CVE-2025-12903: CWE-639 Authorization Bypass Through User-Controlled Key in mrclayton Payment Plugins Braintree For WooCommerce
The Payment Plugins Braintree For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint in all versions up to, and including, 3.2.78. This is due to the endpoint being registered with permission_callback set to __return_true and processing user-supplied token IDs without verifying ownership or authentication. This makes it possible for unauthenticated attackers to retrieve payment method nonces for any stored payment token in the system, which can be used to create fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions.
AI Analysis
Technical Summary
CVE-2025-12903 is an authorization bypass vulnerability identified in the Payment Plugins Braintree For WooCommerce plugin for WordPress, affecting all versions up to 3.2.78. The root cause is the registration of the REST API endpoint wc-braintree/v1/3ds/vaulted_nonce with a permission_callback set to __return_true, effectively disabling any permission checks. This endpoint processes user-supplied token IDs without verifying whether the requester owns the token or is authenticated. Consequently, an unauthenticated attacker can query this endpoint with arbitrary token IDs to retrieve payment method nonces associated with stored payment tokens in the system. These nonces are sensitive tokens used to authorize payment transactions without exposing full credit card details. By obtaining these nonces, attackers can initiate fraudulent charges on customer credit cards or attach stolen payment methods to other subscriptions, leading to unauthorized financial transactions. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and has a CVSS v3.1 base score of 7.5, indicating high severity. The attack vector is network-based with no privileges or user interaction required, increasing the risk of exploitation. Although no known exploits have been reported in the wild, the potential impact on confidentiality and financial integrity is significant. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps.
Potential Impact
The vulnerability allows attackers to bypass authorization controls and access sensitive payment method nonces without authentication. This can lead to unauthorized financial transactions, including fraudulent charges on customer credit cards and unauthorized subscription modifications. The confidentiality of stored payment tokens is compromised, potentially damaging customer trust and causing financial losses. Organizations using the affected plugin risk regulatory penalties under data protection laws due to exposure of payment data. The ease of exploitation and lack of required user interaction increase the likelihood of automated attacks, potentially impacting a large number of WooCommerce stores globally. The integrity of payment processing is undermined, although availability is not directly affected. Overall, the threat poses a significant risk to e-commerce businesses relying on this plugin for payment processing.
Mitigation Recommendations
Immediate mitigation should include disabling or restricting access to the vulnerable REST API endpoint wc-braintree/v1/3ds/vaulted_nonce until a patch is available. Implementing custom permission callbacks that verify user authentication and ownership of the requested payment token is critical. Monitoring and logging all access to this endpoint can help detect suspicious activity. Organizations should audit stored payment tokens for unauthorized access and review recent transactions for fraud indicators. If possible, rotate or invalidate stored payment method nonces to prevent reuse by attackers. Applying the latest plugin updates as soon as they are released is essential. Additionally, consider implementing Web Application Firewall (WAF) rules to block unauthenticated requests targeting this endpoint. Educate developers and administrators about secure REST API design, emphasizing strict permission checks on sensitive endpoints.
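To make the "custom permission callback" recommendation concrete, the following PHP shows the registration pattern the advisory describes (a `permission_callback` of `__return_true`, kept unhooked for contrast) beside a hardened registration whose permission callback requires an authenticated caller and confirms that the requested WooCommerce payment token belongs to that caller. This is an added illustration, not the plugin's own code and not its eventual fix: the route namespace and path are the ones named in the advisory, while the HTTP method, the `token_id` parameter name and every function name prefixed `hypothetical_` are assumptions.

```php
<?php
/**
 * Added illustration of a hardened REST route for data tied to a stored
 * WooCommerce payment token. Not the plugin's code. Route namespace and
 * path come from the advisory; method, parameter name and the
 * hypothetical_* function names are assumptions.
 */

/**
 * The pattern the advisory describes (shown for contrast, never hooked):
 * '__return_true' lets every request through, so the handler acts on
 * whatever token_id the caller chose.
 */
function hypothetical_register_route_unsafe() {
    register_rest_route( 'wc-braintree/v1', '/3ds/vaulted_nonce', array(
        'methods'             => 'POST',
        'callback'            => 'hypothetical_vaulted_nonce_handler',
        'permission_callback' => '__return_true',
    ) );
}

/**
 * Hardened registration: the permission callback must return true before
 * the handler runs, and the argument schema rejects non-integer token ids.
 */
function hypothetical_register_route_safe() {
    register_rest_route( 'wc-braintree/v1', '/3ds/vaulted_nonce', array(
        'methods'             => 'POST',
        'callback'            => 'hypothetical_vaulted_nonce_handler',
        'permission_callback' => 'hypothetical_vaulted_nonce_permission',
        'args'                => array(
            'token_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'hypothetical_register_route_safe' );

/**
 * Permission callback: the caller must be authenticated AND must own the
 * token. Returns true to allow, or a WP_Error carrying the HTTP status.
 */
function hypothetical_vaulted_nonce_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Authentication required.' ),
            array( 'status' => rest_authorization_required_code() ) // 401 for anonymous callers
        );
    }

    $token_id = absint( $request->get_param( 'token_id' ) );
    $token    = WC_Payment_Tokens::get( $token_id ); // null when no such token exists

    // Ownership check (the CWE-639 fix): deny when the token is missing OR
    // belongs to another user. One generic error for both cases keeps the
    // endpoint from acting as a token-id existence oracle.
    if ( ! $token || (int) $token->get_user_id() !== get_current_user_id() ) {
        // Denied attempts are worth logging; repeated denials from one
        // source are the signal the advisory's monitoring advice is after.
        error_log( sprintf(
            'vaulted_nonce denied: user=%d token_id=%d ip=%s',
            get_current_user_id(),
            $token_id,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        return new WP_Error( 'rest_forbidden', __( 'Not allowed.' ), array( 'status' => 403 ) );
    }

    return true;
}

/**
 * Handler: only reached after the permission callback has confirmed
 * ownership, so acting on token_id here is safe. What the real plugin
 * returns is not known from the advisory; this echoes the validated id.
 */
function hypothetical_vaulted_nonce_handler( WP_REST_Request $request ) {
    $token_id = absint( $request->get_param( 'token_id' ) );
    return rest_ensure_response( array( 'token_id' => $token_id ) );
}
```

Two points matter when applying this pattern. First, the ownership comparison is the part that addresses CWE-639: authentication alone would still let any logged-in customer read another customer's token, so the callback must tie the user-controlled key back to the current user. Second, WordPress only treats a cookie-authenticated REST request as logged in when it carries a valid REST nonce (the `X-WP-Nonce` header from `wp_create_nonce( 'wp_rest' )`); without it `is_user_logged_in()` is false inside the callback, so the storefront's own JavaScript must send that header or legitimate requests will be denied along with the unauthenticated ones.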
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, Netherlands, India, Brazil, Japan
Technical Details
Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-07T20:09:44.746Z
Cvss Version: 3.1
State: PUBLISHED
Threat ID: 6914483ad823118ac8c87d36
Added to database: 11/12/2025, 8:41:30 AM
Last enriched: 2/27/2026, 9:20:06 PM
Last updated: 3/26/2026, 10:28:27 AM