CVE-2025-12960

Name of the Vulnerable Software and Affected Versions The Simple CSV Table versions up to and including 1.0.1

Description The Simple CSV Table plugin for WordPress is susceptible to a Directory Traversal issue due to inadequate path validation. Specifically, the href parameter within the [csv] shortcode does not properly sanitize user-supplied input before incorporating it into a base directory path. This allows authenticated attackers with Contributor-level access or higher to read arbitrary files on the server. These files may contain sensitive data, including database credentials and authentication keys. The API endpoint involved is the [csv] shortcode, and the vulnerable parameter is href.

Recommendations Versions prior to and including 1.0.1 should be updated to a newer, fixed version if available.