CVE-2025-64196 Overview
CVE-2025-64196 is a reflected cross-site scripting (XSS) vulnerability in the Pluggabl Booster for WooCommerce plugin (woocommerce-jetpack) for WordPress. The flaw stems from improper neutralization of user-supplied input during web page generation [CWE-79]. All versions of Booster for WooCommerce up to and including 7.2.5 are affected. An unauthenticated attacker can craft a malicious URL that, when clicked by a victim, executes arbitrary JavaScript in the victim's browser session under the context of the vulnerable site.
Critical Impact
Successful exploitation allows attackers to hijack authenticated sessions, steal sensitive WooCommerce data, redirect shoppers, or perform actions on behalf of administrators visiting a crafted link.
Affected Products
- Booster for WooCommerce (woocommerce-jetpack) versions through 7.2.5
- WordPress sites running the Pluggabl Booster for WooCommerce plugin
- All deployments where the vulnerable plugin is active and reachable from the internet
Discovery Timeline
- 2025-11-06 - CVE-2025-64196 published to NVD
- 2026-01-20 - Last updated in NVD database
Technical Details for CVE-2025-64196
Vulnerability Analysis
The vulnerability is a reflected XSS issue classified under [CWE-79]. The Booster for WooCommerce plugin accepts user-controlled input through HTTP request parameters and reflects that input back into rendered HTML pages without proper sanitization or output encoding. Because the reflected data is interpreted as markup by the browser, an attacker can inject arbitrary JavaScript into a page served by the vulnerable site.
Exploitation requires user interaction — a victim must visit a crafted link. The scope is changed, meaning the injected script can affect resources beyond the originally vulnerable component, including authenticated WordPress administrative sessions on the same origin. This raises the practical impact for store administrators who manage WooCommerce settings through the plugin.
Root Cause
The root cause is missing or insufficient input sanitization and output encoding within the plugin's request-handling code paths. User input flows from HTTP parameters into HTML response bodies without being escaped through WordPress functions such as esc_html(), esc_attr(), or wp_kses(). As a result, attacker-controlled markup is parsed as part of the document.
Attack Vector
The attack proceeds over the network and requires no authentication. An attacker crafts a URL targeting a vulnerable endpoint of a WordPress site running Booster for WooCommerce <= 7.2.5. The URL includes JavaScript payloads within reflected parameters. The attacker delivers the link via phishing email, malicious advertising, social media, or a compromised third-party site. When a victim — particularly an administrator or logged-in customer — clicks the link, the browser executes the attacker's script in the context of the vulnerable WooCommerce store. Consult the Patchstack advisory for Booster for WooCommerce for further technical context.
Detection Methods for CVE-2025-64196
Indicators of Compromise
- Inbound HTTP requests to WordPress endpoints containing URL-encoded <script> tags, javascript: URIs, or HTML event handlers such as onerror= and onload=.
- Web server access logs showing unusually long query strings or referrer values targeting Booster for WooCommerce plugin paths under /wp-content/plugins/woocommerce-jetpack/.
- Browser console errors or unexpected outbound requests from administrator sessions immediately after visiting a crafted link.
Detection Strategies
- Inspect WAF and reverse proxy logs for reflected XSS payload patterns targeting Booster for WooCommerce parameters.
- Deploy a Content Security Policy (CSP) in report-only mode to surface script execution from unexpected inline sources.
- Correlate suspicious referrers with administrator login events in WordPress audit logs.
Monitoring Recommendations
- Monitor for new or modified WordPress administrator accounts following clicks on external links.
- Alert on outbound requests from browser sessions to attacker-controlled domains shortly after WooCommerce admin activity.
- Track plugin version inventory across all WordPress instances and flag any site still running Booster for WooCommerce <= 7.2.5.
How to Mitigate CVE-2025-64196
Immediate Actions Required
- Update Booster for WooCommerce to a release later than 7.2.5 as soon as the vendor publishes a fixed version.
- Restrict access to the WordPress admin interface using IP allowlists or VPN where feasible.
- Train administrators and store operators to avoid clicking unsolicited links targeting the store's domain.
Patch Information
The vendor advisory tracked through Patchstack identifies all versions up to and including 7.2.5 as vulnerable. Administrators should monitor the plugin's WordPress.org listing and apply any subsequent release that addresses the reflected XSS condition. Test the update in a staging environment before deploying to production.
Workarounds
- Deploy a web application firewall rule that blocks requests containing common XSS payload signatures targeting plugin endpoints.
- Enforce a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins.
- Temporarily disable the Booster for WooCommerce plugin if a patched version is not yet available and the site handles sensitive transactions.
# Example WP-CLI commands to audit and disable the vulnerable plugin
wp plugin get woocommerce-jetpack --field=version
wp plugin deactivate woocommerce-jetpack
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

