CVE-2025-64296 Overview
CVE-2025-64296 is a missing authorization vulnerability in the Facebook for WooCommerce WordPress plugin. The flaw affects all versions up to and including 3.5.7. It stems from incorrectly configured access control on the plugin's notice dismissal functionality [CWE-862]. Unauthenticated attackers can send crafted network requests to dismiss administrative notices without proper authorization checks. The vulnerability carries a CVSS 3.1 base score of 5.3 and impacts integrity only, with no confidentiality or availability effects.
Critical Impact
Unauthenticated attackers can manipulate administrative notice state in affected WordPress sites running the Facebook for WooCommerce plugin, undermining administrator awareness of security or configuration issues.
Affected Products
- Facebook for WooCommerce plugin (facebook-for-woocommerce)
- All versions from n/a through 3.5.7
- WordPress sites using the WooCommerce ecommerce platform with this plugin installed
Discovery Timeline
- 2025-10-29 - CVE-2025-64296 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64296
Vulnerability Analysis
The vulnerability resides in the notice dismissal handler of the Facebook for WooCommerce plugin. The affected code path fails to verify whether the requester holds the required capability or a valid nonce before executing the dismissal action. This maps to Common Weakness Enumeration category [CWE-862] Missing Authorization.
Because the endpoint is reachable over the network with no privileges required and no user interaction, an attacker can invoke it directly. The impact is limited to integrity of dismissable admin notice state — attackers cannot read data or trigger denial of service through this flaw alone. However, hiding notices can mask important warnings from site administrators, including configuration or security alerts surfaced by the plugin.
Root Cause
The root cause is an absent authorization check in the AJAX or admin request handler responsible for marking notices as dismissed. The handler processes the request based solely on parameters supplied by the caller, without validating user capabilities such as manage_woocommerce or verifying a WordPress nonce token bound to an authenticated session.
Attack Vector
An unauthenticated remote attacker sends an HTTP request to the vulnerable WordPress endpoint exposed by the plugin. The request targets the notice dismissal action with attacker-chosen identifiers. Because no authentication or authorization is enforced, the server processes the request and updates the stored notice state. See the Patchstack Vulnerability Report for additional technical detail.
Detection Methods for CVE-2025-64296
Indicators of Compromise
- Unexpected HTTP POST requests to admin-ajax.php referencing Facebook for WooCommerce notice dismissal actions from unauthenticated sessions.
- WordPress option or user meta entries indicating admin notices were dismissed without a corresponding administrator login event.
- Access log entries showing requests to plugin endpoints originating from IP addresses that never authenticated to /wp-admin/.
Detection Strategies
- Review WordPress access logs for requests to plugin action handlers that lack a preceding authenticated admin session.
- Correlate notice dismissal database changes with authenticated administrator activity, flagging mismatches.
- Deploy web application firewall rules that require a valid wp_nonce parameter on notice dismissal requests to the plugin.
Monitoring Recommendations
- Monitor the WordPress wp_options and wp_usermeta tables for changes to keys associated with the Facebook for WooCommerce plugin.
- Alert on high-volume or repeated requests to plugin AJAX endpoints from single source IPs.
- Track plugin version inventory across managed WordPress installations to identify hosts still running 3.5.7 or earlier.
How to Mitigate CVE-2025-64296
Immediate Actions Required
- Update the Facebook for WooCommerce plugin to the version released after 3.5.7 that addresses the missing authorization check.
- Audit administrative notices in affected sites to confirm no important warnings were silently dismissed.
- Restrict access to /wp-admin/admin-ajax.php from untrusted networks where feasible via IP allowlisting or WAF policy.
Patch Information
Refer to the Patchstack Vulnerability Report for the fixed version and vendor remediation guidance. Apply the plugin update through the WordPress plugin manager or WP-CLI as soon as it is available.
Workarounds
- Deploy a WAF rule blocking requests to the vulnerable notice dismissal action that do not carry a valid nonce token.
- Temporarily deactivate the Facebook for WooCommerce plugin on production sites until the update is applied.
- Enforce capability checks at the reverse proxy layer for admin-ajax requests tied to this plugin.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

