CVE-2025-64379

4.3 MEDIUM

📋 TL;DR

This CVE describes a missing authorization vulnerability (broken access control) in the Pluggabl Booster for WooCommerce plugin: certain plugin functions do not check whether the requesting user is allowed to use them. It affects WooCommerce sites running the Booster plugin and can let users with insufficient privileges reach functionality that should be restricted. All sites running affected versions of the plugin are at risk.

💻 Affected Systems

Products:
  • Pluggabl Booster for WooCommerce (woocommerce-jetpack)
Versions: All versions through 7.4.0
Operating Systems: Any OS running WordPress with WooCommerce
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with WooCommerce installed. The plugin must be active and a vulnerable version must be installed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could modify WooCommerce settings, access sensitive order data, or manipulate plugin functionality to disrupt e-commerce operations.

🟠

Likely Case

Unauthorized users could view or modify plugin settings, potentially affecting store configuration or accessing limited administrative functions.

🟢

If Mitigated

With proper access controls and network segmentation, impact would be limited to the plugin's scope without compromising the entire WordPress/WooCommerce installation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some level of access to the WordPress site, but specific authorization checks are missing for certain plugin functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.4.1 or later

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/woocommerce-jetpack/vulnerability/wordpress-booster-for-woocommerce-plugin-7-4-0-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find 'Booster for WooCommerce'
4. Click 'Update Now' if available
5. Alternatively, download version 7.4.1+ from WordPress.org and manually update

🔧 Temporary Workarounds

Temporary Plugin Deactivation

Platform: all

Disable the vulnerable plugin until patched

wp plugin deactivate woocommerce-jetpack

Access Restriction via .htaccess

Platform: linux

Restrict direct HTTP access to the plugin directory. Note that this only blocks direct requests for files under the plugin path (and will also block the plugin's own CSS/JS assets); plugin code reached through wp-admin/admin.php still executes, so this does not remove the missing authorization check itself.

# Add to .htaccess in wp-content/plugins/woocommerce-jetpack/ (Apache 2.2 syntax)
Order Deny,Allow
Deny from all
# Apache 2.4 equivalent of the two lines above:
# Require all denied

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can access the WordPress admin interface
  • Enable WordPress security plugins that monitor for unauthorized access attempts and implement additional authorization layers

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for 'Booster for WooCommerce' version 7.4.0 or earlier

Check Version:

wp plugin get woocommerce-jetpack --field=version

Verify Fix Applied:

Verify plugin version shows 7.4.1 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to plugin-specific admin pages
  • Unusual plugin setting changes from non-admin users

Network Indicators:

  • HTTP requests to /wp-admin/admin.php?page=wcj-* endpoints from unauthorized IPs

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-admin/admin.php" AND query="page=wcj-*") AND user_role!="administrator"
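The SIEM query above expressed as standalone detection logic, as an added example that is not part of this advisory. It assumes an activity-log export in JSON Lines form with the fields `user`, `user_role`, `uri_path` and `query` (field names are assumed; real WordPress audit plugins name them differently), and the sample lines are constructed.

```python
import json
from urllib.parse import parse_qs

# Constructed sample of a WordPress activity-log export (assumed field names).
SAMPLE_LOG = """\
{"ts":"2025-11-10T09:01:12Z","user":"alice","user_role":"administrator","uri_path":"/wp-admin/admin.php","query":"page=wcj-settings"}
{"ts":"2025-11-10T09:02:40Z","user":"bob","user_role":"subscriber","uri_path":"/wp-admin/admin.php","query":"page=wcj-settings&tab=orders"}
{"ts":"2025-11-10T09:03:05Z","user":"carol","user_role":"shop_manager","uri_path":"/wp-admin/edit.php","query":"post_type=product"}
{"ts":"2025-11-10T09:04:33Z","user":"","user_role":"","uri_path":"/wp-admin/admin.php","query":"page=wcj-tools"}
{"ts":"2025-11-10T09:05:00Z","user":"dave","user_role":"subscriber","uri_path":"/wp-admin/admin.php","query":"page=wc-settings&tab=jetpack"}
"""


def is_booster_admin_request(entry):
    """True when the entry targets a Booster admin page (admin.php?page=wcj-*)."""
    path = entry.get("uri_path", "")
    # parse_qs handles extra parameters and ordering, unlike a raw prefix match on the query.
    page = parse_qs(entry.get("query", "")).get("page", [""])[0]
    return path == "/wp-admin/admin.php" and page.startswith("wcj-")


def find_unauthorized_booster_access(log_text, allowed_roles=("administrator",)):
    """Return Booster admin-page requests made by users outside allowed_roles.

    Missing or empty roles are reported as 'unauthenticated' rather than skipped,
    since an unauthenticated hit on an admin page is the case most worth seeing.
    """
    hits = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        if not is_booster_admin_request(entry):
            continue
        role = entry.get("user_role") or "unauthenticated"
        if role not in allowed_roles:
            hits.append({"line": lineno, "user": entry.get("user") or "<anonymous>",
                         "role": role, "query": entry.get("query", "")})
    return hits


if __name__ == "__main__":
    for hit in find_unauthorized_booster_access(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['user']} ({hit['role']}) -> {hit['query']}")
```

Pass `allowed_roles=("administrator", "shop_manager")` if shop managers are legitimately expected to reach Booster settings on your site.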
