CVE-2025-64379 is a vulnerability identified in the Pluggabl Booster for WooCommerce plugin (also known as woocommerce-jetpack) that stems from missing authorization controls. Specifically, the plugin fails to properly enforce access control security levels, allowing users with limited privileges (PR:L) to perform actions or access data that should be restricted. The vulnerability affects all versions up to and including 7.4.0. The CVSS 3.1 base score is 4.3, indicating a medium severity level, with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This means the attack can be performed remotely over the network without user interaction, requires low complexity, and only limited privileges, but results in a low impact on confidentiality and no impact on integrity or availability. The missing authorization could allow an attacker to access sensitive information or functionality not intended for their privilege level, potentially leading to data leakage or unauthorized configuration changes. No known exploits have been reported in the wild, and no official patches have been linked yet, although the vulnerability was published on November 13, 2025. The issue is critical for e-commerce sites relying on this plugin for WooCommerce, as improper access control can undermine the security of customer data and business operations.

For European organizations, this vulnerability could lead to unauthorized access to sensitive e-commerce data such as pricing, discounts, or customer information managed through the Booster for WooCommerce plugin. Although the impact on confidentiality is rated low, even limited data exposure can have regulatory consequences under GDPR, including fines and reputational damage. The lack of impact on integrity and availability reduces the risk of service disruption or data tampering, but unauthorized access could facilitate further attacks or data harvesting. Given the widespread use of WooCommerce in European e-commerce markets, especially in countries with large online retail sectors like Germany, the UK, France, and the Netherlands, the threat could affect a significant number of businesses. Attackers exploiting this vulnerability could gain footholds that might be leveraged for more extensive attacks or fraud. The absence of known exploits in the wild currently reduces immediate risk, but organizations should not delay mitigation due to the potential for future exploitation.

European organizations should immediately audit user roles and permissions within their WooCommerce installations to ensure the principle of least privilege is enforced, minimizing the number of users with elevated rights. Implement strict access control policies and monitor logs for unusual access patterns related to the Booster for WooCommerce plugin. Disable or restrict the plugin if it is not essential to business operations until a patch is available. Engage with the vendor or community to track the release of security updates and apply patches promptly once released. Consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin’s endpoints. Conduct regular security assessments and penetration testing focused on e-commerce plugins to identify similar authorization weaknesses. Additionally, ensure that all e-commerce data is encrypted both in transit and at rest to mitigate confidentiality risks. Maintain an incident response plan tailored to e-commerce threats to quickly address any exploitation attempts.