CVE-2025-13801
published 2026-01-07


Priority: P261 · Severity: high · CVSS 3.1 base score: 7.5 · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: EXPLOIT
EPSS: 1.71% (74.5th percentile)
The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.9.0 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Affected (1 range)

Vendor: yocoadmin
Product: yoco_payments
Version range: <= 3.9.0
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

URL: /wp-json/yoco/logs?file=../../plugins/yoco-payment-gateway/../../../../../../etc/passwd
URL: /?rest_route=/yoco/logs&file=../../plugins/yoco-payment-gateway/../../../../../../etc/passwd
Path: /wp-content/plugins/yoco-payment-gateway/readme.txt
  • Detect exploitation attempts by monitoring GET requests to /wp-json/yoco/logs or /?rest_route=/yoco/logs with a 'file' parameter containing path traversal sequences (e.g., ../../).
  • Confirm successful exploitation by checking whether an HTTP 200 response body matches the pattern root:[x*]?:0:0: (contents of /etc/passwd).
  • Use FOFA/Shodan to identify exposed targets via the body string 'yoco-payment-gateway'.
  • NVD states the vulnerability affects all versions up to and including 3.9.0, while the Nuclei template targets <= 3.8.8. Ensure detection coverage accounts for the full affected range through 3.9.0.
  • The exploit is unauthenticated — no session, cookie, or authentication header is required, making it trivially exploitable at scale.
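As an added defender-side example (not code from the advisory or from the plugin), the detection guidance above applied to constructed access-log lines: it flags requests to the plugin's logs route in either URL form whose decoded 'file' value contains a traversal sequence, including a double-encoded one, and a small helper applies the /etc/passwd triage pattern to a captured response body. The sample log lines, regular expressions and function names are my own assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined access-log format (not from the advisory).
# Lines 1-2 are traversal attempts against the logs route (line 2 double-encoded,
# via ?rest_route=); line 3 is a legitimate log fetch; line 4 hits another route.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jan/2026:10:00:01 +0000] "GET /wp-json/yoco/logs?file=../../plugins/yoco-payment-gateway/../../../../../../etc/passwd HTTP/1.1" 200 2310 "-" "curl/8.0"
203.0.113.5 - - [07/Jan/2026:10:00:02 +0000] "GET /?rest_route=/yoco/logs&file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 2310 "-" "curl/8.0"
198.51.100.9 - - [07/Jan/2026:10:00:03 +0000] "GET /wp-json/yoco/logs?file=yoco-2026-01-07.log HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Jan/2026:10:00:04 +0000] "GET /wp-json/wp/v2/posts?file=../x HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")            # ../ or ..\ anywhere in the decoded value
PASSWD_RE = re.compile(r"^root:[^:]*:0:0:", re.M)  # root entry of /etc/passwd in a response body


def targets_yoco_logs(target):
    """Return the parsed query if the request targets the plugin's logs REST route, else None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)                   # parse_qs URL-decodes each value once
    if parts.path.rstrip("/").endswith("/wp-json/yoco/logs"):
        return query
    if any(r.rstrip("/") == "/yoco/logs" for r in query.get("rest_route", [])):
        return query
    return None


def find_traversal_attempts(log_text):
    """One record per request to the logs route whose 'file' value contains a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = targets_yoco_logs(m["target"])
        if query is None:
            continue
        for raw in query.get("file", []):
            decoded = unquote(raw)                  # second decode catches double-encoded %252F
            if TRAVERSAL_RE.search(decoded):
                hits.append({"ip": m["ip"], "ts": m["ts"], "file": decoded, "status": int(m["status"])})
    return hits


def looks_like_passwd(body):
    """Triage helper: does a captured HTTP 200 body look like /etc/passwd contents?"""
    return bool(PASSWD_RE.search(body))
```

A hit with status 200 is only an attempt until the response body (from a proxy or WAF capture, not the access log) is checked with looks_like_passwd.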