CVE-2025-13801
Published: 2026-01-07
Priority: P261 · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 1.71% (74.5th percentile)
The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.9.0 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yocoadmin | yoco_payments | <= 3.9.0 | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring GET requests to /wp-json/yoco/logs or /?rest_route=/yoco/logs with a 'file' parameter containing path traversal sequences (e.g., ../../).
- Confirm successful exploitation by checking if the HTTP 200 response body matches the pattern root:[x*]?:0:0: (contents of /etc/passwd).
- Use FOFA/Shodan to identify exposed targets via the body string 'yoco-payment-gateway'.
- NVD states the vulnerability affects all versions up to and including 3.9.0, while the Nuclei template targets <= 3.8.8. Ensure detection coverage accounts for the full affected range through 3.9.0.
- The exploit is unauthenticated — no session, cookie, or authentication header is required, making it trivially exploitable at scale.
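As an added defensive example (not from this page, the plugin, or the Nuclei template), the following Python applies the two detection points above to web-server access logs: it flags GET requests to /wp-json/yoco/logs or ?rest_route=/yoco/logs whose file parameter carries a traversal sequence, decoding percent-encoding (including double encoding) first, and provides a helper for the root:[x*]?:0:0: response pattern. The log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jan/2026:10:15:01 +0000] "GET /wp-json/yoco/logs?file=../../../../etc/passwd HTTP/1.1" 200 1822 "-" "curl/8.4"
203.0.113.5 - - [07/Jan/2026:10:15:02 +0000] "GET /?rest_route=/yoco/logs&file=..%252F..%252Fwp-config.php HTTP/1.1" 200 3105 "-" "curl/8.4"
198.51.100.7 - - [07/Jan/2026:10:16:00 +0000] "GET /wp-json/yoco/logs?file=2026-01-07.log HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Jan/2026:10:17:00 +0000] "GET /wp-json/wp/v2/posts?file=../../x HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')      # ../ or ..\ after decoding
PASSWD_RE = re.compile(r'root:[x*]?:0:0:')      # pattern quoted in the detection note

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e%252e) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_yoco_logs_request(target):
    """True for the plugin's logs endpoint via either REST URL form; also returns the query."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.rstrip('/') == '/wp-json/yoco/logs':
        return True, qs
    if any(decode_fully(r).rstrip('/') == '/yoco/logs' for r in qs.get('rest_route', [])):
        return True, qs
    return False, qs

def classify(line):
    """Return a finding dict if the line is a traversal attempt against the logs endpoint."""
    m = LOG_RE.match(line)
    if not m or m['method'] != 'GET':
        return None
    hit, qs = is_yoco_logs_request(m['target'])
    if not hit:
        return None
    for raw in qs.get('file', []):
        decoded = decode_fully(raw)
        if TRAVERSAL_RE.search(decoded):
            return {'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status']), 'file': decoded}
    return None

def scan(log_text):
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

def looks_like_passwd(body):
    """Response-body check from the detection note: a 200 whose body matches means the read succeeded."""
    return bool(PASSWD_RE.search(body))
```

A status of 200 on a flagged request is only a hint; pair it with the response-body check where a proxy or WAF log retains bodies.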
No detection rules found.
Nuclei
CVE-2025-13801 [HIGH] Yoco Payments <= 3.8.8 - Path Traversal (nuclei · CVSS 7.5)
Yoco Payments WordPress plugin <= 3.8.8 contains a path traversal caused by improper validation of the file parameter, letting unauthenticated attackers read arbitrary files on the server.
Template:

```yaml
id: CVE-2025-13801

info:
  name: Yoco Payments <= 3.8.8 - Path Traversal
  author: 0x_Akoko
  severity: high
  description: |
    Yoco Payments WordPress plugin <= 3.8.8 contains a path traversal caused by improper validation of the file parameter, letting unauthenticated attackers read arbitrary files on the server.
  impact: |
    Unauthenticated attackers can read sensitive files on the server, potentially exposing confidential information.
  remediation: |
    Update to the latest version beyond 3.8.8.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:
```

References:
- https://plugins.trac.wordpress.org/browser/yoco-payment-gateway/tags/3.8.8/src/Helpers/Logs.php#L25
- https://plugins.trac.wordpress.org/browser/yoco-payment-gateway/tags/3.8.8/src/Helpers/Logs.php#L59
- https://plugins.trac.wordpress.org/changeset/3434947/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ad74d5d0-270e-41d3-9596-2f71b05af276?source=cve