A newly issued security warning has raised concerns over a serious vulnerability affecting tens of thousands of WordPress websites using the WooCommerce Square plugin.

The issue is believed to impact more than 80,000 active installations, putting a significant number of online retailers at risk of financial fraud if action is not taken quickly.

Security researchers have warned that the flaw could allow attackers to access sensitive payment information and carry out unauthorised charges, even without logging into the affected website.

WooCommerce Square is a widely used plugin that enables WordPress-based online shops to accept payments through Square’s point-of-sale system. It is particularly popular among merchants who operate both online and physical stores.

In addition to processing card payments, the plugin allows users to synchronise product listings and stock levels between WooCommerce and Square, helping businesses manage inventory more efficiently.

The plugin also supports several modern payment options, including Apple Pay, Google Pay, WooCommerce Subscriptions and WooCommerce Pre-Orders, making it a central part of many e-commerce operations.

The vulnerability itself stems from a security weakness known as an Insecure Direct Object Reference, often referred to as an IDOR flaw.

IDOR vulnerabilities occur when applications expose internal object identifiers, such as record or token IDs, through URLs or request parameters without proper access checks in place.

When this happens, attackers can manipulate those identifiers to gain access to data they should not normally be allowed to view or control.

The Open Worldwide Application Security Project (OWASP) explains that IDOR issues arise when applications fail to verify whether a user is authorised to access specific objects, leading to potential data exposure or misuse.

In this case, the vulnerability does not require the attacker to have an account, log in, or hold any special permissions, making it significantly easier to exploit.
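The following is an added illustration of the IDOR pattern described above, not code from the WooCommerce Square plugin or from Wordfence. It contrasts a lookup that trusts a caller-supplied token id with one that first requires an authenticated user and then checks that the record belongs to that user. The card records, user ids and token ids are constructed, and the function names are chosen for this example only (the plugin's real get_token_by_id may look nothing like this).

```python
"""Illustrative IDOR pattern: a "card on file" lookup keyed only by token id.

Constructed example; not the WooCommerce Square plugin's code. All records,
ids and names below are made up for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CardOnFile:
    token_id: str   # opaque id the site stores for the saved card (constructed)
    owner_id: int   # customer account that saved the card (constructed)
    last4: str      # only the last four digits are ever kept here
    brand: str


# Constructed sample store: token id -> saved-card record.
CARDS = {
    "tok_1001": CardOnFile("tok_1001", owner_id=7, last4="4242", brand="visa"),
    "tok_1002": CardOnFile("tok_1002", owner_id=9, last4="1111", brand="mastercard"),
}


class AccessDenied(Exception):
    """Raised when the caller may not see the requested record."""


def get_token_by_id_vulnerable(token_id: str) -> Optional[CardOnFile]:
    """IDOR: the id is the only input, so whoever supplies it gets the record.

    There is no authentication requirement and no ownership check, which is
    the shape of flaw the advisory describes.
    """
    return CARDS.get(token_id)


def get_token_by_id_hardened(token_id: str, current_user_id: Optional[int]) -> CardOnFile:
    """Authorisation-first lookup.

    1. Refuse unauthenticated callers outright.
    2. Fetch the record, then verify it belongs to the current user.
    3. Use one error for "does not exist" and "not yours", so the response
       does not confirm which token ids are valid.
    """
    if current_user_id is None:
        raise AccessDenied("authentication required")
    card = CARDS.get(token_id)
    if card is None or card.owner_id != current_user_id:
        raise AccessDenied("no such card for this user")
    return card


def lookup_outcome(token_id: str, current_user_id: Optional[int]) -> str:
    """Summarise what the hardened lookup returns for a given caller.

    Returns "ok:<last4>" on success or "denied" when access is refused,
    which makes the behaviour easy to assert on in a test.
    """
    try:
        card = get_token_by_id_hardened(token_id, current_user_id)
    except AccessDenied:
        return "denied"
    return f"ok:{card.last4}"


if __name__ == "__main__":
    # Anonymous caller (no session) asking for someone else's token id.
    print("vulnerable:", get_token_by_id_vulnerable("tok_1002"))
    print("hardened  :", lookup_outcome("tok_1002", None))
    # The owner of tok_1001, logged in, asking for their own card.
    print("owner     :", lookup_outcome("tok_1001", 7))
```

The decisive difference is the second parameter: the hardened version cannot even be called without a notion of who is asking, and the ownership comparison is made against the stored record rather than against anything the caller supplied. In a WordPress context the equivalent is resolving the current user server-side (from the session) before touching the record, never from a request parameter.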

According to a security advisory published by Wordfence, all versions of the WooCommerce Square plugin up to and including version 5.1.1 are affected by this flaw.

The problem lies within the plugin’s get_token_by_id function, which lacks sufficient validation on user-controlled input, allowing unauthenticated attackers to retrieve stored Square “credit card on file” data.

Once exposed, this information could potentially be used to carry out fraudulent transactions on the affected website, placing both merchants and customers at risk.

To address the issue, several patched versions of the plugin have been released, and users are strongly encouraged to update immediately to a secure version, such as 4.2.3, 4.6.4, 4.9.9, 5.0.1 or 5.1.2.

The vulnerability has been assigned a CVSS severity score of 7.5, indicating a high-risk issue that is remotely exploitable, even though certain limitations prevent it from being classified as critical.

Website owners using WooCommerce Square are advised to update their plugins without delay and review their payment security measures to minimise the risk of unauthorised activity.
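Because the patched releases listed above include backports on older branches (4.2.3, 4.6.4 and 4.9.9 are all numerically below the last affected release, 5.1.1), a naive "is it at or below 5.1.1?" check would wrongly flag those fixed builds. The following added script, which is not a Wordfence or WooCommerce tool, triages an installed version string against the advisory's numbers. The version figures are taken from the text above; the rule that a later patch release on an already-patched branch is also fixed is an assumption of this script, not something the advisory states.

```python
"""Triage an installed WooCommerce Square version against the advisory.

Added example, not an official tool. Version numbers are those quoted in the
article; treating later patch releases on a patched branch as fixed is an
assumption made here.
"""
from typing import Dict, List, Tuple

AFFECTED_UP_TO = "5.1.1"
PATCHED = ["4.2.3", "4.6.4", "4.9.9", "5.0.1", "5.1.2"]


def parse(version: str) -> Tuple[int, int, int]:
    """Turn 'major.minor.patch' into a comparable tuple, padding short strings."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_vulnerable(installed: str) -> bool:
    """True if the installed version falls inside the advisory's affected range."""
    v = parse(installed)
    # Anything newer than the last affected release is fixed.
    if v > parse(AFFECTED_UP_TO):
        return False
    # Backported fixes: a release on the same major.minor branch at or above the
    # listed patched version is treated as fixed (assumption, see lead-in).
    for patched in PATCHED:
        pv = parse(patched)
        if v[:2] == pv[:2] and v >= pv:
            return False
    return True


def recommended_update(installed: str) -> str:
    """Name the lowest patched release that is an upgrade for this install.

    Prefers a patched release on the same branch (smallest change), otherwise
    the lowest patched release that is newer than what is installed.
    """
    v = parse(installed)
    same_branch = [p for p in PATCHED if parse(p)[:2] == v[:2] and parse(p) > v]
    if same_branch:
        return same_branch[0]
    newer = [p for p in PATCHED if parse(p) > v]
    return newer[0] if newer else "already on a fixed release"


def triage(sites: Dict[str, str]) -> List[Tuple[str, str, bool, str]]:
    """Classify a constructed inventory of site -> installed version."""
    rows = []
    for site, version in sorted(sites.items()):
        vuln = is_vulnerable(version)
        rows.append((site, version, vuln, recommended_update(version) if vuln else "-"))
    return rows


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are made up.
    inventory = {
        "shop-a.example": "5.1.1",
        "shop-b.example": "4.2.3",
        "shop-c.example": "4.3.0",
        "shop-d.example": "5.0.0",
    }
    for site, version, vuln, fix in triage(inventory):
        status = "VULNERABLE" if vuln else "ok"
        print(f"{site:16} {version:8} {status:11} update to: {fix}")
```

Note that 4.3.0 is reported as vulnerable even though 4.2.3 is fixed: the fix on the 4.2 branch says nothing about 4.3, which has no patched release of its own, so the only safe move for such an install is a jump to a later fixed branch.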

 
