CVE-2025-13457 Overview
The WooCommerce Square plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to and including 5.1.1. The flaw exists in the get_token_by_id function due to missing validation on a user-controlled key. This security gap allows unauthenticated attackers to expose arbitrary Square "ccof" (credit card on file) values and potentially leverage this information to make fraudulent charges on affected WordPress sites.
Critical Impact
Unauthenticated attackers can access sensitive payment token data and potentially conduct fraudulent transactions on vulnerable e-commerce sites.
Affected Products
- WooCommerce Square plugin for WordPress versions up to and including 5.1.1
- WordPress sites using WooCommerce Square for payment processing
- Square payment integration implementations with vulnerable plugin versions
Discovery Timeline
- 2026-01-10 - CVE-2025-13457 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-13457
Vulnerability Analysis
This vulnerability falls under CWE-639 (Authorization Bypass Through User-Controlled Key), a common access control weakness where the application uses user-controllable data as a key to access restricted resources without proper authorization checks. In the context of the WooCommerce Square plugin, the get_token_by_id function fails to verify that the requesting user has proper authorization to access the requested payment token.
The vulnerability is particularly dangerous because it can be exploited remotely over the network without requiring any authentication or user interaction. Successful exploitation results in the exposure of sensitive credit card token data ("ccof" values) that Square uses to reference stored payment methods.
Root Cause
The root cause of this vulnerability is the absence of proper authorization validation in the get_token_by_id function. When processing requests for payment token data, the function accepts a user-supplied identifier and retrieves the corresponding token without verifying that the requester is authorized to access that specific resource. This missing validation creates a direct object reference vulnerability where any user can access any token by simply guessing or enumerating token identifiers.
Attack Vector
The attack vector is network-based and requires no authentication. An attacker can exploit this vulnerability by sending crafted requests to the vulnerable endpoint with manipulated token identifiers. Since no authentication is required, attackers can enumerate token IDs to discover and extract payment token data belonging to other users.
The exploitation flow involves:
- Identifying the vulnerable API endpoint that handles token retrieval
- Crafting requests with sequential or guessed token identifiers
- Extracting exposed "ccof" (credit card on file) values from responses
- Potentially using stolen token values for fraudulent transactions
The vulnerability manifests in the get_token_by_id function, where token retrieval occurs without proper ownership validation. Technical implementation details can be found in the WordPress Changeset for WooCommerce, which contains the security fix.
Detection Methods for CVE-2025-13457
Indicators of Compromise
- Unusual patterns of requests to payment token retrieval endpoints
- Sequential or enumeration-style requests targeting token identifiers
- Access attempts to token resources from unauthenticated sessions
- Anomalous spikes in API calls to WooCommerce Square payment endpoints
Detection Strategies
- Monitor web application logs for repeated requests to token-related endpoints with varying identifiers
- Implement rate limiting detection for payment API endpoints to identify enumeration attempts
- Review access logs for unauthenticated requests accessing sensitive payment data
- Deploy Web Application Firewall (WAF) rules to detect IDOR attack patterns
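The first two detection strategies above (repeated requests to a token route with varying identifiers, and spotting enumeration attempts) can be turned into a small log check. The following PHP CLI script is an added example, not part of the advisory or of the plugin: it reads combined-format (Apache/nginx) access logs, groups requests to a token-retrieval route by client address, and alerts when one client asks for more than a threshold of distinct token IDs inside a sliding time window. The route pattern in TOKEN_ROUTE is an assumption about the URL shape, the thresholds are starting points to tune, and the embedded log lines are constructed sample data.

```php
<?php
/**
 * Added example, not part of the advisory: flag enumeration-style access to a
 * token-retrieval route in combined-format (Apache/nginx) access logs.
 * TOKEN_ROUTE is an assumed route shape; change it to whatever route your
 * installation actually serves.
 * Usage: php detect_token_enum.php /var/log/apache2/access.log
 */

const TOKEN_ROUTE           = '#^/wp-json/wc-square/.*/tokens?/(\d+)#'; // assumed route shape
const DISTINCT_ID_THRESHOLD = 5;   // distinct token ids from one client before alerting
const WINDOW_SECONDS        = 300; // sliding window over which distinct ids are counted

// Constructed sample lines, used when no log file is passed on the command line.
function sample_log(): array {
    return [
        '203.0.113.9 - - [12/Jan/2026:10:00:01 +0000] "GET /wp-json/wc-square/v1/tokens/101 HTTP/1.1" 200 312 "-" "curl/8.4.0"',
        '203.0.113.9 - - [12/Jan/2026:10:00:02 +0000] "GET /wp-json/wc-square/v1/tokens/102 HTTP/1.1" 404 88 "-" "curl/8.4.0"',
        '198.51.100.4 - - [12/Jan/2026:10:00:02 +0000] "GET /wp-json/wc/v3/products HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
        '203.0.113.9 - - [12/Jan/2026:10:00:03 +0000] "GET /wp-json/wc-square/v1/tokens/103 HTTP/1.1" 200 311 "-" "curl/8.4.0"',
        '203.0.113.9 - - [12/Jan/2026:10:00:03 +0000] "GET /wp-json/wc-square/v1/tokens/104 HTTP/1.1" 200 315 "-" "curl/8.4.0"',
        '198.51.100.4 - - [12/Jan/2026:10:00:05 +0000] "GET /wp-json/wc-square/v1/tokens/42 HTTP/1.1" 200 309 "-" "Mozilla/5.0"',
        '203.0.113.9 - - [12/Jan/2026:10:00:04 +0000] "GET /wp-json/wc-square/v1/tokens/105 HTTP/1.1" 404 88 "-" "curl/8.4.0"',
        '203.0.113.9 - - [12/Jan/2026:10:00:05 +0000] "GET /wp-json/wc-square/v1/tokens/106 HTTP/1.1" 200 310 "-" "curl/8.4.0"',
    ];
}

/** Parse one combined-format line into ip, unix timestamp, method, path and status (null if unparseable). */
function parse_line(string $line): ?array {
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return ['ip' => $m[1], 'ts' => $ts->getTimestamp(), 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

/**
 * Return [ip => ['distinct_ids' => n, 'first' => ts, 'last' => ts]] for every client that
 * requested at least $threshold distinct token ids within any $window-second span.
 */
function find_enumerators(array $lines, int $threshold = DISTINCT_ID_THRESHOLD, int $window = WINDOW_SECONDS): array {
    $per_ip = [];
    foreach ($lines as $line) {
        $r = parse_line($line);
        if ($r === null || !preg_match(TOKEN_ROUTE, $r['path'], $m)) {
            continue; // not a token-route request, or not a log line we understand
        }
        $per_ip[$r['ip']][] = ['ts' => $r['ts'], 'id' => $m[1]];
    }

    $alerts = [];
    foreach ($per_ip as $ip => $reqs) {
        usort($reqs, fn ($a, $b) => $a['ts'] <=> $b['ts']);
        $in_window = []; // token id => occurrences inside the current window
        $start     = 0;
        foreach ($reqs as $req) {
            $in_window[$req['id']] = ($in_window[$req['id']] ?? 0) + 1;
            // Slide the window start forward until it spans at most $window seconds.
            while ($req['ts'] - $reqs[$start]['ts'] > $window) {
                $old = $reqs[$start]['id'];
                if (--$in_window[$old] === 0) {
                    unset($in_window[$old]);
                }
                $start++;
            }
            $distinct = count($in_window);
            if ($distinct >= $threshold && $distinct > ($alerts[$ip]['distinct_ids'] ?? 0)) {
                $alerts[$ip] = ['distinct_ids' => $distinct, 'first' => $reqs[$start]['ts'], 'last' => $req['ts']];
            }
        }
    }
    return $alerts;
}

$lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : sample_log();
foreach (find_enumerators($lines) as $ip => $a) {
    printf("ALERT %s requested %d distinct token ids between %s and %s\n",
        $ip, $a['distinct_ids'], gmdate('c', $a['first']), gmdate('c', $a['last']));
}
```

On the constructed sample, 203.0.113.9 is reported with 6 distinct IDs in a four-second span while 198.51.100.4 (one token request) is not. Counting distinct identifiers rather than raw request volume is what separates enumeration from a busy but legitimate customer, and 404 responses are deliberately kept in the count because misses are part of an enumeration's footprint.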
Monitoring Recommendations
- Enable detailed logging for all WooCommerce Square plugin API interactions
- Configure alerts for unusual payment token access patterns
- Monitor for failed authorization attempts on payment-related endpoints
- Implement real-time monitoring for access to sensitive Square payment data
How to Mitigate CVE-2025-13457
Immediate Actions Required
- Update WooCommerce Square plugin to the latest patched version immediately
- Review recent access logs for signs of exploitation or unauthorized token access
- Audit all payment transactions for potentially fraudulent activity
- Consider temporarily disabling the plugin if immediate patching is not possible
Patch Information
A security patch addressing this vulnerability is available through the WordPress plugin repository. The fix implements proper authorization validation in the get_token_by_id function to ensure users can only access their own payment tokens. Detailed code changes can be reviewed in the WordPress Changeset for WooCommerce. Additional vulnerability details are available in the Wordfence Vulnerability Report.
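To make the root cause and the shape of the fix concrete, here is an added PHP illustration of the CWE-639 pattern and its hardened counterpart. This is not the WooCommerce Square plugin's code and not the actual changeset: the function names, the REST route, and the table and column names are assumptions chosen for the example. get_current_user_id(), $wpdb->prepare(), register_rest_route(), rest_ensure_response() and WP_Error are standard WordPress APIs.

```php
<?php
/**
 * Added illustration of an authorization-bypass-through-user-controlled-key
 * lookup and the shape a fix takes. NOT the plugin's code: function names,
 * the REST route and the table/column names are assumptions.
 */

// BEFORE (vulnerable shape): the supplied id is the only thing that selects
// the row, so whoever can reach the endpoint can read any stored token.
function example_get_token_by_id_vulnerable( int $token_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'square_tokens'; // assumed table name
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, user_id, ccof FROM {$table} WHERE id = %d", $token_id )
    );
}

// AFTER (hardened shape): the caller must be authenticated, and the row is
// selected by (id, user_id), so a token belonging to another user looks the
// same as a token that does not exist.
function example_get_token_by_id_hardened( int $token_id ) {
    global $wpdb;
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        return new WP_Error( 'square_token_unauthenticated', 'Authentication required.', array( 'status' => 401 ) );
    }
    $table = $wpdb->prefix . 'square_tokens'; // assumed table name
    $row   = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, user_id, ccof FROM {$table} WHERE id = %d AND user_id = %d",
            $token_id,
            $user_id
        )
    );
    if ( null === $row ) {
        // One response for "not yours" and "does not exist": no ownership oracle.
        return new WP_Error( 'square_token_not_found', 'Token not found.', array( 'status' => 404 ) );
    }
    return $row;
}

// Defence in depth at the route layer: the endpoint itself refuses anonymous
// callers, so the ownership check above is the second gate, not the only one.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-square/v1', '/tokens/(?P<id>\d+)', array( // assumed route
        'methods'             => 'GET',
        'permission_callback' => 'is_user_logged_in',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
                'sanitize_callback' => 'absint',
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            $result = example_get_token_by_id_hardened( (int) $request['id'] );
            if ( is_wp_error( $result ) ) {
                return $result; // the 'status' datum becomes the HTTP status code
            }
            // Return a reference to the token, not the raw stored value.
            return rest_ensure_response( array( 'id' => (int) $result->id ) );
        },
    ) );
} );
```

The two properties worth checking in any fix for this class of bug are visible here: the lookup key is bound to the authenticated principal inside the query itself (not checked after the fact in a way that can be skipped), and the response does not distinguish a foreign token from a missing one.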
Workarounds
- Restrict access to WooCommerce Square API endpoints at the web server level using IP allowlists
- Implement additional authentication layers for payment-related functionality
- Deploy a Web Application Firewall (WAF) with rules to detect and block IDOR attempts
- Monitor and rate-limit requests to payment token endpoints
# Example: Restrict access to WooCommerce Square endpoints in Apache (2.4, mod_authz_core)
# Caveat: the path below must match the route your installation actually serves, and if the
# storefront checkout calls these routes an allowlist like this also blocks legitimate customers,
# so use it as a stop-gap until the plugin is updated.
<Location "/wp-json/wc-square/">
    # Several Require directives at one level are OR-ed (implicit RequireAny)
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.