Impact
The vulnerability in the Booster for WooCommerce plugin is a missing authorization flaw: certain plugin actions are reachable without a check that the caller holds the capability the action requires, so improperly configured access control can be abused. An attacker who can reach the plugin’s administrative endpoints may gain unauthorized access to functions normally reserved for site administrators, potentially enabling the creation, modification, or deletion of product data, settings, or other sensitive information. This flaw is classified as CWE-862 (Missing Authorization).
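The following is an added illustration of the CWE-862 pattern described above in a generic WordPress plugin; it is not code from Booster for WooCommerce, and the advisory does not say which of the plugin's endpoints is affected. The route name, option key, and callback names are hypothetical, and the example assumes the endpoint is a REST route registered with WordPress's register_rest_route(). The first registration shows the missing-authorization defect; the second shows the same action guarded by a capability check and argument validation.

```php
<?php
// Added example, not code from Booster for WooCommerce. Route name, option
// key and function names are hypothetical.

// VULNERABLE pattern (CWE-862): the permission callback accepts every caller,
// so a low-privileged or even unauthenticated request reaches an action that
// should be restricted to administrators.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_update_settings',
        'permission_callback' => '__return_true', // no authorization check
    ) );
} );

// HARDENED pattern: the permission callback enforces the capability the
// action actually needs (manage_woocommerce for shop settings, or
// manage_options for site-wide settings), and the request argument is
// declared, typed and sanitized before the callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings-secure', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_update_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_woocommerce' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient permissions.',
                    array( 'status' => 403 )
                );
            }
            return true;
        },
        'args' => array(
            'value' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

// Shared handler: the callback itself does no authorization, which is exactly
// why the permission_callback must be correct.
function example_plugin_update_settings( WP_REST_Request $request ) {
    update_option( 'example_plugin_setting', $request->get_param( 'value' ) );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

When reviewing a plugin for this class of flaw, look for `'permission_callback' => '__return_true'` on routes that change state, and for `wp_ajax_` and especially `wp_ajax_nopriv_` handlers that call update_option(), wp_update_post() or similar without a preceding current_user_can() check (admin-ajax handlers also need check_ajax_referer() for CSRF protection, which is a separate control from authorization). On the detection side, a 200 response to a state-changing request from a subscriber-level session on an admin-only endpoint is the observable symptom; after upgrading to the fixed release, the same request should return 403.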
Affected Systems
Affected systems include the Booster for WooCommerce plugin, a WordPress extension produced by Pluggabl, with all releases up to and including version 7.4.0 vulnerable. The issue applies to any site running plugin version 7.4.0 or earlier, regardless of the underlying WordPress core version. Versions 7.5.0 and later are not affected.
Risk and Exploitability
The CVSS score of 4.3 places the vulnerability in the medium severity band, while the EPSS score of less than 1% suggests that exploitation attempts are currently rare. The vulnerability is not listed in CISA’s KEV catalog, further indicating limited public exploitation at this time. The likely attack vector is a user with a legitimate but low-privileged account reaching plugin API endpoints that lack proper capability checks; the flaw can be triggered through ordinary web requests. Because the issue stems from missing authorization checks rather than a logic error or code injection, an attacker needs no privileges beyond those of the account they already hold on the site.
OpenCVE Enrichment