Platform: wordpress
Component: csv-to-sorttable
Fixed in: 4.2.1
CVE-2025-13070 is a high-severity vulnerability in the CSV to SortTable WordPress plugin. An authenticated user with as little as Contributor-level access can supply an unvalidated shortcode attribute that the plugin uses as a file path, resulting in Local File Inclusion (LFI). Contributors can write and preview post content but cannot upload files or publish, so the shortcode attribute is the only input they control, and it has to be validated server-side. All versions up to and including 4.2 are affected; the fix is in 4.2.1.
The LFI allows an authenticated user to read arbitrary files that the web server process can access. On a WordPress host the obvious target is wp-config.php, which holds the database credentials and authentication salts; other configuration files and application source code are also exposed. With those secrets an attacker can move from file disclosure to database access, session forgery and, depending on the hosting setup, full server compromise. Given how widely WordPress is deployed, an unpatched plugin with this bug is an attractive target.
CVE-2025-13070 was publicly disclosed on 2025-12-09. A public proof of concept is not yet widely available, and the EPSS score of 0.08% (24th percentile) reflects a low predicted probability of exploitation in the near term. That said, LFI through a shortcode attribute is trivial to exploit once the attribute is known, and WordPress plugins are routinely targeted by automated campaigns, so the low score should not be read as "safe to defer". The vulnerability is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.08% (24th percentile)
CVSS Vector
The primary mitigation for CVE-2025-13070 is to upgrade CSV to SortTable to 4.2.1 or later. If you cannot upgrade immediately, deactivating or uninstalling the plugin removes the vulnerable shortcode handler entirely; the table markup it renders is lost until the plugin is restored. Short of that, review and reduce the set of accounts with Contributor access or higher, since the attack requires an authenticated author. Web Application Firewall rules for LFI (directory traversal sequences, absolute paths, php:// and similar wrappers) add a layer of defense, but note that the payload travels in post content submitted to wp-admin or the REST API, not in a GET parameter, so the rules must inspect request bodies. Finally, audit stored post content and revisions for shortcodes whose path attribute points outside the expected CSV directory: the malicious shortcode lives in the database and will not appear in web server access logs as a file request.
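The following is an added illustration of the bug class behind CVE-2025-13070 and of the two mitigations above (a hardened path resolver, and an audit of stored post content). It is not the plugin's code: the shortcode tag `csv_table`, the attribute `src`, the upload directory and the sample posts are all hypothetical stand-ins, and Python here models logic the plugin would carry in PHP.

```python
# Added example for CVE-2025-13070 (not the plugin's code). The shortcode tag
# "csv_table", the attribute "src", DEFAULT_BASE and SAMPLE_POSTS are
# hypothetical; Python stands in for the plugin's PHP.
import os
import re

ALLOWED_EXT = {".csv"}
DEFAULT_BASE = "/srv/wp/wp-content/uploads/csv"  # hypothetical CSV directory


def resolve_unsafe(base_dir, src):
    """Vulnerable pattern: trust the attribute and build a path from it.

    os.path.join (like naive string concatenation in PHP) keeps '..' segments,
    and it discards base_dir entirely when src is absolute, so any file the
    web server can read is selectable.
    """
    return os.path.join(base_dir, src)


def resolve_safe(base_dir, src):
    """Hardened resolver: canonicalize, enforce containment, allowlist extension.

    Raises ValueError for anything that leaves base_dir or is not a .csv file.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, src))
    # commonpath, not startswith: "/srv/.../csv_evil" starts with
    # "/srv/.../csv" but is not inside it. realpath also collapses symlinks,
    # so a link planted inside the directory cannot point outside it.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the CSV directory")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        raise ValueError("only .csv files may be loaded")
    return candidate


# Hypothetical shortcode syntax: [csv_table src="report.csv" sort="asc"]
SHORTCODE_RE = re.compile(r"\[csv_table\b(?P<attrs>[^\]]*)\]")
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")


def parse_attrs(attr_text):
    """Parse shortcode attributes in WordPress style: key="v", key='v', key=v."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        key, *values = m.groups()
        attrs[key] = next(v for v in values if v is not None)
    return attrs


def audit_posts(posts, base_dir=DEFAULT_BASE, path_attr="src"):
    """Scan stored post content for shortcodes whose path attribute fails the
    hardened check. Returns [(post_id, attribute value, reason)].

    This is the review a site owner runs after upgrading: a malicious
    contributor's shortcode is still sitting in the database.
    """
    findings = []
    for post_id, content in posts:
        for sc in SHORTCODE_RE.finditer(content):
            src = parse_attrs(sc.group("attrs")).get(path_attr)
            if src is None:
                continue
            try:
                resolve_safe(base_dir, src)
            except ValueError as err:
                findings.append((post_id, src, str(err)))
    return findings


# Constructed sample post content (not real site data).
SAMPLE_POSTS = [
    (101, 'Quarterly numbers: [csv_table src="reports/q3.csv" sort="asc"]'),
    (102, "Harmless text with no shortcode."),
    (103, "[csv_table src='../../wp-config.php']"),
    (104, '[csv_table src="/etc/passwd"]'),
    (105, '[csv_table src="notes.txt"]'),
]

if __name__ == "__main__":
    print("unsafe join of an absolute src:", resolve_unsafe(DEFAULT_BASE, "/etc/passwd"))
    for post_id, value, reason in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: src={value!r} -> {reason}")
```

Post 101 passes both checks, 103 and 104 are rejected for leaving the directory (the absolute path shows why the naive join is dangerous), and 105 is rejected by the extension allowlist. The containment test uses `commonpath` rather than a string prefix so that a sibling directory with a shared prefix is not accepted.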
CVE-2025-13070 is a high-severity vulnerability in the CSV to SortTable WordPress plugin that lets authenticated users with Contributor-level access or higher read arbitrary files via Local File Inclusion (LFI) through an unvalidated shortcode attribute.
You are affected if you run the CSV to SortTable WordPress plugin at any version up to and including 4.2.
Upgrade the CSV to SortTable WordPress plugin to 4.2.1 or later. If you cannot upgrade immediately, deactivate the plugin and review Contributor-and-above accounts.
No active exploitation has been confirmed and the EPSS score (0.08%, 24th percentile) is low, but LFI through a shortcode attribute is simple to exploit once the attribute is known, so treat the upgrade as urgent.
Check the plugin's changelog in the WordPress plugin directory and the developer's website for the official advisory.