CVE-2025-13801
📋 TL;DR
The Yoco Payments WordPress plugin contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files on the server. This affects all versions up to and including 3.8.8. Attackers can potentially access sensitive configuration files, credentials, or other confidential data.
💻 Affected Systems
- Yoco Payments WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain database credentials, SSH keys, or other sensitive system files leading to full server compromise and data exfiltration.
Likely Case
Attackers read WordPress configuration files (wp-config.php) containing database credentials, potentially leading to database access and site takeover.
If Mitigated
Attackers can only read non-sensitive files due to proper file permissions and directory restrictions.
🎯 Exploit Status
Simple HTTP requests with crafted file parameters can exploit this vulnerability without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.8.9 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/yoco-payment-gateway
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Yoco Payments plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable Yoco Payments Plugin
(all platforms) Temporarily disable the vulnerable plugin until it is patched:
wp plugin deactivate yoco-payment-gateway
Restrict File Access via .htaccess
(Linux/Apache) Add rules to block access to the vulnerable endpoint:
# Add to .htaccess in WordPress root:
<FilesMatch "\.(php|log|txt|conf|ini|key)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Caveat: as written, this pattern denies every request for a .php file, including WordPress's own index.php and wp-admin, and Apache access controls do not stop PHP code from reading files from disk, so the rule does not close the traversal itself. Narrow the pattern to the plugin's endpoint or prefer the deactivation above. On Apache 2.4 the Order/Deny directives require mod_access_compat; the native form is Require all denied.
🧯 If You Can't Patch
- Disable the Yoco Payments plugin immediately
- Implement web application firewall rules to block path traversal patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Yoco Payments version. If version is 3.8.8 or lower, you are vulnerable.
Check Version:
wp plugin get yoco-payment-gateway --field=version
Verify Fix Applied:
Verify plugin version is 3.8.9 or higher in WordPress admin panel.
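The version check above is easy to get wrong across a fleet of sites because a plain string comparison ranks "3.8.10" below "3.8.9". The following is an added example (not part of the advisory or the plugin) that compares versions numerically against the fixed release and lists the sites that still need the update; the inventory is constructed, and the WP-CLI helper assumes wp-cli is installed and uses the `wp plugin get ... --field=version` command quoted above together with the standard `--path` option.

```python
import re
import subprocess

FIXED_VERSION = (3, 8, 9)  # advisory: 3.8.9 or later carries the fix


def parse_version(text: str) -> tuple:
    """'3.8.8' -> (3, 8, 8). A suffix such as '3.8.8-beta1' keeps its numeric prefix."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version is 3.8.8 or lower (numeric, not lexical, comparison)."""
    v = parse_version(version)
    v = v + (0,) * (len(FIXED_VERSION) - len(v))  # '3.8' compares as 3.8.0
    return v < FIXED_VERSION


def installed_version(site_path: str) -> str:
    """Ask WP-CLI for the plugin version of one site (assumes wp-cli is on PATH)."""
    out = subprocess.run(
        ["wp", "plugin", "get", "yoco-payment-gateway", "--field=version", f"--path={site_path}"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


def sites_needing_patch(inventory: dict) -> list:
    """inventory maps site name -> version string; returns the names still affected."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


# Constructed inventory for the example; in practice build it with installed_version().
SAMPLE_INVENTORY = {
    "shop-a": "3.8.8",
    "shop-b": "3.8.9",
    "shop-c": "3.8.10",  # lexically "less" than 3.8.9, numerically newer
    "shop-d": "3.7",
}

if __name__ == "__main__":
    for name in sites_needing_patch(SAMPLE_INVENTORY):
        print(f"{name}: update Yoco Payments to {'.'.join(map(str, FIXED_VERSION))} or later")
```

Running the block lists shop-a and shop-d; shop-c is correctly treated as patched even though "3.8.10" sorts before "3.8.9" as a string.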
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' patterns to Yoco plugin endpoints
- Unusual file access attempts from single IPs
Network Indicators:
- HTTP GET requests with file parameter containing path traversal sequences
SIEM Query:
http.url:*yoco* AND http.uri:*file=* AND (http.uri:*../* OR http.uri:*..%2f*)
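The SIEM query above matches the literal sequences "../" and "..%2f"; a log review should also catch the other encodings of the same thing (uppercase "%2F", "%2e%2e%2f", double-encoded "%252e"). The following is an added example, not from the advisory or the plugin, that applies the page's indicators to web-server access logs: it flags requests to a yoco plugin path whose file parameter decodes to a traversal sequence and counts hits per source IP. The log lines are constructed for the example; the plugin directory wp-content/plugins/yoco-payment-gateway/ is the standard location for the slug named in the advisory, while the script name endpoint.php, the IPs, timestamps and user agents are made up.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Apache "combined" format), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2025:12:00:01 +0000] "GET /wp-content/plugins/yoco-payment-gateway/assets/checkout.js HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2025:12:00:02 +0000] "GET /wp-content/plugins/yoco-payment-gateway/endpoint.php?file=../../../../wp-config.php HTTP/1.1" 200 3411 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2025:12:00:03 +0000] "GET /wp-content/plugins/yoco-payment-gateway/endpoint.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3411 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2025:12:00:04 +0000] "GET /wp-content/plugins/some-other-plugin/view.php?file=../../wp-config.php HTTP/1.1" 404 231 "-" "curl/8.4.0"
198.51.100.7 - - [10/Jan/2025:12:00:05 +0000] "GET /wp-content/plugins/yoco-payment-gateway/endpoint.php?file=yoco-2025-01-10.log HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
this line is not a valid access-log record
"""

# Only the client IP, request target and status are needed from each record.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." followed by a forward or back slash, evaluated on the decoded value.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %2e%2e%2f and double-encoded %252e both become '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_request(target: str) -> bool:
    """True if the target is under a yoco plugin path and its file parameter contains a traversal."""
    path, _, query = target.partition("?")
    if "yoco" not in path.lower():
        return False
    for pair in query.split("&"):
        key, _, raw_value = pair.partition("=")
        if fully_decode(key).lower() != "file":
            continue
        if TRAVERSAL_RE.search(fully_decode(raw_value)):
            return True
    return False


def scan_log(text: str):
    """Return (findings, hits_per_ip); findings are (ip, status, target) tuples."""
    findings = []
    per_ip = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:  # skip malformed records rather than crash mid-file
            continue
        if is_traversal_request(m["target"]):
            findings.append((m["ip"], m["status"], m["target"]))
            per_ip[m["ip"]] += 1
    return findings, per_ip


def noisy_sources(per_ip: Counter, threshold: int = 2) -> list:
    """IPs with repeated traversal attempts (the 'single IP' indicator above)."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    findings, per_ip = scan_log(SAMPLE_LOG)
    for ip, status, target in findings:
        print(f"{ip} status={status} {target}")
    print("repeat offenders:", noisy_sources(per_ip))
```

A 200 status on a flagged request is the case to escalate, since it suggests the file read succeeded; the traversal against a non-yoco path in the sample is deliberately left unflagged because this scan is scoped to the advisory, and a general traversal detector would drop the path filter.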
🔗 References
- https://plugins.trac.wordpress.org/browser/yoco-payment-gateway/tags/3.8.8/src/Helpers/Logs.php#L25
- https://plugins.trac.wordpress.org/browser/yoco-payment-gateway/tags/3.8.8/src/Helpers/Logs.php#L59
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ad74d5d0-270e-41d3-9596-2f71b05af276?source=cve