CVE-2026-3589Cross-Site Request Forgery in Woocommerce

CWE-352Cross-Site Request Forgery4 documents4 sources
Severity
7.5HIGHNVD
EPSS
0.0%
top 89.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Automattic Woocommerce
Timeline
PublishedMar 6

Description

The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages1 packages

CVEListV5automattic/woocommerce5.4.05.4.4+51

🔴Vulnerability Details

2
CVEList
WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF2026-03-06
GHSA
GHSA-2wr3-vxcp-rxmc: The WooCommerce WordPress plugin from versions 52026-03-06

🕵️Threat Intelligence

1
Wiz
CVE-2026-3589 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-3589 — Cross-Site Request Forgery | cvebase