CVE-2025-64379: 
WordPress vulnerability analysis and mitigation

The CVE-2025-64379 is a Missing Authorization vulnerability affecting the Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches and 100+ Tools plugin for WordPress. The vulnerability exists in versions up to and including 7.4.0, discovered on October 30, 2025. This security flaw allows authenticated users with Subscriber-level access and above to perform unauthorized actions due to missing capability checks (Rapid7, Patchstack).

The vulnerability is classified as a Broken Access Control issue with a CVSS 3.1 Base Score of 4.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The security flaw stems from a missing capability check on a function that allows authenticated users with minimal privileges to perform actions beyond their intended access level (NIST NVD).

The vulnerability allows authenticated attackers with Subscriber-level access to perform unauthorized actions within the WooCommerce plugin. This could potentially lead to information disclosure and unauthorized access to plugin functionality (Rapid7).

The vulnerability has been fixed in version 7.5.0 of the Booster for WooCommerce plugin. Users are advised to update to this version or later to remediate the security issue (Patchstack).