WooCommerce Square Unauthenticated Insecure Direct Object Reference Vulnerability

Vulnerability

A vulnerability exists in the WooCommerce Square plugin for WordPress, affecting all versions up to and including 5.1.1. The 'get_token_by_id' function does not validate that the user-controlled key it receives belongs to the requester, an Insecure Direct Object Reference (IDOR). Unauthenticated attackers can therefore retrieve arbitrary Square 'ccof' (credit card on file) values, which could be used to make fraudulent charges on the targeted site.

Impact

Exploitation of this vulnerability gives an attacker unauthorized access to sensitive payment data, specifically Square credit card on file values, which could then be used for fraudulent transactions on the targeted site.

Reproduction

The vulnerability can be reproduced by sending a request for the 'wp_ajax_wc_square_get_token_by_id' action to the WordPress site without being logged in, supplying a token ID that corresponds to a Square credit card on file value. The user-controlled key is not tied to the requesting user, so the nonce verification does not stop the request. Note that a WordPress nonce is a CSRF token, not an authorization check: even when the nonce verifies, the handler must still confirm that the referenced token belongs to the requester.
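The following is an added illustration of the IDOR pattern described above, not code from the WooCommerce Square plugin: an admin-ajax handler that returns a stored payment token looked up purely by a request-supplied ID, placed beside a hardened version that requires a session and checks ownership. Hook names, the 'token_id' parameter and the nonce action are hypothetical; the handler is registered on both the logged-in and nopriv hooks to model an action reachable without a session, which is an assumption about wiring that the advisory does not state. The WooCommerce calls used (WC_Payment_Tokens::get, get_user_id, get_token, get_last4) are real WooCommerce core APIs.

```php
<?php
// Added illustration, not the plugin's code. Hook names, the 'token_id'
// parameter and the nonce action 'example_get_token' are hypothetical.

// --- Vulnerable pattern --------------------------------------------------------
// Registered for logged-in users (wp_ajax_) AND anonymous visitors (wp_ajax_nopriv_),
// so the handler is reachable with no session at all.
add_action( 'wp_ajax_example_get_token_by_id',        'example_get_token_by_id_vulnerable' );
add_action( 'wp_ajax_nopriv_example_get_token_by_id', 'example_get_token_by_id_vulnerable' );

function example_get_token_by_id_vulnerable() {
    // The nonce only proves the request originated from a page this site rendered;
    // it says nothing about whether the caller owns the token being requested.
    check_ajax_referer( 'example_get_token', 'security' );

    $token_id = isset( $_POST['token_id'] ) ? absint( $_POST['token_id'] ) : 0;

    // Direct object reference: any token ID resolves, regardless of who asks.
    $token = $token_id ? WC_Payment_Tokens::get( $token_id ) : null;
    if ( ! $token ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Leaks the stored gateway token (the 'ccof' value in the advisory's terms).
    wp_send_json_success( array( 'ccof' => $token->get_token() ) );
}

// --- Hardened pattern ----------------------------------------------------------
// No wp_ajax_nopriv_ registration: an anonymous visitor has no stored tokens to fetch.
add_action( 'wp_ajax_example_get_token_by_id', 'example_get_token_by_id_hardened' );

function example_get_token_by_id_hardened() {
    check_ajax_referer( 'example_get_token', 'security' );

    // Authentication: the caller must have a WordPress session.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $token_id = isset( $_POST['token_id'] ) ? absint( $_POST['token_id'] ) : 0;
    $token    = $token_id ? WC_Payment_Tokens::get( $token_id ) : null;

    // Authorization: the referenced object must belong to the caller.
    // Returning 404 for both "missing" and "not yours" avoids confirming that
    // other users' token IDs exist.
    if ( ! $token || (int) $token->get_user_id() !== get_current_user_id() ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Return only what the front end needs, never the raw gateway token.
    wp_send_json_success( array(
        'id'    => $token->get_id(),
        'last4' => $token instanceof WC_Payment_Token_CC ? $token->get_last4() : '',
    ) );
}
```

The two properties that close the IDOR are independent of the nonce: the handler must not be reachable without a session, and the looked-up object must be compared against the caller's identity before anything about it is returned.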

Remediation

Users are advised to update the WooCommerce Square plugin to version 5.1.2 or to one of the earlier patched versions: 4.2.3, 4.3.2, 4.4.2, or 4.5.2.
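As an added triage helper, not part of the plugin or this advisory, the function below takes a version string (as shown in the plugin header or the WordPress plugins screen) and reports whether that install is still exposed according to the version ranges stated above. The function name is hypothetical. It assumes that any later release on one of the backport branches (for example a 4.2.4, if one exists) also carries the fix; only the versions named in the advisory are certain.

```php
<?php
// Added helper, not the plugin's or the advisory's own code.
// Assumption: releases on a backport branch at or above the listed patch level are fixed.

function wc_square_idor_is_vulnerable( string $version ): bool {
    $mainline_fixed = '5.1.2';
    $backport_fixed = array(
        '4.2' => '4.2.3',
        '4.3' => '4.3.2',
        '4.4' => '4.4.2',
        '4.5' => '4.5.2',
    );

    // Anything at or above the mainline fix is safe.
    if ( version_compare( $version, $mainline_fixed, '>=' ) ) {
        return false;
    }

    // Otherwise check whether the install sits on a branch that received a backport.
    $parts  = explode( '.', $version );
    $branch = count( $parts ) >= 2 ? $parts[0] . '.' . $parts[1] : $version;
    if ( isset( $backport_fixed[ $branch ] )
        && version_compare( $version, $backport_fixed[ $branch ], '>=' ) ) {
        return false;
    }

    // Everything else up to and including 5.1.1 is affected.
    return true;
}

// Constructed sample inputs covering the boundaries in the advisory.
foreach ( array( '5.1.1', '5.1.2', '4.2.2', '4.2.3', '4.3.1', '4.5.2', '4.6.0', '3.9.9' ) as $v ) {
    printf( "%-6s %s\n", $v, wc_square_idor_is_vulnerable( $v ) ? 'VULNERABLE' : 'patched' );
}
```

Run with `php check.php`; 5.1.1, 4.2.2, 4.3.1, 4.6.0 and 3.9.9 report VULNERABLE, while 5.1.2, 4.2.3 and 4.5.2 report patched.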

Added: Jan 10, 2026, 4:24 AM
Updated: Jan 10, 2026, 4:24 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 7.4
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.