
CVE-2025-12960: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in iworks Simple CSV Table

Severity: Medium
Tags: CVE-2025-12960, CWE-22
Published: Fri Dec 12 2025 (12/12/2025, 08:20:03 UTC)
Source: CVE Database V5
Vendor/Project: iworks
Product: Simple CSV Table

Description

The Simple CSV Table plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the `href` parameter in the `[csv]` shortcode. This is due to insufficient path validation before concatenating user-supplied input to a base directory path. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.

AI-Powered Analysis

AI analysis last updated: 12/19/2025, 09:36:50 UTC

Technical Analysis

CVE-2025-12960 is a path traversal vulnerability classified under CWE-22 affecting the Simple CSV Table plugin for WordPress, specifically all versions up to and including 1.0.1. The vulnerability arises because the plugin fails to properly validate the 'href' parameter passed within the [csv] shortcode before concatenating it with a base directory path. This improper limitation allows an authenticated attacker with Contributor-level or higher privileges to manipulate the parameter to traverse directories and access arbitrary files on the server filesystem. Since WordPress Contributor roles can upload and manage content but not install plugins or themes, this level of access is relatively common in multi-user environments. The attacker can thus read sensitive files such as configuration files containing database credentials, authentication keys, or other critical information, compromising confidentiality. The CVSS v3.1 score is 6.5 (medium severity), reflecting network attack vector, low attack complexity, required privileges (low), no user interaction, and high confidentiality impact but no integrity or availability impact. No known exploits have been reported in the wild yet. The vulnerability affects all versions of the plugin up to 1.0.1, and no official patches are currently linked, indicating the need for immediate mitigation steps by administrators. The flaw is exploitable remotely over the network once authenticated, making it a significant risk for WordPress sites using this plugin.
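The weakness described above is the classic "base directory + user input" concatenation. The following PHP is an added illustration, not code from the Simple CSV Table plugin: it shows that unsafe pattern next to a hardened resolver that canonicalises the result and refuses anything outside the base directory. `$base_dir`, the function names and the shortcode-handler usage in the trailing comment are assumptions.

```php
<?php
// Added illustration, not the plugin's own code: the unsafe pattern the advisory
// describes, beside a hardened resolver. $base_dir and the attribute handling
// in the usage comment are assumptions.

// Unsafe: user-controlled `href` is concatenated straight onto the base path,
// so a value with "../" segments escapes the intended directory.
function csv_path_unsafe( $base_dir, $href ) {
    return $base_dir . '/' . $href;
}

// Hardened: canonicalise the final path and require it to stay inside $base_dir.
// Returns the canonical path, or null if the request must be refused.
function csv_path_safe( $base_dir, $href ) {
    if ( ! is_string( $href ) || $href === '' || strpos( $href, "\0" ) !== false ) {
        return null; // empty or null-byte-containing input
    }
    // Reject schemes/drive letters (http:, C:), absolute paths and ".." segments.
    if ( preg_match( '#^[a-z][a-z0-9+.-]*:#i', $href ) || $href[0] === '/' || $href[0] === '\\'
        || preg_match( '#(^|[\\\\/])\.\.([\\\\/]|$)#', $href ) ) {
        return null;
    }
    // WordPress core offers validate_file(): 0 means the relative path passed its checks.
    if ( function_exists( 'validate_file' ) && validate_file( $href ) !== 0 ) {
        return null;
    }
    // The shortcode is only meant to render CSV files.
    if ( strtolower( pathinfo( $href, PATHINFO_EXTENSION ) ) !== 'csv' ) {
        return null;
    }
    $root = realpath( $base_dir );
    $full = ( $root === false ) ? false : realpath( $root . DIRECTORY_SEPARATOR . $href );
    if ( $root === false || $full === false ) {
        return null; // base directory missing or file does not exist
    }
    // realpath() resolves symlinks, so the prefix test is on the real location.
    $prefix = rtrim( $root, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $full, $prefix, strlen( $prefix ) ) !== 0 ) {
        return null; // resolved outside the base directory
    }
    return $full;
}

// In the shortcode handler, a null result must produce an error, not a file read:
//   $path = csv_path_safe( $base_dir, $atts['href'] );
//   if ( $path === null ) { return '<p>Invalid CSV path.</p>'; }
//   $rows = array_map( 'str_getcsv', file( $path, FILE_IGNORE_NEW_LINES ) );
```

The prefix comparison is done on the realpath() output rather than on the raw string, so symlinks inside the base directory that point elsewhere are also rejected.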

Potential Impact

For European organizations, this vulnerability presents a substantial risk to the confidentiality of sensitive data hosted on WordPress sites using the Simple CSV Table plugin. Attackers with Contributor-level access can exfiltrate critical configuration files, potentially leading to further compromise such as database breaches or unauthorized access to other systems. Organizations in sectors such as finance, healthcare, government, and e-commerce, which often rely on WordPress for content management, could face data leakage, regulatory non-compliance (e.g., GDPR violations), and reputational damage. The ease of exploitation combined with the commonality of Contributor roles in collaborative environments increases the attack surface. Since the vulnerability does not affect integrity or availability directly, the immediate impact is data exposure rather than service disruption. However, leaked credentials could facilitate subsequent attacks with broader impact. The lack of known exploits in the wild provides a window for proactive defense, but the risk remains significant due to the widespread use of WordPress and the plugin.

Mitigation Recommendations

European organizations should implement the following specific mitigations:
1) Immediately audit WordPress sites to identify installations of the Simple CSV Table plugin and verify the version;
2) Restrict Contributor-level privileges to trusted users only, minimizing the number of accounts that can exploit this vulnerability;
3) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious path traversal patterns in the 'href' parameter of the [csv] shortcode;
4) Monitor server and WordPress logs for unusual file access patterns indicative of directory traversal attempts;
5) Disable or remove the plugin if it is not essential to reduce the attack surface;
6) Apply strict input validation or sanitization on parameters if custom modifications are possible;
7) Stay alert for official patches or updates from the vendor and apply them promptly once released;
8) Consider isolating WordPress instances in segmented network zones to limit lateral movement if compromise occurs;
9) Educate content contributors about the risks of privilege misuse and enforce strong authentication controls to prevent account compromise.
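Because the vulnerable input lives in post content rather than in a request URL, steps 1, 3 and 4 above are best complemented by scanning stored posts (and revisions) for [csv] shortcodes whose href is not a plain relative CSV name. The helper below is an added example, not the plugin's or WordPress core's code; the shortcode syntax follows the advisory, while the attribute-quoting rules and the sample content are assumptions.

```php
<?php
// Added audit helper (not the plugin's or WordPress's own code): scans stored
// post content for [csv] shortcodes whose href looks like a traversal attempt.
// Attribute quoting rules and the sample content below are assumptions.

function find_suspicious_csv_shortcodes( $content ) {
    $findings = array();
    if ( ! preg_match_all( '/\[csv\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER ) ) {
        return $findings;
    }
    foreach ( $tags as $tag ) {
        // href="...", href='...' or an unquoted value up to whitespace or "]".
        if ( ! preg_match( '/\bhref\s*=\s*(["\']?)([^"\'\s\]]*)\1/i', $tag[1], $m ) ) {
            continue;
        }
        $raw  = $m[2];
        // Decode twice so %2e%2e and %252e%252e are both normalised before checking.
        $href = rawurldecode( rawurldecode( $raw ) );
        $reason = null;
        if ( strpos( $href, "\0" ) !== false ) {
            $reason = 'null byte';
        } elseif ( preg_match( '#(^|[\\\\/])\.\.([\\\\/]|$)#', $href ) ) {
            $reason = 'parent-directory segment';
        } elseif ( $href !== '' && ( $href[0] === '/' || $href[0] === '\\' ) ) {
            $reason = 'absolute path';
        } elseif ( preg_match( '#^[a-z][a-z0-9+.-]*:#i', $href ) ) {
            $reason = 'scheme or drive prefix';
        } elseif ( strtolower( pathinfo( $href, PATHINFO_EXTENSION ) ) !== 'csv' ) {
            $reason = 'non-CSV target';
        }
        if ( $reason !== null ) {
            $findings[] = array( 'shortcode' => $tag[0], 'href' => $raw, 'reason' => $reason );
        }
    }
    return $findings;
}

// Constructed sample: one benign use and one that must be flagged.
$sample = "[csv href=\"reports/q3.csv\"]\n[csv href='..%2F..%2Fsecret-config.php']";
foreach ( find_suspicious_csv_shortcodes( $sample ) as $f ) {
    printf( "FLAG %s -> %s (%s)\n", $f['shortcode'], $f['href'], $f['reason'] );
}
```

Run it over each post's post_content, including revisions and drafts, since a Contributor's pending post is stored before any editor reviews it; the same predicate can be reused as a WAF or save-time rule for step 3.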


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-10T16:42:32.877Z
CVSS Version: 3.1
State: PUBLISHED

Added to database: 12/12/2025, 8:49:25 AM

Last enriched: 12/19/2025, 9:36:50 AM

Last updated: 2/7/2026, 11:08:35 AM