
CVE-2025-13070: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in CSV to SortTable

Unknown
Tags: Vulnerability, CVE-2025-13070, cve, cve-2025-13070, cwe-22
Published: Tue Dec 09 2025 (12/09/2025, 06:00:08 UTC)
Source: CVE Database V5
Product: CSV to SortTable

Description

The CSV to SortTable WordPress plugin through 4.2 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as contributor to perform LFI attacks.

AI-Powered Analysis

Last updated: 12/09/2025, 06:11:14 UTC

Technical Analysis

CVE-2025-13070 is a path traversal vulnerability classified under CWE-22 found in the CSV to SortTable WordPress plugin versions through 4.2. The issue arises because the plugin does not properly validate certain shortcode attributes before using them to construct file paths passed to PHP include functions. This improper validation allows authenticated users with contributor-level access to manipulate these attributes to include arbitrary files from the server’s filesystem, leading to Local File Inclusion (LFI) attacks. LFI can enable attackers to read sensitive files such as configuration files, password stores, or other critical data, potentially escalating privileges or facilitating further attacks. The vulnerability requires the attacker to be authenticated, but contributor privileges are relatively low-level and commonly granted in WordPress environments, increasing the risk. No public exploits have been reported yet, but the vulnerability is published and known. The plugin is used in WordPress sites to convert CSV data into sortable tables, a common feature in many websites, increasing the attack surface. The lack of a patch link suggests that a fix may not yet be available, emphasizing the need for immediate mitigation steps. The vulnerability impacts confidentiality and integrity primarily, with potential indirect availability impacts if further exploitation occurs. The absence of a CVSS score necessitates an expert severity assessment based on these factors.

Potential Impact

For European organizations, this vulnerability poses a significant risk especially to those relying on WordPress sites with the CSV to SortTable plugin installed. Unauthorized file access can lead to exposure of sensitive business data, user credentials, or internal configuration details, potentially resulting in data breaches or compliance violations under GDPR. Attackers with contributor-level access can exploit this vulnerability to escalate privileges or move laterally within the network. Organizations in sectors such as finance, healthcare, government, and e-commerce, which often use WordPress for public-facing or internal portals, are at heightened risk. The impact extends to reputational damage and potential regulatory penalties if personal data is exposed. Since the vulnerability requires authentication but only low-level privileges, insider threats or compromised contributor accounts increase the risk. The lack of a patch means organizations must rely on compensating controls until an update is available. The threat is particularly relevant in Europe due to the widespread use of WordPress and the plugin’s popularity among European web developers and content managers.

Mitigation Recommendations

1. Immediately audit WordPress sites to identify installations of the CSV to SortTable plugin and verify the version in use.
2. Restrict contributor-level user accounts and review user permissions to ensure only trusted users have such access.
3. Implement strict input validation and sanitization on shortcode attributes if custom modifications are possible.
4. Disable or remove the CSV to SortTable plugin temporarily if patching is not yet available.
5. Monitor web server logs for unusual file inclusion attempts or suspicious shortcode usage patterns.
6. Employ Web Application Firewalls (WAFs) with rules targeting path traversal and LFI patterns to block exploitation attempts.
7. Educate content managers and contributors about the risks of this vulnerability and the importance of secure practices.
8. Stay updated with vendor advisories for patches or updates addressing this vulnerability and apply them promptly once released.
9. Conduct regular security assessments and penetration testing focusing on WordPress plugins and user privilege abuse.
10. Consider implementing file integrity monitoring to detect unauthorized changes or access to critical files.
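The Technical Analysis above describes the defect shape (a shortcode attribute flowing unvalidated into a path handed to a PHP include), and mitigation step 3 asks for strict validation of shortcode attributes. The following PHP is an added illustration of that hardening, written for this page; it is not the CSV to SortTable plugin's code, and the `SORTTABLE_CSV_DIR` constant, the `sorttable` shortcode name and the function names are assumptions. It contrasts the unsafe include pattern with a handler that allowlists the file name, canonicalises the path with `realpath()`, confirms containment in a fixed directory, and reads the CSV as data rather than including it as PHP.

```php
<?php
// Added example, not the plugin's code. Assumed base directory for CSV
// files; the real plugin's layout is not given in the advisory.
const SORTTABLE_CSV_DIR = __DIR__ . '/csv';

// Unsafe pattern (the CWE-22 shape the advisory describes), kept only for
// contrast: the attribute value becomes part of a path passed to include(),
// so "../" segments or absolute paths reach files outside the intended
// directory, and any PHP in the target file is executed.
function sorttable_unsafe_render(array $atts): string {
    $path = SORTTABLE_CSV_DIR . '/' . ($atts['file'] ?? '');
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Hardened resolution: returns the canonical path of an allowlisted CSV
// inside SORTTABLE_CSV_DIR, or null for anything else.
function sorttable_resolve_csv(string $requested): ?string {
    // 1. Accept only a bare "name.csv" built from a safe character set.
    //    No slashes, backslashes, NUL bytes or extra dots can pass.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.csv\z/', $requested)) {
        return null;
    }
    // 2. Canonicalise both sides; realpath() resolves symlinks and "..",
    //    so the containment check below is not fooled by either.
    $base = realpath(SORTTABLE_CSV_DIR);
    $path = realpath(SORTTABLE_CSV_DIR . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null; // base directory missing, or file does not exist
    }
    // 3. Defence in depth: the resolved file must sit under the base dir.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Shortcode handler: the file is parsed as CSV data, never include()d.
function sorttable_safe_render(array $atts): string {
    $path = sorttable_resolve_csv((string) ($atts['file'] ?? ''));
    if ($path === null) {
        return '<p>Invalid table source.</p>';
    }
    $fh = fopen($path, 'r');
    if ($fh === false) {
        return '<p>Table source unavailable.</p>';
    }
    $html = '<table class="sortable">';
    $rowIndex = 0;
    while (($row = fgetcsv($fh)) !== false) {
        $tag = $rowIndex === 0 ? 'th' : 'td';       // first row is the header
        $cells = array_map(
            fn($cell) => htmlspecialchars((string) $cell, ENT_QUOTES, 'UTF-8'),
            $row
        );
        $html .= "<tr><$tag>" . implode("</$tag><$tag>", $cells) . "</$tag></tr>";
        $rowIndex++;
    }
    fclose($fh);
    return $html . '</table>';
}

// Register the shortcode when running inside WordPress; the guard lets the
// file also be loaded stand-alone for testing sorttable_resolve_csv().
if (function_exists('add_shortcode')) {
    add_shortcode('sorttable', 'sorttable_safe_render');
}
```

With this shape, a contributor can only name one of the `.csv` files already present in the fixed directory, and even a file that slips past the name check (for instance through a symlink placed in that directory) is still read with `fgetcsv()` and escaped cell by cell, so it cannot be executed as PHP. The `realpath()` containment check is the piece most often omitted in plugin code; the regex alone would already block the traversal described in the advisory, but the second check costs little and protects against future changes to the allowlist.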


Technical Details

Data Version: 5.2
Assigner Short Name: WPScan
Date Reserved: 2025-11-12T14:25:22.022Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6937bd663ce8502056bafcc2

Added to database: 12/9/2025, 6:10:46 AM

Last enriched: 12/9/2025, 6:11:14 AM

Last updated: 12/10/2025, 11:26:18 PM

Views: 25

