CVE-2025-13801 Scanner

CVE-2025-13801 Scanner - Path Traversal vulnerability in Yoco Payments WordPress Plugin

Short Info

Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 13 days 13 hours
Scan only one: Domain, Subdomain, IPv4


The Yoco Payments WordPress Plugin is a widely used tool in the WordPress ecosystem, facilitating payment gateway functionalities for e-commerce websites. It serves website administrators and developers who integrate online payment systems into their sites, providing seamless transaction capabilities. The plugin is predominantly utilized by small to medium-sized businesses looking to implement payment solutions directly on their WordPress sites. Yoco Payments Plugin supports multiple transaction types, including credit card and online payment processing, enhancing its versatile appeal. By offering a streamlined way to manage payments, it allows businesses to operate efficiently without redirecting users to external payment pages. Regular updates and security patches are crucial to maintaining the security and functionality of the plugin.

Path Traversal is a security vulnerability that allows attackers to gain unauthorized access to files on a server by manipulating variables or parameters containing "dot-dot-slash" sequences. This can lead to the exposure of sensitive files, potentially revealing system configurations and confidential data. Attackers exploit this weakness to traverse directories and access files outside the intended directory scope. This vulnerability is critical as it can undermine the confidentiality of the information on the affected server. Organizations hosting susceptible plugins must ensure rigorous validation of file paths to prevent exploitation. Path Traversal can significantly impact data security if not promptly mitigated.

The vulnerability in the Yoco Payments WordPress Plugin stems from improper validation of the file parameter of the plugin's log-file endpoint, which is exposed under the wp-json (REST API) URL path. Because the parameter is not constrained to the intended log directory, a request can supply traversal sequences such as "../../" to walk up the directory tree and read arbitrary files on the server, for example /etc/passwd. Versions up to and including 3.8.8 are affected. Updating to a patched release and auditing the plugin regularly are the essential mitigations.
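As an added example (not code from the page or from the Yoco plugin), the following Python snippet shows how a defender can sweep web server access logs for traversal attempts against a wp-json log endpoint, normalizing single and double percent-encoding before checking the file parameter. The route /wp-json/yoco/v1/log and the sample log lines are constructed placeholders; only the "file" parameter name comes from the description above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from the page). The route
# /wp-json/yoco/v1/log is a hypothetical placeholder; the "file" parameter is from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-json/yoco/v1/log?file=2025-01-01.log HTTP/1.1" 200 512
203.0.113.6 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-json/yoco/v1/log?file=../../../../etc/passwd HTTP/1.1" 200 1024
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /wp-json/yoco/v1/log?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 2048
203.0.113.8 - - [01/Jan/2025:10:00:03 +0000] "GET /wp-json/yoco/v1/log?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
203.0.113.9 - - [01/Jan/2025:10:00:04 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4096
"""

# Common log format: client IP, timestamp, request line, status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double encoding such as %252e),
    then fold backslashes to '/' so segments compare uniformly."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def has_traversal(value: str) -> bool:
    """True if any path segment of the normalized value is exactly '..'."""
    return any(seg == ".." for seg in normalize(value).split("/"))

def find_traversal_attempts(log_text: str, param: str = "file"):
    """Return (ip, status, decoded value) for each wp-json request whose
    `param` value escapes the log directory; status lets 200s be triaged first."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.startswith("/wp-json/"):
            continue
        # parse_qs decodes once; normalize() handles further encoding rounds.
        for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if has_traversal(raw):
                hits.append((m.group("ip"), int(m.group("status")), normalize(raw)))
    return hits
```

Requests that returned 200 for a traversal value are the ones to treat as probable successful reads; a 404 still indicates probing and is worth correlating with the source address.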

Exploiting the Path Traversal vulnerability in this plugin can lead to significant damage, primarily exposing sensitive server files. Access to these files can reveal critical information, including system configurations, user credentials, and potentially sensitive business data. This breach of confidentiality can facilitate further attacks, including privilege escalation or data theft. Moreover, unauthorized access to server files can enable attackers to plant malicious code or alter configurations, leading to service disruptions or data manipulation. Consequently, affected sites face risks of reputational damage and financial loss due to compromised user trust and potential regulatory fines.
