CVE-2025-12903: CWE-639 Authorization Bypass Through User-Controlled Key in mrclayton Payment Plugins Braintree For WooCommerce
The Payment Plugins Braintree For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint in all versions up to, and including, 3.2.78. This is due to the endpoint being registered with permission_callback set to __return_true and processing user-supplied token IDs without verifying ownership or authentication. This makes it possible for unauthenticated attackers to retrieve payment method nonces for any stored payment token in the system, which can be used to create fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions.
AI Analysis
Technical Summary
CVE-2025-12903 is an authorization bypass vulnerability classified under CWE-639, found in the Payment Plugins Braintree For WooCommerce plugin for WordPress. The issue stems from the REST API endpoint wc-braintree/v1/3ds/vaulted_nonce being registered with a permission callback that always returns true (__return_true), effectively disabling any authorization checks. This endpoint processes user-supplied token IDs without verifying if the requester owns the token or is authenticated. Consequently, an unauthenticated attacker can query this endpoint with arbitrary token IDs to retrieve payment method nonces associated with stored payment tokens in the system. These nonces can be used to initiate fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions, bypassing all intended access controls. The vulnerability affects all versions up to and including 3.2.78 of the plugin. The CVSS v3.1 base score is 7.5 (high), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and a high impact on confidentiality. No known public exploits have been reported yet, but the vulnerability poses a significant risk due to the sensitive financial data exposure and potential for fraud. The plugin is widely used in WooCommerce installations, which are popular in e-commerce platforms globally, including Europe.
Potential Impact
For European organizations, especially e-commerce businesses using WooCommerce with the Payment Plugins Braintree For WooCommerce plugin, this vulnerability could lead to severe financial losses due to fraudulent transactions and unauthorized charges on customer credit cards. The exposure of payment method nonces compromises customer trust and can result in regulatory penalties under GDPR and PCI DSS compliance frameworks due to inadequate protection of payment data. The integrity of subscription services can also be undermined by attackers attaching payment methods without authorization, potentially causing revenue loss and customer disputes. Additionally, the reputational damage from such breaches can impact customer retention and brand value. Given the plugin’s popularity in European markets, the risk is non-trivial, particularly for mid-sized to large online retailers. The lack of authentication requirement and ease of exploitation increase the likelihood of automated scanning and exploitation attempts, raising the urgency for mitigation.
Mitigation Recommendations
1. Immediate mitigation involves disabling or restricting access to the vulnerable REST API endpoint (wc-braintree/v1/3ds/vaulted_nonce) via web application firewall (WAF) rules or server-level access controls until a patch is available.
2. Monitor web server logs for suspicious requests targeting this endpoint and implement rate limiting to reduce attack surface.
3. Update the Payment Plugins Braintree For WooCommerce plugin to the latest version as soon as the vendor releases a patch addressing this vulnerability.
4. If patching is delayed, consider temporarily removing or replacing the plugin with alternative payment solutions that do not expose such vulnerabilities.
5. Conduct a thorough audit of stored payment tokens and transaction logs to detect any unauthorized activity.
6. Educate development and security teams about proper permission callbacks and authorization checks when exposing REST API endpoints.
7. Implement multi-factor authentication and enhanced monitoring on WooCommerce admin accounts to reduce the impact of potential exploitation.
8. Review and tighten WooCommerce and WordPress security configurations, including limiting REST API access to authenticated users where possible.
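The registration pattern behind this CVE and the check that recommendation 6 calls for, as an added example (not the plugin's own code): the route namespace and path follow the advisory, while the function names are hypothetical and `example_vaulted_nonce_handler` stands in for the plugin's existing nonce handler, which is not shown. The hardened form requires an authenticated user and verifies with WooCommerce's `WC_Payment_Tokens::get()` that the supplied token belongs to that user before the handler runs.

```php
// Added example, not the plugin's code. Function names are hypothetical;
// example_vaulted_nonce_handler is assumed to be the existing handler.

// VULNERABLE: permission_callback always passes, so any unauthenticated
// caller can request a nonce for any token_id (the CVE-2025-12903 pattern).
function example_register_vaulted_nonce_vulnerable() {
    register_rest_route( 'wc-braintree/v1', '/3ds/vaulted_nonce', array(
        'methods'             => 'POST',
        'callback'            => 'example_vaulted_nonce_handler',
        'permission_callback' => '__return_true',
    ) );
}

// HARDENED: authenticate the caller and confirm token ownership first.
function example_register_vaulted_nonce_hardened() {
    register_rest_route( 'wc-braintree/v1', '/3ds/vaulted_nonce', array(
        'methods'             => 'POST',
        'callback'            => 'example_vaulted_nonce_handler',
        'permission_callback' => 'example_vaulted_nonce_permission',
        'args'                => array(
            'token_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
    ) );
}

function example_vaulted_nonce_permission( WP_REST_Request $request ) {
    // Cookie-authenticated REST calls only populate the current user when a
    // valid X-WP-Nonce is sent, so this also rejects cross-site requests.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $token = WC_Payment_Tokens::get( (int) $request->get_param( 'token_id' ) );
    // "Not found" and "not yours" get the same answer so token IDs cannot be enumerated.
    if ( ! $token || (int) $token->get_user_id() !== get_current_user_id() ) {
        return new WP_Error( 'rest_forbidden', 'Payment token not accessible.', array( 'status' => 403 ) );
    }
    return true;
}

// Only the hardened registration is hooked; the vulnerable one is shown for contrast.
add_action( 'rest_api_init', 'example_register_vaulted_nonce_hardened' );
```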
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-07T20:09:44.746Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6914483ad823118ac8c87d36
Added to database: 11/12/2025, 8:41:30 AM
Last enriched: 11/12/2025, 8:56:26 AM
Last updated: 11/12/2025, 9:46:22 AM