>
Require all denied
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

