Path Traversal Vulnerability in Yoco Payments Plugin for WordPress
CVE-2025-13801

7.5HIGH

Key Information:

Vendor: WordPress
Status: Yoco Payments
Vendor: CVE Published:; 7 January 2026

What is CVE-2025-13801?

The Yoco Payments plugin for WordPress is susceptible to a path traversal vulnerability allowing unauthenticated users to access files on the server. This flaw occurs via the 'file' parameter, potentially exposing sensitive information stored in arbitrary files. It is crucial for users to update to the latest version to mitigate this risk and ensure the security of their applications.

Affected Version(s)

Yoco Payments 0 <= 3.9.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/yoco-payment-g...

EPSS Score

64% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 7, 2026
Vulnerability Reserved
Nov 30, 2025

Credit

NumeX

CVE-2025-13801 Data

JSON