CVE-2025-13801
Unknown Unknown - Not Provided
Path Traversal in Yoco Payments Plugin Allows Arbitrary File Read

Publication date: 2026-01-07

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.9.0 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13801
EUVD
EUVD-2026-1310
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yoco yoco_payment_gateway to 3.8.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-13801 is a vulnerability in the Yoco Payments plugin for WordPress (up to version 3.8.8) that allows unauthenticated attackers to read arbitrary log files on the server via a REST API endpoint. The plugin exposes a REST route (/yoco/logs) that accepts a file parameter. The permission check for this endpoint always returns true, meaning no authentication is required. Although the file parameter must contain the substring "yoco" and the file must exist in the WooCommerce log directory, this check is weak and can be bypassed by guessing log file names. Attackers can retrieve sensitive information such as API keys and transaction details by reading these log files without any sanitization or escaping. [1]

Compliance Impact

This vulnerability allows unauthenticated attackers to read arbitrary log files that may contain sensitive information such as API keys and transaction details. Such unauthorized disclosure of sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access. [1]

Impact Analysis

This vulnerability can lead to information disclosure by allowing unauthenticated attackers to access sensitive log files on the server. These logs may contain confidential data such as API keys, transaction details, and other internal information related to the payment gateway. Exposure of such data can compromise the security of the payment system, potentially leading to fraud, unauthorized transactions, or further attacks on the server or network. [1]

Detection Guidance

You can detect this vulnerability by attempting to access the REST API endpoint `/yoco/logs` on your WordPress site with a GET request including a `file` parameter containing the substring "yoco". For example, using curl: `curl -v "https://your-site.com/wp-json/yoco/v1/logs?file=yoco-log.txt"`. If the response returns log file contents without authentication, the vulnerability is present. Additionally, monitoring web server logs for unauthenticated GET requests to `/wp-json/yoco/v1/logs` can help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include: 1) Updating the Yoco Payments plugin to a version later than 3.8.8 where the vulnerability is fixed. 2) If an update is not immediately possible, restrict access to the REST API endpoint `/yoco/logs` by implementing authentication or IP-based access controls at the web server or application level. 3) Monitor and audit access logs for suspicious requests to this endpoint. 4) Consider temporarily disabling the plugin if the risk is high and no patch is available. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13801. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart