CVE-2025-13457

Name of the Vulnerable Software and Affected Versions WooCommerce Square versions prior to 5.1.2

Description The WooCommerce Square plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This is due to a lack of validation on a user-controlled key within the get token by id function. An unauthenticated attacker can exploit this to reveal arbitrary Square “ccof” (credit card on file) values. This exposed value could potentially be used to make unauthorized charges on the affected site.

Recommendations Update WooCommerce Square to version 5.1.2 or later.