CVE-2025-64379 MEDIUM

CVE-2025-64379: WordPress Booster for WooCommerce plugin <= 7.4.0 - Broken Access Control vulnerability

Vendor: Pluggabl
Product: Booster for WooCommerce
Weakness: CWE-862 · Missing authorization
Published: November 13, 2025
Last update: April 28, 2026

CVSS base score: 4.3/10

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Missing Authorization vulnerability in Pluggabl Booster for WooCommerce (woocommerce-jetpack) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booster for WooCommerce: from n/a through <= 7.4.0.

Explanation of Vulnerability in Simple Terms

02 Summary

Booster for WooCommerce versions up to 7.4.0 lack proper authorization checks, allowing authenticated users with low privileges to access sensitive information they should not see. An attacker with a basic user account can read data that is restricted to higher-privilege roles. The vulnerability requires an active user account but no additional user interaction.

What an attacker can do

03 Attacker Capabilities

Read sensitive data restricted to higher-privilege user roles.

Potential impact on your site

04 Site Impact

Customer or subscriber accounts can view restricted shop or admin data not intended for their role.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege authenticated account on the WooCommerce site.

Key dates

06 Disclosure timeline

November 13, 2025: CVE published
April 28, 2026: Record updated