CVE-2025-13457: CWE-639 Authorization Bypass Through User-Controlled Key in woocommerce WooCommerce Square
The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square "ccof" (credit card on file) values and leverage these values to potentially make fraudulent charges on the target site.
AI Analysis
Technical Summary
CVE-2025-13457 is an authorization bypass vulnerability categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the WooCommerce Square plugin for WordPress. The vulnerability exists in all versions up to and including 5.1.1 due to insufficient validation in the get_token_by_id function. This function accepts a user-controlled key parameter that is not properly validated, allowing unauthenticated attackers to perform Insecure Direct Object Reference (IDOR) attacks. By manipulating this key, attackers can retrieve arbitrary Square 'ccof' (credit card on file) tokens associated with other users or customers. These tokens represent stored payment credentials that can be leveraged to make fraudulent charges on the affected WooCommerce site. The vulnerability does not require any authentication or user interaction, making it easier to exploit remotely over the network. The CVSS v3.1 base score is 7.5, reflecting high confidentiality impact but no impact on integrity or availability. Although no known exploits are currently reported in the wild, the potential for financial fraud and data exposure is significant. The vulnerability affects a wide range of WooCommerce Square versions from 4.2.0 through 5.1.0, which are commonly used in WordPress e-commerce deployments. The lack of patch links suggests that fixes may be pending or not yet publicly released, emphasizing the need for vigilance and interim mitigations.
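As an added illustration, not code from the WooCommerce Square plugin (the store, function names and parameters are hypothetical), the following Python models the CWE-639 pattern the analysis describes, a lookup whose only input is a caller-supplied key, next to the owner-bound lookup that closes it:

```python
"""Model of the CWE-639 pattern and an owner-bound lookup (hypothetical names)."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CardOnFile:
    token_id: str      # key the caller supplies (constructed sample values)
    customer_id: int   # customer who stored the card
    ccof: str          # Square card-on-file token: the sensitive value

# Constructed sample store keyed by a short, sequential id that is easy to guess.
TOKENS = {
    "1": CardOnFile("1", customer_id=10, ccof="ccof:AAAA-1111"),
    "2": CardOnFile("2", customer_id=11, ccof="ccof:BBBB-2222"),
}

class NotAuthorized(Exception):
    pass

def get_token_by_id_vulnerable(token_id: str) -> Optional[str]:
    """The key is the only input, so any caller can read any record."""
    rec = TOKENS.get(token_id)
    return rec.ccof if rec else None

def get_token_by_id_fixed(token_id: str, current_customer: Optional[int]) -> str:
    """Require an authenticated customer and bind the lookup to the record's owner."""
    if current_customer is None:
        raise NotAuthorized("authentication required")
    rec = TOKENS.get(token_id)
    # One error for 'missing' and 'not yours', so callers cannot learn which
    # ids exist by observing different responses.
    if rec is None or rec.customer_id != current_customer:
        raise NotAuthorized("token not found for this customer")
    return rec.ccof

def lookup_outcome(token_id: str, current_customer: Optional[int]) -> str:
    """Convenience wrapper for checks: the token on success, or 'denied'."""
    try:
        return get_token_by_id_fixed(token_id, current_customer)
    except NotAuthorized:
        return "denied"
```

The fixed variant also illustrates why the key itself should be unguessable: even with the owner check, sequential ids leak how many records exist, so a random opaque identifier is the better design.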
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of stored payment information and the financial integrity of their e-commerce operations. Unauthorized access to Square credit card on file tokens can lead to fraudulent transactions, financial losses, chargebacks, and reputational damage. Given the widespread use of WooCommerce in Europe, especially among small to medium-sized online retailers, exploitation could disrupt business operations and erode customer trust. The vulnerability does not affect system availability or data integrity directly but compromises sensitive payment data confidentiality. Regulatory implications under GDPR are also critical, as exposure of payment data constitutes a personal data breach requiring notification and potential penalties. The ease of exploitation without authentication or user interaction increases the threat level, making it attractive for financially motivated attackers. Organizations relying on WooCommerce Square for payment processing must consider this vulnerability a high priority to address to avoid financial and compliance repercussions.
Mitigation Recommendations
1. Monitor official WooCommerce and Square plugin channels for security patches addressing CVE-2025-13457 and apply updates immediately upon release.
2. Until patches are available, implement strict access controls on the get_token_by_id API endpoint, such as IP whitelisting or requiring authentication tokens to restrict access.
3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests attempting to manipulate user-controlled keys or access unauthorized tokens.
4. Conduct thorough logging and monitoring of API calls related to payment token retrieval to identify anomalous patterns indicative of exploitation attempts.
5. Review and audit all third-party plugins and integrations to ensure they follow secure coding practices, especially regarding authorization checks.
6. Educate development and security teams about the risks of IDOR vulnerabilities and enforce secure coding standards to prevent similar issues.
7. Consider temporarily disabling the WooCommerce Square plugin if immediate patching is not feasible and alternative payment methods are available.
8. Prepare incident response plans specifically for payment data breaches, including customer notification procedures and coordination with payment processors.
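The logging-and-monitoring recommendation above, as an added example that is not part of this advisory: the endpoint path, the log lines and the thresholds are constructed and hypothetical. The detector parses combined-format access logs and flags any source address that requests many distinct token ids within a short window, the access pattern an IDOR enumeration of a token endpoint would produce:

```python
"""Flag token-id enumeration against a payment-token endpoint in access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format lines; the endpoint path is hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:03:40:01 +0000] "GET /wc-api/square/token?id=1 HTTP/1.1" 200 312
203.0.113.7 - - [10/Jan/2026:03:40:02 +0000] "GET /wc-api/square/token?id=2 HTTP/1.1" 200 310
203.0.113.7 - - [10/Jan/2026:03:40:02 +0000] "GET /wc-api/square/token?id=3 HTTP/1.1" 200 309
203.0.113.7 - - [10/Jan/2026:03:40:03 +0000] "GET /wc-api/square/token?id=4 HTTP/1.1" 200 311
203.0.113.7 - - [10/Jan/2026:03:40:04 +0000] "GET /wc-api/square/token?id=5 HTTP/1.1" 200 308
198.51.100.9 - - [10/Jan/2026:03:41:10 +0000] "GET /wc-api/square/token?id=42 HTTP/1.1" 200 315
198.51.100.9 - - [10/Jan/2026:03:55:10 +0000] "GET /wc-api/square/token?id=42 HTTP/1.1" 200 315
198.51.100.9 - - [10/Jan/2026:03:55:12 +0000] "GET /checkout/ HTTP/1.1" 200 9120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TOKEN_PATH = "/wc-api/square/token"  # hypothetical endpoint to watch
WINDOW = timedelta(seconds=60)       # sliding window per source address
THRESHOLD = 4                        # distinct ids per source within WINDOW

def parse(line):
    """Return (ip, timestamp, token id) for a token-endpoint request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m["target"])
    if parts.path != TOKEN_PATH:
        return None
    ids = parse_qs(parts.query).get("id", [])
    return m["ip"], ts, (ids[0] if ids else None)

def find_enumerators(log_text):
    """Map each flagged source ip to the distinct-id count that tripped it."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] is not None:
            per_ip[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ids = {tid for t, tid in events[i:] if t - t0 <= WINDOW}
            if len(ids) >= THRESHOLD:
                flagged[ip] = len(ids)
                break
    return flagged
```

A legitimate customer re-reading their own stored card (198.51.100.9 above) touches one id and is not flagged; the rapid walk over ids 1 to 5 is.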
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-19T20:13:41.577Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6961cb1719784dcf52be20ce
Added to database: 1/10/2026, 3:44:23 AM
Last enriched: 1/17/2026, 7:54:22 AM
Last updated: 2/4/2026, 1:30:25 AM