Anonymous Intelligence Signal

WBcom Credits SDK Checkout Bypass Allows Arbitrary Credit Purchases at Manipulated Prices

human The Vault unverified 2026-05-11 12:10:36 Source: GitHub Issues

A critical pricing-manipulation vulnerability has been identified in the WBcom Credits SDK, exposing any consuming application to direct financial loss. The checkout endpoint at `POST /wp-json/wbcom-credits/v1/{slug}/checkout/{gateway}` accepts both `credits` and `price_cents` parameters directly from the client without server-side validation against a known exchange rate. An authenticated user can submit a request setting `credits=10000` and `price_cents=1`, proceed to the payment provider with a 1-cent charge, and receive 10,000 credits upon webhook confirmation.

The flaw is confirmed exploitable against WB Ad Manager Pro 1.6.0 running SDK version 1.2.0, where the attack surface is immediately accessible through the bundled wallet UI. A threat actor needs only a standard advertiser account and browser devtools to extract the `data-checkout-url` and `data-nonce` values from `.wbam-direct-` elements. The vulnerability requires no custom tooling or authentication bypass—only the manipulation of a client-supplied parameter that the system trusts without verification.

Maintainers have flagged the repository as public and recommended converting the disclosure to a private security advisory while the patch is developed. The exposed payment flow means any consuming plugin integrating this SDK faces risk of uncontrolled credit generation at trivial cost. Organizations running WBcom-based credit systems should treat this as an active exploitation risk pending a validated server-side fix that enforces rate consistency independently of client inputs.
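To make the server-side control the last paragraph calls for concrete, here is an added example (not the SDK's or any WBcom code): the vulnerable pattern of trusting both client values beside a hardened checkout that derives the price from a server-held bundle table, plus a webhook step that grants credits only when the gateway charged exactly the order's server-computed price. The bundle table, the order store and the gateway event fields (`order_id`, `amount_cents`) are constructed assumptions.

```python
# Constructed server-side bundle table: credits -> price in cents. This table,
# and every value below, is an assumption for the example, not the SDK's data.
CREDIT_BUNDLES = {100: 500, 1_000: 4_500, 10_000: 40_000}

class CheckoutError(ValueError):
    """Raised when a checkout or webhook request fails server-side validation."""

def vulnerable_checkout(params: dict) -> dict:
    """Mirrors the reported flaw: both values come straight from the client,
    so credits=10000 with price_cents=1 becomes a 1-cent order for 10,000 credits."""
    return {"credits": int(params["credits"]), "price_cents": int(params["price_cents"])}

def hardened_checkout(params: dict) -> dict:
    """The server derives the price from the requested bundle; the client cannot set it."""
    try:
        credits = int(params["credits"])
    except (KeyError, TypeError, ValueError):
        raise CheckoutError("credits must be an integer")
    if credits not in CREDIT_BUNDLES:
        raise CheckoutError(f"unknown credit bundle: {credits}")
    price_cents = CREDIT_BUNDLES[credits]
    # A client that still sends price_cents may only confirm the server's figure.
    if "price_cents" in params:
        try:
            claimed = int(params["price_cents"])
        except (TypeError, ValueError):
            raise CheckoutError("price_cents must be an integer")
        if claimed != price_cents:
            raise CheckoutError("client-supplied price does not match server price")
    return {"credits": credits, "price_cents": price_cents}

def is_rejected(params: dict) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        hardened_checkout(params)
    except CheckoutError:
        return True
    return False

def settle_webhook(orders: dict, event: dict) -> int:
    """Credit only an order the server created, and only if the gateway
    (constructed event: order_id, amount_cents) charged exactly its price."""
    order = orders.get(event.get("order_id"))
    if order is None:
        raise CheckoutError("webhook references an unknown order")
    if int(event.get("amount_cents", -1)) != order["price_cents"]:
        raise CheckoutError("charged amount differs from order price")
    return order["credits"]
```

The webhook check matters even with a hardened checkout, because the amount the gateway reports, not the amount the client claimed, is the only figure that proves payment.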