Platform: wordpress
Component: csv-to-sorttable
Fixed in: 4.2.1
CVE-2025-13070 is a high-severity vulnerability in the CSV to SortTable WordPress plugin. Authenticated users with the Contributor role or higher can abuse an unvalidated shortcode attribute, which the plugin uses as a file path, to perform Local File Inclusion (LFI). All versions up to and including 4.2 are affected; 4.2.1 is the release listed as fixing the issue.
The primary impact is unauthorized read access to files on the WordPress server. An attacker holding a Contributor account can use the LFI to pull configuration files, source code or other data that exposes database credentials, API keys or internal system details. If the attribute reaches an include() call, exploitation can escalate to remote code execution when the attacker can also place a file containing PHP on the server (for example through an upload) and include it. The blast radius covers every file the PHP process can read, which makes this a significant risk.
The vulnerability has been publicly disclosed and carries a CVSS score of 8.1 (High). No public proof-of-concept (PoC) had been released at the time of writing, and the EPSS score (0.08%, 24th percentile) is low, but LFI flaws need little skill to exploit once an account with the required role is available, so the likelihood of exploitation should be treated as moderate. It is not currently listed on CISA KEV. The authentication requirement narrows the pool of attackers to contributors and above (or to whoever compromises such an account), while the popularity of WordPress and of the plugin widens the number of exposed sites.
Sites running the CSV to SortTable plugin are at risk, especially those that grant the Contributor role (or higher) to many or untrusted users, since that role is enough to place the shortcode in a post. Shared hosting environments are at additional risk where the PHP process serving one site can read the files of others, because a compromise of one site can then expose its neighbours.
• wordpress: locate the file-inclusion calls in the installed plugin for review:
  grep -rnE '(^|[^A-Za-z0-9_])(include|require)(_once)?[[:space:]]*\(' /var/www/html/wp-content/plugins/csv-to-sorttable/
• wordpress: check the installed and available versions (wp plugin list does not accept --status=all):
  wp plugin list --name=csv-to-sorttable --fields=name,status,version,update_version
• wordpress: update the plugin:
  wp plugin update csv-to-sorttable
• generic web: check the WordPress plugin directory for updated versions and security advisories.
Disclosure
Exploit status
EPSS: 0.08% (24th percentile)
CVSS vector
The immediate mitigation for CVE-2025-13070 is to upgrade the CSV to SortTable WordPress plugin to 4.2.1 or later, the release listed as fixing the issue. If upgrading is not immediately feasible because of compatibility issues or breaking changes, deactivate the plugin or restrict who may publish content containing its shortcode until you can, and add a Web Application Firewall (WAF) rule that blocks obvious file-inclusion attempts. Note that filtering only the traversal sequence ../ out of the file shortcode attribute is incomplete: in a typical LFI, absolute paths and stream wrappers such as php://filter reach the vulnerable call just as well, so the robust fix is to resolve the supplied path and allow only files beneath a fixed directory. Monitor WordPress and web-server logs for unusual file-access patterns that might indicate exploitation.
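The allow-list approach described above, as an added example written for this page; it is not code from the CSV to SortTable plugin or its developers. It assumes a shortcode attribute named src and a fixed base directory, and the function names are placeholders. The weak variant shows why stripping ../ alone is insufficient; the hardened variant canonicalises the path with realpath(), checks that the result stays inside the base directory, and reads the CSV as data instead of including it. Requires PHP 7.4 or later.

```php
<?php
// Added example, not code from the CSV to SortTable plugin: a shortcode
// handler that turns a "src" attribute into a file path. The weak variant
// hands the attribute to include(); the hardened variant canonicalises the
// path and refuses anything outside an allow-listed directory. The function
// names, the attribute name "src" and the base directory are assumptions made
// for this illustration.

// WEAK: the attribute value reaches include() unchanged. A Contributor who can
// place the shortcode in a post can pass "../../../../wp-config.php", an
// absolute path, or a stream wrapper such as php://filter/..., and a WAF rule
// that only strips "../" does not stop the last two.
function csv_sorttable_render_weak(array $atts): string
{
    $path = $atts['src'] ?? '';
    ob_start();
    include $path;                     // Local File Inclusion
    return (string) ob_get_clean();
}

// HARDENED: return the canonical path only if it lies inside $baseDir, exists
// as a regular file and ends in .csv; otherwise return null.
function csv_sorttable_resolve(string $src, string $baseDir): ?string
{
    // Reject empty values, NUL bytes and scheme prefixes (php:, data:, file:,
    // http:) before touching the filesystem.
    if ($src === '' || strpos($src, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.-]*:#i', $src) === 1) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks, so the containment test
    // below sees the real target rather than the attacker's spelling of it.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $src);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                   // escaped the base directory
    }
    if (strtolower(pathinfo($candidate, PATHINFO_EXTENSION)) !== 'csv') {
        return null;
    }
    return $candidate;
}

// Parse the CSV as data and emit an HTML table. Inside WordPress the cell text
// would go through esc_html(); htmlspecialchars() is used so this file runs
// outside WordPress.
function csv_sorttable_render_hardened(array $atts, string $baseDir): string
{
    $path = csv_sorttable_resolve($atts['src'] ?? '', $baseDir);
    if ($path === null) {
        return '';                     // fail closed: render nothing
    }
    $html = '<table class="sortable">';
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $cells = array_map(
            static fn(string $c): string => htmlspecialchars($c, ENT_QUOTES, 'UTF-8'),
            str_getcsv($line, ',', '"', '\\')
        );
        $html .= '<tr><td>' . implode('</td><td>', $cells) . '</td></tr>';
    }
    return $html . '</table>';
}

// Stand-alone check against a constructed fixture directory (not site data).
$fixture = sys_get_temp_dir() . '/csv_sorttable_demo_' . getmypid();
mkdir($fixture . '/data', 0700, true);
file_put_contents($fixture . '/data/scores.csv', "name,score\nalice,10\nbob,7\n");
file_put_contents($fixture . '/secret.txt', "placeholder secret\n");

$probes = [
    'scores.csv',                                              // allowed
    '../secret.txt',                                           // traversal
    '/etc/passwd',                                             // absolute path
    'php://filter/convert.base64-encode/resource=scores.csv',  // wrapper
    "scores.csv\0.txt",                                        // NUL byte
];
foreach ($probes as $src) {
    $resolved = csv_sorttable_resolve($src, $fixture . '/data');
    printf("%-60s -> %s\n", addcslashes($src, "\0"), $resolved === null ? 'REJECTED' : 'allowed');
}
echo csv_sorttable_render_hardened(['src' => 'scores.csv'], $fixture . '/data'), "\n";

unlink($fixture . '/data/scores.csv'); unlink($fixture . '/secret.txt');
rmdir($fixture . '/data'); rmdir($fixture);
```

Run with `php example.php`; only the first probe is accepted. The containment check compares the canonical path against the canonical base plus a separator, so a sibling directory whose name merely starts with the base name (data-old next to data) is also rejected.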
Where the 4.2.1 release is not yet available to you, review the vulnerability details thoroughly and apply protective measures in line with your organisation's risk appetite. Uninstalling the affected plugin and switching to an alternative may be the safest option.
CVE-2025-13070 is a high-severity vulnerability in the CSV to SortTable WordPress plugin that lets authenticated users with the Contributor role or higher read arbitrary files via Local File Inclusion (LFI).
You are affected if you run the CSV to SortTable WordPress plugin in any version up to and including 4.2 (anything older than 4.2.1).
Upgrade the CSV to SortTable WordPress plugin to 4.2.1 or later, the release listed as containing the fix, and confirm the version against the plugin's changelog in the WordPress plugin directory.
No active exploitation has been confirmed and the EPSS score is low, but the little effort needed to exploit an LFI from a Contributor account makes exploitation a realistic risk on sites that grant that role to untrusted users.
Check the plugin developer's website and the WordPress plugin directory for the official advisory.