WordPress Security Bulletin: WooCommerce Square Plugin Vulnerability (CVE-2025-13457)


Security Alert Summary

The WooCommerce Square plugin for WordPress contains an insecure direct object reference (IDOR) vulnerability in the get_token_by_id function. According to the CVE entry, missing validation on a user-controlled key can allow unauthenticated attackers to retrieve arbitrary Square “ccof” (credit card on file) values, which could be leveraged to attempt fraudulent charges against affected accounts.


CVE Details

  • CVE ID: CVE-2025-13457
  • Affected component: WooCommerce Square plugin for WordPress
  • Affected versions: All versions up to, and including, 5.1.1
  • Published: January 10, 2026 at 4:15:59 AM (UTC)
  • Last modified: January 10, 2026 at 4:15:59 AM (UTC)
  • CVSS v3.1 (base): 7.5 — HIGH
    Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Authentication / privileges / user interaction: No authentication required; Privileges Required: NONE; User Interaction: NONE (per CVSS data)
  • Primary impact: Confidentiality: HIGH; Integrity: NONE; Availability: NONE
  • CWE / weakness ID: CWE-639

Technical Details

The vulnerability is an Insecure Direct Object Reference (IDOR) in the WooCommerce Square plugin’s get_token_by_id function. The CVE description states that the function fails to validate a user-controlled key, allowing unauthenticated requests to reference and retrieve arbitrary Square “ccof” (credit card on file) values. Because the attacker can obtain these token values without authentication or proper authorization checks, the exposed data may be usable to attempt fraudulent charges via Square if other conditions allow.

No additional function names, REST endpoints, or mitigation details are provided in the CVE entry beyond the get_token_by_id function and the missing validation on the user-controlled key.
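
The weakness class named above (CWE-639), shown as an added illustration that is not the plugin's code. The token store, both lookup functions, and every ID and "ccof" value are hypothetical and constructed for this example. The first function resolves a record from the caller-supplied key alone, and the second binds the record to the authenticated caller.

```php
<?php
declare(strict_types=1);

// Constructed sample data: token records keyed by an opaque ID, each tied to an owner.
// The "ccof:EXAMPLE-*" strings are placeholders, not real Square tokens.
$store = [
    'tok_1' => ['user_id' => 101, 'ccof' => 'ccof:EXAMPLE-AAAA'],
    'tok_2' => ['user_id' => 202, 'ccof' => 'ccof:EXAMPLE-BBBB'],
];

// CWE-639 pattern (hypothetical): the caller-supplied key alone selects the record.
function lookup_token_unchecked(array $store, string $token_id): ?string
{
    return $store[$token_id]['ccof'] ?? null;
}

// Hardened lookup (hypothetical): require an authenticated caller and bind the record to it.
// $current_user_id is 0 for anonymous requests, the convention WordPress's
// get_current_user_id() follows.
function lookup_token_for_user(array $store, string $token_id, int $current_user_id): ?string
{
    if ($current_user_id <= 0) {
        return null; // unauthenticated: never resolve a stored payment token
    }
    $record = $store[$token_id] ?? null;
    if ($record === null || $record['user_id'] !== $current_user_id) {
        return null; // same answer for "missing" and "not yours": no existence oracle
    }
    return $record['ccof'];
}

// Each case is [token ID from the request, authenticated user ID].
$cases = [
    ['tok_2', 0],   // anonymous caller
    ['tok_2', 101], // authenticated, but not the owner
    ['tok_2', 202], // owner
    ['tok_9', 202], // unknown ID
];
foreach ($cases as [$id, $uid]) {
    printf(
        "id=%s uid=%d unchecked=%s checked=%s\n",
        $id,
        $uid,
        var_export(lookup_token_unchecked($store, $id), true),
        var_export(lookup_token_for_user($store, $id, $uid), true)
    );
}
```

Only the owner case returns a value from the checked lookup, while the unchecked lookup returns the stored value for every caller that supplies an existing ID.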


How This Could Impact Your Website

Consider a small ecommerce site using WooCommerce and the Square extension with several user roles: a site owner, internal store managers, and external contractors who may help manage products or orders. If an unauthenticated attacker is able to exploit this IDOR, they could retrieve stored Square “ccof” tokens linked to customer payment methods. This increases the risk of targeted financial fraud against customers and may also expose sensitive payment-related data that creates regulatory or reputational risk for the site owner.

Practical consequences include disclosure of payment-related token data and an increased chance of successful phishing or social engineering targeted at customers whose payment information is partially exposed. The vulnerability, as described, affects confidentiality primarily and does not indicate direct integrity or availability impacts in the CVE data.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available (fixed version is not specified in this CVE entry).
  • Temporarily limit or review access to payment-related settings and tokens for non-administrative users until the plugin is updated.
  • Review and reduce unnecessary user roles, especially contributor-level or external accounts that do not require access to payment data.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce overall attack surface.
  • Monitor site activity and payment logs for unusual access patterns or attempts to use exposed tokens.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

