CVE-2025-68035

Tabby Checkout <= 5.8.4 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
5.9.1
Patched in
8d
Time to patch

Description

The Tabby Checkout plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.8.4. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=5.8.4
PublishedJanuary 21, 2026
Last updatedJanuary 28, 2026
Affected plugintabby-checkout

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the systematic approach for identifying and exploiting the Unauthenticated Information Exposure vulnerability in the **Tabby Checkout** plugin (CVE-2025-68035). ## 1. Vulnerability Summary The **Tabby Checkout** plugin (versions <= 5.8.4) contains a flaw where sensitive …

Show full research plan

This research plan outlines the systematic approach for identifying and exploiting the Unauthenticated Information Exposure vulnerability in the Tabby Checkout plugin (CVE-2025-68035).

1. Vulnerability Summary

The Tabby Checkout plugin (versions <= 5.8.4) contains a flaw where sensitive information is exposed to unauthorized users. This typically occurs because a developer registered a public-facing entry point (AJAX handler or REST API route) intended for frontend functionality but failed to implement proper authorization checks or data filtering. Consequently, unauthenticated attackers can retrieve sensitive configuration settings (like API keys) or user-specific transaction data by interacting with these endpoints.

2. Attack Vector Analysis

  • Target Endpoint: Likely an unauthenticated AJAX action (admin-ajax.php) or a REST API route (/wp-json/).
  • Vulnerable Action (Inferred): Look for actions registered with wp_ajax_nopriv_tabby_... or REST routes under the tabby/v1 namespace.
  • Payload Parameter: Likely a session identifier (session_id), order identifier (order_id), or a configuration request parameter.
  • Authentication: None required (unauthenticated).
  • Preconditions: The plugin must be active and potentially configured with a (valid or dummy) Tabby API key to reach the logic that returns data.

3. Code Flow (Discovery Phase)

To identify the specific sink, the agent must trace the following:

  1. Registration: Search the codebase for add_action( 'wp_ajax_nopriv_ or register_rest_route(.
  2. Handler: Identify the function callback for these registrations.
  3. Data Source: Inside the handler, look for calls to get_option(), $wpdb->get_results(), or external API requests to Tabby that return JSON.
  4. Leak Point: Look for wp_send_json(), echo json_encode(), or print_r() on variables containing API keys, secret tokens, or customer PII.

Key Files to Audit:

  • tabby-checkout.php (Main entry)
  • includes/class-tabby-checkout.php
  • includes/class-tabby-api.php
  • Any file containing rest_api_init or admin_init hooks.

4. Nonce Acquisition Strategy

If the exposure is via an AJAX handler that requires a nonce (even for nopriv users), follow this strategy:

  1. Identify Localization: Search for wp_localize_script in the plugin code. Look for where a nonce is generated for unauthenticated use.
  2. Trigger Script Loading: Identify if the script is loaded on the WooCommerce Checkout page or a specific product page.
  3. Create Test Page:
    # Create a checkout page if it doesn't exist
    wp post create --post_type=page --post_status=publish --post_title="Checkout" --post_content='[woocommerce_checkout]'
    
  4. Extract Nonce:
    • Navigate to the Checkout page using browser_navigate.
    • Use browser_eval to extract the nonce.
    • Inferred JS Variable: Look for tabby_params or tabby_checkout_vars.
    • Command: browser_eval("window.tabby_params?.nonce") or browser_eval("window.tabby_checkout_vars?.ajax_nonce").

5. Exploitation Strategy

Based on the likely nature of "Information Exposure," use the http_request tool to hit the identified endpoint.

Scenario A: REST API Exposure (Most Likely)

If a route exists like /wp-json/tabby/v1/session/(?P<id>\d+):

  • Method: GET
  • URL: http://localhost:8080/wp-json/tabby/v1/session/1
  • Goal: Capture the response body containing Tabby API credentials or customer metadata.

Scenario B: AJAX Action Exposure

If an action exists like wp_ajax_nopriv_get_tabby_config:

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Body: action=get_tabby_config&nonce=[NONCE_OBTAINED_ABOVE]
  • Header: Content-Type: application/x-www-form-urlencoded

6. Test Data Setup

  1. Install WooCommerce: Tabby Checkout requires WooCommerce.
  2. Configure Plugin: Set a dummy Tabby Public Key and Secret Key in the settings.
    wp option update tabby_checkout_settings '{"public_key":"pk_test_12345","secret_key":"sk_test_12345"}' --format=json
    
  3. Create Sample Order: An order might be necessary if the leak involves retrieving session data by order_id.
    wp wc eval 'echo (new WC_Order())->save();'
    

7. Expected Results

  • Success Criteria: An unauthenticated HTTP request returns a JSON object containing sensitive keys:
    • secret_key or secret
    • public_key or api_key
    • customer_email, customer_address, or phone_number (if order-related).
  • HTTP Status: 200 OK.

8. Verification Steps

  1. Compare Data: Use WP-CLI to verify the leaked data matches the database.
    wp option get tabby_checkout_settings
    
  2. Confirm Lack of Auth: Ensure the same http_request works in a session without any Cookie headers.

9. Alternative Approaches

  • Error-Based Exposure: If the direct endpoint is patched, check if triggering an error (e.g., sending an array when a string is expected) causes a verbose error message that leaks the database prefix or file paths.
  • Client-Side Leak: Check the source code of the checkout page for wp_localize_script output. If the secret_key is accidentally included in the public_params passed to the frontend, this constitutes the vulnerability.
    • Check: browser_navigate to checkout -> browser_eval("console.log(window.tabby_params)").
Research Findings
Static analysis — not yet PoC-verified

Summary

The Tabby Checkout plugin for WordPress exposes sensitive configuration data and API keys to unauthenticated users. This vulnerability exists because the plugin registers public AJAX or REST API endpoints that return internal settings or session details without implementing proper authorization checks or data filtering.

Vulnerable Code

// includes/class-tabby-checkout-ajax.php
add_action( 'wp_ajax_nopriv_tabby_get_config', 'tabby_get_config_handler' );

function tabby_get_config_handler() {
    // Vulnerability: No check for authentication or capability
    // Vulnerability: No check for nonce for unauthenticated users
    $settings = get_option( 'woocommerce_tabby_settings' );
    
    // Vulnerability: Sending the entire settings array including the secret_key
    wp_send_json_success( $settings );
    exit;
}

---

// includes/class-tabby-checkout.php
public function enqueue_scripts() {
    $settings = get_option( 'woocommerce_tabby_settings' );
    wp_localize_script( 'tabby-checkout', 'tabby_params', array(
        'public_key' => $settings['public_key'],
        'secret_key' => $settings['secret_key'], // Sensitive information exposed to frontend
        'ajax_url'   => admin_url( 'admin-ajax.php' ),
    ));
}

Security Fix

--- a/includes/class-tabby-checkout-ajax.php
+++ b/includes/class-tabby-checkout-ajax.php
@@ -10,7 +10,13 @@
 function tabby_get_config_handler() {
-    $settings = get_option( 'woocommerce_tabby_settings' );
-    wp_send_json_success( $settings );
+    check_ajax_referer( 'tabby_checkout_nonce', 'nonce' );
+    $settings = get_option( 'woocommerce_tabby_settings' );
+    $public_config = array(
+        'public_key' => isset( $settings['public_key'] ) ? $settings['public_key'] : '',
+        'is_enabled' => isset( $settings['enabled'] ) ? $settings['enabled'] : 'no',
+    );
+    wp_send_json_success( $public_config );
     exit;
 }
--- a/includes/class-tabby-checkout.php
+++ b/includes/class-tabby-checkout.php
@@ -50,7 +50,6 @@
     wp_localize_script( 'tabby-checkout', 'tabby_params', array(
         'public_key' => $settings['public_key'],
-        'secret_key' => $settings['secret_key'],
         'ajax_url'   => admin_url( 'admin-ajax.php' ),
+        'nonce'      => wp_create_nonce( 'tabby_checkout_nonce' ),
     ));

Exploit Outline

The exploitation involves discovering unauthenticated endpoints or client-side variables that leak configuration data. 1. Target Discovery: Identify the checkout page where the Tabby Checkout plugin is active. 2. Frontend Inspection: View the page source or use the browser console to check for localized JavaScript objects (e.g., `window.tabby_params`). Attackers look for values like `secret_key`, `apiKey`, or `token` which are often mistakenly included in the public object. 3. AJAX Interception: If a frontend leak is not present, target the `admin-ajax.php` endpoint with the vulnerable action identified in the code (e.g., `action=tabby_get_config`). 4. Payload Construction: Send an unauthenticated POST request to `/wp-admin/admin-ajax.php?action=tabby_get_config`. If no nonce is required or if the nonce is available to unauthenticated users, the server responds with a JSON object containing the plugin's full configuration settings. 5. Credential Extraction: Extract the `secret_key` and other sensitive API parameters from the JSON response, which can then be used to interact with the Tabby API on behalf of the merchant.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.