CVE-2025-13070 | THREATINT

Description

The CSV to SortTable WordPress plugin through 4.2 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as contributor to perform LFI attacks.

PUBLISHED Reserved 2025-11-12 | Published 2025-12-09 | Updated 2025-12-11 | Assigner WPScan

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status

affected

Any version

affected

Credits

Ivan Cese finder

WPScan coordinator

References

wpscan.com/...rability/deb52d69-d7f8-43a5-a709-1f543fd343c6/ exploit vdb-entry technical-description

cve.org (CVE-2025-13070)

nvd.nist.gov (CVE-2025-13070)

Download JSON