Vulnerability in WooCommerce Square Plugin Puts Credit Card Information at Risk
The popular WooCommerce Square plugin for WordPress has a vulnerability that lets unauthenticated attackers expose the Square card-on-file identifiers stored for customers and potentially use them to make fraudulent charges. The flaw affects up to 80,000 installations, making it a significant concern for WordPress site owners who run this plugin.
About the WooCommerce Square Plugin
The WooCommerce Square plugin lets WordPress sites accept payments through Square and synchronize product and inventory data between Square (including Square POS) and WooCommerce. It also lets WooCommerce merchants accept Apple Pay and Google Pay and work with WooCommerce Pre-Orders and WooCommerce Subscriptions. These features have made it a popular choice among online store owners.
Understanding the Vulnerability
The flaw is an Insecure Direct Object Reference (IDOR). An IDOR occurs when an application takes an identifier supplied by the user, such as a record ID in a URL or request parameter, looks up the corresponding object, and returns or modifies it without checking that the requester is actually entitled to that object. An attacker then only has to change the identifier to reach other users' data. The Open Worldwide Application Security Project (OWASP) describes IDOR in the same terms: a vulnerability that arises when attackers can access or modify objects by manipulating identifiers used in a web application's URLs or parameters.
Exploiting the Vulnerability
Exploiting the vulnerability requires no account or privileges on the target site, which makes affected sites easy to attack at scale. According to a Wordfence advisory, the WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square credit card on file values and leverage this value to potentially make fraudulent charges on the target site. In other words, the exposed value is the reference the site uses to charge a saved card, so obtaining it is what turns an information leak into a fraud risk.
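The following is an added illustration of the IDOR pattern described in the two sections above; it is not code from the WooCommerce Square plugin or from Wordfence, and the token store, field names, function names and sample data are all hypothetical. It puts an unchecked lookup (the caller picks an ID, nothing verifies who is asking) next to a lookup that also requires the record to belong to the authenticated caller, and shows what an anonymous visitor enumerating IDs gets from each.

```php
<?php
// Added illustration of the IDOR pattern described above. It is NOT code from
// the WooCommerce Square plugin: the token store, field names and function
// names are hypothetical, and the data below is constructed for the demo.

// Constructed sample data: saved card-on-file tokens keyed by a numeric ID,
// each belonging to one customer. A real store would keep these in a table
// or in user meta.
$card_tokens = [
    101 => ['user_id' => 7,  'token' => 'ccof:constructed-token-A'],
    102 => ['user_id' => 7,  'token' => 'ccof:constructed-token-B'],
    103 => ['user_id' => 42, 'token' => 'ccof:constructed-token-C'],
];

// VULNERABLE: the caller picks the ID and nothing checks who is asking or
// whether the record is theirs. Any visitor can walk the ID space and
// collect every stored token.
function find_card_token_unchecked(array $store, $id): ?string
{
    $id = (int) $id;
    return isset($store[$id]) ? $store[$id]['token'] : null;
}

// HARDENED: the caller must be authenticated AND the record must belong to
// that caller; the ID on its own grants nothing. A non-owner gets the same
// null as a missing record, so the endpoint does not become an oracle for
// which IDs exist.
function find_card_token_checked(array $store, $id, ?int $current_user_id): ?string
{
    if ($current_user_id === null || $current_user_id <= 0) {
        return null;
    }
    $id = (int) $id;
    if (!isset($store[$id]) || $store[$id]['user_id'] !== $current_user_id) {
        return null;
    }
    return $store[$id]['token'];
}

// Simulated attacker with no session, guessing IDs the way they would vary a
// request parameter such as ?token_id=101.
function enumerate_tokens(callable $lookup, int $from, int $to): array
{
    $found = [];
    for ($guess = $from; $guess <= $to; $guess++) {
        $token = $lookup($guess);
        if ($token !== null) {
            $found[$guess] = $token;
        }
    }
    return $found;
}

$unchecked = enumerate_tokens(
    fn($id) => find_card_token_unchecked($card_tokens, $id), 100, 105
);
$checked = enumerate_tokens(
    fn($id) => find_card_token_checked($card_tokens, $id, null), 100, 105
);

printf("unchecked lookup leaked %d token(s) to an anonymous caller\n", count($unchecked));
printf("checked lookup leaked %d token(s) to an anonymous caller\n", count($checked));

// The legitimate owner (user 7) still reaches their own records, but not
// user 42's.
var_dump(find_card_token_checked($card_tokens, 101, 7) !== null);
var_dump(find_card_token_checked($card_tokens, 103, 7) === null);
```

The point of the hardened version is that the ownership check happens at the lookup itself, not somewhere upstream that a different code path might skip; that is the kind of "validation on a user-controlled key" the advisory says was missing.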
Updating the Plugin
To protect against this vulnerability, site owners should update to the patched release for the version branch they run: 4.2.3, 4.3.2, 4.4.2, 4.5.2, 4.6.4, 4.7.4, 4.8.8, 4.9.9, 5.0.1, or 5.1.2 (or any later release). Branches older than 4.2 have no patched release of their own, so sites on them need to move to one of the listed versions. The vulnerability carries a CVSS score of 7.5, which is High rather than Critical: it can be exploited remotely without authentication, but its scored impact stops short of the Critical band.
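As an added check that is not part of the plugin or of the original article, the helper below takes an installed version string and decides, from the patched releases listed above and Wordfence's "up to and including 5.1.1" statement, whether that install still needs updating. The branch table and the sample versions are constructed for the demo.

```php
<?php
// Added helper, not part of the plugin, that tells you whether an installed
// WooCommerce Square version already carries the fix, using the patched
// releases listed above and Wordfence's "vulnerable up to and including
// 5.1.1" statement. Branches older than 4.2 have no patched release of
// their own, so anything on them is treated as needing an upgrade.
const WC_SQUARE_PATCHED = [
    '4.2' => '4.2.3', '4.3' => '4.3.2', '4.4' => '4.4.2', '4.5' => '4.5.2',
    '4.6' => '4.6.4', '4.7' => '4.7.4', '4.8' => '4.8.8', '4.9' => '4.9.9',
    '5.0' => '5.0.1', '5.1' => '5.1.2',
];
const WC_SQUARE_LAST_VULNERABLE = '5.1.1';

function wc_square_is_patched(string $installed): bool
{
    // Anything newer than the last vulnerable release (5.1.2, 5.2.x, 6.x ...)
    // is safe regardless of branch.
    if (version_compare($installed, WC_SQUARE_LAST_VULNERABLE, '>')) {
        return true;
    }
    // Otherwise the install must be at or above the patched release of its
    // own major.minor branch; a branch with no entry has no backported fix.
    $parts  = explode('.', $installed);
    $branch = $parts[0] . '.' . ($parts[1] ?? '0');
    if (!isset(WC_SQUARE_PATCHED[$branch])) {
        return false;
    }
    return version_compare($installed, WC_SQUARE_PATCHED[$branch], '>=');
}

// Constructed versions that exercise the branch logic; passing a real version
// as the first CLI argument checks that one instead.
$samples = ['4.1.9', '4.6.3', '4.6.4', '4.9.9', '5.1.1', '5.1.2', '5.2.0'];
if (isset($argv[1])) {
    $samples = [$argv[1]];
}
foreach ($samples as $v) {
    printf("%-8s %s\n", $v, wc_square_is_patched($v) ? 'patched' : 'VULNERABLE, update');
}
```

On the server, `wp plugin get woocommerce-square --field=version` (assuming the plugin's WordPress.org slug is woocommerce-square) prints the installed version, which can be passed to the script as its first argument.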
Conclusion
The vulnerability in the WooCommerce Square plugin poses a significant risk to WordPress site owners who use it, because it can be exploited without any account on the site. Updating to a patched version is the only fix. Site owners who understand the flaw and apply the update promptly reduce the chance that their customers' stored card details are exposed or used for fraudulent charges.