Description
The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation when detecting JSON files, which allows files with double extensions to bypass sanitization while still being accepted as valid JSON files. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files to the affected site's server, which may make remote code execution possible.
Published: 2026-01-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Supreme Modules Lite plugin for WordPress suffers from insufficient file type validation that permits JSON files with double extensions to bypass sanitization. This flaw allows authenticated users with author-level or higher privileges to upload arbitrary files to the web server, potentially leading to remote code execution. The vulnerability is classified as CWE-434 (unrestricted upload of a file with a dangerous type).
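As an added illustration (not the plugin's code, and not a claim about its actual logic), the following Python contrasts a deliberately weak JSON-upload check that only looks for a ".json" substring with a hardened one that decides the type by the final extension, rejects inner executable extensions, and requires the body to parse as JSON. The extension lists and sample file names are constructed for the example.

```python
import json
import re
from pathlib import PurePosixPath

# Constructed allowlist: the only extension this upload endpoint should accept.
ALLOWED_EXTENSIONS = {"json"}
# Constructed list of extensions a misconfigured web server may execute even when
# they are not the final extension (e.g. Apache AddHandler matching "x.php.json").
DANGEROUS_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "htaccess"}


def weak_is_json_upload(filename: str, content: bytes) -> bool:
    """Weak check (constructed example of the CWE-434 pattern): the name only
    has to contain '.json' somewhere, so double extensions slip through."""
    if ".json" not in filename.lower():
        return False
    try:
        json.loads(content)
    except ValueError:
        return False
    return True


def hardened_is_json_upload(filename: str, content: bytes) -> bool:
    """Hardened check: only the last extension decides the type, every inner
    dotted segment is screened for executable extensions, the name is limited
    to a conservative character set, and the body must parse as JSON."""
    name = PurePosixPath(filename).name.lower()   # drop any directory part
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False                               # no extension, or a dotfile
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False                               # e.g. "x.json.php"
    if any(seg in DANGEROUS_EXTENSIONS for seg in parts[1:-1]):
        return False                               # e.g. "x.php.json"
    if not re.fullmatch(r"[a-z0-9_.-]+", name):
        return False                               # null bytes, spaces, etc.
    try:
        json.loads(content)
    except ValueError:
        return False
    return True
```

A stricter policy that allows exactly one dot in the name is simpler still and avoids maintaining a dangerous-extension list.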

Affected Systems

The affected product is Supreme Modules Lite, a plugin used in WordPress sites that employ Divi Theme, Extra Theme, or Divi Builder. All released versions up to and including 2.5.62 are impacted.

Risk and Exploitability

The flaw carries a CVSS score of 8.8, reflecting high severity, while the EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild. It is not listed in CISA's KEV catalog. The attack requires authenticated access at author level or higher and involves uploading a malicious file, such as a PHP script, to achieve remote code execution.

Generated by OpenCVE AI on April 22, 2026 at 15:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Supreme Modules Lite to the latest released version above 2.5.62.
  • If upgrading is not feasible, disable the plugin’s upload feature or restrict upload capability to the minimum necessary user roles.
  • Consider removing the Supreme Modules Lite plugin entirely or replacing it with a vetted alternative that implements proper file type validation.
  • Monitor server logs and file system changes for any unauthorized uploaded files or execution attempts.

Advisories

No advisories yet.

History

Fri, 16 Jan 2026 14:15:00 +0000

  Type: First Time appeared
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress

Thu, 15 Jan 2026 16:15:00 +0000

  Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 13:45:00 +0000

  Type: Description
  Values Removed: (none)
  Values Added: The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

  Type: Title
  Values Removed: (none)
  Values Added: Supreme Modules Lite <= 2.5.62 - Authenticated (Author+) Arbitrary File Upload via JSON Upload Bypass

  Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-434

  Type: References
  Values Removed: (none)
  Values Added: (none listed)

  Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:34.753Z

Reserved: 2025-11-12T12:49:25.016Z

Link: CVE-2025-13062

Vulnrichment

Updated: 2026-01-15T15:34:22.939Z

NVD

Status: Deferred

Published: 2026-01-15T14:16:25.710

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13062

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:45:20Z

Weaknesses