CVE-2025-64380 identifies a stored cross-site scripting (XSS) vulnerability in the Booster for WooCommerce plugin developed by Pluggabl, specifically affecting versions up to 7.3.2. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be injected and stored persistently within the website's content or database. When other users or administrators access the affected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, theft of sensitive information, unauthorized actions on behalf of users, or website defacement. Stored XSS is particularly dangerous because the payload remains on the server and affects multiple users without requiring repeated injection. The plugin Booster for WooCommerce is widely used to enhance WooCommerce e-commerce functionality, making the attack surface significant for online stores. No CVSS score has been assigned yet, and no public exploits are known at this time, but the vulnerability is publicly disclosed and should be treated with urgency. The flaw does not require authentication to exploit, increasing the risk level. The vulnerability highlights the need for secure coding practices such as proper input validation, output encoding, and context-aware sanitization to prevent injection of executable scripts. The lack of a patch link suggests that a fix may be forthcoming, and users should monitor vendor advisories closely.

For European organizations running WooCommerce stores with the affected Booster plugin, this vulnerability can lead to severe consequences including unauthorized access to user accounts, theft of payment or personal data, and damage to brand reputation. Attackers can exploit the stored XSS to execute arbitrary JavaScript in the context of the victim’s browser, potentially bypassing same-origin policies and security controls. This can facilitate further attacks such as phishing, malware distribution, or privilege escalation within the e-commerce platform. The impact on confidentiality is high due to potential data leakage; integrity can be compromised through unauthorized transactions or content manipulation; availability may be affected if attackers deface or disrupt the website. Given the widespread use of WooCommerce in Europe’s e-commerce sector, the threat could affect a broad range of small to medium-sized enterprises that rely on this plugin for enhanced functionality. The vulnerability also poses risks to customer trust and compliance with data protection regulations such as GDPR if personal data is compromised.

1. Monitor official Pluggabl and WooCommerce channels for the release of a security patch addressing CVE-2025-64380 and apply it immediately upon availability. 2. Until a patch is released, implement strict input validation and output encoding on all user-supplied data fields related to the Booster plugin to prevent script injection. 3. Deploy a Web Application Firewall (WAF) with rules tailored to detect and block common XSS payloads targeting WooCommerce and its plugins. 4. Conduct a thorough audit of existing content and database entries for injected scripts or suspicious code and remove any malicious payloads found. 5. Educate site administrators and users about the risks of clicking on suspicious links or interacting with untrusted content on the platform. 6. Limit user privileges to the minimum necessary to reduce the impact of potential exploitation. 7. Regularly backup website data and configurations to enable quick recovery in case of compromise. 8. Consider implementing Content Security Policy (CSP) headers to restrict execution of unauthorized scripts on the website.