CVE-2025-12903: CWE-639 Authorization Bypass Through User-Controlled Key in mrclayton Payment Plugins Braintree For WooCommerce

Severity: High
Tags: Vulnerability, CVE-2025-12903, CWE-639
Published: Wed Nov 12 2025 (11/12/2025, 08:28:04 UTC)
Source: CVE Database V5
Vendor/Project: mrclayton
Product: Payment Plugins Braintree For WooCommerce

Description

The Payment Plugins Braintree For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint in all versions up to, and including, 3.2.78. This is due to the endpoint being registered with permission_callback set to __return_true and processing user-supplied token IDs without verifying ownership or authentication. This makes it possible for unauthenticated attackers to retrieve payment method nonces for any stored payment token in the system, which can be used to create fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions.

AI-Powered Analysis

Last updated: 11/19/2025, 11:15:13 UTC

Technical Analysis

CVE-2025-12903 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Payment Plugins Braintree For WooCommerce plugin for WordPress. The vulnerability arises because the REST API endpoint wc-braintree/v1/3ds/vaulted_nonce is registered with a permission callback that always returns true (__return_true), effectively disabling any authentication or capability checks. This endpoint processes user-supplied token IDs without verifying whether the requester owns the token or is authenticated. As a result, an unauthenticated attacker can supply arbitrary token IDs and retrieve corresponding payment method nonces. These nonces are sensitive tokens used to authorize payment transactions. By obtaining them, attackers can create fraudulent charges on customers’ credit cards or attach stolen payment methods to other subscriptions, leading to financial fraud. The vulnerability affects all plugin versions up to 3.2.78 and can be exploited remotely without any user interaction or privileges. The CVSS v3.1 base score is 7.5 (high), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, and high confidentiality impact. Although no public exploits have been reported yet, the flaw’s nature and ease of exploitation make it a critical risk for e-commerce sites using this plugin. The lack of patch links suggests a fix may not yet be available, emphasizing the need for immediate mitigation.

Potential Impact

For European organizations operating WooCommerce-based e-commerce platforms with the vulnerable Braintree payment plugin, this vulnerability poses a significant risk of financial fraud. Attackers can exploit the flaw to retrieve payment method nonces without authentication, enabling unauthorized transactions and fraudulent charges on customers’ credit cards. This can lead to direct financial losses, chargebacks, and damage to customer trust. Additionally, fraudulent subscription attachments can cause ongoing financial harm and complicate billing reconciliation. The breach of payment data confidentiality can also trigger regulatory consequences under GDPR, including fines and mandatory breach notifications. The reputational damage from such incidents can be severe, especially for businesses relying heavily on online payments. Since WooCommerce is widely used across Europe, especially in countries with strong e-commerce markets like Germany, the UK, France, and the Netherlands, the potential impact is broad. The vulnerability’s exploitation could disrupt business operations, increase fraud-related costs, and erode consumer confidence in affected merchants.

Mitigation Recommendations

Immediate mitigation steps include disabling or restricting access to the vulnerable REST API endpoint wc-braintree/v1/3ds/vaulted_nonce until a patch is available. Organizations should implement custom permission callbacks that verify user authentication and ownership of payment tokens before processing requests. Applying web application firewall (WAF) rules to block suspicious requests targeting this endpoint can reduce exposure. Monitoring logs for unusual API access patterns or repeated requests to this endpoint can help detect exploitation attempts. Merchants should review and audit stored payment tokens and transactions for signs of fraudulent activity. If possible, temporarily disabling the Braintree payment plugin or switching to alternative payment methods can reduce risk. Organizations should stay alert for official patches or updates from the plugin vendor and apply them promptly once released. Additionally, educating development and security teams about the risks of improper authorization checks in REST APIs can prevent similar issues in the future.
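The recommendation to replace the always-true permission callback with one that checks authentication and token ownership, as an added example that is not the plugin's own code. It assumes the route shape named on the page (namespace wc-braintree/v1, route /3ds/vaulted_nonce), a request parameter called token_id, and a hypothetical handler name; the WooCommerce calls (WC_Payment_Tokens::get, get_user_id) are the stock payment-token API.

```php
<?php
// Added example, not the plugin's code. Assumes a POST parameter named
// token_id and a hypothetical handler example_vaulted_nonce_handler().

// Weak registration, as the advisory describes it: every caller is permitted,
// so the handler itself is the only place ownership could have been checked.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wc-braintree/v1', '/3ds/vaulted_nonce', array(
        'methods'             => 'POST',
        'callback'            => 'example_vaulted_nonce_handler',
        'permission_callback' => '__return_true',
    ) );
} );

// Hardened permission callback: WordPress runs this before the handler, so an
// unauthenticated caller or a foreign token ID never reaches nonce generation.
function example_vaulted_nonce_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $token_id = absint( $request->get_param( 'token_id' ) );
    if ( ! $token_id ) {
        return new WP_Error( 'rest_invalid_param', 'Missing token_id.', array( 'status' => 400 ) );
    }
    // Look the token up server-side and compare its owner to the caller.
    $token = WC_Payment_Tokens::get( $token_id );
    // Unknown tokens and tokens owned by another customer get the same
    // response, so the endpoint cannot be used to enumerate valid token IDs.
    if ( ! $token || (int) $token->get_user_id() !== get_current_user_id() ) {
        return new WP_Error( 'rest_forbidden', 'Token not found.', array( 'status' => 403 ) );
    }
    return true;
}

// Hardened registration: same route, ownership-checking permission callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wc-braintree/v1', '/3ds/vaulted_nonce', array(
        'methods'             => 'POST',
        'callback'            => 'example_vaulted_nonce_handler',
        'permission_callback' => 'example_vaulted_nonce_permission',
    ) );
} );
```

Cookie-authenticated callers must also send a valid X-WP-Nonce header; without it WordPress treats the REST request as anonymous and the 401 branch fires, which is the intended behaviour.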


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-07T20:09:44.746Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6914483ad823118ac8c87d36

Added to database: 11/12/2025, 8:41:30 AM

Last enriched: 11/19/2025, 11:15:13 AM

Last updated: 2/7/2026, 9:50:39 AM

