CVE-2025-12960: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in iworks Simple CSV Table
The Simple CSV Table plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the `href` parameter in the `[csv]` shortcode. This is due to insufficient path validation before concatenating user-supplied input to a base directory path. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.
AI Analysis
Technical Summary
CVE-2025-12960 is a path traversal vulnerability classified under CWE-22 affecting the Simple CSV Table plugin for WordPress, versions up to and including 1.0.1. The vulnerability arises because the plugin fails to properly validate the 'href' parameter used in the [csv] shortcode before concatenating it with a base directory path. This improper limitation allows an authenticated attacker with Contributor-level privileges or higher to manipulate the path and access arbitrary files on the web server. Such files may include sensitive configuration files like wp-config.php, which contain database credentials and authentication keys, potentially leading to further compromise. The vulnerability does not require user interaction but does require authentication, which limits the attack surface to users with some level of content editing permissions. The CVSS 3.1 score of 6.5 reflects a medium severity, with high confidentiality impact but no impact on integrity or availability. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin is widely used in WordPress environments, making this a relevant threat for many websites relying on it for CSV table display functionality.
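The summary above describes the missing step: canonicalising the user-supplied `href` and confirming the result still lies inside the intended base directory before reading it. The following PHP is an added illustration of that check, not code from the Simple CSV Table plugin; the function name `scsv_safe_csv_path`, the `uploads/csv` directory and the rendering stub are assumptions, while `add_shortcode`, `shortcode_atts`, `WP_CONTENT_DIR` and `esc_html` are real WordPress APIs.

```php
<?php
// Added example, not code from the Simple CSV Table plugin: resolving a
// shortcode-supplied `href` against a fixed base directory without allowing
// traversal. Function and directory names are hypothetical.

/**
 * Return the absolute path of $href inside $base_dir, or null if the
 * canonicalised path escapes $base_dir, does not exist, or is not a .csv file.
 */
function scsv_safe_csv_path(string $base_dir, string $href): ?string
{
    // realpath() throws on embedded NUL bytes in PHP 8, so reject them first.
    if ($href === '' || strpos($href, "\0") !== false) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null; // the base directory must exist
    }
    // realpath() collapses '.' and '..' segments and resolves symlinks, so the
    // containment check is made on the real target, not on the raw string.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $href);
    if ($candidate === false) {
        return null; // target does not exist (or is unreadable)
    }
    // Compare against the base *with* a trailing separator so that a sibling
    // directory whose name merely starts with the base name is not accepted.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Allow-list the only file type the shortcode is meant to render.
    if (strtolower(pathinfo($candidate, PATHINFO_EXTENSION)) !== 'csv') {
        return null;
    }
    return $candidate;
}

// Illustrative shortcode handler using the helper; the directory layout
// below is an assumption.
add_shortcode('csv', function ($atts) {
    $atts = shortcode_atts(['href' => ''], $atts, 'csv');
    $path = scsv_safe_csv_path(WP_CONTENT_DIR . '/uploads/csv', $atts['href']);
    if ($path === null) {
        return ''; // refuse; log the rejected value if the site keeps an audit trail
    }
    return esc_html(file_get_contents($path)); // real code would render a table
});
```

Rejected lookups are a useful detection signal: logging the rejected `href` value together with the author's user ID gives the log monitoring recommended below something concrete to alert on.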
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive server-side information, including database credentials and authentication keys, which can lead to further compromise of the website and backend systems. Organizations with WordPress sites that use the Simple CSV Table plugin and allow contributors or higher-level users to add or edit content are particularly vulnerable. The exposure of sensitive data can result in data breaches, loss of customer trust, regulatory non-compliance (e.g., GDPR), and potential financial penalties. Since WordPress is widely used across Europe for business and governmental websites, the impact can be significant, especially for sectors that handle sensitive or personal data. The vulnerability could also be leveraged as a foothold for more advanced attacks, including privilege escalation and lateral movement within the network.
Mitigation Recommendations
1. Immediately audit WordPress sites to identify installations of the Simple CSV Table plugin and verify the version in use.
2. Restrict Contributor-level and higher privileges to trusted users only, minimizing the number of users who can exploit this vulnerability.
3. Until a patch is released, consider disabling or uninstalling the Simple CSV Table plugin to eliminate the attack vector.
4. Implement web application firewall (WAF) rules to detect and block attempts to exploit directory traversal patterns in the 'href' parameter of the [csv] shortcode.
5. Monitor logs for suspicious access patterns or attempts to read sensitive files.
6. Educate content contributors about the risks of uploading or linking to untrusted files or paths.
7. Once a patch becomes available, apply it promptly and verify the fix.
8. Apply the principle of least privilege to file system permissions so that the web server account can read only what it needs, limiting the impact of any file disclosure.
9. Regularly back up website data and configurations to enable recovery in case of compromise.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-10T16:42:32.877Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693bd715406b3dd4e013825b
Added to database: 12/12/2025, 8:49:25 AM
Last enriched: 12/12/2025, 8:49:41 AM
Last updated: 12/12/2025, 10:53:17 AM
Views: 6