Vulnerabilities and security researches forsimple-csv-table simple-csv-table

Jan 10, 2026

CVE, Research URL: CVE-2025-12960
Home page URL: Security reports for Simple CSV Table
Application: Simple CSV Table
Date: Dec 12, 2025
Research Description: The Simple CSV Table plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the `href` parameter in the `[csv]` shortcode. This is due to insufficient path validation before concatenating user-supplied input to a base directory path. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.
Affected versions: max 1.0.2.
Status: vulnerable