WordPress Plugin Vulnerabilities

Booster for WooCommerce < 7.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 7.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
woocommerce-jetpack
Fixed in 7.4.0

References

CVE
CVE-2025-64380
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2bd989c7-b7dc-4243-83ae-23621d100052

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Muhammad Yudha - DJ
Verified
No
WPVDB ID
3afea29c-2b4d-4637-bd1c-65c757d8c259

Timeline

Publicly Published
2025-10-18 (about 8 months ago)
Added
2025-11-17 (about 7 months ago)
Last Updated
2025-11-17 (about 7 months ago)

Other

Published
Title
Published
2022-07-18
Title
Name Directory < 1.25.5 - Stored Cross-Site Scripting via CSRF
Published
2025-03-28
Title
MicroPayments < 2.9.30 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-09-02
Title
Vayu Blocks < 1.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Block Attributes
Published
2025-04-09
Title
WooCommerce Sales MIS Report <= 4.0.3 - Reflected Cross-Site Scripting
Published
2023-03-22
Title
WooCommerce JazzCash Gateway <= 2.0 - Reflected Cross-Site Scripting