CSV to SortTable <= 4.2 – Contributor+ LFI | CVE 2025-13070 | Plugin Vulnerabilities

Description

The plugin does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as contributor to perform LFI attacks.

Proof of Concept

Add a sample PHP file in the WordPress root named "malicious.php" with the content:

<?php 
phpinfo();
?>

As a contributor, add the shortcode to a post/page: [csv src=/malicious.php] and Preview to see the file included and executed.

Affects Plugins

csv-to-sorttable

No known fix

References

CVE

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Ivan Cese

Submitter

Ivan Cese

Verified

Yes

WPVDB ID

deb52d69-d7f8-43a5-a709-1f543fd343c6

Timeline

Publicly Published

2025-11-18 (about 1 month ago)

Added

2025-11-18 (about 1 month ago)

Last Updated

2025-11-18 (about 1 month ago)

Other

Published

Title

Published

2025-06-13

Title

UserPro - Community and User Profile WordPress Plugin <= 5.1.10 - Unauthenticated Arbitrary File Read

Published

2025-09-25

Title

Backuply < 1.4.9 - Admin+ Arbitrary File Deletion

Published

2025-03-29

Title

Smush Image Compression and Optimization < 3.17.1 - Admin+ Directory Traversal

Published

2015-04-10

Title

Fusion Engage 1.0.5 - Local File Disclosure

Published

2024-06-13

Title

Folders <= 3.0 and Folders Pro <= 3.0.2 - Directory Traversal via handle_folders_file_upload