Vulnerabilities and security researches forwoocommerce-square woocommerce-square

Jun 07, 2024

CVE, Research URL: CVE-2023-35876
Home page URL: Security reports for WooCommerce Square
Application: WooCommerce Square
Date: Dec 20, 2023
Research Description: Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Square.This issue affects WooCommerce Square: from n/a through 3.8.1.
Affected versions: max 3.8.2.
Status: vulnerable

Jan 27, 2026

CVE, Research URL: CVE-2025-13457
Home page URL: Security reports for WooCommerce Square
Application: WooCommerce Square
Date: Jan 10, 2026
Research Description: The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square "ccof" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site.
Affected versions: max 5.1.1.
Status: vulnerable