CVE-2025-13457: CWE-639 Authorization Bypass Through User-Controlled Key in woocommerce WooCommerce Square
The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square "ccof" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site.
AI Analysis
Technical Summary
CVE-2025-13457 is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and affects the WooCommerce Square plugin for WordPress in all versions up to and including 5.1.1. The flaw is in the get_token_by_id function, which looks up a stored Square "ccof" (credit card on file) value by a key the caller supplies and does not check that the caller is entitled to that record. This is a classic Insecure Direct Object Reference (IDOR): an unauthenticated attacker who can reach the code path only has to supply a different key to retrieve a token that belongs to another customer.

The exposed values are stored payment references, so an attacker who obtains one can potentially place fraudulent charges on the target site without compromising any user account. The vulnerability is reachable over the network with no authentication and no user interaction. The CVSS v3.1 score of 7.5 reflects a high confidentiality impact with no direct integrity or availability impact; the fraud a leaked token enables is a downstream consequence rather than a direct effect of the flaw, which is why the vector does not score it.

No patch was linked at the time of disclosure, and no in-the-wild exploitation has been reported, but the combination of unauthenticated access and direct financial value makes this an attractive target. The plugin is widely deployed on WordPress e-commerce sites, including across Europe, which amplifies the exposed surface. Until a fixed version is available, defenders should monitor requests that reach the vulnerable code path and, where possible, restrict that path to authenticated users.
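As an added illustration, not code from the WooCommerce Square plugin (whose implementation this advisory does not show), the following PHP contrasts the lookup pattern the advisory describes with a version that ties the lookup to the authenticated caller. It assumes tokens are kept in WooCommerce's core WC_Payment_Tokens store, a gateway id of 'example_square', a nonce action 'example_square_token' and a query parameter 'token_id'; all of these are assumptions made for the example.

```php
<?php
// Added illustrative example; this is not code from the WooCommerce Square
// plugin. It contrasts the CWE-639 / IDOR pattern the advisory describes
// (a lookup keyed only on a caller-supplied id) with a version that binds the
// lookup to the authenticated caller. It assumes tokens are stored through
// WooCommerce's core WC_Payment_Tokens API and that the gateway id is
// 'example_square'; both are assumptions for the example, not facts about
// the plugin.

/**
 * Vulnerable pattern: whoever supplies an id gets the stored token.
 * No authentication check, no ownership check, no gateway check.
 */
function example_vulnerable_get_token_by_id( $token_id ) {
    $token = WC_Payment_Tokens::get( absint( $token_id ) );
    return $token ? $token->get_token() : null;
}

/**
 * Hardened pattern: authenticate, validate the id, then require that the
 * record belongs to the current user and to this gateway.
 *
 * @return string|WP_Error The stored token, or an error the caller must return
 *                         to the client instead of a token.
 */
function example_hardened_get_token_by_id( $token_id ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'not_authenticated', 'Authentication required.', array( 'status' => 401 ) );
    }

    $token_id = absint( $token_id );
    if ( 0 === $token_id ) {
        return new WP_Error( 'invalid_id', 'Invalid token id.', array( 'status' => 400 ) );
    }

    $token = WC_Payment_Tokens::get( $token_id );

    // Treat "missing", "someone else's" and "wrong gateway" identically so a
    // probing client cannot use the response to map out which ids exist.
    if ( ! $token
        || (int) $token->get_user_id() !== get_current_user_id()
        || 'example_square' !== $token->get_gateway_id() ) {
        return new WP_Error( 'not_found', 'Token not found.', array( 'status' => 404 ) );
    }

    return $token->get_token();
}

/**
 * Example AJAX handler built on the hardened lookup. A WP_Error must never be
 * echoed as if it were a token. The nonce action name is hypothetical.
 */
function example_handle_token_request() {
    check_ajax_referer( 'example_square_token', 'nonce' );
    $result = example_hardened_get_token_by_id( isset( $_GET['token_id'] ) ? $_GET['token_id'] : 0 );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), $result->get_error_data()['status'] );
    }
    wp_send_json_success( array( 'token' => $result ) );
}

// Register only the logged-in hook. Deliberately no 'wp_ajax_nopriv_' variant:
// an anonymous caller must not be able to reach the lookup at all.
add_action( 'wp_ajax_example_square_token', 'example_handle_token_request' );
```

The ownership check is the part the advisory says is missing: validating that the key is well-formed is not enough, the code must confirm that the specific object the key names belongs to the caller. In practice a raw stored token should rarely be sent to the browser at all; the server uses it to charge and returns only a masked card summary, which further limits what a disclosure bug of this kind can leak.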
Potential Impact
For European organizations this vulnerability primarily threatens the confidentiality of stored payment credentials, and through them opens the door to unauthorized transactions and fraud. E-commerce businesses that process payments with WooCommerce Square could face direct financial losses, reputational damage and regulatory penalties under GDPR for exposing customer payment data. Because exploitation requires neither authentication nor user interaction, the barrier for attackers is low and the likelihood of exploitation correspondingly high. Consequences include loss of customer trust, chargebacks and legal liability, as well as closer scrutiny from payment card industry (PCI) compliance auditors. High-volume online retailers and marketplaces in Europe, where digital payments are prevalent, are the most exposed. The flaw does not directly affect system integrity or availability, but it undermines the one property stored payment methods depend on: that only their rightful owner can use them.
Mitigation Recommendations
1. Monitor the official WooCommerce and Square plugin channels for a release that addresses CVE-2025-13457 and update as soon as it is available; the affected range is all versions up to and including 5.1.1.
2. Until a fixed version is available, add web application firewall (WAF) rules for the HTTP endpoint(s) that reach get_token_by_id: rate-limit them per client and block requests whose key parameter is malformed or cycles through many distinct values.
3. Where the endpoint is not needed by anonymous shoppers, restrict it by IP allow-list or require authentication in front of it (for example at the reverse proxy), even though the plugin does not enforce this itself.
4. Audit stored payment tokens and transaction logs for token retrievals or charges that do not correspond to a legitimate customer session.
5. Use anomaly detection to flag unusual payment activity and token-retrieval patterns, in particular one client requesting many distinct token ids in a short period.
6. Train development and security teams on IDOR risks and enforce secure coding practices, above all checking that the caller is authorized for the specific object a user-controlled key refers to, not merely that the key is well-formed.
7. If the risk outweighs operational needs, temporarily disable the WooCommerce Square plugin until a fixed version is deployed.
8. Work with your payment processor to watch for suspicious transactions and prepare an incident response plan specific to payment fraud.
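Item 5 above is easiest to act on with a concrete enumeration check. The PHP below is an added example, not part of the advisory or of the plugin: it parses constructed access-log lines and reports any client that fetched five or more distinct token ids from one endpoint within sixty seconds. The endpoint path '/example-square/token' and the parameter name 'token_id' are assumptions; use the request shape your own site exposes.

```php
<?php
// Added detection example; not part of the advisory and not code from the
// plugin. It scans access-log lines for one client retrieving many distinct
// token ids from a single endpoint within a short window, the enumeration
// pattern an IDOR like this invites. The endpoint path and the query parameter
// name are assumptions; substitute the request shape seen on your own site.
// The log lines are constructed for this example.

const TOKEN_PATH   = '/example-square/token';   // hypothetical endpoint
const TOKEN_PARAM  = 'token_id';                // hypothetical parameter
const WINDOW_SECS  = 60;                        // sliding window per client
const MAX_DISTINCT = 5;                         // distinct ids per window before alerting

$log_lines = array(
    '203.0.113.7 - - [10/Jan/2026:03:44:01 +0000] "GET /example-square/token?token_id=101 HTTP/1.1" 200 312',
    '203.0.113.7 - - [10/Jan/2026:03:44:02 +0000] "GET /example-square/token?token_id=102 HTTP/1.1" 200 310',
    '198.51.100.4 - - [10/Jan/2026:03:44:03 +0000] "GET /example-square/token?token_id=555 HTTP/1.1" 200 311',
    '203.0.113.7 - - [10/Jan/2026:03:44:04 +0000] "GET /example-square/token?token_id=104 HTTP/1.1" 200 309',
    '203.0.113.7 - - [10/Jan/2026:03:44:05 +0000] "GET /example-square/token?token_id=999 HTTP/1.1" 403 0',
    '192.0.2.9 - - [10/Jan/2026:03:44:06 +0000] "GET /shop/ HTTP/1.1" 200 8431',
    '203.0.113.7 - - [10/Jan/2026:03:44:07 +0000] "GET /example-square/token?token_id=105 HTTP/1.1" 200 308',
    '198.51.100.4 - - [10/Jan/2026:03:44:20 +0000] "GET /example-square/token?token_id=555 HTTP/1.1" 200 311',
    '203.0.113.7 - - [10/Jan/2026:03:44:03 +0000] "GET /example-square/token?token_id=103 HTTP/1.1" 200 310',
);

/**
 * Returns ip => array('distinct_ids' => n, 'window_start' => unix_ts) for every
 * client that fetched MAX_DISTINCT or more distinct ids within WINDOW_SECS.
 */
function find_enumerators( array $lines ) {
    $pattern = '#^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})#';
    $events  = array(); // ip => list of array(timestamp, id)

    foreach ( $lines as $line ) {
        if ( ! preg_match( $pattern, $line, $m ) ) {
            continue;
        }
        list( , $ip, $ts, $target, $status ) = $m;
        $url = parse_url( $target );
        // Only successful hits on the token endpoint count: a 403 means the
        // request never reached the lookup.
        if ( ( isset( $url['path'] ) ? $url['path'] : '' ) !== TOKEN_PATH || '200' !== $status ) {
            continue;
        }
        parse_str( isset( $url['query'] ) ? $url['query'] : '', $q );
        if ( ! isset( $q[ TOKEN_PARAM ] ) ) {
            continue;
        }
        $t = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $ts );
        if ( false === $t ) {
            continue;
        }
        $events[ $ip ][] = array( $t->getTimestamp(), (string) $q[ TOKEN_PARAM ] );
    }

    $alerts = array();
    foreach ( $events as $ip => $list ) {
        // Logs are not always in time order; sort before sliding the window.
        usort( $list, function ( $a, $b ) { return $a[0] - $b[0]; } );
        $start = 0;
        for ( $end = 0, $n = count( $list ); $end < $n; $end++ ) {
            // Advance the window start until it spans at most WINDOW_SECS.
            while ( $list[ $end ][0] - $list[ $start ][0] > WINDOW_SECS ) {
                $start++;
            }
            $ids = array_unique( array_column( array_slice( $list, $start, $end - $start + 1 ), 1 ) );
            if ( count( $ids ) >= MAX_DISTINCT ) {
                $alerts[ $ip ] = array( 'distinct_ids' => count( $ids ), 'window_start' => $list[ $start ][0] );
                break;
            }
        }
    }
    return $alerts;
}

foreach ( find_enumerators( $log_lines ) as $ip => $info ) {
    printf( "ALERT %s requested %d distinct %s values within %d seconds (from %s)\n",
        $ip, $info['distinct_ids'], TOKEN_PARAM, WINDOW_SECS, gmdate( 'c', $info['window_start'] ) );
}
```

On the constructed lines only 203.0.113.7 is reported: its five successful requests carry five different ids, while 198.51.100.4 retrieves the same id twice (a retry, not enumeration) and the 403 request is ignored because it never reached the lookup. Counting distinct ids rather than raw request volume is what separates an IDOR sweep from a busy legitimate client.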
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-19T20:13:41.577Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6961cb1719784dcf52be20ce
Added to database: 1/10/2026, 3:44:23 AM
Last enriched: 1/10/2026, 3:58:54 AM
Last updated: 1/10/2026, 9:13:36 PM