CVE-2025-12903: 
WordPress vulnerability analysis and mitigation

CVE-2025-12903 affects the Payment Plugins Braintree For WooCommerce plugin for WordPress in versions up to and including 3.2.78. The vulnerability was disclosed on November 12, 2025, and is classified as an authorization bypass vulnerability in the plugin's REST API endpoint. This security issue stems from a missing capability check on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint (NVD).

The vulnerability exists due to the endpoint being registered with permission_callback set to __return_true and processing user-supplied token IDs without verifying ownership or authentication. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD).

This vulnerability allows unauthenticated attackers to retrieve payment method nonces for any stored payment token in the system. These nonces can be exploited to create fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions (NVD).

The vulnerability has been patched in version 3.2.79, released on November 8, 2025. The update includes verification of token ID during requests and authentication verification when 3DS for vaulted cards is enabled (WordPress Plugin).