WooCommerce Square <= 5.1.1 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure in get_token_by_id

Wordfence Intelligence   >   Vulnerability Database   >   WooCommerce Square <= 5.1.1 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure in get_token_by_id
7.5
Authorization Bypass Through User-Controlled Key
CVE CVE-2025-13457
CVSS 7.5 (High)
Publicly Published January 9, 2026
Last Updated January 10, 2026
Researcher DityaRA

Description

The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square "ccof" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site.

References

Share

Vulnerability Details for WooCommerce Square

WooCommerce Square

Software Type Plugin
Software Slug woocommerce-square (view on wordpress.org)
Patched? Yes
Remediation Update to one of the following versions, or a newer patched version: 4.2.3, 4.3.2, 4.4.2, 4.5.2, 4.6.4, 4.7.4, 4.8.8, 4.9.9, 5.0.1, 5.1.2
Affected Versions
  • 4.2.0 - 4.2.3 (exclusive)
  • 4.3.0 - 4.3.2 (exclusive)
  • 4.4.0 - 4.4.2 (exclusive)
  • 4.5.0 - 4.5.2 (exclusive)
Expand to see 6 more affected version ranges.
  • 4.6.0 - 4.6.4 (exclusive)
  • 4.7.0 - 4.7.4 (exclusive)
  • 4.8.0 - 4.8.8 (exclusive)
  • 4.9.0 - 4.9.9 (exclusive)
  • 5.0.0 - 5.0.1 (exclusive)
  • 5.1.0 - 5.1.2 (exclusive)
Patched Versions
  • 4.2.3
  • 4.3.2
  • 4.4.2
  • 4.5.2
Expand to see 6 more patched versions.
  • 4.6.4
  • 4.7.4
  • 4.8.8
  • 4.9.9
  • 5.0.1
  • 5.1.2

Recent vulnerabilities in WooCommerce Square

WooCommerce Square <= 3.8.1 - Missing Authorization via multiple AJAX actions
4.3
CVE-2023-35876
Jun 19, 2023
Researcher: Rafie Muhammad
# Title CVE ID CVSS Researchers Date
1 WooCommerce Square <= 3.8.1 - Missing Authorization via multiple AJAX actions CVE-2023-35876 4.3 Rafie Muhammad June 19, 2023
View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

Copyright 2012-2026 Defiant Inc.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

Copyright 1999-2026 The MITRE Corporation

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation