Overview
CVE-2025-12823 identifies a stored Cross-Site Scripting (XSS) vulnerability found in the CSV to SortTable WordPress plugin. This vulnerability affects all versions up to and including 4.2. It allows authenticated attackers, with Contributor-level access or higher, to inject malicious JavaScript code into pages using the ‘csv’ shortcode. This code executes whenever a user visits the compromised page.
Technical Details
The vulnerability stems from insufficient input sanitization and output escaping in the plugin’s ‘csv’ shortcode handler. User-supplied attribute values passed to the shortcode are neither validated on input nor escaped on output before they are rendered into the page’s HTML. An attacker can therefore embed arbitrary HTML and JavaScript in those attributes, which executes as XSS whenever the page is viewed.
For example, an attacker could craft a shortcode like this:
[csv table_id="my_table" csv_file="data.csv" header="true" caption="<img src=x onerror=alert('XSS')>"]
When the plugin renders this shortcode, the embedded JavaScript would execute within the user’s browser context.
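The following is an added example, not the plugin's code: a minimal 'csv' shortcode handler in the vulnerable shape the advisory describes, beside a hardened version of the same handler that validates the id, parses the flag and escapes the caption for the context it is printed into. Names beginning with example_ are hypothetical, and rendering the caption attribute inside a <caption> element is an assumption about the plugin's output; the function stand-ins at the top exist only so the file runs from the PHP CLI without WordPress.

```php
<?php
// Added example, not the plugin's code: a minimal 'csv' shortcode handler in the
// vulnerable shape the advisory describes, beside a hardened version of the same
// handler. Names starting with example_ are hypothetical, and rendering the
// caption attribute inside <caption> is an assumption about the plugin's output.
// The stand-ins below exist only so the file runs from the PHP CLI; inside
// WordPress the real shortcode_atts(), esc_attr() and esc_html() are used.

if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts, $shortcode = '' ) {
        return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

function example_csv_defaults() {
    return array(
        'table_id' => 'csv-table',
        'csv_file' => '',
        'header'   => 'false',
        'caption'  => '',
    );
}

// Vulnerable shape: attribute values are concatenated straight into the markup,
// so caption="<img src=x onerror=...>" is emitted as live HTML and the script
// runs for every visitor of the page.
function example_csv_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( example_csv_defaults(), $atts, 'csv' );
    return '<table id="' . $atts['table_id'] . '">'
         . '<caption>' . $atts['caption'] . '</caption>'
         . '</table>';
}

// Hardened shape: validate values that have a known format, parse flags instead
// of echoing them, and escape free text for the context it lands in, at output.
function example_csv_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( example_csv_defaults(), $atts, 'csv' );

    // An id has a narrow legal alphabet; anything else falls back to the default.
    $table_id = preg_match( '/^[A-Za-z][\w-]*$/', $atts['table_id'] )
        ? $atts['table_id']
        : 'csv-table';

    // A boolean flag is parsed, never printed.
    $show_header = in_array( strtolower( $atts['header'] ), array( '1', 'true', 'yes' ), true );

    // Free text goes through the escaper for its context: esc_attr() inside an
    // attribute value, esc_html() inside a text node.
    $html = '<table id="' . esc_attr( $table_id ) . '"'
          . ( $show_header ? ' class="has-header"' : '' ) . '>';
    if ( $atts['caption'] !== '' ) {
        $html .= '<caption>' . esc_html( $atts['caption'] ) . '</caption>';
    }
    return $html . '</table>';
}

if ( function_exists( 'add_shortcode' ) ) {
    // Inside WordPress, register the hardened handler for the 'csv' tag.
    add_shortcode( 'csv', 'example_csv_shortcode_hardened' );
} elseif ( PHP_SAPI === 'cli' ) {
    // Offline demonstration using the attribute values from the advisory's shortcode.
    $atts = array(
        'table_id' => 'my_table',
        'csv_file' => 'data.csv',
        'header'   => 'true',
        'caption'  => "<img src=x onerror=alert('XSS')>",
    );
    echo "vulnerable: ", example_csv_shortcode_vulnerable( $atts ), "\n";
    echo "hardened:   ", example_csv_shortcode_hardened( $atts ), "\n";
}
```

Run it with `php example.php` from a shell. The vulnerable handler emits the img tag verbatim, so the browser executes the onerror handler; the hardened handler prints the same caption as text (`&lt;img src=x onerror=alert(&#039;XSS&#039;)&gt;`), which is the whole difference between a stored XSS and a harmless string. The escaping happens at output, per context, rather than by trying to strip "bad" characters on input, which is the pattern WordPress's own escaping functions are designed for.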
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-12823 a score of 6.4 (MEDIUM). This score reflects the potential impact and exploitability of the vulnerability.
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality Impact (C): Low (L)
- Integrity Impact (I): Low (L)
- Availability Impact (A): None (N)
Possible Impact
Successful exploitation of this XSS vulnerability can have significant consequences:
- Account Takeover: An attacker could potentially steal user session cookies and hijack accounts.
- Malware Distribution: The injected script could redirect users to malicious websites or trigger the download of malware.
- Defacement: The attacker could modify the content of the affected pages, defacing the website.
- Phishing: The injected script could display a fake login form to steal user credentials.
Because Contributor-level access is sufficient for exploitation, the risk is heightened on sites that grant that role to many users.
Mitigation or Patch Steps
The most effective mitigation is to update the CSV to SortTable plugin to the latest version. Check the WordPress plugin repository for a patched version that addresses this vulnerability. If an update is not yet available, consider temporarily disabling the plugin until a patch is released.
As a temporary workaround, carefully review and sanitize any existing ‘csv’ shortcodes on your website. Remove or escape any potentially malicious HTML or JavaScript code embedded within the attributes. However, this is not a foolproof solution and upgrading the plugin is highly recommended.
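To support the manual review step above, here is an added example (not the plugin's or WordPress's code) of a PHP CLI script that locates 'csv' shortcodes in post content and flags attribute values that contain markup or script. The $example_posts array is constructed sample content; on a live site the same check would run over the post bodies pulled from the database. Names beginning with example_ are hypothetical.

```php
<?php
// Added example, not the plugin's code: find [csv ...] shortcodes whose attribute
// values carry markup or script, to prioritise the manual review of existing
// content. $example_posts is constructed sample data; names beginning with
// example_ are hypothetical.

// A [csv ...] tag ending at the first ']', which is also where WordPress's own
// shortcode parser stops, so attribute values cannot hide a ']' from this scan.
const EXAMPLE_CSV_SHORTCODE = '/\[csv\b([^\]]*)\]/i';
// Attribute forms: name="value", name='value' or name=bareword.
const EXAMPLE_ATTR = '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/';
// Values that would become markup or script if echoed unescaped.
const EXAMPLE_SUSPICIOUS = '/<|>|javascript:|\bon\w+\s*=/i';

function example_parse_attrs( $attr_string ) {
    $attrs = array();
    if ( ! preg_match_all( EXAMPLE_ATTR, $attr_string, $matches, PREG_SET_ORDER ) ) {
        return $attrs;
    }
    foreach ( $matches as $match ) {
        // Take whichever of the three value capture groups matched.
        $value = '';
        foreach ( array( 2, 3, 4 ) as $group ) {
            if ( isset( $match[ $group ] ) && $match[ $group ] !== '' ) {
                $value = $match[ $group ];
                break;
            }
        }
        $attrs[ strtolower( $match[1] ) ] = $value;
    }
    return $attrs;
}

// Returns one finding per suspicious attribute: post id, attribute name, raw
// value and the full shortcode text, so a reviewer can go straight to it.
function example_scan_posts( array $posts ) {
    $findings = array();
    foreach ( $posts as $post_id => $content ) {
        if ( ! preg_match_all( EXAMPLE_CSV_SHORTCODE, $content, $tags, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $tags as $tag ) {
            foreach ( example_parse_attrs( $tag[1] ) as $name => $value ) {
                // Decode entities once so an entity-encoded payload is judged in decoded form.
                $decoded = html_entity_decode( $value, ENT_QUOTES, 'UTF-8' );
                if ( preg_match( EXAMPLE_SUSPICIOUS, $decoded ) ) {
                    $findings[] = array(
                        'post'      => $post_id,
                        'attr'      => $name,
                        'value'     => $value,
                        'shortcode' => $tag[0],
                    );
                }
            }
        }
    }
    return $findings;
}

// Constructed sample content: a benign shortcode, one carrying the advisory's
// payload, and a post with no shortcode at all.
$example_posts = array(
    101 => 'Quarterly numbers: [csv table_id="q1" csv_file="q1.csv" header="true" caption="Q1 results"]',
    102 => '[csv table_id="my_table" csv_file="data.csv" header="true" caption="<img src=x onerror=alert(\'XSS\')>"]',
    103 => 'No shortcodes here.',
);

$findings = example_scan_posts( $example_posts );
foreach ( $findings as $f ) {
    printf( "post %d: attribute '%s' contains markup: %s\n", $f['post'], $f['attr'], $f['value'] );
}
printf( "%d post(s) scanned, %d finding(s)\n", count( $example_posts ), count( $findings ) );
```

Run with `php scan.php`; only post 102's caption attribute is reported. The scan is a triage aid, not a fix: it tells you which shortcodes to look at first, while the plugin update remains the only change that stops a Contributor from storing a new payload.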
