Cyber Resilience

CVE-2025-13801

Severity: High
Published: 07 January 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.3471 (97.1st percentile)
Risk priority: 36 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-13801 is a high-severity Path Traversal (CWE-22) vulnerability affecting WordPress (asset inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 2.9% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-10 (Information Input Validation).

Deeper analysis

The Yoco Payments plugin for WordPress is vulnerable to path traversal in all versions through 3.9.0. The flaw resides in the handling of the file parameter within the Logs.php component; it is tracked as CWE-22 and enables unauthenticated remote actors to retrieve arbitrary server files.

Unauthenticated attackers can exploit the issue over the network with low complexity to read sensitive file contents stored on the server. The vulnerability carries a CVSS 3.1 score of 7.5, reflecting high confidentiality impact with no privileges or user interaction required.

Advisories reference the vulnerable code paths in the plugin's 3.8.8 tag and a subsequent changeset that resolves the traversal flaw, indicating that a fixed version is available through the WordPress plugin repository.

The EPSS score rose from lower values after disclosure to a peak of 0.6466 on 2026-04-24 before receding to the current 0.3471, signaling increased exploitation interest following publication.

Vulnerability details

The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.9.0 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal enables direct arbitrary local file reads (configs/logs/sensitive data) by unauthenticated remote attackers, mapping cleanly to data collection from the local system.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44307 (shared CWE-22)
CVE-2025-68921 (shared CWE-22)
CVE-2026-39369 (shared CWE-22)
CVE-2026-42600 (shared CWE-22)
CVE-2025-54794 (shared CWE-22)
CVE-2026-41205 (shared CWE-22)
CVE-2026-41419 (shared CWE-22)
CVE-2025-45691 (shared CWE-22)
CVE-2026-7182 (shared CWE-22)
CVE-2025-24605 (shared CWE-22)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent (SI-10, Information Input Validation): Directly validates the 'file' parameter to block path traversal sequences, preventing unauthenticated arbitrary file reads.

Prevent: Mandates identification, reporting, and correction of the path traversal flaw in the Yoco Payments plugin via patching.

Detect (AU-13, Monitoring for Information Disclosure): Monitors for events indicating unauthorized information disclosure from path traversal exploitation attempts.
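As an added illustration of the input-validation control above (this is not the Yoco Payments plugin's own code), a hardened PHP handler for a file parameter that should only ever name a log inside one fixed directory; the function name safe_log_path, the directory and the sample file names are assumptions made for the demonstration:

```php
<?php
declare(strict_types=1);

// Added example, not the Yoco Payments plugin's code. Names ($logDir,
// safe_log_path, the sample files) are assumptions for the demonstration.

/**
 * Resolve a user-supplied "file" value to an absolute path inside $logDir.
 * Returns null unless it names an existing "*.log" file directly in that directory.
 */
function safe_log_path(string $logDir, string $requested): ?string
{
    // 1. Only a bare filename is acceptable: no slashes, no dots other than the
    //    extension, no NUL bytes or trailing newlines (\z, unlike $, excludes them).
    if (!preg_match('/^[A-Za-z0-9_-]+\.log\z/', $requested)) {
        return null;
    }
    // 2. Canonicalise both sides so symlinks and ".." segments cannot escape.
    $base = realpath($logDir);
    $path = realpath($logDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // 3. The resolved file must still sit directly under the log directory.
    return dirname($path) === $base ? $path : null;
}

// Constructed demo: a temporary log directory holding one legitimate log file.
$logDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo-plugin-logs';
if (!is_dir($logDir)) {
    mkdir($logDir, 0700, true);
}
file_put_contents($logDir . DIRECTORY_SEPARATOR . 'payments.log', "ok\n");

$cases = [
    'payments.log',           // legitimate request: resolves
    '../../other-file.php',   // ".." traversal: rejected at step 1
    '/etc/hostname',          // absolute path: rejected at step 1
    "payments.log\0.txt",     // NUL-byte truncation trick: rejected at step 1
    'missing.log',            // well-formed but absent: rejected at step 2
];
foreach ($cases as $c) {
    $r = safe_log_path($logDir, $c);
    printf("%-24s -> %s\n", addcslashes($c, "\0"), $r === null ? 'REJECTED' : $r);
}
```

In a plugin the request value arrives already URL-decoded via $_GET, so the pattern sees the literal bytes; the check belongs before any readfile() or file_get_contents() call, alongside a capability check so that log downloads are not reachable by unauthenticated requests.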
