Platform
wordpress
Component
yoco-payment-gateway
Fixed in
3.9.1
CVE-2025-13801 describes an Arbitrary File Access vulnerability discovered in the Yoco Payments WordPress plugin. This vulnerability allows unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive information such as configuration files or database credentials. The vulnerability affects versions 0.0.0 through 3.9.0 and has been resolved in version 3.9.1.
The impact of this vulnerability is significant due to its ease of exploitation and potential for data exposure. An attacker can leverage the Path Traversal flaw in the 'file' parameter to bypass access controls and read any file accessible to the webserver user. This could include configuration files containing database credentials, API keys, or other sensitive information. Successful exploitation could lead to complete compromise of the WordPress instance and potentially the entire server, depending on the files accessed and the privileges of the webserver user. The ability to read arbitrary files represents a serious security risk, especially in environments where sensitive data is stored on the server.
This vulnerability is publicly known and documented in the NVD database. While no active exploitation campaigns have been definitively linked to CVE-2025-13801 at the time of writing, the ease of exploitation and the potential for data exposure make it a likely target for opportunistic attackers. No proof-of-concept code has been publicly released, but the vulnerability's nature makes it relatively straightforward to exploit. The vulnerability was disclosed on 2026-01-07.
Websites using the Yoco Payments plugin, particularly those running older versions (0.0.0 - 3.9.0), are at risk. Shared hosting environments are particularly vulnerable, as attackers may be able to exploit this vulnerability to gain access to files on other websites hosted on the same server.
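To make the traversal mechanism concrete from the defender's side, here is an added Python illustration (not the plugin's code, and not from the advisory) of the unsafe "append the request parameter to a base directory" pattern next to a hardened resolver. The directory layout, the file name `invoice.pdf` and the function names are constructed for the example; the hardened version decodes the parameter once, rejects absolute paths and NUL bytes, canonicalises with `realpath` and then proves the result is still inside the base directory before opening anything.

```python
import os
import tempfile
from urllib.parse import unquote


def naive_join(base_dir: str, requested: str) -> str:
    """The unsafe pattern: the request parameter is appended to a base
    directory and the result used as-is. Any '../' segment walks out of
    base_dir, and an absolute path makes os.path.join discard base_dir."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str) -> str:
    """Hardened resolution: decode, reject absolute paths and NUL bytes,
    canonicalise (which also follows symlinks), then prove the result is
    still inside base_dir before the file is opened."""
    base_real = os.path.realpath(base_dir)
    candidate = unquote(requested)
    if not candidate or os.path.isabs(candidate) or "\x00" in candidate:
        raise ValueError("empty, absolute or NUL-containing name rejected")
    target = os.path.realpath(os.path.join(base_real, candidate))
    # commonpath compares whole path components, so a sibling such as
    # '<base>-private' is not mistaken for a child of '<base>'.
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("path escapes base directory")
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    return target


def _blocked(base_dir: str, requested: str) -> bool:
    """True when safe_resolve refuses the name for a traversal reason."""
    try:
        safe_resolve(base_dir, requested)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Constructed scenario (example only): a base directory holding one
    legitimate file, probed with a normal name, a plain traversal, a
    percent-encoded traversal and an absolute path."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "uploads")
        os.mkdir(base)
        with open(os.path.join(base, "invoice.pdf"), "w") as fh:
            fh.write("sample content\n")
        base_real = os.path.realpath(base)
        return {
            "naive_escapes": not naive_join(base_real, "../../../../etc/passwd").startswith(base_real + os.sep),
            "safe_allows_legit": safe_resolve(base, "invoice.pdf").endswith("invoice.pdf"),
            "safe_blocks_plain": _blocked(base, "../../../../etc/passwd"),
            "safe_blocks_encoded": _blocked(base, "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"),
            "safe_blocks_absolute": _blocked(base, "/etc/passwd"),
        }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The containment test uses `os.path.commonpath` rather than a string prefix check on purpose: a prefix check would accept `/srv/uploads-private/secret` as a child of `/srv/uploads`. Calling `realpath` on both sides also closes the symlink variant, where a link inside the base directory points outside it.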
• wordpress / composer / npm:
grep -rnE 'file=([^&]+)' /var/www/html/wp-content/plugins/yoco-payments/*
• generic web:
curl -I 'http://your-wordpress-site.com/wp-content/plugins/yoco-payments/../../../../etc/passwd'
disclosure
Exploit status
EPSS
0.19% (41st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13801 is to immediately upgrade the Yoco Payments plugin to version 3.9.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting file access permissions on the server. Specifically, ensure that the webserver user has minimal privileges and that sensitive files are not accessible from the webroot. Web Application Firewall (WAF) rules can also be configured to block requests containing suspicious path traversal patterns in the 'file' parameter. After upgrading, verify the fix by attempting to access a non-existent file via the vulnerable parameter; the request should return a 404 error.
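As an added example of the WAF and log-review side of the mitigation above (this is not code from the advisory or from Yoco), the following Python block runs a traversal check for the `file` parameter over constructed access-log lines. The handler name `download.php` is a placeholder, since the page does not name the plugin file that reads the parameter, and the IP addresses and timestamps are made up. The check decodes the value through up to three layers of percent-encoding before matching, so single- and double-encoded `../` are caught alongside the plain form.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample traffic in combined log format (not real traffic).
# The handler name 'download.php' is a placeholder: the page does not name
# the plugin file that reads the 'file' parameter.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jan/2026:10:01:02 +0000] "GET /wp-content/plugins/yoco-payments/download.php?file=invoice-42.pdf HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.11 - - [07/Jan/2026:10:01:05 +0000] "GET /wp-content/plugins/yoco-payments/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3210 "-" "curl/8.4.0"
203.0.113.12 - - [07/Jan/2026:10:01:09 +0000] "GET /wp-content/plugins/yoco-payments/download.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3210 "-" "python-requests/2.31"
203.0.113.13 - - [07/Jan/2026:10:01:12 +0000] "GET /wp-content/plugins/yoco-payments/download.php?file=..%252f..%252fetc%252fpasswd HTTP/1.1" 404 512 "-" "curl/8.4.0"
203.0.113.14 - - [07/Jan/2026:10:02:00 +0000] "GET /wp-content/plugins/yoco-payments/assets/style.css HTTP/1.1" 200 1440 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# '..' as a whole path component, with either separator, at start, middle or end.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
DRIVE_RE = re.compile(r'^[A-Za-z]:[\\/]')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding, so a doubly encoded
    '..%252f' is judged on what the application would eventually see."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """The predicate a WAF rule for the 'file' parameter would encode:
    a '..' component, an absolute path, or a NUL byte after decoding."""
    v = fully_decode(value)
    return ("\x00" in v or v.startswith("/") or v.startswith("\\")
            or DRIVE_RE.match(v) is not None or TRAVERSAL_RE.search(v) is not None)


def flag_traversal(log_text: str, param: str = "file") -> list:
    """Return (client_ip, decoded_value, status) for every request whose
    `param` query value looks like path traversal. The status tells the
    responder whether the probe was served (200) or already rejected."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs removes one encoding layer; fully_decode handles the rest.
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            if is_traversal(raw):
                hits.append((line.split(" ", 1)[0], fully_decode(raw), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, value, status in flag_traversal(SAMPLE_LOG):
        print(f"{ip} -> {value!r} (HTTP {status})")
```

The `is_traversal` predicate is the same test a WAF rule in front of the plugin would apply to the `file` parameter before the request reaches PHP; matching only a literal `../` would miss the encoded variants in the second and third flagged lines. When reviewing historical logs after upgrading, the status column separates probes that were served (a 200 on a traversal value, worth treating as a confirmed read) from those that were rejected.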
Update to version 3.9.1 or a newer patched version
CVE-2025-13801 is a vulnerability in the Yoco Payments WordPress plugin allowing unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive data. It has a CVSS score of 7.5 (HIGH).
You are affected if you are using the Yoco Payments plugin version 0.0.0 through 3.9.0. Upgrade to version 3.9.1 or later to mitigate the risk.
Upgrade the Yoco Payments plugin to version 3.9.1 or later. As a temporary workaround, restrict file access permissions on the server.
There are currently no reports of active exploitation campaigns, but the vulnerability's simplicity suggests a potential for exploitation.
Refer to the Yoco Payments website and WordPress plugin repository for the official advisory and update information.