CVE-2025-13070 is a security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as Path Traversal) found in the CSV to SortTable WordPress plugin versions through 4.2. The vulnerability arises because the plugin fails to properly validate certain shortcode attributes before using them to construct file paths passed to PHP include functions. This lack of validation allows authenticated users with contributor-level privileges or higher to manipulate these attributes to traverse directories and include arbitrary local files on the server. Such Local File Inclusion (LFI) attacks can lead to disclosure of sensitive information, including configuration files, source code, or other protected data. In some cases, LFI can be leveraged to execute arbitrary code if combined with other vulnerabilities or misconfigurations. The CVSS v3.1 base score is 6.6, reflecting a medium severity level. The vector metrics indicate network attack vector (AV:N), high attack complexity (AC:H), requiring privileges (PR:H), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The vulnerability was published on December 9, 2025, with no known exploits reported in the wild at this time. The affected product is widely used in WordPress environments for converting CSV data into sortable tables, making it a relevant risk for many websites relying on this plugin for content management and display.

The impact of CVE-2025-13070 is significant for organizations using the CSV to SortTable plugin on WordPress sites. Successful exploitation allows authenticated users with contributor-level access to perform Local File Inclusion attacks, potentially exposing sensitive server files such as configuration files, credentials, or application source code. This can lead to data breaches, intellectual property theft, or further compromise of the web server if attackers chain this vulnerability with others. The integrity of the website can be undermined by unauthorized code execution or modification of content, while availability may be affected if malicious files cause server errors or crashes. Since contributors typically have limited privileges, this vulnerability effectively escalates their capabilities, increasing insider threat risks and complicating access control. The medium CVSS score reflects the requirement for authentication and high attack complexity, but the broad impact on confidentiality, integrity, and availability makes it a serious concern for web administrators. Organizations with multiple contributors or less stringent access controls are particularly vulnerable.

To mitigate CVE-2025-13070, organizations should immediately update the CSV to SortTable plugin to a patched version once available. Until a patch is released, administrators should restrict contributor-level access to trusted users only and audit existing contributors for suspicious activity. Implement strict input validation and sanitization on shortcode attributes, especially those used to generate file paths, to prevent directory traversal sequences such as '../'. Employ Web Application Firewalls (WAFs) with rules targeting path traversal attempts and monitor logs for unusual include path requests. Disable or limit the use of shortcodes by contributors if feasible. Additionally, harden the server environment by restricting PHP include paths and disabling unnecessary PHP functions that could be exploited. Regularly back up website data and configurations to enable recovery in case of compromise. Finally, conduct security awareness training for content contributors to understand the risks of improper shortcode usage.