CVE-2025-13062: CWE-434 Unrestricted Upload of File with Dangerous Type in divisupreme Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder
The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation when detecting JSON files, which allows double-extension files to bypass sanitization while still being accepted as valid JSON files. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files to the affected site's server, which may make remote code execution possible.
AI Analysis
Technical Summary
CVE-2025-13062 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) in the Supreme Modules Lite plugin for WordPress, which integrates with Divi Theme, Extra Theme and Divi Builder. The root cause is insufficient validation of uploaded file types: the plugin fails to detect and block files with double extensions whose final extension is .json. Because a .json extension is treated as safe, an authenticated attacker with author-level or higher privileges can upload a file named like malicious.php.json that bypasses sanitization and, if the server handles it improperly, may be interpreted or executed. This can lead to remote code execution (RCE), compromising the confidentiality, integrity and availability of the affected website and potentially the underlying server.

All versions up to and including 2.5.62 are affected. The CVSS v3.1 base score is 8.8: network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity and availability (C:H/I:H/A:H).

Although no public exploits are currently known, the vulnerability poses a significant risk given the widespread use of Divi themes and the common presence of author-level users on WordPress sites. The vulnerability was reserved in November 2025 and published in January 2026. No official patches or mitigations have been linked yet, but the issue is recognized by Wordfence and the CVE database.
Potential Impact
For European organizations, this vulnerability poses a serious risk to websites running WordPress with the Supreme Modules Lite plugin and Divi-related themes. Successful exploitation can lead to remote code execution, allowing attackers to take full control of the web server, steal sensitive data, deface websites, or use the compromised server as a pivot point for further attacks within the corporate network. This can result in data breaches, service outages, reputational damage, and regulatory penalties under GDPR. Organizations with public-facing WordPress sites that grant author-level access are particularly exposed. The impact extends beyond the website itself, potentially affecting backend systems if the attacker escalates privileges or moves laterally. Given the high CVSS score and the common use of these themes in Europe, the threat is significant. The current lack of known exploits provides a window for proactive mitigation, but the low attack complexity and the author-level access required mean that insider threats and compromised accounts raise the risk.
Mitigation Recommendations
1. Immediately audit all WordPress sites for the presence of Supreme Modules Lite plugin versions up to 2.5.62 and Divi-related themes.
2. Restrict file upload permissions strictly to trusted users; reduce author-level privileges where possible.
3. Implement additional server-side file validation to detect and block files with double extensions or suspicious MIME types, not relying solely on client-side or plugin validation.
4. Use web application firewalls (WAFs) with custom rules to detect and block attempts to upload files with dangerous extensions or patterns.
5. Monitor logs for unusual file upload activity or execution of unexpected scripts.
6. Isolate WordPress environments from critical backend systems to limit lateral movement.
7. Apply vendor patches promptly once released; if no patch is available, consider disabling the vulnerable plugin or theme temporarily.
8. Educate site administrators on the risks of granting author-level access and enforce strong authentication mechanisms.
9. Regularly back up website data and configurations to enable rapid recovery in case of compromise.
10. Conduct penetration testing focused on file upload functionalities to identify residual risks.
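As an added example (not code from the plugin, Wordfence or the CVE record), the following Python places the final-extension-only check pattern described above beside a hardened server-side validator for a JSON-only upload endpoint, as recommendation 3 suggests; it goes a little beyond the double-extension case by also rejecting path components and bodies that do not parse as JSON. The executable-extension list, the base-name allowlist and the sample uploads are constructed assumptions.

```python
import json
import os
import re

# Inner extensions that a misconfigured web server may hand to an interpreter.
# Constructed, non-exhaustive list for this example; extend it to match your server's handlers.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "cgi", "pl", "py", "sh"}


def weak_is_json_upload(filename: str) -> bool:
    """The pattern the advisory describes: only the final extension is inspected,
    so a name like 'malicious.php.json' is accepted as a JSON file."""
    return filename.lower().endswith(".json")


def hardened_json_upload_check(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a JSON-only upload endpoint.

    Accepts only a bare file name with exactly one extension (.json), a conservative
    base-name character set, and a body that actually parses as JSON."""
    name = os.path.basename(filename.replace("\\", "/"))
    if name != filename:
        return False, "path components are not allowed"
    parts = name.lower().split(".")          # 'x.php.json' -> ['x', 'php', 'json']
    if len(parts) > 2:
        hidden = [p for p in parts[1:-1] if p in EXECUTABLE_EXTENSIONS]
        if hidden:
            # Worth logging distinctly: this is the double-extension pattern from the advisory.
            return False, f"double extension hides executable type: .{hidden[0]}"
        return False, "multiple extensions are not allowed"
    if len(parts) != 2 or parts[1] != "json":
        return False, "extension must be .json"
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return False, "unexpected characters in base name"
    try:
        json.loads(content.decode("utf-8"))   # the body must be JSON, not merely named .json
    except (UnicodeDecodeError, ValueError):
        return False, "body is not valid JSON"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads (name, body); none of these is real plugin data.
    samples = [
        ("layout.json", b'{"layout": "constructed sample"}'),
        ("malicious.php.json", b'{"layout": "constructed sample"}'),
        ("layout.json", b"<?php /* constructed non-JSON body */ ?>"),
        ("../layout.json", b"{}"),
    ]
    for name, body in samples:
        print(f"{name:22} weak={weak_is_json_upload(name)!s:5} hardened={hardened_json_upload_check(name, body)}")
```

The reason strings are deliberately distinct so that rejections can be logged and alerted on separately, which supports recommendation 5.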
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-12T12:49:25.016Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6968ec9a4c611209ad10ace0
Added to database: 1/15/2026, 1:33:14 PM
Last enriched: 1/15/2026, 1:48:09 PM
Last updated: 1/15/2026, 7:53:49 PM