VYPR
Medium severity (NVD score 6.6) · Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2025-13070

Description

The CSV to SortTable WordPress plugin through 4.2 does not validate some shortcode attributes before using them to generate paths passed to include function(s), allowing any authenticated user, such as a contributor, to perform LFI attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users with contributor-level access can exploit unsanitized shortcode attributes in CSV to SortTable <=4.2 to perform local file inclusion.

The CSV to SortTable WordPress plugin through version 4.2 fails to validate shortcode attributes before using them to generate file paths that are passed to PHP include functions. This lack of sanitization allows an attacker to control the path argument, leading to a Local File Inclusion (LFI) vulnerability [1].

Any authenticated user with contributor-level privileges or higher can exploit this flaw. The attack vector involves crafting a malicious shortcode attribute that points to an arbitrary file on the server. Since the plugin does not restrict which files can be included, an attacker can read sensitive files like wp-config.php or other system files [1].

Successful exploitation allows an attacker to read arbitrary files on the server, potentially exposing database credentials, configuration files, or other sensitive data. This can lead to further compromise of the WordPress site and underlying server [1].

As of the publication date, no fix is available for this vulnerability. The plugin is closed-source or no longer maintained, leaving sites that still have it installed at risk. Users are advised to remove the plugin or apply strict access controls to mitigate the risk [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)