CVE-2025-64296
Description
Missing Authorization vulnerability in Facebook Facebook for WooCommerce facebook-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Facebook for WooCommerce: from n/a through <= 3.5.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Facebook for WooCommerce plugin (≤3.5.7) allows unauthenticated attackers to dismiss notices, a privilege intended for administrators.
Vulnerability
Overview
CVE-2025-64296 is a missing authorization vulnerability in the Facebook for WooCommerce plugin for WordPress, affecting versions from n/a through 3.5.7. The plugin fails to properly verify access control security levels, allowing an attacker to exploit incorrectly configured access controls. Specifically, the issue is broken access control that permits unauthenticated users to dismiss notices, an action that should require a higher-privileged user [1].
Exploitation
An attacker can exploit this vulnerability without authentication by sending a crafted request to the affected endpoint. The plugin does not perform a nonce or capability check before processing notice dismissal actions, making it possible for any visitor to trigger the function. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1].
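To make the mechanism concrete, here is an added illustration of the pattern the advisory describes: a WordPress admin-notice dismissal handler that runs without a nonce or capability check, beside a hardened form of the same handler. This is example code written for this page, not code from the Facebook for WooCommerce plugin; the action name `example_dismiss_notice`, the option key `example_dismissed_notices`, the nonce action and the `manage_options` capability are all assumptions chosen for the illustration.

```php
<?php
// Added illustration, not code from the Facebook for WooCommerce plugin.
// Hypothetical admin-notice dismissal handler for a WordPress plugin.
// Action name, option key, nonce action and capability are assumptions.

// --- Vulnerable pattern: no capability check, no nonce check ---------------
// The callback trusts the request completely, and if it is also hooked to
// wp_ajax_nopriv_*, visitors who are not logged in reach it too. Any request
// that names a notice flips a flag that should be an administrator decision.
function example_dismiss_notice_vulnerable() {
    $notice_id = isset( $_POST['notice_id'] ) ? sanitize_key( $_POST['notice_id'] ) : '';
    if ( '' === $notice_id ) {
        wp_send_json_error( 'missing notice_id', 400 );
    }
    $dismissed               = (array) get_option( 'example_dismissed_notices', array() );
    $dismissed[ $notice_id ] = true;
    update_option( 'example_dismissed_notices', $dismissed );
    wp_send_json_success();
}
// Registration that produces the vulnerable behaviour (shown, not enabled):
// add_action( 'wp_ajax_example_dismiss_notice',        'example_dismiss_notice_vulnerable' );
// add_action( 'wp_ajax_nopriv_example_dismiss_notice', 'example_dismiss_notice_vulnerable' );

// --- Hardened pattern -------------------------------------------------------
// 1. No wp_ajax_nopriv_ hook, so only authenticated users reach the handler.
// 2. check_ajax_referer() stops the request (HTTP 403) without a valid nonce,
//    which also closes the CSRF path.
// 3. current_user_can() enforces the capability the action actually needs;
//    being logged in is not the same as being allowed to dismiss notices.
function example_dismiss_notice_hardened() {
    check_ajax_referer( 'example_dismiss_notice', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $notice_id = isset( $_POST['notice_id'] ) ? sanitize_key( $_POST['notice_id'] ) : '';
    if ( '' === $notice_id ) {
        wp_send_json_error( 'missing notice_id', 400 );
    }

    $dismissed               = (array) get_option( 'example_dismissed_notices', array() );
    $dismissed[ $notice_id ] = true;
    update_option( 'example_dismissed_notices', $dismissed );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_dismiss_notice', 'example_dismiss_notice_hardened' );

// The nonce is handed to the admin page that renders the notice, for example:
//   wp_localize_script( 'example-admin', 'exampleNotice',
//       array( 'nonce' => wp_create_nonce( 'example_dismiss_notice' ) ) );
// and the dismiss button's request sends it back as the `nonce` POST field.
```

Both `check_ajax_referer()` and `wp_send_json_error()` terminate the request, so the state change in the hardened handler is only reachable after both gates pass. The order matters for review: the nonce check first, then the capability check, then input handling, so that a missing authorization check cannot be masked by an early return on bad input. When auditing a plugin for this class of bug, look for every `wp_ajax_*` and `wp_ajax_nopriv_*` callback and `admin_post_*` handler that writes an option or post meta, and confirm each one performs both checks before the write.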
Impact
Successful exploitation allows an attacker to dismiss administrative notices, which could be used to hide important warnings or updates from site administrators. While the impact is considered low severity (CVSS 5.3), it can contribute to a broader attack chain by obscuring security-relevant information [1].
Mitigation
The vulnerability has been patched in version 3.5.8 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, consulting a hosting provider or web developer is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 3.5.7
- (no CPE) range: <= 3.5.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.