CVE-2025-13801 is a path traversal vulnerability classified under CWE-22 affecting the Yoco Payments plugin for WordPress, versions up to and including 3.8.8. The vulnerability arises from improper limitation of the pathname to a restricted directory, specifically through the 'file' parameter. An attacker can manipulate this parameter to traverse directories and access arbitrary files on the web server filesystem. Since the vulnerability is exploitable without authentication or user interaction, it poses a serious risk of information disclosure. The exposed files may contain sensitive data such as configuration files, credentials, or payment information, which could be leveraged for further attacks. The CVSS v3.1 score of 7.5 reflects a high impact on confidentiality with no impact on integrity or availability. Although no exploits have been observed in the wild yet, the ease of exploitation and the widespread use of WordPress and its plugins make this a critical issue to address. The vulnerability was publicly disclosed in early 2026, and no official patch links were provided at the time of reporting, indicating that mitigation may require temporary workarounds until an update is available.

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive information stored on web servers running the vulnerable Yoco Payments plugin. This includes payment data, customer information, and internal configuration files, potentially violating GDPR and other data protection regulations. The exposure of such data could result in financial losses, reputational damage, and regulatory penalties. E-commerce businesses and financial service providers using this plugin are particularly at risk. The lack of required authentication and user interaction means attackers can exploit this vulnerability remotely and anonymously, increasing the likelihood of attacks. Additionally, the vulnerability could serve as a foothold for further attacks such as privilege escalation or lateral movement within compromised networks.

Immediate mitigation steps include restricting access to the vulnerable plugin's file handling functionality via web server configuration, such as disabling direct access to the 'file' parameter or limiting file read permissions to necessary directories only. Employing a web application firewall (WAF) with rules to detect and block path traversal attempts can provide temporary protection. Organizations should monitor logs for suspicious requests targeting the 'file' parameter. It is critical to update the Yoco Payments plugin to a patched version once available. In the interim, consider disabling the plugin if feasible or isolating the affected WordPress instance to minimize exposure. Conduct thorough audits of server file permissions and remove any unnecessary sensitive files from web-accessible directories. Finally, ensure regular backups and incident response plans are in place to respond to potential breaches.