CVE-2026-3589
published 2026-03-06

Priority: P3 (43)
Severity: high
CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.13% (2.6th percentile)
The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.

Affected

52 ranges, showing 25

Vendor      Product      Version range        Fixed in
automattic  woocommerce  >= 10.0.0 < 10.0.6   10.0.6
automattic  woocommerce  >= 10.1.0 < 10.1.4   10.1.4
automattic  woocommerce  >= 10.2.0 < 10.2.4   10.2.4
automattic  woocommerce  >= 10.3.0 < 10.3.8   10.3.8
automattic  woocommerce  >= 10.4.0 < 10.4.4   10.4.4
automattic  woocommerce  >= 10.5.0 < 10.5.3   10.5.3
automattic  woocommerce  >= 5.4.0 < 5.4.4     5.4.4
automattic  woocommerce  >= 5.5.0 < 5.4.5     5.4.5
automattic  woocommerce  >= 5.6.0 < 5.6.3     5.6.3
automattic  woocommerce  >= 5.7.0 < 5.7.3     5.7.3
automattic  woocommerce  >= 5.8.0 < 5.8.2     5.8.2
automattic  woocommerce  >= 5.9.0 < 5.9.2     5.9.2
automattic  woocommerce  >= 6.0.0 < 6.0.2     6.0.2
automattic  woocommerce  >= 6.1.0 < 6.1.3     6.1.3
automattic  woocommerce  >= 6.2.0 < 6.2.3     6.2.3
automattic  woocommerce  >= 6.3.0 < 6.3.2     6.3.2
automattic  woocommerce  >= 6.4.0 < 6.4.2     6.4.2
automattic  woocommerce  >= 6.5.0 < 6.5.2     6.5.2
automattic  woocommerce  >= 6.6.0 < 6.6.2     6.6.2
automattic  woocommerce  >= 6.7.0 < 6.7.1     6.7.1
automattic  woocommerce  >= 6.8.0 < 6.8.3     6.8.3
automattic  woocommerce  >= 6.9.0 < 6.9.5     6.9.5
automattic  woocommerce  >= 7.0.0 < 7.0.2     7.0.2
automattic  woocommerce  >= 7.1.0 < 7.1.2     7.1.2
automattic  woocommerce  >= 7.2.0 < 7.2.4     7.2.4