
CVE-2025-13801: Yoco Payments WordPress Path Traversal

CVE-2025-13801 is a path traversal vulnerability in the Yoco Payments WordPress plugin that allows unauthenticated attackers to read arbitrary files. This article covers the technical details, affected versions, and mitigation.

CVE-2025-13801 Overview

CVE-2025-13801 is a Path Traversal vulnerability affecting the Yoco Payments plugin for WordPress in all versions up to, and including, 3.8.8. The vulnerability exists in the file parameter handling, allowing unauthenticated attackers to read arbitrary files on the server. This can expose sensitive configuration files, database credentials, WordPress secrets, and other confidential data stored on the web server.

Critical Impact

Unauthenticated attackers can exploit this vulnerability remotely to read sensitive files on the server, potentially exposing database credentials, API keys, and other confidential information without requiring any user interaction or authentication.

Affected Products

  • Yoco Payments Plugin for WordPress versions up to and including 3.8.8
  • WordPress installations with the vulnerable Yoco Payment Gateway plugin installed
  • Web servers hosting WordPress sites with this plugin enabled

Discovery Timeline

  • 2026-01-07 - CVE-2025-13801 published to NVD
  • 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-13801

Vulnerability Analysis

This Path Traversal vulnerability (CWE-22) resides in the Yoco Payments plugin's log handling functionality, specifically within the Logs.php helper file. The vulnerability allows attackers to manipulate the file parameter to traverse directory structures and access files outside the intended directory scope. The flaw enables network-based attacks that require no authentication or user interaction, with a direct impact on data confidentiality.

The vulnerable code can be found in the plugin's src/Helpers/Logs.php file, where insufficient input validation allows directory traversal sequences (such as ../) to be processed, enabling access to files throughout the server's file system.

Root Cause

The root cause of this vulnerability is improper input validation in the file parameter handling within the Logs.php helper class. The application fails to properly sanitize user-supplied input before using it to construct file paths, allowing attackers to inject directory traversal sequences. This lack of path canonicalization and boundary checking enables requests to escape the intended directory and access arbitrary files on the server.
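The plugin is PHP, but the control the root cause calls for is language-neutral. This added example (not the plugin's code and not the vendor's fix) shows it in Python: decode the user-supplied value fully, resolve it against the log directory with realpath, and refuse anything whose canonical location is not directly inside that directory. The log directory path is a constructed example.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed example location; the plugin's real log directory will differ.
LOG_DIR = "/srv/wordpress/wp-content/uploads/yoco-logs"


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding until stable so %2e%2e and ..%2f become a plain '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_log_path(log_dir: str, requested: str) -> Optional[str]:
    """Canonical path of a log file under log_dir, or None when the request
    escapes it. Checks run on the resolved path, so '../', absolute paths
    and symlinks pointing outside the directory are all rejected."""
    decoded = fully_decode(requested)
    if "\x00" in decoded:               # NUL truncation is never legitimate
        return None
    base = os.path.realpath(log_dir)
    # os.path.join discards base when the request is absolute (e.g. /etc/passwd);
    # realpath then collapses every '..' component and follows symlinks.
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Boundary check: the parent of the canonical path must be exactly base,
    # which also rules out subdirectories and the directory itself.
    if os.path.dirname(candidate) != base:
        return None
    # Allowlist on the final name: only log files may be served.
    if not candidate.endswith(".log"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("yoco-2026-01-07.log", "../../../wp-config.php",
                "..%2f..%2f..%2fetc%2fpasswd", "%2e%2e/%2e%2e/.env", "/etc/passwd"):
        print(f"{req!r:36} -> {resolve_log_path(LOG_DIR, req)}")
```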

Attack Vector

The attack vector is network-based, requiring no authentication or user interaction. An attacker can craft malicious HTTP requests containing path traversal sequences in the file parameter to access sensitive server files. Common targets include:

  • WordPress configuration file (wp-config.php) containing database credentials
  • Server configuration files like /etc/passwd
  • Application logs containing sensitive information
  • Environment files with API keys and secrets

Lines 25 and 59 of Logs.php are where the inadequate input validation occurs. A request whose file parameter carries a traversal pattern such as ../../../wp-config.php is enough to read the WordPress configuration. For detailed technical analysis, refer to the Wordfence Vulnerability Report.

Detection Methods for CVE-2025-13801

Indicators of Compromise

  • HTTP requests to the Yoco Payments plugin endpoints containing path traversal sequences (../, ..%2f, %2e%2e/)
  • Unusual access patterns to the Logs.php endpoint with suspicious file parameter values
  • Web server logs showing attempts to access sensitive files like wp-config.php, /etc/passwd, or .env files
  • Error logs indicating failed or successful file access attempts outside the plugin directory

Detection Strategies

  • Implement Web Application Firewall (WAF) rules to detect and block requests containing directory traversal patterns
  • Monitor web server access logs for requests to the Yoco Payments plugin with suspicious file parameters
  • Deploy intrusion detection systems (IDS) with signatures for path traversal attack patterns
  • Enable WordPress security audit logging to track plugin-related file access attempts

Monitoring Recommendations

  • Set up alerts for HTTP requests containing encoded or unencoded path traversal sequences targeting the Yoco plugin
  • Monitor for unusual spikes in requests to the plugin's log-related endpoints
  • Review web server logs regularly for evidence of file disclosure attempts
  • Implement file integrity monitoring on sensitive configuration files to detect tampering; note that the read-only disclosure this vulnerability enables does not alter files, so it will only show up in the web server logs reviewed above
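As an added detection example (not from the page's source or any vendor tooling), the following Python scan walks Apache combined-format access-log lines, decodes each query parameter and flags the plain, percent-encoded and %2e%2e traversal forms listed above. The log lines and the plugin URL path are constructed for the example; Logs.php is the only path fragment taken from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample traffic in Apache combined log format; the plugin URL path
# is an assumption for the example and should be replaced by the deployed path.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jan/2026:10:01:02 +0000] "GET /wp-content/plugins/yoco-payments/src/Helpers/Logs.php?file=yoco-2026-01-07.log HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [07/Jan/2026:10:01:09 +0000] "GET /wp-content/plugins/yoco-payments/src/Helpers/Logs.php?file=../../../../wp-config.php HTTP/1.1" 200 3021 "-" "curl/8.4.0"
203.0.113.12 - - [07/Jan/2026:10:01:15 +0000] "GET /wp-content/plugins/yoco-payments/src/Helpers/Logs.php?file=..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1800 "-" "python-requests/2.31"
203.0.113.13 - - [07/Jan/2026:10:01:21 +0000] "GET /wp-content/plugins/yoco-payments/src/Helpers/Logs.php?file=%2e%2e/%2e%2e/%2e%2e/.env HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jan/2026:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) '
)
# '..' bounded by a slash, a backslash or the string edge, evaluated after decoding.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# Fragments identifying the vulnerable endpoint (Logs.php from the advisory; slug assumed).
PLUGIN_MARKERS = ("Logs.php", "/yoco-")


def scan_access_log(text: str) -> list:
    """One finding per query parameter whose decoded value contains a traversal
    sequence. A 200 status on such a request suggests the file read succeeded."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line
        path, _, query = m.group("uri").partition("?")
        # parse_qs decodes once; the extra unquote catches a second encoding layer.
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for raw in values:
                decoded = unquote(raw)
                if TRAVERSAL_RE.search(decoded):
                    findings.append({
                        "ip": m.group("ip"), "time": m.group("ts"),
                        "status": m.group("status"), "param": name,
                        "decoded": decoded,
                        "plugin_hit": any(mk in path for mk in PLUGIN_MARKERS),
                    })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A finding with status 200 against the plugin path is the trigger for the credential rotation listed under mitigation, since the response body was most likely the requested file.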

How to Mitigate CVE-2025-13801

Immediate Actions Required

  • Update the Yoco Payments plugin to the latest patched version immediately
  • If an update is not available, temporarily disable or remove the Yoco Payments plugin
  • Review web server logs for evidence of exploitation attempts
  • Rotate any credentials that may have been exposed, including database passwords and API keys
  • Implement WAF rules to block path traversal attempts while awaiting a patch

Patch Information

Check the official WordPress plugin repository for an updated version of the Yoco Payments plugin that addresses this vulnerability. Review the Wordfence Vulnerability Report for the latest patch status and remediation guidance. The vulnerable source code can be examined at the WordPress Plugin Trac repository.

Workarounds

  • Temporarily disable the Yoco Payments plugin until a patched version is available
  • Implement server-level restrictions to block requests containing path traversal patterns to the plugin directory
  • Use a Web Application Firewall (WAF) with rules to filter malicious file parameter values
  • Restrict direct access to the plugin's helper files via .htaccess or server configuration
```apache
# Apache .htaccess workaround: deny direct web access to the plugin's Logs.php helper
<Files "Logs.php">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (Order/Deny only works on 2.4 if mod_access_compat is loaded)
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>

# Alternative: reject requests whose query string carries a traversal sequence.
# mod_rewrite sees QUERY_STRING before URL-decoding, so encoded forms must be listed.
RewriteEngine On
RewriteCond %{QUERY_STRING} (\.\./|\.\.%2f|\.\.%5c) [NC,OR]
RewriteCond %{QUERY_STRING} (%2e%2e[/%]) [NC,OR]
RewriteCond %{QUERY_STRING} (\.\.\\) [NC]
RewriteRule .* - [F,L]
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
