Merge branch 'trunk' into fix/SQUARE-150-no-title-display

Author: peterwilsoncc

changelog.txt

@@ -1,5 +1,10 @@
 *** WooCommerce Square Changelog ***
 
+= 5.1.2 - 2025-12-10 =
+* Security - Resolve CVE-2025-13457.
+* Dev - Bump WooCommerce "tested up to" version 10.4.
+* Dev - Bump WordPress "tested up to" version 6.9.
+
 = 5.1.1 - 2025-11-03 =
 * Fix - Missing attribute names after Product Import.
 * Fix - Update for PHP 8.4 compatibility.
@@ -18,11 +23,17 @@
 * Dev - Bump WooCommerce "tested up to" version 10.2.
 * Dev - Bump WooCommerce minimum supported version to 10.0.
 
+= 5.0.1 - 2025-12-10 =
+* Security - Resolve CVE-2025-13457 for version 5.0.
+
 = 5.0.0 - 2025-09-10 =
 * Add - Order fulfillment sync between WooCommerce and Square orders for those that opt-in.
 * Fix - Ensure inventory sync isn’t interrupted in case of a category insert failure.
 * Fix - Accurately count attribute values – 250 values, not characters.
 
+= 4.9.9 - 2025-12-10 =
+* Security - Resolve CVE-2025-13457 for version 4.9.
+
 = 4.9.8 - 2025-08-21 =
 * Fix - Ensure there is no fatal error on the product page when the product price is blank.
 * Fix - Corrected variation option assignment logic to prevent mismatched item option IDs during manual syncs to Square.
@@ -89,6 +100,9 @@
 * Dev - Updates to E2E tests setup.
 * Dev - Update all third-party actions our workflows rely on to use versions based on specific commit hashes.
 
+= 4.8.8 - 2025-12-10 =
+* Security - Resolve CVE-2025-13457 for version 4.8.
+
 = 4.8.7 - 2025-03-06 =
 * Add - Support for syncing the "Mark as Sold Out" field value during inventory sync.
 * Fix - Ensure payment methods display the correct buttons and statuses in the new WooCommerce Payments settings.
@@ -153,6 +167,9 @@
 * Dev - Bump WooCommerce "tested up to" version 9.2.
 * Dev - Bump WooCommerce minimum supported version to 9.0.
 
+= 4.7.4 - 2025-12-10 =
+* Security - Resolve CVE-2025-13457 for version 4.7.
+
 = 4.7.3 - 2024-08-19 =
 * Fix - Inconsistency in the height of Express Payment Button and compliance with the new Woo Express Payment Method Styling API.
 * Fix - Ensure the "Uncaught TypeError" JavaScript console error does not occur for out-of-stock products.
@@ -177,6 +194,9 @@
 * Dev - Bump WooCommerce minimum supported version to 8.8.
 * Dev - Bump WordPress minimum supported version to 6.4.
 
+= 4.6.4 - 2025-12-10 =
+* Security - Resolve CVE-2025-13457 for version 4.6.
+
 = 4.6.3 - 2024-06-17 =
 * Add - ESLint GitHub Action workflow to enforce ESLint rules on pull requests.
 * Dev - Bump Square PHP SDK version from `29.0.0.20230720` to `35.1.0.20240320`.
@@ -211,6 +231,9 @@
 * Fix - npm ERR! Missing script: "test:e2e".
 * Fix - Issue with Square payment gateway being shown for unsupported currencies.
 
+= 4.5.2 - 2025-12-10 =
+* Security - Resolve CVE-2025-13457 for version 4.5.
+
 = 4.5.1 - 2024-02-27 =
 * Fix - Address the repetitive creation of `wc_square_init_payment_token_migration` actions in the payment token migration process.
 * Dev - Bump WooCommerce "tested up to" version 8.6.
@@ -224,6 +247,9 @@
 * Dev - Bump WordPress minimum supported version to 6.3.
 * Fix - Issue with syncing products that have a description more than 4096 characters.
 
+= 4.4.2 - 2025-12-10 =
+* Security - Resolve CVE-2025-13457 for version 4.4.
+
 = 4.4.1 - 2024-01-18 =
 * Fix - Resolved the issue of double-counted inventory drops when WooPayments is used as the payment processor.
 * Dev - Bump WooCommerce "tested up to" version 8.4.
@@ -246,6 +272,9 @@
 * Dev - Add Playwright e2e coverage for Cart Block and Checkout Block.
 * Tweak - Admin settings colour to match admin theme colour scheme.
 
+= 4.3.2 - 2025-12-10 =
+* Security - Resolve CVE-2025-13457 for version 4.3.
+
 = 4.3.1 - 2023-11-06 =
 * Fix - Fatal error caused when the Action Scheduler API method `as_has_scheduled_action` is used for migrating payment tokens.
 * Fix - Missing payment token and customer ID in subscription orders when HPOS is enabled.
@@ -261,6 +290,9 @@
 * Dev - Bump WooCommerce minimum supported version to 7.9.
 * Dev - Bump woocommerce-sniffs to 1.0.0.
 
+= 4.2.3 - 2025-12-10 =
+* Security - Resolve CVE-2025-13457 for version 4.2.
+
 = 4.2.2 - 2023-10-11 =
 * Dev - Update PHPCS and PHPCompatibility GitHub Actions.
 * Tweak - Timing of the Apple Pay domain registration warning message.

includes/Gateway.php

@@ -118,7 +118,6 @@ public function __construct() {
 		add_action( 'wp_ajax_nopriv_wc_' . $this->get_id() . '_log_js_data', array( $this, 'log_js_data' ) );
 
 		add_action( 'wp_ajax_wc_' . $this->get_id() . '_get_token_by_id', array( $this, 'get_token_by_id' ) );
-		add_action( 'wp_ajax_nopriv_wc_' . $this->get_id() . '_get_token_by_id', array( $this, 'get_token_by_id' ) );
 
 		// store the Square item variation ID to order items
 		add_action( 'woocommerce_new_order_item', array( $this, 'store_new_order_item_square_meta' ), 10, 3 );
@@ -179,20 +178,52 @@ public function get_description() {
 	public function get_token_by_id() {
 		$nonce = isset( $_GET['nonce'] ) ? sanitize_text_field( wp_unslash( $_GET['nonce'] ) ) : false;
 
-		if ( ! wp_verify_nonce( $nonce, 'payment_token_nonce' ) ) {
-			wp_send_json_error( esc_html__( 'Nonce verification failed.', 'woocommerce-square' ) );
+		if ( ! wp_verify_nonce( $nonce, 'payment_token_nonce' ) || ! is_user_logged_in() ) {
+			wp_send_json_error( esc_html__( 'Verification failed.', 'woocommerce-square' ), \WP_Http::UNAUTHORIZED );
 		}
 
 		$token_id = isset( $_GET['token_id'] ) ? absint( wp_unslash( $_GET['token_id'] ) ) : false;
 
 		if ( ! $token_id ) {
-			wp_send_json_error( esc_html__( 'Token ID missing.', 'woocommerce-square' ) );
+			wp_send_json_error( esc_html__( 'Token ID missing.', 'woocommerce-square' ), \WP_Http::BAD_REQUEST );
 		}
 
 		$token_obj = \WC_Payment_Tokens::get( $token_id );
 
+		/*
+		 * Verify token belongs to this gateway.
+		 *
+		 * This ajax endpoint is for retrieving Square payment tokens only.
+		 */
+		if ( is_object( $token_obj ) && $this->get_id() !== $token_obj->get_gateway_id() ) {
+			wp_send_json_error( esc_html__( 'Verification failed.', 'woocommerce-square' ), \WP_Http::FORBIDDEN );
+		}
+
+		/*
+		 * Ensure user has permission to access token.
+		 *
+		 * Store administrators can request any token but other users can only
+		 * access tokens belonging to their own account.
+		 */
+		if (
+			! current_user_can( 'manage_woocommerce' )
+			&& (
+				is_null( $token_obj )
+				|| get_current_user_id() !== $token_obj->get_user_id()
+			)
+		) {
+			wp_send_json_error( esc_html__( 'Verification failed.', 'woocommerce-square' ), \WP_Http::FORBIDDEN );
+		}
+
+		/*
+		 * Show invalid Token ID to store admins only.
+		 *
+		 * The condition above will present a generic "validation failed" message to other
+		 * users, this will only provide the details of why validation failed to store
+		 * admins to avoid information disclosure.
+		 */
 		if ( is_null( $token_obj ) ) {
-			wp_send_json_error( esc_html__( 'No payment token exists for this ID.', 'woocommerce-square' ) );
+			wp_send_json_error( esc_html__( 'No payment token exists for this ID.', 'woocommerce-square' ), \WP_Http::NOT_FOUND );
 		}
 
 		wp_send_json_success( $token_obj->get_token() );

package-lock.json

@@ -7,7 +7,7 @@
     "url": "git://github.com/woocommerce/woocommerce-square.git"
   },
   "title": "WooCommerce Square",
-  "version": "5.1.1",
+  "version": "5.1.2",
   "homepage": "https://woocommerce.com/products/woocommerce-square/",
   "scripts": {
     "build": "composer install --no-dev && npm run build:webpack && npm run makepot && npm run archive",

package.json

@@ -1,10 +1,10 @@
 === WooCommerce Square ===
 Contributors: woocommerce, automattic
 Tags: credit card, square, woocommerce, inventory sync
-Requires at least: 6.5
+Requires at least: 6.7
 Tested up to: 6.9
 Requires PHP: 7.4
-Stable tag: 5.1.1
+Stable tag: 5.1.2
 License: GPL-3.0-or-later
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
 
@@ -72,6 +72,11 @@ If you get stuck, you can ask for help in the [Plugin Forum](https://wordpress.o
 
 == Changelog ==
 
+= 5.1.2 - 2025-12-10 =
+* Security - Resolve CVE-2025-13457.
+* Dev - Bump WooCommerce "tested up to" version 10.4.
+* Dev - Bump WordPress "tested up to" version 6.9.
+
 = 5.1.1 - 2025-11-03 =
 * Fix - Missing attribute names after Product Import.
 * Fix - Update for PHP 8.4 compatibility.
@@ -90,11 +95,17 @@ If you get stuck, you can ask for help in the [Plugin Forum](https://wordpress.o
 * Dev - Bump WooCommerce "tested up to" version 10.2.
 * Dev - Bump WooCommerce minimum supported version to 10.0.
 
+= 5.0.1 - 2025-12-10 =
+* Security - Resolve CVE-2025-13457 for version 5.0.
+
 = 5.0.0 - 2025-09-10 =
 * Add - Order fulfillment sync between WooCommerce and Square orders for those that opt-in.
 * Fix - Ensure inventory sync isn’t interrupted in case of a category insert failure.
 * Fix - Accurately count attribute values – 250 values, not characters.
 
+= 4.9.9 - 2025-12-10 =
+* Security - Resolve CVE-2025-13457 for version 4.9.
+
 = 4.9.8 - 2025-08-21 =
 * Fix - Ensure there is no fatal error on the product page when the product price is blank.
 * Fix - Corrected variation option assignment logic to prevent mismatched item option IDs during manual syncs to Square.
@@ -161,6 +172,9 @@ If you get stuck, you can ask for help in the [Plugin Forum](https://wordpress.o
 * Dev - Updates to E2E tests setup.
 * Dev - Update all third-party actions our workflows rely on to use versions based on specific commit hashes.
 
+= 4.8.8 - 2025-12-10 =
+* Security - Resolve CVE-2025-13457 for version 4.8.
+
 = 4.8.7 - 2025-03-06 =
 * Add - Support for syncing the "Mark as Sold Out" field value during inventory sync.
 * Fix - Ensure payment methods display the correct buttons and statuses in the new WooCommerce Payments settings.
@@ -229,6 +243,9 @@ If you get stuck, you can ask for help in the [Plugin Forum](https://wordpress.o
 
 == Upgrade Notice ==
 
+= 5.1.2 =
+Security release affecting versions 4.2 upward, please update promptly. Minor releases are available on wordpress.org.
+
 = 3.5.0 =
 * Note that this version bumps the minimum PHP version from 7.2 to 7.4.
 

readme.txt

@@ -2,9 +2,9 @@
 /**
  * Plugin Name: WooCommerce Square
  * Requires Plugins: woocommerce
- * Version: 5.1.1
+ * Version: 5.1.2
  * Plugin URI: https://woocommerce.com/products/square/
- * Requires at least: 6.5
+ * Requires at least: 6.7
  * Tested up to: 6.9
  * Requires PHP: 7.4
  * PHP tested up to: 8.4
@@ -22,14 +22,14 @@
  * @copyright Copyright (c) 2019, Automattic, Inc.
  * @license   http://www.gnu.org/licenses/gpl-3.0.html GNU General Public License v3.0 or later
  *
- * WC requires at least: 10.1
+ * WC requires at least: 10.2
  * WC tested up to: 10.4
  */
 
 defined( 'ABSPATH' ) || exit;
 
 if ( ! defined( 'WC_SQUARE_PLUGIN_VERSION' ) ) {
-	define( 'WC_SQUARE_PLUGIN_VERSION', '5.1.1' ); // WRCS: DEFINED_VERSION.
+	define( 'WC_SQUARE_PLUGIN_VERSION', '5.1.2' ); // WRCS: DEFINED_VERSION.
 }
 
 if ( ! defined( 'WC_SQUARE_PLUGIN_URL' ) ) {
@@ -63,7 +63,7 @@ class WooCommerce_Square_Loader {
 	const MINIMUM_WP_VERSION = '6.7';
 
 	/** minimum WooCommerce version required by this plugin */
-	const MINIMUM_WC_VERSION = '10.1';
+	const MINIMUM_WC_VERSION = '10.2';
 
 	/**
 	 * SkyVerge plugin framework version used by this plugin