WooCommerce Square < 5.1.2 – Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure in get_token_by_id | CVE 2025-13457 | Plugin Vulnerabilities

Description

The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square "ccof" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site.

Affects Plugins

woocommerce-square

Fixed in 5.1.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c7f4f726-7e53-4397-8d8b-7a574326adc6

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

DityaRA

Verified

No

WPVDB ID

a6066416-4b31-4113-ad42-46ff1193a1a6

Timeline

Publicly Published

2026-01-09 (about 5 months ago)

Added

2026-01-09 (about 5 months ago)

Last Updated

2026-01-10 (about 5 months ago)

Other

Published

Title

Published

2024-03-29

Title

Whizzy <= 1.1.18 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2026-02-02

Title

WP ULike < 5.0.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Log Deletion via 'id' Parameter

Published

2025-04-22

Title

WordPress Simple PayPal Shopping Cart < 5.1.3 - Unauthenticated Product Price Manipulation

Published

2025-02-12

Title

DethemeKit For Elementor < 2.1.9 - Authenticated (Contributor+) Protected Post Disclosure

Published

2026-01-15

Title

NextMove Lite < 2.24.0 - Unauthenticated Insecure Direct Object Reference