According to Roger Montti’s article on Search Engine Journal, “WooCommerce WordPress Plugin Exploit Enables Fraudulent Charges,” a serious security vulnerability has been discovered in the WooCommerce Square WordPress plugin, potentially impacting over 80,000 installations and allowing attackers to carry out fraudulent credit card charges.
Vulnerability Overview
Montti reports that the flaw allows unauthenticated attackers to retrieve references to payment cards that customers have stored on file and potentially use them to make unauthorized charges. The issue affects the WooCommerce Square plugin, which merchants widely use to accept payments through Square and to synchronize products and inventory between Square and WooCommerce.
The plugin supports multiple payment options, including Apple Pay, Google Pay, WooCommerce Subscriptions, and Pre-Orders, making the vulnerability particularly concerning for e-commerce sites handling customer payment data.
Root Cause: Insecure Direct Object Reference (IDOR)
The vulnerability is an Insecure Direct Object Reference (IDOR). An IDOR occurs when an application exposes internal object identifiers, such as database IDs passed in URLs or request parameters, and then acts on a caller-supplied identifier without verifying that the requester is authorized to access the referenced object. Requiring a login alone does not close the hole; the check has to tie the object to the requester.
According to Wordfence, all versions of the plugin up to and including 5.1.1 are affected because of a missing validation check on a user-controlled parameter in the get_token_by_id function. By manipulating that parameter, an attacker can retrieve Square “ccof” values (card-on-file references) belonging to other customers and then abuse them to carry out fraudulent transactions.
Crucially, exploitation requires no authentication, which significantly lowers the bar for attackers.
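The lookup pattern behind an IDOR of this kind, as an added illustration that is not the WooCommerce Square plugin's code and not Wordfence's or Montti's: the token store, the request parameter, and the function names get_token_by_id_vulnerable and get_token_by_id_fixed are assumptions made for the example. The vulnerable version resolves a caller-supplied ID straight to a stored card-on-file reference; the fixed version refuses unauthenticated callers and returns nothing unless the record belongs to the requester.

```php
<?php
// Added example illustrating the IDOR pattern described in the text.
// This is NOT the WooCommerce Square plugin's code. The token store,
// the functions get_token_by_id_vulnerable / get_token_by_id_fixed and
// the request parameter "token_id" are assumptions for the example.

declare(strict_types=1);

// Constructed sample data standing in for stored card-on-file ("ccof")
// references. Each row belongs to exactly one customer (user_id).
const TOKEN_STORE = [
    101 => ['user_id' => 7, 'ccof' => 'ccof:AAAA-customer7'],
    102 => ['user_id' => 9, 'ccof' => 'ccof:BBBB-customer9'],
    103 => ['user_id' => 7, 'ccof' => 'ccof:CCCC-customer7'],
];

/**
 * Vulnerable: resolves a caller-supplied ID directly to the stored record.
 * Anyone who can reach this code path can walk the ID space and read
 * every customer's card-on-file reference.
 */
function get_token_by_id_vulnerable(int $token_id): ?array
{
    return TOKEN_STORE[$token_id] ?? null;
}

/**
 * Fixed: require an authenticated caller and bind the lookup to that
 * caller's identity. A token that exists but belongs to someone else is
 * treated exactly like a token that does not exist, so the response
 * leaks nothing about other customers' token IDs.
 */
function get_token_by_id_fixed(int $token_id, ?int $current_user_id): ?array
{
    if ($current_user_id === null) {
        return null; // unauthenticated request: no lookup at all
    }
    $token = TOKEN_STORE[$token_id] ?? null;
    if ($token === null || $token['user_id'] !== $current_user_id) {
        return null; // missing, or not owned by the requester
    }
    return $token;
}

// Simulate the request parameter arriving as a string from the query
// string and an attacker with no session enumerating IDs.
$ids = array_map('intval', ['101', '102', '103']);

echo "Vulnerable lookup, unauthenticated attacker:\n";
foreach ($ids as $id) {
    $t = get_token_by_id_vulnerable($id);
    printf("  token %d -> %s\n", $id, $t['ccof'] ?? 'none');
}

echo "Fixed lookup, unauthenticated attacker:\n";
foreach ($ids as $id) {
    $t = get_token_by_id_fixed($id, null);
    printf("  token %d -> %s\n", $id, $t['ccof'] ?? 'none');
}

echo "Fixed lookup, logged in as customer 7:\n";
foreach ($ids as $id) {
    $t = get_token_by_id_fixed($id, 7);
    printf("  token %d -> %s\n", $id, $t['ccof'] ?? 'none');
}
```

Run it with `php idor_example.php`: the vulnerable path prints all three ccof values for a caller with no session, the fixed path prints none for that caller, and customer 7 sees only tokens 101 and 103. In a real WordPress/WooCommerce handler the same shape is is_user_logged_in() plus a comparison of the token's get_user_id() (from WC_Payment_Tokens::get()) against get_current_user_id(); those are real WordPress and WooCommerce APIs, but whether the plugin's actual fix takes exactly that form is not stated on this page.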
Severity and Fixes
The vulnerability carries a CVSS score of 7.5 (High), reflecting a remotely exploitable flaw that needs no authentication; the score stops short of the Critical range because of limiting factors in how it was assessed.
Patched releases have been published for each supported branch of the plugin. Montti notes that site owners are protected once they are running one of the following versions, or a newer release of the same branch:
4.2.3
4.3.2
4.4.2
4.5.2
4.6.4
4.7.4
4.8.8
4.9.9
5.0.1
5.1.2
What Site Owners Should Do
WooCommerce merchants using the Square plugin are strongly advised to update to a patched version immediately. Leaving the plugin unpatched could expose stored payment data, leading to financial losses, chargebacks, and reputational damage. Because patching stops further abuse but does not undo charges already made, merchants should also review recent Square transactions for charges they cannot account for.
As Montti’s reporting highlights, unauthenticated IDOR vulnerabilities remain one of the most dangerous classes of web security flaws, especially when they involve payment systems and customer credit card data.