CVE-2025-64380: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Booster for WooCommerce plugin (woocommerce-jetpack) affecting versions through 7.3.2. The vulnerability was disclosed on November 13, 2025, and was assigned identifier CVE-2025-64380. This security issue affects the WordPress plugin specifically when used with WooCommerce installations (NVD, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's functionality (Rapid7).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized data access or manipulation of the user's browser session (Rapid7).

The vulnerability has been fixed in version 7.4.0 of the Booster for WooCommerce plugin. Site administrators are advised to update to this version or later to remediate the security risk. The issue is considered to have a low severity impact and is unlikely to be exploited in most circumstances (Patchstack).