Platform: wordpress
Component: yoco-payment-gateway
Fixed in: 3.9.1
CVE-2025-13801 describes an Arbitrary File Access vulnerability discovered in the Yoco Payments WordPress plugin. This vulnerability allows unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive information such as configuration files or database credentials. The vulnerability affects versions 0.0.0 through 3.9.0 and has been resolved in version 3.9.1.
The primary impact of CVE-2025-13801 is unauthorized access to sensitive files on the web server. An attacker could exploit this vulnerability to read configuration files containing database passwords, API keys, or other sensitive credentials, which could lead to further compromise of the WordPress site and potentially the underlying server. The ability to read arbitrary files also presents a risk of information disclosure, potentially exposing customer data or proprietary business information. Because the vulnerability requires no authentication and is easy to exploit, it poses a significant risk.
This vulnerability was publicly disclosed on 2026-01-07. No public proof-of-concept (POC) code has been released at the time of writing, but the simplicity of the path traversal vulnerability suggests that a POC is likely to emerge. The vulnerability is not currently listed on the CISA KEV catalog, and there are no reports of active exploitation campaigns. The NVD entry for this CVE is also available.
Exploit Status
EPSS: 0.19% (41st percentile)
The primary mitigation for CVE-2025-13801 is to immediately upgrade the Yoco Payments plugin to version 3.9.1 or later. If upgrading is not immediately feasible, consider implementing a temporary workaround by restricting file access permissions on the server to prevent unauthorized access. Review server access logs for any suspicious activity related to file access attempts. While a WAF might offer some protection, it is not a substitute for patching the vulnerable plugin.
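The log review suggested above can be scripted. The following is an added example, not code from the advisory or from the plugin: it parses combined-format web server access log lines, percent-decodes request paths repeatedly so double-encoded traversal sequences are not missed, flags any request containing a parent-directory hop, and puts requests aimed at the plugin directory (the slug is taken from the advisory) that returned 200 at the top of the list. The advisory does not name the vulnerable file, so the sample lines use a placeholder endpoint and are constructed for this example.

```python
import re
from urllib.parse import unquote

PLUGIN_SLUG = "yoco-payment-gateway"  # plugin directory named in the advisory

# Combined-format access log: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Parent-directory hops with either separator, checked only after percent-decoding
TRAVERSAL = re.compile(r"\.\.(?:/|\\)")

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e%252e%252f) normalise to ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return a finding dict when the request path contains a traversal sequence, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m.group("path")).replace("\x00", "")  # drop NUL-byte padding tricks
    if not TRAVERSAL.search(decoded):
        return None
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "path": m.group("path"),
        "plugin_dir": f"/plugins/{PLUGIN_SLUG}/" in decoded,  # aimed at the advisory's plugin
    }

def scan(lines):
    """All findings, ordered so plugin-directory hits that returned 200 come first."""
    findings = [f for f in map(classify, lines) if f]
    return sorted(findings, key=lambda f: (not f["plugin_dir"], f["status"] != 200))

# Constructed sample lines; 'endpoint-placeholder.php' stands in for the unnamed vulnerable file.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jan/2026:10:00:01 +0000] "GET /wp-content/plugins/yoco-payment-gateway/assets/checkout.js HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/Jan/2026:10:00:02 +0000] "GET /wp-content/plugins/yoco-payment-gateway/endpoint-placeholder.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 404 210',
    '203.0.113.5 - - [07/Jan/2026:10:00:03 +0000] "GET /wp-content/plugins/yoco-payment-gateway/endpoint-placeholder.php?file=../../../../wp-config.php HTTP/1.1" 200 3110',
    '198.51.100.7 - - [07/Jan/2026:10:00:04 +0000] "GET /index.php?p=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 response to a traversal request against the plugin directory on a site still running 3.9.0 or earlier is the line to investigate first; 404s show probing but not necessarily a successful read.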
Update to version 3.9.1, or a newer patched version
CVE-2025-13801 is a vulnerability in the Yoco Payments WordPress plugin allowing unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive data. It has a CVSS score of 7.5 (HIGH).
You are affected if you are using the Yoco Payments plugin version 0.0.0 through 3.9.0. Upgrade to version 3.9.1 or later to mitigate the risk.
Upgrade the Yoco Payments plugin to version 3.9.1 or later. As a temporary workaround, restrict file access permissions on the server.
There are currently no reports of active exploitation campaigns, but the vulnerability's simplicity suggests a potential for exploitation.
Refer to the Yoco Payments website and WordPress plugin repository for the official advisory and update information.