CVE-2024-12265: CWE-862 Missing Authorization in depayfi Web3 Crypto Payments by DePay for WooCommerce
CVE-2024-12265 is a medium severity vulnerability in the Web3 Crypto Payments by DePay plugin for WooCommerce that allows unauthenticated attackers to access debug information via the /wp-json/depay/wc/debug REST API endpoint. The root cause is a missing authorization check (CWE-862) on this endpoint in all versions up to 2.12.17. Exploitation requires no authentication or user interaction and can lead to unauthorized disclosure of potentially sensitive debug data. Although no known exploits are currently reported in the wild, the vulnerability could aid attackers in reconnaissance or further attacks. The CVSS score is 5.3, reflecting limited confidentiality impact and no integrity or availability impact. Organizations using this plugin should prioritize patching or mitigating access to the vulnerable endpoint. Countries with significant WooCommerce and WordPress usage, especially those with active Web3 and crypto commerce sectors, are most at risk.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2024-12265 affects the Web3 Crypto Payments by DePay plugin for WooCommerce, a WordPress plugin facilitating cryptocurrency payments. The issue arises from a missing authorization check (CWE-862) on the REST API endpoint /wp-json/depay/wc/debug, which is intended for debugging purposes. This endpoint does not verify whether the requester has the necessary permissions, allowing any unauthenticated user to retrieve debug information. The plugin versions up to and including 2.12.17 are affected. The debug data exposed could include sensitive internal state or configuration details that may assist attackers in further exploitation or reconnaissance activities. The vulnerability has a CVSS 3.1 base score of 5.3, indicating a medium severity level. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality only (C:L), without affecting integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was publicly disclosed on December 12, 2024, and assigned by Wordfence. Given the plugin’s role in handling crypto payments, unauthorized access to debug information could expose implementation details or sensitive operational data, increasing the risk of targeted attacks.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of debug information, which could include sensitive configuration details, API keys, or internal logic related to cryptocurrency payment processing. While the vulnerability does not directly compromise data integrity or availability, the leaked information could facilitate further attacks such as targeted phishing, exploitation of other vulnerabilities, or unauthorized transactions. Organizations using the affected plugin may face increased risk of data exposure and potential reputational damage. Since the vulnerability requires no authentication and no user interaction, it can be exploited remotely by any attacker scanning for vulnerable endpoints. This increases the attack surface for WooCommerce sites using this plugin, especially those handling significant volumes of crypto transactions. The medium severity rating reflects the limited direct impact but acknowledges the potential for indirect consequences through information leakage.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately restrict access to the /wp-json/depay/wc/debug REST API endpoint. This can be achieved by implementing web application firewall (WAF) rules to block unauthenticated requests to this endpoint or by configuring server-level access controls to limit access to trusted IP addresses only. Additionally, administrators should monitor web server logs for suspicious access attempts to this endpoint. Since no official patch is currently available, disabling or removing the debug endpoint if possible is recommended. Organizations should also ensure that the plugin is updated promptly once a patch is released by the vendor. As a best practice, debug endpoints should never be exposed publicly in production environments. Conducting a thorough security review of all REST API endpoints in the WordPress environment to verify proper authorization checks is advisable. Finally, educating site administrators on the risks of exposing debug information and enforcing the principle of least privilege for API access will reduce future risk.
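As an added illustration (not the DePay plugin's code, which the advisory does not show), the WordPress registration pattern that produces a CWE-862 debug endpoint is shown beside a hardened version, followed by a small audit helper for the REST route review recommended above. The namespace `example/v1`, the function names and the handler body are assumptions; the WordPress APIs (`register_rest_route`, `current_user_can`, `rest_get_server()->get_routes()`) are real.

```php
<?php
// Added illustration, not DePay's code. Namespace, function names and the
// payload are assumptions; only the WordPress API calls are real.

// Weak pattern: '__return_true' authorizes every request, including
// unauthenticated ones. This is the shape of a CWE-862 REST endpoint.
function example_register_debug_route_weak() {
    register_rest_route( 'example/v1', '/debug', array(
        'methods'             => 'GET',
        'callback'            => 'example_debug_payload',
        'permission_callback' => '__return_true', // no authorization check
    ) );
}

// Hardened pattern: the endpoint is invisible unless debugging is enabled,
// and even then it requires an administrator capability.
function example_register_debug_route_hardened() {
    register_rest_route( 'example/v1', '/debug', array(
        'methods'             => 'GET',
        'callback'            => 'example_debug_payload',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! defined( 'WP_DEBUG' ) || ! WP_DEBUG ) {
                return new WP_Error( 'rest_no_route', 'Not found.', array( 'status' => 404 ) );
            }
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient permissions.',
                    array( 'status' => rest_authorization_required_code() ) );
            }
            return true;
        },
    ) );
}

function example_debug_payload( WP_REST_Request $request ) {
    // Return only what is needed; never dump secrets or full configuration.
    return new WP_REST_Response( array( 'plugin_version' => '0.0.0-example' ), 200 );
}
add_action( 'rest_api_init', 'example_register_debug_route_hardened' );

// Audit helper: list every registered REST route with a missing or
// always-true permission callback. Run with: wp eval 'print_r( example_audit_rest_permissions() );'
function example_audit_rest_permissions() {
    $findings = array();
    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        foreach ( $handlers as $handler ) {
            $cb = isset( $handler['permission_callback'] ) ? $handler['permission_callback'] : null;
            if ( null === $cb || '__return_true' === $cb ) {
                $findings[] = $route;
            }
        }
    }
    return array_values( array_unique( $findings ) );
}
```

The audit output will also list core routes that are public by design (for example anonymous GET routes under /wp/v2), so each finding still needs triage against whether the data it serves is meant to be public.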
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-05T16:56:27.661Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e33b7ef31ef0b597b01
Added to database: 2/25/2026, 9:48:35 PM
Last enriched: 2/26/2026, 5:44:26 AM
Last updated: 2/26/2026, 6:14:20 AM