CVE-2025-64380 identifies a stored cross-site scripting (XSS) vulnerability in the Pluggabl Booster for WooCommerce plugin, a popular extension for WooCommerce e-commerce platforms. The vulnerability stems from improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be injected and stored persistently within the application. When other users access the affected pages, the malicious scripts execute in their browsers, potentially exposing sensitive information such as authentication tokens or personal data. The vulnerability affects all versions up to and including 7.3.2. Exploitation requires an authenticated user with low privileges (PR:L), but no user interaction is needed once the malicious payload is stored. The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. Although no known exploits are reported in the wild, the vulnerability poses a significant risk to e-commerce sites using this plugin, as attackers could leverage it to steal sensitive customer data or perform session hijacking. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for proactive mitigation. The vulnerability was published on November 13, 2025, by Patchstack, with the CVE reserved on October 31, 2025.

For European organizations, particularly those operating e-commerce platforms using WooCommerce with the Booster plugin, this vulnerability can lead to unauthorized disclosure of sensitive customer information, including personal data and authentication credentials. This compromises confidentiality and can result in reputational damage, regulatory penalties under GDPR, and financial losses due to fraud or account takeover. Since the vulnerability requires only low-privileged authenticated access, insider threats or compromised user accounts could be leveraged to inject malicious scripts. The stored XSS nature means that multiple users can be affected once the payload is stored, amplifying the impact. Although integrity and availability are not directly affected, the confidentiality breach alone is significant. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly after public disclosure. European e-commerce businesses are attractive targets due to the volume of transactions and sensitive data processed, making this vulnerability a critical concern for compliance and customer trust.

1. Monitor official sources and update the Booster for WooCommerce plugin to the latest version as soon as a patch addressing CVE-2025-64380 is released. 2. Until a patch is available, restrict plugin usage to trusted administrators and limit user privileges to minimize the risk of malicious input submission. 3. Implement strict input validation and output encoding on all user-supplied data within the WooCommerce environment, especially for fields rendered in web pages. 4. Deploy a Web Application Firewall (WAF) with rules specifically targeting XSS attack patterns to detect and block malicious payloads. 5. Conduct regular security audits and penetration testing focusing on XSS vulnerabilities in the e-commerce platform. 6. Educate administrators and users about the risks of stored XSS and encourage vigilance for suspicious behavior or unexpected page content. 7. Review and harden authentication mechanisms to prevent unauthorized access that could facilitate exploitation. 8. Monitor logs for unusual activity indicative of attempted exploitation, such as repeated input of suspicious scripts or anomalous user behavior.