CVE-2021-34646: 
WordPress vulnerability analysis and mitigation

CVE-2021-34646 affects versions up to 5.4.3 of the Booster for WooCommerce WordPress plugin. The vulnerability is an authentication bypass issue discovered in the processemailverification function, which was disclosed on August 24, 2021. The plugin's Email Verification module, when active with the default setting 'Login User After Successful Verification' enabled, is susceptible to this security flaw (Wordfence Blog, WPScan).

The vulnerability stems from a random token generation weakness in the resetandmailactivationlink function located in the ~/includes/class-wcj-emails-verification.php file. The issue has been assigned a CVSS v3.1 score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-330 (Use of Insufficiently Random Values) and CWE-290 (Authentication Bypass by Spoofing) (NVD).

This vulnerability allows attackers to impersonate users and trigger email address verification for arbitrary accounts, including administrative accounts. Once exploited, attackers can automatically log in as any user, including site administrators, potentially gaining complete control over the affected WordPress installation (Wordfence Blog).

The vulnerability has been patched in version 5.4.4 of the Booster for WooCommerce plugin. Site administrators are strongly advised to update to this version or later to protect against potential exploitation (WPScan).