Payment Plugins Braintree For WooCommerce Authorization Bypass Vulnerability Allowing Payment Token Exposure and Fraudulent Transactions
Vulnerability
A vulnerability exists in the Payment Plugins Braintree For WooCommerce WordPress plugin in versions up to and including 3.2.78. The issue is an authorization bypass on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint, which is registered with a permission callback that allows unauthenticated access. The endpoint processes user-supplied token IDs without verifying authentication or ownership of the token, so unauthenticated attackers can obtain payment method nonces for any stored payment token. These nonces can be used to create fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions.
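As an added illustration (not the plugin's own code), the following shows the registration pattern the advisory describes, a permission callback that admits every caller, next to a hardened callback that requires a logged-in user and checks that the stored token belongs to that user. The route path comes from the advisory; the handler name, the `token_id` request parameter and the `hypothetical_` functions are assumptions.

```php
<?php
// Illustrative example, not the plugin's code. Route path is from the advisory;
// handler and parameter names are hypothetical.

// Vulnerable pattern (as the advisory describes it): a permission callback
// that accepts any caller, e.g.
//     'permission_callback' => '__return_true',
// makes the route reachable without authentication, so a handler that trusts
// the client-supplied token id hands out nonces for any stored token.

// Hardened permission callback: authenticate, then verify token ownership
// before the handler is allowed to run at all.
function hypothetical_vaulted_nonce_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_forbidden',
            'Authentication required.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    // 'token_id' is an assumed parameter name; absint() rejects non-numeric input.
    $token_id = absint( $request->get_param( 'token_id' ) );
    $token    = $token_id ? WC_Payment_Tokens::get( $token_id ) : null;

    // Ownership check: the token must exist and be owned by the current user.
    if ( ! $token || (int) $token->get_user_id() !== get_current_user_id() ) {
        return new WP_Error(
            'rest_forbidden',
            'You do not own this payment token.',
            array( 'status' => 403 )
        );
    }

    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'wc-braintree/v1', '/3ds/vaulted_nonce', array(
        'methods'             => 'POST',
        'callback'            => 'hypothetical_vaulted_nonce_handler', // hypothetical
        'permission_callback' => 'hypothetical_vaulted_nonce_permission',
    ) );
} );
```

Because the ownership check sits in the permission callback, an unauthenticated or mismatched request is rejected with a 401/403 before any nonce is generated, and the REST API records the denial in the response rather than silently returning data.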
Impact
Exploitation of this vulnerability allows for unauthorized access to payment tokens, which can be used to conduct fraudulent transactions or manipulate subscription payments.
Reproduction
To reproduce this vulnerability, send a POST request to the wc-braintree/v1/3ds/vaulted_nonce endpoint without authentication. Include a token ID of a stored payment token in the request. The absence of a capability check will allow the request to be processed, and the payment method nonce for the specified token will be returned.
Remediation
Users are advised to update the Payment Plugins Braintree For WooCommerce plugin to version 3.2.79 or later.
