Description
The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.9.0 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2026-01-07
Score: 7.5 High
EPSS: 49.4% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Yoco Payments WordPress plugin contains a path traversal flaw in the handling of the file parameter. This weakness allows an attacker to read any file on the server, potentially exposing sensitive data such as configuration files, credentials, or user information. The exploit does not require authentication and can be triggered simply by supplying a crafted file name.

Affected Systems

All releases of Yoco Payments up to and including 3.9.0 are affected. The plugin is distributed through WordPress and commonly installed on sites that process payments. The vulnerability applies to any WordPress environment where the Yoco Payments plugin is active and has not been updated to a non‑vulnerable version.

Risk and Exploitability

The CVSS score of 7.5 indicates a high risk level. The EPSS score of 49% indicates that exploitation of this vulnerability is likely to occur, although it is not listed in CISA's KEV catalog. Because the component can be accessed by unauthenticated users and the flaw provides direct file system exposure, it is likely to be used opportunistically. Successful exploitation would grant read access to arbitrary files, undermining confidentiality and potentially enabling further attacks.

Generated by OpenCVE AI on May 22, 2026 at 15:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Yoco Payments to the latest released version, which removes the path traversal vulnerability.
  • If an upgrade cannot be performed immediately, remove or rename the vulnerable file handler function and restrict the file parameter to a whitelist of permitted file paths.
  • Disable Yoco Payments on sites that cannot be upgraded until the vulnerability is fixed.
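The second recommended action above (restrict the file parameter to an allowlist) is illustrated below. This is an added example written for this page, not Yoco Payments code or the vendor's fix; the handler name, base directory and allowlist entries are hypothetical. It combines an exact-match allowlist with a realpath containment check, the usual defense against CWE-22, so that a request can never name a file outside the directory the application intends to serve.

```php
<?php
// Added illustration of the "allowlist the file parameter" advice for
// CVE-2025-13801. Hypothetical handler: NOT the plugin's own code.
declare(strict_types=1);

/**
 * Resolve a user-supplied file name against a fixed base directory and an
 * explicit allowlist. Returns the absolute path on success, or null when the
 * request must be refused (caller should answer with HTTP 403 and exit).
 */
function resolve_allowed_file(string $requested, string $baseDir, array $allowlist): ?string
{
    // 1. Exact-match allowlist: only names the application chose to expose.
    //    Anything else, including names containing "..", "/" or NUL, is refused.
    if (!in_array($requested, $allowlist, true)) {
        return null;
    }

    // 2. Canonicalise both sides so ".", "..", and symlinks cannot escape
    //    the base directory even if an allowlist entry is ever mis-set.
    $realBase = realpath($baseDir);
    $realFile = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($realBase === false || $realFile === false) {
        return null;
    }

    // 3. Containment check: the resolved path must start with "<base>/".
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($realFile, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $realFile;
}

// Demonstration on a constructed temporary directory (sample data, not real
// plugin files). In a WordPress plugin the `$requested` value would come from
// the request parameter, and a null result should end in status_header(403); exit;.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cve-2025-13801-demo';
@mkdir($base, 0700, true);
file_put_contents($base . DIRECTORY_SEPARATOR . 'receipt.pdf', 'sample receipt');

$allowlist = ['receipt.pdf']; // hypothetical: the only file this endpoint serves

$requests = [
    'receipt.pdf',      // permitted: on the allowlist and inside the base directory
    '../outside.txt',   // traversal attempt: refused by the allowlist
    'notes.txt',        // not on the allowlist: refused even though the name is benign
];
foreach ($requests as $name) {
    $path = resolve_allowed_file($name, $base, $allowlist);
    printf("%-16s => %s\n", $name, $path === null ? 'REJECTED' : 'OK: ' . $path);
}
```

The allowlist alone already rejects every traversal string; the realpath check is defence in depth so that a future change to the allowlist (for example, adding a subdirectory entry or a symlinked file) cannot silently reopen the hole. Logging rejected requests with the offending parameter value also gives a simple detection signal for scanning activity against the endpoint.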

Generated by OpenCVE AI on May 22, 2026 at 15:03 UTC.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
Removed: The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.8.8 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Added: The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.9.0 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Type: Title
Removed: Yoco Payments <= 3.8.8 - Unauthenticated Arbitrary File Read
Added: Yoco Payments <= 3.9.0 - Unauthenticated Arbitrary File Read

Type: References

Thu, 08 Jan 2026 10:00:00 +0000

Type: First Time appeared
Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Added: Wordpress; Wordpress wordpress

Wed, 07 Jan 2026 15:15:00 +0000

Type: Metrics
Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 09:30:00 +0000

Type: Description
Added: The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.8.8 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Type: Title
Added: Yoco Payments <= 3.8.8 - Unauthenticated Arbitrary File Read

Type: Weaknesses
Added: CWE-22

Type: References

Type: Metrics
Added: cvssV3_1
{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:10.080Z

Reserved: 2025-11-30T14:00:25.604Z

Link: CVE-2025-13801

Vulnrichment

Updated: 2026-01-07T14:37:35.288Z

NVD

Status : Deferred

Published: 2026-01-07T12:16:50.000

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13801

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T15:15:09Z

Weaknesses