CVE-2025-13457: CWE-639 Authorization Bypass Through User-Controlled Key in woocommerce WooCommerce Square
The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square "ccof" (credit card on file) values and leverage those values to potentially make fraudulent charges on the target site.
AI Analysis
Technical Summary
CVE-2025-13457 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the WooCommerce Square plugin for WordPress. The vulnerability exists in all versions up to and including 5.1.1, specifically in the get_token_by_id function. This function fails to properly validate the user-supplied key parameter, which is used to retrieve Square credit card on file (ccof) tokens. Due to this lack of validation, an unauthenticated attacker can manipulate the key to access arbitrary ccof tokens belonging to other users. These tokens represent stored credit card information used for payment processing via Square. By obtaining these tokens, attackers can potentially initiate fraudulent transactions without needing to compromise user credentials or perform complex attacks. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. The CVSS v3.1 score is 7.5 (high), reflecting the ease of exploitation and the critical confidentiality impact. Although no public exploits have been reported yet, the vulnerability poses a significant threat to the integrity of payment data and trust in affected e-commerce platforms. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for immediate attention from site administrators.
Potential Impact
The primary impact of CVE-2025-13457 is the exposure of sensitive payment tokens (ccof) stored by the WooCommerce Square plugin, which can lead to unauthorized financial transactions and fraudulent charges. This compromises the confidentiality of customer payment data and can severely damage the reputation and financial standing of affected organizations. Since the vulnerability allows unauthenticated remote access, attackers can exploit it at scale, potentially affecting large numbers of customers. The integrity of payment processing is at risk, though availability is not directly impacted. Organizations may face regulatory penalties for failing to protect payment information, especially under data protection laws such as GDPR or PCI DSS requirements. The financial losses and erosion of customer trust could be substantial, particularly for businesses heavily reliant on WooCommerce and Square for online payments. Additionally, the vulnerability could be leveraged as a stepping stone for further attacks or fraud schemes targeting e-commerce ecosystems.
Mitigation Recommendations
To mitigate CVE-2025-13457, organizations should immediately upgrade the WooCommerce Square plugin to a patched version once available. Until a patch is released, administrators should implement strict access controls and input validation on the get_token_by_id function to ensure that user-supplied keys are authorized and correspond only to the requesting user’s tokens. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable endpoint can reduce exploitation risk. Monitoring logs for unusual access patterns or repeated attempts to access ccof tokens is critical for early detection. Additionally, organizations should review and tighten API permissions and consider disabling the Square integration temporarily if feasible. Conducting a thorough audit of stored payment tokens and transaction logs can help identify any fraudulent activity. Finally, educating development teams about secure coding practices related to authorization checks and direct object references will help prevent similar vulnerabilities in the future.
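The following is an added, self-contained illustration of the CWE-639 pattern the advisory describes and of two of the defences it recommends (binding a user-controlled key to the requesting user, and monitoring logs for key enumeration). It is hypothetical example code written for this page, not the WooCommerce Square plugin's code: the in-memory token store, the function names, the constructed token ids and "ccof" values, and the access-log format are all assumptions made for the example.

```python
"""Illustration of CWE-639 (authorization bypass through a user-controlled key)
and its mitigation. Hypothetical example code; not the WooCommerce Square
plugin's implementation."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CardOnFile:
    token_id: str
    owner_user_id: int
    ccof: str  # opaque card-on-file reference; constructed sample value


class AuthorizationError(Exception):
    """Raised when a caller is not allowed to read the requested token."""


# Constructed sample store: three tokens belonging to two different customers.
TOKENS = {
    "tok_1001": CardOnFile("tok_1001", 7, "ccof:AAAA"),
    "tok_1002": CardOnFile("tok_1002", 7, "ccof:BBBB"),
    "tok_1003": CardOnFile("tok_1003", 42, "ccof:CCCC"),
}


def get_token_by_id_vulnerable(token_id):
    """IDOR pattern: the caller-supplied key is the only thing consulted, so any
    caller, logged in or not, can read any stored token."""
    return TOKENS.get(token_id)


def get_token_by_id_hardened(token_id, requesting_user_id):
    """Require an authenticated caller and bind the lookup to that caller's own
    records. 'Missing' and 'not yours' fail identically so the response does not
    reveal whether a given token id exists."""
    if requesting_user_id is None:
        raise AuthorizationError("authentication required")
    record = TOKENS.get(token_id)
    if record is None or record.owner_user_id != requesting_user_id:
        raise AuthorizationError("token not found")
    return record


def attempt_lookup(token_id, requesting_user_id):
    """Convenience wrapper returning 'ok' or 'denied' for the hardened lookup."""
    try:
        get_token_by_id_hardened(token_id, requesting_user_id)
        return "ok"
    except AuthorizationError:
        return "denied"


# Constructed access-log lines (assumed format; user=- means no logged-in user).
SAMPLE_LOG = """\
2026-01-10T03:44:23Z src=203.0.113.5 user=- token_id=tok_1001 result=200
2026-01-10T03:44:24Z src=203.0.113.5 user=- token_id=tok_1002 result=200
2026-01-10T03:44:25Z src=203.0.113.5 user=- token_id=tok_1003 result=200
2026-01-10T03:44:26Z src=203.0.113.5 user=- token_id=tok_1004 result=404
2026-01-10T03:50:00Z src=198.51.100.9 user=7 token_id=tok_1001 result=200
"""

LOG_RE = re.compile(
    r"src=(?P<src>\S+) user=(?P<user>\S+) token_id=(?P<tid>\S+) result=(?P<res>\d+)"
)


def find_enumeration(log_text, threshold=3):
    """Return {source: distinct token ids requested} for sources that, with no
    logged-in user, touched at least `threshold` distinct token ids. A single
    anonymous source walking through many keys is the signature to alert on."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["user"] != "-":
            continue
        seen[m["src"]].add(m["tid"])
    return {src: len(ids) for src, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    # Vulnerable lookup hands out another customer's token to an anonymous caller.
    print("vulnerable:", get_token_by_id_vulnerable("tok_1003"))
    # Hardened lookup: own token ok, someone else's token denied, anonymous denied.
    print("own token:", attempt_lookup("tok_1001", 7))
    print("other's token:", attempt_lookup("tok_1003", 7))
    print("anonymous:", attempt_lookup("tok_1001", None))
    print("enumeration suspects:", find_enumeration(SAMPLE_LOG))
```

The ownership check is the fix that matters: a token id coming from the request is never sufficient on its own, and the record's owner must match the authenticated caller. The log check is a coarse detection heuristic for the enumeration that makes this class of bug exploitable at scale; in a real deployment the threshold and the time window would be tuned to the site's traffic.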
Affected Countries
United States, Canada, United Kingdom, Australia, Germany, France, Japan, Brazil, India, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-19T20:13:41.577Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6961cb1719784dcf52be20ce
Added to database: 1/10/2026, 3:44:23 AM
Last enriched: 2/27/2026, 9:53:21 AM
Last updated: 3/24/2026, 6:28:27 AM
Views: 314