Analysis Report Folder Analysis cache/supreme-modules-for-divi_2.5.62 → cache/supreme-modules-for-divi_2.5.63 - CVE-2025-13062

Shared security patch analysis results

AI Used: claude_cli haiku
CVE Security Analysis & Writeups

Comprehensive security analysis generated by AI for each confirmed CVE match; each writeup covers vulnerability background, technical details, patch analysis, and a PoC guide.

CVE-2025-13062
AI-Generated Analysis
includes/class-dsm-json-handler.php AI: 1 vulnerability, 1 false positive
--- cache/supreme-modules-for-divi_2.5.62/includes/class-dsm-json-handler.php	2026-01-16 00:19:58.135512128 +0000+++ cache/supreme-modules-for-divi_2.5.63/includes/class-dsm-json-handler.php	2026-01-16 00:20:24.413162455 +0000@@ -1,44 +1,49 @@ <?php // Prevent direct access to files if ( ! defined( 'ABSPATH' ) ) {-	exit;+    exit; }+ if ( ! class_exists( 'DSM_JSON_Handler' ) ) {-	class DSM_JSON_Handler {-		const MIME_TYPE = 'application/json';+    class DSM_JSON_Handler {+        const MIME_TYPE = 'application/json'; -		/**-		* add JSON to allowed file uploads.-		*-		* @since 2.0.5-		*/-		public function dsm_mime_types( $mimes ) {-			$mimes['json'] = 'application/json';-			return $mimes;-		}-		/**-		* add JSON to wp_check_filetype_and_ext.-		*-		* @since 2.0.5-		*/-		public function dsm_check_filetype_and_ext( $types, $file, $filename, $mimes ) {-			if ( false !== strpos( $filename, '.json' ) ) {-				$types['ext']  = 'json';-				$types['type'] = self::MIME_TYPE;-			}--			return $types;-		}--		/**-		 * DSM_JSON_Handler constructor.-		 *-		 * @param string $name-		 * @param array  $args-		 */-		public function __construct() {-			add_filter( 'upload_mimes', array( $this, 'dsm_mime_types' ) );-			add_filter( 'wp_check_filetype_and_ext', array( $this, 'dsm_check_filetype_and_ext' ), 10, 4 );-		}-	}-}+        /**+         * Add JSON to allowed file uploads.+         *+         * @since 2.0.5+         */+        public function dsm_mime_types( $mimes ) {+            $mimes['json'] = self::MIME_TYPE;+            return $mimes;+        }++        /**+         * (Optional) Correct filetype for .json files if WP cannot detect it.+         *+         * @since 2.0.5+         */+        public function dsm_check_filetype_and_ext( $types, $file, $filename, $mimes ) {+            // If WP already detected a valid type, do not override+            if ( ! empty( $types['ext'] ) && ! 
empty( $types['type'] ) ) {+                return $types;+            }++            // Only treat files that actually end with .json as JSON+            if ( preg_match( '/\.json$/i', $filename ) ) {+                $types['ext']  = 'json';+                $types['type'] = self::MIME_TYPE;+            }++            return $types;+        }++        /**+         * DSM_JSON_Handler constructor.+         */+        public function __construct() {+            add_filter( 'upload_mimes', array( $this, 'dsm_mime_types' ) );+            add_filter( 'wp_check_filetype_and_ext', array( $this, 'dsm_check_filetype_and_ext' ), 10, 4 );+        }+    }+}\ No newline at end of file
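Review bot: the fallback branch of `dsm_check_filetype_and_ext` still decides by filename alone. When WordPress has not detected a type and the name matches `/\.json$/i`, the hunk sets `$types['ext'] = 'json'` and `$types['type'] = self::MIME_TYPE` without inspecting `$file`, even though the temporary path is right there. Consider confirming the payload parses as JSON (`json_decode( file_get_contents( $file ) )` followed by a `json_last_error() === JSON_ERROR_NONE` check) before asserting the type, and leave `$types` untouched otherwise, so the extension-based decision is backed by a content check. The early return when `$types['ext']` and `$types['type']` are already populated is the right default, and switching `dsm_mime_types` to `self::MIME_TYPE` removes the duplicated literal. Nit: the new file ends without a trailing newline (`\ No newline at end of file`).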
AI Analysis
# Security Analysis Report

Vulnerability Existed: yes
FALSE POSITIVE
CWE-434 - Unrestricted Upload of File with Dangerous Type - includes/class-dsm-json-handler.php (Lines 26-31)

Old Code:
```php
if ( false !== strpos( $filename, '.json' ) ) {
    $types['ext']  = 'json';
    $types['type'] = self::MIME_TYPE;
}
```

Fixed Code:
```php
// If WP already detected a valid type, do not override
if ( ! empty( $types['ext'] ) && ! empty( $types['type'] ) ) {
    return $types;
}

// Only treat files that actually end with .json as JSON
if ( preg_match( '/\.json$/i', $filename ) ) {
    $types['ext']  = 'json';
    $types['type'] = self::MIME_TYPE;
}
```

Explanation:
The original code used `strpos()` to check for the substring '.json' anywhere in the filename (e.g., "shell.json.php" would match), enabling file type confusion attacks. The fix makes two security-relevant changes: (1) it respects WordPress's own filetype detection by returning early when an extension and type have already been determined, so the plugin no longer overrides that result; (2) it uses `preg_match()` with the anchored, case-insensitive pattern `/\.json$/i`, so only filenames that actually end in `.json` are treated as JSON, closing the substring-match bypass. Files with `.json` embedded before another extension are therefore no longer classified as JSON, while legitimate `.json` uploads continue to work.
CVE Analysis Results:
CVE-2025-13062: No
CVE Description:
The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
includes/class-dsm-supreme-modules-for-divi.php AI: No vulnerabilities
--- cache/supreme-modules-for-divi_2.5.62/includes/class-dsm-supreme-modules-for-divi.php	2026-01-16 00:19:58.135512128 +0000+++ cache/supreme-modules-for-divi_2.5.63/includes/class-dsm-supreme-modules-for-divi.php	2026-01-16 00:20:24.413162455 +0000@@ -82,7 +82,6 @@ 		$this->set_locale(); 		$this->define_admin_hooks(); 		$this->define_public_hooks();- 	}  	/**@@ -107,37 +106,36 @@ 		 * The class responsible for orchestrating the actions and filters of the 		 * core plugin. 		 */-		require_once plugin_dir_path( dirname( __FILE__ ) ) . 'includes/class-dsm-supreme-modules-for-divi-loader.php';+		require_once plugin_dir_path( __DIR__ ) . 'includes/class-dsm-supreme-modules-for-divi-loader.php';  		/** 		 * The class responsible for defining internationalization functionality 		 * of the plugin. 		 */-		require_once plugin_dir_path( dirname( __FILE__ ) ) . 'includes/class-dsm-supreme-modules-for-divi-i18n.php';+		require_once plugin_dir_path( __DIR__ ) . 'includes/class-dsm-supreme-modules-for-divi-i18n.php';  		/** 		 * The class responsible for defining all actions that occur in the admin area. 		 */-		require_once plugin_dir_path( dirname( __FILE__ ) ) . 'admin/class-dsm-supreme-modules-for-divi-admin.php';+		require_once plugin_dir_path( __DIR__ ) . 'admin/class-dsm-supreme-modules-for-divi-admin.php';  		/** 		 * The class responsible for defining all actions that occur in the public-facing 		 * side of the site. 		 */-		require_once plugin_dir_path( dirname( __FILE__ ) ) . 'public/class-dsm-supreme-modules-for-divi-public.php';+		require_once plugin_dir_path( __DIR__ ) . 'public/class-dsm-supreme-modules-for-divi-public.php';  		/** 		 * The class responsible for defining all actions that occur in Divi Supreme 		 * side of the site. 		 */-		require_once plugin_dir_path( dirname( __FILE__ ) ) . 'includes/class.settings-api.php';-		require_once plugin_dir_path( dirname( __FILE__ ) ) . 
'includes/class.page-settings.php';-		require_once plugin_dir_path( dirname( __FILE__ ) ) . 'includes/class-dsm-supreme-modules-for-divi-review.php';-		require_once plugin_dir_path( dirname( __FILE__ ) ) . 'includes/SupremeModulesLoader.php';-		require_once plugin_dir_path( dirname( __FILE__ ) ) . 'includes/class-dsm-json-handler.php';+		require_once plugin_dir_path( __DIR__ ) . 'includes/class.settings-api.php';+		require_once plugin_dir_path( __DIR__ ) . 'includes/class.page-settings.php';+		require_once plugin_dir_path( __DIR__ ) . 'includes/class-dsm-supreme-modules-for-divi-review.php';+		require_once plugin_dir_path( __DIR__ ) . 'includes/SupremeModulesLoader.php';+		require_once plugin_dir_path( __DIR__ ) . 'includes/class-dsm-json-handler.php';  		$this->loader = new Dsm_Supreme_Modules_For_Divi_Loader();- 	}  	/**@@ -177,11 +175,16 @@ 		add_filter( 'admin_footer_text', array( $this, 'dsm_admin_footer_text' ) ); 		add_action( 'admin_enqueue_scripts', array( $this, 'dsm_admin_load_enqueue' ) ); - 		// JSON Handler.-		if ( $this->settings_api->get_option( 'dsm_allow_mime_json_upload', 'dsm_settings_misc' ) === 'on' || $this->settings_api->get_option( 'dsm_allow_mime_json_upload', 'dsm_settings_misc' ) === '' ) {+		$allow_json_upload = $this->settings_api->get_option(+			'dsm_allow_mime_json_upload',+			'dsm_settings_misc'+		);++		if ( 'on' === $allow_json_upload || '' === $allow_json_upload ) { 			new DSM_JSON_Handler(); 		}+ 		// Plugin links 		add_filter( 'plugin_action_links_supreme-modules-for-divi/supreme-modules-for-divi.php', array( $this, 'dsm_plugin_action_links' ), 10, 5 ); 		add_filter( 'plugin_action_links', array( $this, 'dsm_add_action_plugin' ), 10, 5 );@@ -293,7 +296,6 @@  		$this->loader->add_action( 'wp_enqueue_scripts', $plugin_public, 'enqueue_styles' ); 		$this->loader->add_action( 'wp_enqueue_scripts', $plugin_public, 'enqueue_scripts' );- 	}  	/**@@ -448,7 +450,7 @@ 			$screen = get_current_screen();  			if ( is_object( $screen ) && 
'dsm_header_footer' == $screen->post_type ) {-				wp_enqueue_script( 'dsm-admin-js', plugins_url( 'admin/js/dsm-admin.js', dirname( __FILE__ ) ) );+				wp_enqueue_script( 'dsm-admin-js', plugins_url( 'admin/js/dsm-admin.js', __DIR__ ) ); 			} 		} 	}@@ -758,13 +760,19 @@ 			?> 			<div class="notice notice-info"> 				-				<p><?php /* Translators: %1$s: Permalink settings URL, %2$s: Divi options URL */-			_e( sprintf(-        'Notice: For first time user, please re-save your <a href="%1$s" target="_blank">Permalinks</a> again to flush the rewrite rules in order to view them in Visual Builder. This will only work for the Divi Theme. Once ElegantThemes updates their Template Hook on Extra Theme, this feature will also be available. Currently, only the footer and 404 template is available to you. Please create one template and assign it to the footer or 404. If you do not see Divi Builder here, remember to <a href="%2$s" target="_blank">Enable Divi Builder On Post Types</a> in the Divi Options.',-        esc_url( get_admin_url() . 'options-permalink.php' ),-        esc_url( get_admin_url() . 'admin.php?page=et_divi_options#wrap-builder' )-    ),-    'supreme-modules-for-divi'); ?></p>+				<p>+				<?php+				/* Translators: %1$s: Permalink settings URL, %2$s: Divi options URL */+				_e(+					sprintf(+						'Notice: For first time user, please re-save your <a href="%1$s" target="_blank">Permalinks</a> again to flush the rewrite rules in order to view them in Visual Builder. This will only work for the Divi Theme. Once ElegantThemes updates their Template Hook on Extra Theme, this feature will also be available. Currently, only the footer and 404 template is available to you. Please create one template and assign it to the footer or 404. If you do not see Divi Builder here, remember to <a href="%2$s" target="_blank">Enable Divi Builder On Post Types</a> in the Divi Options.',+						esc_url( get_admin_url() . 'options-permalink.php' ),+						esc_url( get_admin_url() . 
'admin.php?page=et_divi_options#wrap-builder' )+					),+					'supreme-modules-for-divi'+				);+				?>+	</p> 			</div> 			<?php 		}@@ -821,30 +829,26 @@ 	public function output_section( $output, $render_slug, $module ) { 		if ( 'et_pb_section' !== $render_slug ) { 			return $output;-		} else {-			if ( isset( $module->props['dsm_section_schedule_visibility'] ) && $module->props['dsm_section_schedule_visibility'] === 'on' ) {-				if ( is_array( $output ) ) {-					return $output;-				}+		} elseif ( isset( $module->props['dsm_section_schedule_visibility'] ) && $module->props['dsm_section_schedule_visibility'] === 'on' ) {+			if ( is_array( $output ) ) {+				return $output;+			}  				$dsm_section_schedule_visibility     = $module->props['dsm_section_schedule_visibility']; 				$dsm_section_schedule_show_hide      = $module->props['dsm_section_schedule_show_hide']; 				$dsm_section_schedule_after_datetime = $module->props['dsm_section_schedule_after_datetime']; 				$dsm_section_current_wp_date         = wp_date( 'Y-m-d H:i:s', null ); -				if ( $dsm_section_schedule_show_hide === 'start' ) {-					if ( $dsm_section_schedule_after_datetime >= $dsm_section_current_wp_date ) {-						return;-					} else {-						$output;-					}+			if ( $dsm_section_schedule_show_hide === 'start' ) {+				if ( $dsm_section_schedule_after_datetime >= $dsm_section_current_wp_date ) {+					return; 				} else {-					if ( $dsm_section_schedule_after_datetime <= $dsm_section_current_wp_date ) {-						return;-					} else {-						$output;-					}+					$output; 				}+			} elseif ( $dsm_section_schedule_after_datetime <= $dsm_section_current_wp_date ) {+					return;+			} else {+				$output; 			} 		} 		return $output;@@ -896,30 +900,26 @@ 	public function output_row( $output, $render_slug, $module ) { 		if ( 'et_pb_row' !== $render_slug ) { 			return $output;-		} else {-			if ( isset( $module->props['dsm_row_schedule_visibility'] ) && $module->props['dsm_row_schedule_visibility'] === 'on' ) {-				if ( 
is_array( $output ) ) {-					return $output;-				}+		} elseif ( isset( $module->props['dsm_row_schedule_visibility'] ) && $module->props['dsm_row_schedule_visibility'] === 'on' ) {+			if ( is_array( $output ) ) {+				return $output;+			}  				$dsm_row_schedule_visibility     = $module->props['dsm_row_schedule_visibility']; 				$dsm_row_schedule_show_hide      = $module->props['dsm_row_schedule_show_hide']; 				$dsm_row_schedule_after_datetime = $module->props['dsm_row_schedule_after_datetime']; 				$dsm_row_current_wp_date         = wp_date( 'Y-m-d H:i:s', null ); -				if ( $dsm_row_schedule_show_hide === 'start' ) {-					if ( $dsm_row_schedule_after_datetime >= $dsm_row_current_wp_date ) {-						return;-					} else {-						$output;-					}+			if ( $dsm_row_schedule_show_hide === 'start' ) {+				if ( $dsm_row_schedule_after_datetime >= $dsm_row_current_wp_date ) {+					return; 				} else {-					if ( $dsm_row_schedule_after_datetime <= $dsm_row_current_wp_date ) {-						return;-					} else {-						$output;-					}+					$output; 				}+			} elseif ( $dsm_row_schedule_after_datetime <= $dsm_row_current_wp_date ) {+					return;+			} else {+				$output; 			} 		} 		return $output;@@ -1257,24 +1257,24 @@ 		if ( class_exists( 'Caldera_Forms' ) ) { 			add_filter( 				'caldera_forms_render_field_file',-				function( $field_file, $field_type ) {+				function ( $field_file, $field_type ) { 					if ( 'dropdown' === $field_type ) {-						return dirname( __FILE__ ) . '/modules/CalderaForms/includes/dropdown/field.php';+						return __DIR__ . '/modules/CalderaForms/includes/dropdown/field.php'; 					} 					if ( 'button' === $field_type ) {-						return dirname( __FILE__ ) . '/modules/CalderaForms/includes/button/field.php';+						return __DIR__ . '/modules/CalderaForms/includes/button/field.php'; 					} 					if ( 'radio' === $field_type ) {-						return dirname( __FILE__ ) . '/modules/CalderaForms/includes/radio/field.php';+						return __DIR__ . 
'/modules/CalderaForms/includes/radio/field.php'; 					} 					if ( 'checkbox' === $field_type ) {-						return dirname( __FILE__ ) . '/modules/CalderaForms/includes/checkbox/field.php';+						return __DIR__ . '/modules/CalderaForms/includes/checkbox/field.php'; 					} 					if ( 'html' === $field_type ) {-						return dirname( __FILE__ ) . '/modules/CalderaForms/includes/html/field.php';+						return __DIR__ . '/modules/CalderaForms/includes/html/field.php'; 					} 					if ( 'advanced_file' === $field_type ) {-						return dirname( __FILE__ ) . '/modules/CalderaForms/includes/advanced_file/field.php';+						return __DIR__ . '/modules/CalderaForms/includes/advanced_file/field.php'; 					} 					return $field_file; 				},
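Review bot: in the `@@ -177,11 +175,16 @@` hunk the condition `'on' === $allow_json_upload || '' === $allow_json_upload` keeps the JSON upload handler active whenever `dsm_allow_mime_json_upload` has never been saved, so sites that have not visited the settings page get the feature enabled by default. If that default is intentional, a short comment beside the `''` branch saying so would help the next reader; if not, enabling only on an explicit `'on'` is the conservative choice. Extracting the repeated `get_option()` call into `$allow_json_upload` is a clear improvement.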
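Review bot: the `elseif` rewrite in `output_section` (`@@ -821,30 +829,26 @@`) and `output_row` (`@@ -896,30 +900,26 @@`) carries two oddities of the old code forward: the bare statement `$output;` is a no-op, and the bare `return;` hands `null` back to a filter whose callers expect the rendered string. Returning `''` for the hidden case and `$output` for the visible one would make the intent explicit and avoid a `null` reaching downstream string handling. Indentation is also off in both hunks: `+					return;` under the `elseif` sits one level deeper than its siblings.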
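Review bot: in the `@@ -758,13 +760,19 @@` hunk the notice is still emitted as `_e( sprintf( ... ), 'supreme-modules-for-divi' )`, so the string passed to the translation lookup already contains the interpolated URLs and will never match a catalog entry; the usual form is `printf( __( 'template with %1$s and %2$s', 'supreme-modules-for-divi' ), esc_url( ... ), esc_url( ... ) )`. Because the template carries `<a>` markup and `_e()` prints unescaped, wrapping the rendered string in `wp_kses_post()` (or `wp_kses()` with an explicit allow-list) would make the HTML escaping visible at the output point instead of relying on the `esc_url()` arguments alone. Nit: the closing `+	</p>` is indented with one tab where the surrounding markup uses four.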
AI Analysis
# Security Analysis of Code Diff

## Analysis Results

**Vulnerability Existed: no**

**Code Quality Improvements - No Security Vulnerabilities Found**

The diff contains refactoring and code quality improvements with no security vulnerabilities:

1. **dirname(__FILE__) → __DIR__** (Lines 109, 115, 121, 127, 133, 134, 135, 136, 137, 451, 1260, 1263, 1266, 1269, 1272, 1275)
   - Old Code: `plugin_dir_path( dirname( __FILE__ ) )`
   - Fixed Code: `plugin_dir_path( __DIR__ )`
   - Explanation: This is a modernization to PHP 5.3+ magic constant syntax. No security impact - both approaches are equally secure for file path handling.

2. **Variable extraction refactoring** (Lines 180-184)
   - Old Code: Inline condition with repeated function calls
   - Fixed Code: Extract the option value to a variable and use a Yoda condition
   - Explanation: This improves readability and maintainability but has no security impact. The Yoda condition (`'on' === $allow_json_upload`) is a style choice that does not affect behaviour.

3. **Code formatting and structure improvements** (Various lines)
   - Removal of blank lines, reformatting of multi-line statements, improved indentation
   - Explanation: Pure code style/readability improvements with no security implications.

4. **Control flow simplification** (Lines 829-856, 900-927)
   - Old Code: Nested `else { if }` chains
   - Fixed Code: `elseif` statements
   - Explanation: Logical restructuring for clarity but no functional or security changes.

**Conclusion:** This diff represents a refactoring commit focusing on code modernization and style consistency. No security vulnerabilities were introduced or fixed. All file inclusion methods remain equally secure, and no sensitive data handling or permission checks were modified.
CVE Analysis Results:
CVE-2025-13062: No
supreme-modules-for-divi.php AI: No vulnerabilities CVE-2025-13062
--- cache/supreme-modules-for-divi_2.5.62/supreme-modules-for-divi.php	2026-01-16 00:19:58.155513385 +0000+++ cache/supreme-modules-for-divi_2.5.63/supreme-modules-for-divi.php	2026-01-16 00:20:24.909193594 +0000@@ -3,7 +3,7 @@  * Plugin Name: Supreme Modules Lite - Divi Theme, Extra Theme and Divi Builder  * Plugin URI:  https://divisupreme.com/supreme-modules-lite-for-divi/  * Description: Divi Supreme enhances the experience and features found on Divi and extend with custom creative modules to help you build amazing websites.- * Version:     2.5.62+ * Version:     2.5.63  * Author:      Supreme Modules  * Author URI:  https://divisupreme.com/about/  * License:     GPL2@@ -34,7 +34,7 @@ }  if ( ! defined( 'DSM_VERSION' ) ) {-	define( 'DSM_VERSION', '2.5.62' );+	define( 'DSM_VERSION', '2.5.63' ); }  if ( ! defined( 'DSM_SHORTCODE' ) ) {
AI Analysis
Based on the provided diff for `supreme-modules-for-divi.php`, here is the security analysis:

**Analysis Result:**

Vulnerability Existed: no

No Security Vulnerabilities Detected

Explanation:
This diff contains only version number updates from 2.5.62 to 2.5.63 in two locations:
1. The plugin header metadata (line 6)
2. The DSM_VERSION constant definition (line 37)

These are routine version bumps: no code logic changes, no new dependencies, and no modifications to security-sensitive functionality. Version number updates alone neither introduce nor fix security vulnerabilities, so there is nothing detectable in this changed content itself; the actual fixes shipped in 2.5.63 are not visible in this file.

To properly analyze what security issues were fixed in version 2.5.63, you would need to review the full changelog or the actual code modifications beyond these version declarations.
CVE Analysis Results:
CVE-2025-13062: Yes