Description
The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.9.0 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2026-01-07
Score: 7.5 High
EPSS: 1.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Yoco Payments WordPress plugin contains a path traversal flaw (CWE-22) in how it processes the file parameter. An attacker who can send a request to the plugin can craft a file name that points to any file readable by the web server process and cause the plugin to read and return its contents. This does not require any user authentication, so anyone on the public internet could potentially read configuration files, credentials, or other data that should remain confidential.

Affected Systems

All installations of the Yoco Payments plugin up to and including version 3.9.0 are affected. The plugin is distributed via the WordPress plugin repository and is used on sites that accept payments through WordPress.

Risk and Exploitability

The CVSS score of 7.5 places this vulnerability in the high‑risk category. An EPSS score of 2% indicates a low probability that attackers will target this flaw. The attack does not require authentication. Its direct scope is limited to reading file contents the web server can access (the CVSS vector rates confidentiality impact as high, with no integrity or availability impact), but the exposed data, such as database credentials in wp-config.php, may be enough to facilitate additional attacks. The flaw is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 18, 2026 at 06:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Yoco Payments to the latest version that removes the path traversal vulnerability.
  • If an upgrade cannot be performed immediately, block unauthenticated access to the plugin’s file‑handling endpoint with a web‑application firewall rule, .htaccess restriction, or WordPress REST API permission.
  • Alternatively, modify the plugin’s file‑reading code to validate that the file name matches a whitelist of legitimate files or remove the vulnerable code entirely.
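
The third action above describes the code-level fix: accept only a file name from a fixed allowlist and confirm the resolved path stays inside the directory the feature is meant to serve. The following PHP is an added example written for this page; it is not the Yoco Payments plugin's own code, and the function name, the base directory and the allowlist are assumptions for illustration. It applies three independent checks (single path component, allowlist membership, realpath containment) so that the CWE-22 class is blocked even if one check is later weakened, and it demonstrates the checks on a constructed temporary directory.

```php
<?php
// Added example (not the Yoco Payments plugin's own code): a defensive lookup for a
// user-supplied "file" request parameter. Base directory, allowlist and function name
// are assumptions chosen for illustration.

declare(strict_types=1);

/**
 * Resolve a user-supplied file name to a path inside $base_dir, or return null.
 *
 *   1. the raw value must be a single path component (no separators, no NUL bytes);
 *   2. it must appear in an explicit allowlist of names the feature is meant to serve;
 *   3. the canonical (realpath) result must still sit inside the canonical base directory.
 * Check 3 is what stops path traversal even if checks 1 and 2 are later relaxed.
 */
function resolve_allowed_file(string $requested, string $base_dir, array $allowlist): ?string
{
    // Check 1: reject anything that is not a plain file name.
    if ($requested === ''
        || strpos($requested, "\0") !== false
        || strpos($requested, '/') !== false
        || strpos($requested, '\\') !== false) {
        return null;
    }
    // Check 2: only names the feature explicitly serves.
    if (!in_array($requested, $allowlist, true)) {
        return null;
    }
    // Check 3: canonicalise both sides (realpath resolves symlinks and ".." segments).
    $real_base = realpath($base_dir);
    $real_file = realpath($base_dir . DIRECTORY_SEPARATOR . $requested);
    if ($real_base === false || $real_file === false) {
        return null; // base directory missing, or the requested file does not exist
    }
    $prefix = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real_file, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the base directory
    }
    return $real_file;
}

// --- Self-contained demonstration on a constructed temporary directory ---
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'allowlist_example_' . bin2hex(random_bytes(4));
mkdir($base, 0700, true);
file_put_contents($base . DIRECTORY_SEPARATOR . 'receipt.html', '<p>receipt</p>');
$allowlist = ['receipt.html'];

// Constructed inputs: one legitimate name and three that must be refused.
$cases = [
    'receipt.html',            // legitimate, resolves inside $base
    '../../../../etc/passwd',  // traversal, refused by check 1
    'wp-config.php',           // not on the allowlist, refused by check 2
    "receipt.html\0.txt",      // NUL-byte truncation attempt, refused by check 1
];
foreach ($cases as $case) {
    $result = resolve_allowed_file($case, $base, $allowlist);
    printf("%-28s => %s\n",
        str_replace("\0", '\0', $case),
        $result === null ? 'DENIED' : 'OK ' . basename($result));
}

// Remove the constructed directory again.
unlink($base . DIRECTORY_SEPARATOR . 'receipt.html');
rmdir($base);
```

Run it with `php` from the command line; the first case prints `OK receipt.html` and the other three print `DENIED`. In a real plugin the same function would sit in front of the `readfile()` or `file_get_contents()` call, with `$base_dir` pointing at the plugin's own asset directory rather than a temporary one, and a null result should produce a 404 or 403 response rather than any file content.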

Generated by OpenCVE AI on June 18, 2026 at 06:06 UTC.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
  Values Removed: The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.8.8 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
  Values Added: The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.9.0 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Type: Title
  Values Removed: Yoco Payments <= 3.8.8 - Unauthenticated Arbitrary File Read
  Values Added: Yoco Payments <= 3.9.0 - Unauthenticated Arbitrary File Read
Type: References

Thu, 08 Jan 2026 10:00:00 +0000

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Wed, 07 Jan 2026 15:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 09:30:00 +0000

Type: Description
  Values Added: The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.8.8 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Type: Title
  Values Added: Yoco Payments <= 3.8.8 - Unauthenticated Arbitrary File Read
Type: Weaknesses
  Values Added: CWE-22
Type: References
Type: Metrics
  Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:10.080Z

Reserved: 2025-11-30T14:00:25.604Z

Link: CVE-2025-13801

Vulnrichment

Updated: 2026-01-07T14:37:35.288Z

NVD

Status : Deferred

Published: 2026-01-07T12:16:50.000

Modified: 2026-06-17T08:34:47.380

Link: CVE-2025-13801

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T06:15:14Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')