Payment Plugins Braintree For WooCommerce < 3.2.79 – Missing Authorization to Payment Token Exposure and Transaction Fraud | CVE 2025-12903 | Plugin Vulnerabilities

Description

The Payment Plugins Braintree For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint in all versions up to, and including, 3.2.78. This is due to the endpoint being registered with permission_callback set to __return_true and processing user-supplied token IDs without verifying ownership or authentication. This makes it possible for unauthenticated attackers to retrieve payment method nonces for any stored payment token in the system, which can be used to create fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions.

Affects Plugins

woo-payment-gateway

Fixed in 3.2.79

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/89cd5429-39a0-441f-ba69-dea111eae5ed

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

M Indra Purnama (type5afe)

Verified

No

WPVDB ID

5a596e46-1de0-48c9-b9a1-a8a928a831cf

Timeline

Publicly Published

2025-11-11 (about 6 months ago)

Added

2025-11-11 (about 6 months ago)

Last Updated

2025-11-12 (about 6 months ago)

Other

Published

Title

Published

2021-10-11

Title

Squaretype Modern Blog < 3.0.4 - Unauthenticated Private/Schedule Posts Disclosure

Published

2025-01-09

Title

One to one user Chat by WPGuppy < 1.1.1 - Authorization Bypass

Published

2024-10-30

Title

Forminator Forms < 1.36.1 - Unauthenticated Arbitrary Quiz Submissions Update

Published

2025-05-08

Title

WPBookit < 1.0.3 - Insecure Direct Object Reference to Unauthenticated Privilege Escalation via Account Takeover

Published

2026-01-01

Title

Cocco <= 1.5.1 - Authenticated (Subscriber+) Authenticated Insecure Direct Object Reference