Supreme Modules Lite < 2.5.63 – Author+ Arbitrary File Upload via JSON Upload Bypass | CVE 2025-13062 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file upload due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

supreme-modules-for-divi

Fixed in 2.5.63

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1819f2eb-51ef-4ba4-9137-ab64710fa6c8

Miscellaneous

Original Researcher

mikemyers

Verified

No

WPVDB ID

2da0516b-20fd-4a79-a47c-437a9e1d9e63

Timeline

Publicly Published

2026-01-15 (about 2 months ago)

Added

2026-01-15 (about 2 months ago)

Last Updated

2026-01-15 (about 2 months ago)

Other

Published

Title

Published

2025-05-14

Title

百度站长SEO合集(支持百度/神马/Bing/头条推送) < 2.0.7 - Unauthenticated Arbitrary File Upload

Published

2024-05-10

Title

Z-Downloads < 1.11.4 - Authenticated (Admin+) Arbitrary File Upload

Published

2025-10-29

Title

WavePlayer < 3.8.0 - Unauthenticated Arbitrary File Upload

Published

2014-09-17

Title

Slideshow Gallery < 1.4.7 - Arbitrary File Upload

Published

2023-12-27

Title

WP Mail Log Plugin < 1.1.3 - Contributor+ Arbitrary File Upload