No Agency Cube

SEO news from around the world

SEO news

WooCommerce WordPress Plugin Exploit Enables Fraudulent Charges

Avatar photo

ByRose Milev

Jan 13, 2026


The popular WooCommerce Square plugin for WordPress vulnerability enables unauthenticated attackers to uncover credit cards on file and make fraudulent charges. The vulnerability affects up to 80,000 installations.

WooCommerce Square WordPress Plugin

The WooCommerce Square plugin enables WordPress sites to accept payments through the Square POS, as well as synchronize product inventory data between Square and WooCommerce. Square plugin enables a WooCommerce merchant to support payments through Apple Pay®, Google Pay, WooCommerce Pre-Orders, and WooCommerce Subscriptions.

Insecure Direct Object Reference

The vulnerability in the plugin arises from an Insecure Direct Object Reference (IDOR) vulnerability, a flaw that happens when critical data is exposed in URL file parameters, such as identification numbers, which then enables an attacker to manipulate that data without proper access that would normally prevent them from accessing those files.

The Open Worldwide Application Security Project (OWASP) defines IDOR as:

“Insecure Direct Object Reference (IDOR) is a vulnerability that arises when attackers can access or modify objects by manipulating identifiers used in a web application’s URLs or parameters. It occurs due to missing access control checks, which fail to verify whether a user should be allowed to access specific data.”

Exploiting the vulnerability does not require that the attacker acquire any level of authentication or permission levels, making it easier for them to launch an attack on affected websites.

According to a Wordfence advisory:

“The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square “ccof” (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site.”

There are multiple versions of the WooCommerce Square plugin that are patched, it’s recommended that users of the plugin update to at least one of the following versions:

  • 4.2.3
  • 4.3.2
  • 4.4.2
  • 4.5.2
  • 4.6.4
  • 4.7.4
  • 4.8.8
  • 4.9.9
  • 5.0.1
  • 5.1.2

The CVSS severity vulnerability score is rated at 7.5, indicating it’s a dangerous vulnerability that can be remotely exploitable but is mitigated by a constraint that keeps it from being rated as “Critical.”

Featured Image by Shutterstock/IgorZh



Source link

Avatar photo

By Rose Milev

I always want to learn something new. SEO is my passion.

Related Post

SEO news

Google’s UCP Checkout Brings New Tradeoffs For Retailers

Jan 13, 2026 Rose Milev
SEO news

Apple Selects Google’s Gemini For New AI-Powered Siri

Jan 12, 2026 Rose Milev
SEO news

What SEOs Need To Consider (ACP & UCP)

Jan 12, 2026 Rose Milev

Leave a Reply

Your email address will not be published. Required fields are marked *

You missed

SEO news

WooCommerce WordPress Plugin Exploit Enables Fraudulent Charges

January 13, 2026 Rose Milev
SEO news

Google’s UCP Checkout Brings New Tradeoffs For Retailers

January 13, 2026 Rose Milev
SEO news

Apple Selects Google’s Gemini For New AI-Powered Siri

January 12, 2026 Rose Milev
SEO news

What SEOs Need To Consider (ACP & UCP)

January 12, 2026 Rose Milev
This website uses cookies to improve user experience. By continuing to use the site, you consent to the use of cookies.