CVE-2025-12903 Overview
CVE-2025-12903 is an authorization bypass vulnerability in the Payment Plugins Braintree For WooCommerce plugin for WordPress. The flaw exists in the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint across all versions up to and including 3.2.78. The endpoint registers its permission_callback as __return_true, removing authentication and capability checks. Unauthenticated attackers can submit arbitrary token IDs and retrieve payment method nonces tied to any stored payment token. These nonces enable fraudulent charges against customer credit cards, attachment of payment methods to other subscriptions, and unauthorized transactions through the merchant's Braintree integration.
Critical Impact
Unauthenticated attackers can retrieve payment method nonces for any stored token, enabling fraudulent transactions against customer cards.
Affected Products
- Payment Plugins Braintree For WooCommerce — all versions through 3.2.78
- WordPress sites running WooCommerce with this plugin enabled
- Merchants using Braintree 3D Secure (3DS) vaulted payment flows
Discovery Timeline
- 2025-11-12 - CVE-2025-12903 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-12903
Vulnerability Analysis
The vulnerability is an Authorization Bypass classified under [CWE-639] (Authorization Bypass Through User-Controlled Key). The plugin exposes a REST API route under the wc-braintree/v1/3ds/vaulted_nonce namespace to support 3D Secure flows for previously vaulted payment methods. The controller registers the route without any authentication or capability gating. The handler accepts a user-supplied payment token ID and returns the associated payment method nonce without verifying that the requester owns the token or is authenticated. An attacker can iterate token IDs and harvest nonces tied to any stored card in the merchant's vault. Because the disclosed nonces are valid for downstream Braintree operations, an attacker can chain them into charge requests, subscription modifications, or other vaulted-payment workflows. The disclosure document supplied with the CVE references the controller at class-wc-braintree-controller-3ds.php lines 23, 35, and 41, where route registration and token handling occur.
Root Cause
The root cause is the use of permission_callback => __return_true during register_rest_route for a sensitive payment endpoint. The WordPress REST API treats __return_true as an explicit allow-all, bypassing nonce, cookie, and application password checks. The handler compounds the issue by trusting the supplied token ID and skipping ownership validation against the current user or session.
Attack Vector
An attacker sends an unauthenticated HTTP request to /wp-json/wc-braintree/v1/3ds/vaulted_nonce with a target token identifier. The server returns a usable payment method nonce. The attacker then submits the nonce to checkout, subscription, or order-pay flows to authorize transactions against the victim's stored card.
No verified public proof-of-concept code is available. Refer to the Wordfence Vulnerability Advisory and the WooCommerce Braintree Controller Code for the affected route registration.
Detection Methods for CVE-2025-12903
Indicators of Compromise
- Unauthenticated POST or GET requests to /wp-json/wc-braintree/v1/3ds/vaulted_nonce from external IP addresses
- Sequential or enumerated token ID values in REST API request payloads targeting the Braintree endpoint
- WooCommerce orders or subscription updates created shortly after a burst of vaulted_nonce requests
- Braintree transaction logs showing charges using nonces issued without a matching authenticated session
Detection Strategies
- Inspect web server and WordPress access logs for any requests to the wc-braintree/v1/3ds/vaulted_nonce path and alert on requests lacking authenticated user context
- Correlate REST API access spikes with WooCommerce order and subscription activity to identify nonce-replay patterns
- Enable Wordfence or equivalent WordPress security plugin signatures covering CVE-2025-12903
Monitoring Recommendations
- Forward WordPress, WooCommerce, and reverse-proxy logs to a centralized SIEM or data lake for cross-source correlation
- Alert on chargeback rate increases and Braintree gateway transaction anomalies tied to vaulted payment methods
- Track plugin version inventory across WordPress estates to flag any installations still running 3.2.78 or earlier
How to Mitigate CVE-2025-12903
Immediate Actions Required
- Update the Payment Plugins Braintree For WooCommerce plugin to a version newer than 3.2.78 once available from the vendor
- Audit Braintree transaction history for unauthorized charges, refunds, and subscription payment-method changes since plugin deployment
- Rotate or invalidate stored payment method tokens for accounts showing suspicious nonce activity
Patch Information
A fix was committed in the plugin repository, referenced in the WooCommerce Payment Gateway Changeset 3392259. Administrators should install the patched release through the WordPress plugin manager and confirm the new version is active across all sites.
Workarounds
- Temporarily disable the Payment Plugins Braintree For WooCommerce plugin until the patched version is installed
- Block external access to /wp-json/wc-braintree/v1/3ds/vaulted_nonce at the WAF or reverse proxy until the fix is deployed
- Restrict REST API access to authenticated sessions where business workflows allow, using a WAF rule that denies unauthenticated requests to the affected route
# Example NGINX rule to block external access to the vulnerable endpoint
location ~ ^/wp-json/wc-braintree/v1/3ds/vaulted_nonce {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
