CVE-2025-13801
Published: 07 January 2026
Summary
CVE-2025-13801 is a high-severity Path Traversal (CWE-22) vulnerability in the Yoco Payments plugin for WordPress (product inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 2.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-10 (Information Input Validation).
Deeper analysis
The Yoco Payments plugin for WordPress is vulnerable to path traversal in all versions through 3.9.0. The flaw resides in the file parameter handling within the Logs.php component and is tracked as CWE-22, enabling unauthenticated remote actors to retrieve arbitrary server files.
Unauthenticated attackers can exploit the issue over the network with low complexity to read sensitive file contents stored on the server. The vulnerability carries a CVSS 3.1 score of 7.5 reflecting high confidentiality impact without any required privileges or user interaction.
Advisories reference the vulnerable code paths in plugin tags 3.8.8 and a subsequent changeset that resolves the traversal flaw, indicating an update is available through the WordPress plugin repository.
The EPSS score rose from lower values after disclosure to a peak of 0.6466 on 2026-04-24 before receding to the current 0.3471, signaling increased exploitation interest following publication.
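The root cause described above is a `file` parameter that reaches a file-read routine without being confined to the intended log directory. The following is an added illustration of the input-validation control the page recommends (NIST SI-10); it is not the plugin's own code, and the log directory path, the `.log` naming rule and the function names are assumptions chosen for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed log directory: a constructed example path, not the plugin's real layout.
LOG_DIR = "/var/www/html/wp-content/uploads/yoco-logs"

# Allowlist for a bare log file name: starts alphanumeric, ends in ".log",
# no separators anywhere (a log name never legitimately carries a directory).
LOG_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*\.log")


def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded sequences (%252e%252e) cannot
    survive one decoding layer and be reinterpreted by the next."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_log_path(user_file, log_dir=LOG_DIR):
    """Return the absolute path of the requested log, or None to refuse the request.

    Defence in depth: reject NUL bytes, reject any path separator, apply the
    name allowlist, then confirm the normalised path still sits inside log_dir.
    """
    decoded = fully_decode(user_file)
    if "\x00" in decoded:
        return None  # NUL truncation tricks against C-level open() calls
    if "/" in decoded or "\\" in decoded:
        return None  # any directory component is suspicious for a log name
    if not LOG_NAME.fullmatch(decoded):
        return None
    candidate = posixpath.normpath(posixpath.join(log_dir, decoded))
    # Belt and braces: containment check on the normalised path.
    if posixpath.commonpath([candidate, log_dir]) != log_dir:
        return None
    return candidate


if __name__ == "__main__":
    for sample in ("yoco-2026-01-07.log", "../../../wp-config.php", "debug.log%00.txt"):
        print(f"{sample!r:40} -> {resolve_log_path(sample)}")
```

The allowlist alone would already block traversal; the separate separator and containment checks are kept so that a later relaxation of the naming rule does not silently reopen the hole.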
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1310
Vulnerability details
The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.9.0 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables direct arbitrary local file reads (configs/logs/sensitive data) by unauthenticated remote attackers, mapping cleanly to data collection from the local system.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly validates the 'file' parameter to block path traversal sequences, preventing unauthenticated arbitrary file reads.
SI-2 (Flaw Remediation): mandates identification, reporting, and correction of the path traversal flaw in the Yoco Payments plugin via patching.
AU-13 (Monitoring for Information Disclosure): monitors for events indicating unauthorized information disclosure from path traversal exploitation attempts.
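To make the AU-13 control concrete, here is an added detection routine (not from the page or the plugin) that scans web server access logs for traversal sequences in request parameters. The sample log lines are constructed for the example, the plugin directory name is a placeholder (`PLUGIN_DIR`) because the page does not give it, and the combined log format is assumed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined access-log format (Apache/nginx style); the sample below follows it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# A ".." segment bounded by separators or string ends, after normalising backslashes.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Constructed sample: PLUGIN_DIR is a placeholder, the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jan/2026:10:00:01 +0000] "GET /wp-content/plugins/PLUGIN_DIR/Logs.php?file=yoco-2026-01-07.log HTTP/1.1" 200 5120
203.0.113.10 - - [07/Jan/2026:10:00:05 +0000] "GET /wp-content/plugins/PLUGIN_DIR/Logs.php?file=../../../../wp-config.php HTTP/1.1" 200 3210
198.51.100.7 - - [07/Jan/2026:10:01:14 +0000] "GET /wp-content/plugins/PLUGIN_DIR/Logs.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1870
198.51.100.7 - - [07/Jan/2026:10:01:20 +0000] "GET /?s=logs..2026 HTTP/1.1" 200 14000
192.0.2.44 - - [07/Jan/2026:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""


def fully_decode(value, rounds=3):
    """Repeated URL-decoding so double-encoded traversal is seen in its final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(log_text):
    """Return one record per request parameter whose decoded value contains a
    traversal segment. HTTP 200 with a non-trivial size on a hit is the signal
    that the read may have succeeded and the file needs to be treated as exposed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: leave for a separate parse-failure metric
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = fully_decode(value).replace("\\", "/")
            if TRAVERSAL.search(decoded):
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "param": name,
                    "value": decoded,
                    "status": int(m["status"]),
                })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

Because `parse_qsl` already decodes one layer, the extra `fully_decode` pass only matters for double-encoded values; the benign search query on the fourth line is not flagged because its dots are not a standalone `..` segment.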