PT-2021-20614 · WordPress · Booster For Woocommerce
Chloe Chamberland · Published 2021-08-30 · Updated 2022-08-12

CVE-2021-34646

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Booster for WooCommerce WordPress plugin versions up to, and including, 5.4.3
Description:
The issue allows attackers to bypass authentication via the process email verification function due to a weakness in random token generation in the reset and mail activation link function. This enables attackers to impersonate users, trigger email address verification for arbitrary accounts, including administrative accounts, and automatically log in as that user. Exploitation requires that the Email Verification module be active and the Login User After Successful Verification setting be enabled, which is the default configuration.
Recommendations:
For versions up to, and including, 5.4.3, consider disabling the process email verification function and the Email Verification module until a patch is available. Restrict access to the ~/includes/class-wcj-emails-verification.php file to minimize the risk of exploitation. Avoid using the default Login User After Successful Verification setting until the issue is resolved.
Authentication Bypass by Spoofing
Use of Insufficiently Random Values
Affected Products
Booster For Woocommerce