CVE-2025-64196 Overview
CVE-2025-64196 is a reflected Cross-Site Scripting (XSS) vulnerability in the Booster for WooCommerce plugin (woocommerce-jetpack) developed by Pluggabl. The flaw stems from improper neutralization of user-supplied input during web page generation [CWE-79]. It affects all versions of Booster for WooCommerce up to and including 7.2.5. An attacker can craft a malicious link that, when clicked by an authenticated administrator or shop manager, executes arbitrary JavaScript in the victim's browser session.
Critical Impact
Successful exploitation enables session hijacking, administrative account takeover, and unauthorized WooCommerce store modifications through reflected JavaScript execution in privileged user contexts.
Affected Products
- Booster for WooCommerce (woocommerce-jetpack) versions up to and including 7.2.5
- WordPress sites running the vulnerable plugin
- WooCommerce stores using Booster plugin extensions
Discovery Timeline
- 2025-11-06 - CVE-2025-64196 published to NVD
- 2026-01-20 - Last updated in NVD database
Technical Details for CVE-2025-64196
Vulnerability Analysis
The vulnerability is a reflected XSS issue [CWE-79] in the Booster for WooCommerce plugin. The plugin fails to properly sanitize or escape user-controlled input before reflecting it back into HTTP responses. An attacker constructs a URL containing a malicious JavaScript payload in a vulnerable parameter. When a victim with an active WordPress session visits the link, the payload executes in the context of the WordPress site origin.
Exploitation requires user interaction, specifically a victim clicking the attacker-crafted link. The CVSS scope is Changed, meaning the injected script can access resources beyond the vulnerable component. This typically results in theft of session cookies, CSRF token exfiltration, or actions performed on behalf of the authenticated administrator.
Root Cause
The root cause is missing output encoding and input validation on parameters processed by the Booster for WooCommerce plugin. The plugin echoes request data into HTML responses without applying WordPress sanitization functions such as esc_html(), esc_attr(), or wp_kses(). Specific vulnerable parameters and code paths are documented in the Patchstack advisory.
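The following is an added illustration, not code from Booster for WooCommerce or Pluggabl, of the generic pattern the root cause describes: a request parameter echoed into an admin screen without escaping, beside the hardened form that applies the WordPress escaping functions named above. The parameter name wcj_filter and both render functions are hypothetical; small fallbacks for the WordPress helpers are included only so the file also runs under the php CLI.

```php
<?php
/**
 * Added illustration; this is not code from Booster for WooCommerce or Pluggabl.
 * It shows the generic shape of a reflected XSS in a WordPress admin screen and
 * the hardened equivalent. The parameter name "wcj_filter" and both render
 * functions are hypothetical. Fallbacks for the WordPress helpers are defined so
 * the file also runs under the php CLI; inside WordPress the real functions are used.
 */

if ( ! function_exists( 'esc_attr' ) ) {
    // Approximations of the WordPress helpers, used only outside WordPress.
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
    function wp_unslash( $value ) {
        return stripslashes( (string) $value );
    }
    function sanitize_text_field( $str ) {
        // Strip tags and control characters, then trim (WordPress also
        // collapses whitespace and removes stray percent-encoded octets).
        return trim( preg_replace( '/[\x00-\x1F\x7F]/', '', strip_tags( (string) $str ) ) );
    }
    function current_user_can( $cap ) {
        return true; // stand-in for the CLI demo only
    }
}

/**
 * VULNERABLE pattern: the request parameter is concatenated into an attribute
 * value and a text node without any escaping, so a crafted link can break out
 * of the attribute and inject markup (reflected XSS, CWE-79).
 */
function wcj_example_render_filter_vulnerable() {
    $filter = isset( $_GET['wcj_filter'] ) ? $_GET['wcj_filter'] : '';
    return '<input type="text" name="wcj_filter" value="' . $filter . '">'
         . '<p>Showing results for: ' . $filter . '</p>';
}

/**
 * HARDENED pattern: capability check, unslash + sanitize on the way in, and
 * context-specific escaping on the way out (esc_attr() inside attribute values,
 * esc_html() inside text nodes). Escaping on output is what neutralizes the
 * payload; sanitizing the input alone is not sufficient.
 */
function wcj_example_render_filter_hardened() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return '';
    }
    $filter = isset( $_GET['wcj_filter'] )
        ? sanitize_text_field( wp_unslash( $_GET['wcj_filter'] ) )
        : '';
    return '<input type="text" name="wcj_filter" value="' . esc_attr( $filter ) . '">'
         . '<p>Showing results for: ' . esc_html( $filter ) . '</p>';
}

if ( PHP_SAPI === 'cli' ) {
    // Constructed probe value of the kind listed under Indicators of Compromise.
    $_GET['wcj_filter'] = '"><img src=x onerror=alert(1)>';
    echo "vulnerable: ", wcj_example_render_filter_vulnerable(), "\n";
    echo "hardened:   ", wcj_example_render_filter_hardened(), "\n";
}
```

Run with php on the command line to see both renderings side by side: the vulnerable function returns the probe markup intact, while the hardened function returns only an escaped, tag-free remainder. Inside a plugin the same rule applies to every output context: esc_attr() for attribute values, esc_html() for text, esc_url() for href and src values.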
Attack Vector
The attack is network-based and requires no authentication on the attacker's side. The attacker delivers a malicious URL through phishing, forum posts, or comments. When an authenticated WordPress administrator or shop manager opens the link, the injected script executes within the WordPress admin origin. The attacker can then read the DOM, exfiltrate session data, or issue authenticated requests through the WordPress REST API.
Detection Methods for CVE-2025-64196
Indicators of Compromise
- HTTP requests to WordPress endpoints containing <script>, javascript:, onerror=, or URL-encoded equivalents in query parameters handled by woocommerce-jetpack
- Unexpected outbound requests from administrator browsers to attacker-controlled domains following clicks on external links
- New or modified administrator accounts and unauthorized plugin installations occurring after admin user sessions
Detection Strategies
- Inspect web server access logs for requests targeting Booster for WooCommerce parameters with HTML or JavaScript metacharacters
- Deploy a Web Application Firewall (WAF) rule that blocks reflected XSS patterns against WordPress admin and WooCommerce endpoints
- Monitor WordPress audit logs for privilege changes, settings modifications, or REST API calls originating from administrator sessions shortly after external referrers
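As an added example that is not part of the advisory, the script below applies the log-inspection strategy above to combined-format access-log lines, flagging requests whose query parameters contain the metacharacters listed under Indicators of Compromise (including URL-encoded and double-encoded forms). The log lines, the IP addresses, and the parameters wcj_filter and page=wcj-example are constructed; the page slug is not a real Booster parameter.

```php
<?php
/**
 * Added example, not from the advisory: a small CLI scanner for combined-format
 * access-log lines. It flags requests whose query parameters, after URL decoding
 * (including double encoding), contain HTML or JavaScript metacharacters.
 * The log lines, IPs and the "wcj_filter"/"page=wcj-example" parameters are
 * constructed for this demonstration.
 */

// Coarse reflected-XSS signature; tune the event-handler list to your traffic.
const XSS_PATTERN = '/<\s*\/?\s*(script|img|svg|iframe|object)\b|javascript\s*:|\bon(error|load|click|mouseover|focus|pointerenter)\s*=/i';

/** Decode a value repeatedly (max 3 rounds) so double-encoded payloads are seen. */
function decode_fully( string $value ): string {
    $value = str_replace( '+', ' ', $value );
    for ( $i = 0; $i < 3; $i++ ) {
        $decoded = rawurldecode( $value );
        if ( $decoded === $value ) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

/** Parse a combined-log-format line into its interesting fields, or null. */
function parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [
        'ip'       => $m[1],
        'time'     => $m[2],
        'method'   => $m[3],
        'uri'      => $m[4],
        'status'   => (int) $m[5],
        'referrer' => $m[6],
    ];
}

/** Return [name => decoded value] for query parameters matching XSS_PATTERN. */
function suspicious_params( string $uri ): array {
    $query = parse_url( $uri, PHP_URL_QUERY );
    if ( ! is_string( $query ) || $query === '' ) {
        return [];
    }
    $hits = [];
    foreach ( explode( '&', $query ) as $pair ) {
        [ $name, $value ] = array_pad( explode( '=', $pair, 2 ), 2, '' );
        $decoded = decode_fully( $value );
        if ( preg_match( XSS_PATTERN, $decoded ) ) {
            $hits[ rawurldecode( $name ) ] = $decoded;
        }
    }
    return $hits;
}

/** Scan lines and return one finding per request that hits the signature. */
function scan_access_log( array $lines ): array {
    $findings = [];
    foreach ( $lines as $line ) {
        $entry = parse_log_line( $line );
        if ( $entry === null ) {
            continue;
        }
        $hits = suspicious_params( $entry['uri'] );
        if ( $hits ) {
            $entry['params'] = $hits;
            $findings[]      = $entry;
        }
    }
    return $findings;
}

// Constructed sample: a single-encoded probe, a double-encoded probe, and a benign request.
$sample_lines = [
    '203.0.113.10 - - [06/Nov/2025:10:15:01 +0000] "GET /wp-admin/admin.php?page=wcj-example&wcj_filter=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5123 "https://forum.example/thread/42" "Mozilla/5.0"',
    '203.0.113.10 - - [06/Nov/2025:10:16:44 +0000] "GET /wp-admin/admin.php?page=wcj-example&wcj_filter=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Nov/2025:10:17:02 +0000] "GET /wp-admin/admin.php?page=wcj-example&wcj_filter=blue+shirt HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
];

foreach ( scan_access_log( $sample_lines ) as $f ) {
    printf( "%s %s %s status=%d referrer=%s params=%s\n",
        $f['time'], $f['ip'], $f['method'], $f['status'], $f['referrer'], json_encode( $f['params'] ) );
}
```

The first two sample lines are reported, the benign one is not. The referrer field is kept in each finding because a hit with an external referrer matches the pattern described above (an administrator arriving from a link on another site); a 200 status on such a request is worth correlating with the audit-log checks that follow, since the server served the reflected page rather than rejecting it.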
Monitoring Recommendations
- Enable verbose logging on the WordPress site and forward events to a centralized SIEM for correlation with browser telemetry
- Alert on Content Security Policy (CSP) violations reported by administrator browsers, which often indicate attempted script injection
- Track plugin version inventory across managed WordPress installations to identify hosts running Booster for WooCommerce 7.2.5 or earlier
How to Mitigate CVE-2025-64196
Immediate Actions Required
- Update Booster for WooCommerce to a version newer than 7.2.5 once a patched release is available from Pluggabl
- Restrict administrator and shop manager access to trusted personnel and require these users to avoid clicking untrusted links while authenticated
- Deploy a WAF with reflected XSS signatures in front of the WordPress site to block exploitation attempts
Patch Information
Review the Patchstack advisory for current patch availability and update guidance. If no fixed version is yet released, apply virtual patching through a WAF or temporarily disable the plugin.
Workarounds
- Disable or uninstall the Booster for WooCommerce plugin until an updated version is installed
- Enforce a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins
- Require administrators to use a separate browser profile or session for WordPress administration to limit cross-site exposure
# Example Content-Security-Policy header for WordPress (Apache httpd, requires mod_headers)
# Caveat: script-src 'self' also blocks the inline scripts that WordPress core and the
# admin screens rely on; roll the policy out as Content-Security-Policy-Report-Only first
# and review the violation reports before enforcing it.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.