CVE-2026-3589

Summary

The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.

Affected Software

VendorProductVersion RangeStatus
AutomatticWooCommerce5.4.0 < 5.4.4affected
AutomatticWooCommerce5.5.0 < 5.4.5affected
AutomatticWooCommerce5.6.0 < 5.6.3affected
AutomatticWooCommerce5.7.0 < 5.7.3affected
AutomatticWooCommerce5.8.0 < 5.8.2affected
AutomatticWooCommerce5.9.0 < 5.9.2affected
AutomatticWooCommerce6.0.0 < 6.0.2affected
AutomatticWooCommerce6.1.0 < 6.1.3affected
AutomatticWooCommerce6.2.0 < 6.2.3affected
AutomatticWooCommerce6.3.0 < 6.3.2affected
AutomatticWooCommerce6.4.0 < 6.4.2affected
AutomatticWooCommerce6.5.0 < 6.5.2affected
AutomatticWooCommerce6.6.0 < 6.6.2affected
AutomatticWooCommerce6.7.0 < 6.7.1affected
AutomatticWooCommerce6.8.0 < 6.8.3affected
AutomatticWooCommerce6.9.0 < 6.9.5affected
AutomatticWooCommerce7.0.0 < 7.0.2affected
AutomatticWooCommerce7.1.0 < 7.1.2affected
AutomatticWooCommerce7.2.0 < 7.2.4affected
AutomatticWooCommerce7.3.0 < 7.3.1affected
AutomatticWooCommerce7.4.0 < 7.4.2affected
AutomatticWooCommerce7.5.0 < 7.5.2affected
AutomatticWooCommerce7.6.0 < 7.6.2affected
AutomatticWooCommerce7.7.0 < 7.7.3affected
AutomatticWooCommerce7.8.0 < 7.8.4affected
AutomatticWooCommerce7.9.0 < 7.9.2affected
AutomatticWooCommerce8.0.0 < 8.0.5affected
AutomatticWooCommerce8.1.0 < 8.1.4affected
AutomatticWooCommerce8.2.0 < 8.2.5affected
AutomatticWooCommerce8.3.0 < 8.3.4affected
AutomatticWooCommerce8.4.0 < 8.4.3affected
AutomatticWooCommerce8.5.0 < 8.5.5affected
AutomatticWooCommerce8.6.0 < 8.6.4affected
AutomatticWooCommerce8.7.0 < 8.7.3affected
AutomatticWooCommerce8.8.0 < 8.8.7affected
AutomatticWooCommerce8.9.0 < 8.9.5affected
AutomatticWooCommerce9.0.0 < 9.0.4affected
AutomatticWooCommerce9.1.0 < 9.1.7affected
AutomatticWooCommerce9.2.0 < 9.2.5affected
AutomatticWooCommerce9.3.0 < 9.3.6affected
AutomatticWooCommerce9.4.0 < 9.4.5affected
AutomatticWooCommerce9.5.0 < 9.5.4affected
AutomatticWooCommerce9.6.0 < 9.6.4affected
AutomatticWooCommerce9.7.0 < 9.7.3affected
AutomatticWooCommerce9.8.0 < 9.8.7affected
AutomatticWooCommerce9.9.0 < 9.9.7affected
AutomatticWooCommerce10.0.0 < 10.0.6affected
AutomatticWooCommerce10.1.0 < 10.1.4affected
AutomatticWooCommerce10.2.0 < 10.2.4affected
AutomatticWooCommerce10.3.0 < 10.3.8affected
AutomatticWooCommerce10.4.0 < 10.4.4affected
AutomatticWooCommerce10.5.0 < 10.5.3affected

Weaknesses

  • CWE-352 Cross-Site Request Forgery (CSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References