CVE-2025-13457 PUBLISHED

WooCommerce Square <= 5.1.1 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure in get_token_by_id

Assigner: Wordfence
Reserved: 19.11.2025
Published: 10.01.2026
Updated: 12.01.2026

The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to read arbitrary Square "ccof" (credit card on file) values and use such a value to potentially make fraudulent charges on the target site.
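The pattern behind CWE-639 in a token lookup, as an added illustration that is not code from the WooCommerce Square plugin: a lookup keyed only on a caller-supplied id, beside a version that requires an authenticated caller, checks that the record belongs to that caller, and never returns the gateway reference itself. The in-memory token table, the two function names and the caller shape are assumptions made for this example.

```php
<?php
// Added illustration of the CWE-639 pattern named in this record, written as
// plain PHP with a constructed in-memory token table. It is NOT code from the
// WooCommerce Square plugin; the table, the two lookup functions and the
// caller representation are assumptions made for the example.

declare(strict_types=1);

// Constructed sample data: each stored payment token belongs to one user and
// carries an opaque gateway reference (a stand-in for a card-on-file id).
$tokens = [
    101 => ['user_id' => 7, 'gateway_ref' => 'ccof:EXAMPLE-A', 'brand' => 'visa',       'last4' => '4242'],
    102 => ['user_id' => 9, 'gateway_ref' => 'ccof:EXAMPLE-B', 'brand' => 'mastercard', 'last4' => '4444'],
];

// Vulnerable shape: the only input is a caller-supplied id. Nothing ties the
// id to the caller, no login is required, and the raw gateway reference is
// handed back to whoever asked.
function get_token_by_id_vulnerable(array $tokens, int $token_id): ?array
{
    return $tokens[$token_id] ?? null;
}

// Hardened shape: the caller must be authenticated, the record must belong to
// that caller, and only display fields leave the server. The gateway reference
// stays server-side; the server resolves it itself when a charge is made.
function get_token_by_id_hardened(array $tokens, ?int $current_user_id, int $token_id): ?array
{
    if ($current_user_id === null) {          // unauthenticated request: refuse
        return null;
    }
    $row = $tokens[$token_id] ?? null;
    if ($row === null || $row['user_id'] !== $current_user_id) {
        return null;                          // same answer for "missing" and "not yours"
    }
    return ['id' => $token_id, 'brand' => $row['brand'], 'last4' => $row['last4']];
}

// Walk through both behaviours with an anonymous caller asking for token 102.
$anonymous = null;
var_dump(get_token_by_id_vulnerable($tokens, 102));            // leaks user 9's gateway_ref
var_dump(get_token_by_id_hardened($tokens, $anonymous, 102));  // NULL
var_dump(get_token_by_id_hardened($tokens, 7, 102));           // NULL: belongs to user 9
var_dump(get_token_by_id_hardened($tokens, 9, 102));           // brand and last4 only
```

Returning the same null for a missing record and for another user's record keeps the endpoint from doubling as an enumeration oracle; keeping the gateway reference server-side means that even a future authorization slip exposes display data rather than a value that can be charged against.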

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5

Product Status

Vendor woocommerce
Product WooCommerce Square
Versions Default: unaffected
  • affected from 4.2.0 to 4.2.3 (excl.)
  • affected from 4.3.0 to 4.3.2 (excl.)
  • affected from 4.4.0 to 4.4.2 (excl.)
  • affected from 4.5.0 to 4.5.2 (excl.)
  • affected from 4.6.0 to 4.6.4 (excl.)
  • affected from 4.7.0 to 4.7.4 (excl.)
  • affected from 4.8.0 to 4.8.8 (excl.)
  • affected from 4.9.0 to 4.9.9 (excl.)
  • affected from 5.0.0 to 5.0.1 (excl.)
  • affected from 5.1.0 to 5.1.2 (excl.)

Credits

  • German finder

References

Problem Types

  • CWE-639 Authorization Bypass Through User-Controlled Key