CVE-2021-34646

Name: CVE-2021-34646
Creator: NVD / NIST
Published: 2021-08-30T19:15:08.75+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 50.87%

Last modified Jun 17, 2026

CVE-2021-34646 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the ~/includes/class-wcj-emails-verification.php file. This allows attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. EPSS estimates a 50.87% chance of exploitation in the next 30 days.

Description

Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the ~/includes/class-wcj-emails-verification.php file. This allows attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Email Verification module to be active in the plugin and the Login User After Successful Verification setting to be enabled, which it is by default.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

50.87%

98.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Booster	Booster For Woocommerce	<= 5.4.3

References

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2581212%40woocommerce-jetpack&new=2581212%40woocommerce-jetpack&sfp_email=&sfph_mail=Patch, Third Party Advisory
https://www.wordfence.com/blog/2021/08/critical-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/Exploit, Third Party Advisory
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2581212%40woocommerce-jetpack&new=2581212%40woocommerce-jetpack&sfp_email=&sfph_mail=Patch, Third Party Advisory
https://www.wordfence.com/blog/2021/08/critical-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/Exploit, Third Party Advisory

Timeline

Published: Aug 30, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-34646?

How severe is CVE-2021-34646?

CVE-2021-34646 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 50.87% probability of exploitation in the next 30 days.

How do I fix CVE-2021-34646?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-34646?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST