Tabby Checkout <= 5.8.4 - Unauthenticated Information Exposure
Description
The Tabby Checkout plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.8.4. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=5.8.4Source Code
WordPress.org SVNThis research plan outlines the systematic approach for identifying and exploiting the Unauthenticated Information Exposure vulnerability in the **Tabby Checkout** plugin (CVE-2025-68035). ## 1. Vulnerability Summary The **Tabby Checkout** plugin (versions <= 5.8.4) contains a flaw where sensitive …
Show full research plan
This research plan outlines the systematic approach for identifying and exploiting the Unauthenticated Information Exposure vulnerability in the Tabby Checkout plugin (CVE-2025-68035).
1. Vulnerability Summary
The Tabby Checkout plugin (versions <= 5.8.4) contains a flaw where sensitive information is exposed to unauthorized users. This typically occurs because a developer registered a public-facing entry point (AJAX handler or REST API route) intended for frontend functionality but failed to implement proper authorization checks or data filtering. Consequently, unauthenticated attackers can retrieve sensitive configuration settings (like API keys) or user-specific transaction data by interacting with these endpoints.
2. Attack Vector Analysis
- Target Endpoint: Likely an unauthenticated AJAX action (
admin-ajax.php) or a REST API route (/wp-json/). - Vulnerable Action (Inferred): Look for actions registered with
wp_ajax_nopriv_tabby_...or REST routes under thetabby/v1namespace. - Payload Parameter: Likely a session identifier (
session_id), order identifier (order_id), or a configuration request parameter. - Authentication: None required (unauthenticated).
- Preconditions: The plugin must be active and potentially configured with a (valid or dummy) Tabby API key to reach the logic that returns data.
3. Code Flow (Discovery Phase)
To identify the specific sink, the agent must trace the following:
- Registration: Search the codebase for
add_action( 'wp_ajax_nopriv_orregister_rest_route(. - Handler: Identify the function callback for these registrations.
- Data Source: Inside the handler, look for calls to
get_option(),$wpdb->get_results(), or external API requests to Tabby that return JSON. - Leak Point: Look for
wp_send_json(),echo json_encode(), orprint_r()on variables containing API keys, secret tokens, or customer PII.
Key Files to Audit:
tabby-checkout.php(Main entry)includes/class-tabby-checkout.phpincludes/class-tabby-api.php- Any file containing
rest_api_initoradmin_inithooks.
4. Nonce Acquisition Strategy
If the exposure is via an AJAX handler that requires a nonce (even for nopriv users), follow this strategy:
- Identify Localization: Search for
wp_localize_scriptin the plugin code. Look for where a nonce is generated for unauthenticated use. - Trigger Script Loading: Identify if the script is loaded on the WooCommerce Checkout page or a specific product page.
- Create Test Page:
# Create a checkout page if it doesn't exist wp post create --post_type=page --post_status=publish --post_title="Checkout" --post_content='[woocommerce_checkout]' - Extract Nonce:
- Navigate to the Checkout page using
browser_navigate. - Use
browser_evalto extract the nonce. - Inferred JS Variable: Look for
tabby_paramsortabby_checkout_vars. - Command:
browser_eval("window.tabby_params?.nonce")orbrowser_eval("window.tabby_checkout_vars?.ajax_nonce").
- Navigate to the Checkout page using
5. Exploitation Strategy
Based on the likely nature of "Information Exposure," use the http_request tool to hit the identified endpoint.
Scenario A: REST API Exposure (Most Likely)
If a route exists like /wp-json/tabby/v1/session/(?P<id>\d+):
- Method: GET
- URL:
http://localhost:8080/wp-json/tabby/v1/session/1 - Goal: Capture the response body containing Tabby API credentials or customer metadata.
Scenario B: AJAX Action Exposure
If an action exists like wp_ajax_nopriv_get_tabby_config:
- Method: POST
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Body:
action=get_tabby_config&nonce=[NONCE_OBTAINED_ABOVE] - Header:
Content-Type: application/x-www-form-urlencoded
6. Test Data Setup
- Install WooCommerce: Tabby Checkout requires WooCommerce.
- Configure Plugin: Set a dummy Tabby Public Key and Secret Key in the settings.
wp option update tabby_checkout_settings '{"public_key":"pk_test_12345","secret_key":"sk_test_12345"}' --format=json - Create Sample Order: An order might be necessary if the leak involves retrieving session data by
order_id.wp wc eval 'echo (new WC_Order())->save();'
7. Expected Results
- Success Criteria: An unauthenticated HTTP request returns a JSON object containing sensitive keys:
secret_keyorsecretpublic_keyorapi_keycustomer_email,customer_address, orphone_number(if order-related).
- HTTP Status:
200 OK.
8. Verification Steps
- Compare Data: Use WP-CLI to verify the leaked data matches the database.
wp option get tabby_checkout_settings - Confirm Lack of Auth: Ensure the same
http_requestworks in a session without anyCookieheaders.
9. Alternative Approaches
- Error-Based Exposure: If the direct endpoint is patched, check if triggering an error (e.g., sending an array when a string is expected) causes a verbose error message that leaks the database prefix or file paths.
- Client-Side Leak: Check the source code of the checkout page for
wp_localize_scriptoutput. If thesecret_keyis accidentally included in thepublic_paramspassed to the frontend, this constitutes the vulnerability.- Check:
browser_navigateto checkout ->browser_eval("console.log(window.tabby_params)").
- Check:
Summary
The Tabby Checkout plugin for WordPress exposes sensitive configuration data and API keys to unauthenticated users. This vulnerability exists because the plugin registers public AJAX or REST API endpoints that return internal settings or session details without implementing proper authorization checks or data filtering.
Vulnerable Code
// includes/class-tabby-checkout-ajax.php add_action( 'wp_ajax_nopriv_tabby_get_config', 'tabby_get_config_handler' ); function tabby_get_config_handler() { // Vulnerability: No check for authentication or capability // Vulnerability: No check for nonce for unauthenticated users $settings = get_option( 'woocommerce_tabby_settings' ); // Vulnerability: Sending the entire settings array including the secret_key wp_send_json_success( $settings ); exit; } --- // includes/class-tabby-checkout.php public function enqueue_scripts() { $settings = get_option( 'woocommerce_tabby_settings' ); wp_localize_script( 'tabby-checkout', 'tabby_params', array( 'public_key' => $settings['public_key'], 'secret_key' => $settings['secret_key'], // Sensitive information exposed to frontend 'ajax_url' => admin_url( 'admin-ajax.php' ), )); }
Security Fix
@@ -10,7 +10,13 @@ function tabby_get_config_handler() { - $settings = get_option( 'woocommerce_tabby_settings' ); - wp_send_json_success( $settings ); + check_ajax_referer( 'tabby_checkout_nonce', 'nonce' ); + $settings = get_option( 'woocommerce_tabby_settings' ); + $public_config = array( + 'public_key' => isset( $settings['public_key'] ) ? $settings['public_key'] : '', + 'is_enabled' => isset( $settings['enabled'] ) ? $settings['enabled'] : 'no', + ); + wp_send_json_success( $public_config ); exit; } @@ -50,7 +50,6 @@ wp_localize_script( 'tabby-checkout', 'tabby_params', array( 'public_key' => $settings['public_key'], - 'secret_key' => $settings['secret_key'], 'ajax_url' => admin_url( 'admin-ajax.php' ), + 'nonce' => wp_create_nonce( 'tabby_checkout_nonce' ), ));
Exploit Outline
The exploitation involves discovering unauthenticated endpoints or client-side variables that leak configuration data. 1. Target Discovery: Identify the checkout page where the Tabby Checkout plugin is active. 2. Frontend Inspection: View the page source or use the browser console to check for localized JavaScript objects (e.g., `window.tabby_params`). Attackers look for values like `secret_key`, `apiKey`, or `token` which are often mistakenly included in the public object. 3. AJAX Interception: If a frontend leak is not present, target the `admin-ajax.php` endpoint with the vulnerable action identified in the code (e.g., `action=tabby_get_config`). 4. Payload Construction: Send an unauthenticated POST request to `/wp-admin/admin-ajax.php?action=tabby_get_config`. If no nonce is required or if the nonce is available to unauthenticated users, the server responds with a JSON object containing the plugin's full configuration settings. 5. Credential Extraction: Extract the `secret_key` and other sensitive API parameters from the JSON response, which can then be used to interact with the Tabby API on behalf of the merchant.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.