漏洞描述
WordPress 插件 Yoco Payments 在 3.8.8 及之前版本中存在路径穿越漏洞,相关接口在处理 file 参数时缺乏有效的安全过滤,未认证的攻击者可构造恶意路径读取服务器上的任意文件内容,从而造成敏感信息泄露。
WordPress Yoco Payments plugin /wp-json/yoco/logs 目录遍历漏洞(CVE-2025-13801)
PoC代码
暂无相关漏洞推荐
- POC CVE-2012-10018: WordPress Mapplic <= 6.1 / Mapplic Lite <= 1.0 - Authenticated Stored XSS via SVG File Upload
- POC CVE-2024-29138: WordPress Restrict User Access <= 2.5 - Cross-Site Scripting
- POC wordpress-elementor-fpd: WordPress Elementor Page Builder - Full Path Disclosure
- POC wordpress-menu-image-fpd: WordPress Menu Image - Full Path Disclosure
- POC wp-jetpack-ssrf: Wordpress Jetpack plugin - Server Side Request Forgery
- POC CVE-2015-8350: WordPress Calls to Action <=2.4.3 - Authenticated Reflected XSS
- POC CVE-2017-18580: WordPress Shortcodes Ultimate <= 5.0.0 - Authenticated Remote Code Execution
- POC CVE-2020-12832: WordPress Simple File List - Path Traversal
- POC CVE-2021-24657: Limit Login Attempts WordPress - Stored Cross-site Scripting
- POC CVE-2021-24681: Duplicate Page WordPress - Stored Cross-Site Scripting
- POC CVE-2021-25082: WordPress Popup Builder < 4.0.7 - Remote Code Execution
- POC CVE-2022-0765: WordPress Loco Translate < 2.6.1 - Cross-Site Scripting
- POC CVE-2022-0873: WordPress Gmedia Photo Gallery Plugin < 1.20.0 - Cross-Site Scripting