CVE-2025-13801
Path Traversal in Yoco Payments Plugin Allows Arbitrary File Read
Publication date: 2026-01-07
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yoco | yoco_payment_gateway | to 3.8.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated attackers to read arbitrary log files that may contain sensitive information such as API keys and transaction details. Such unauthorized disclosure of sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access. [1]
Can you explain this vulnerability to me?
CVE-2025-13801 is a vulnerability in the Yoco Payments plugin for WordPress (up to version 3.8.8) that allows unauthenticated attackers to read arbitrary log files on the server via a REST API endpoint. The plugin exposes a REST route (/yoco/logs) that accepts a file parameter. The permission check for this endpoint always returns true, meaning no authentication is required. Although the file parameter must contain the substring "yoco" and the file must exist in the WooCommerce log directory, this check is weak and can be bypassed by guessing log file names. Attackers can retrieve sensitive information such as API keys and transaction details by reading these log files without any sanitization or escaping. [1]
How can this vulnerability impact me? :
This vulnerability can lead to information disclosure by allowing unauthenticated attackers to access sensitive log files on the server. These logs may contain confidential data such as API keys, transaction details, and other internal information related to the payment gateway. Exposure of such data can compromise the security of the payment system, potentially leading to fraud, unauthorized transactions, or further attacks on the server or network. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by attempting to access the REST API endpoint `/yoco/logs` on your WordPress site with a GET request including a `file` parameter containing the substring "yoco". For example, using curl: `curl -v "https://your-site.com/wp-json/yoco/v1/logs?file=yoco-log.txt"`. If the response returns log file contents without authentication, the vulnerability is present. Additionally, monitoring web server logs for unauthenticated GET requests to `/wp-json/yoco/v1/logs` can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Updating the Yoco Payments plugin to a version later than 3.8.8 where the vulnerability is fixed. 2) If an update is not immediately possible, restrict access to the REST API endpoint `/yoco/logs` by implementing authentication or IP-based access controls at the web server or application level. 3) Monitor and audit access logs for suspicious requests to this endpoint. 4) Consider temporarily disabling the plugin if the risk is high and no patch is available. [1]