CVE-2026-3589
7.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Automattic | WooCommerce | 5.4.0 < 5.4.4 | affected |
| Automattic | WooCommerce | 5.5.0 < 5.4.5 | affected |
| Automattic | WooCommerce | 5.6.0 < 5.6.3 | affected |
| Automattic | WooCommerce | 5.7.0 < 5.7.3 | affected |
| Automattic | WooCommerce | 5.8.0 < 5.8.2 | affected |
| Automattic | WooCommerce | 5.9.0 < 5.9.2 | affected |
| Automattic | WooCommerce | 6.0.0 < 6.0.2 | affected |
| Automattic | WooCommerce | 6.1.0 < 6.1.3 | affected |
| Automattic | WooCommerce | 6.2.0 < 6.2.3 | affected |
| Automattic | WooCommerce | 6.3.0 < 6.3.2 | affected |
| Automattic | WooCommerce | 6.4.0 < 6.4.2 | affected |
| Automattic | WooCommerce | 6.5.0 < 6.5.2 | affected |
| Automattic | WooCommerce | 6.6.0 < 6.6.2 | affected |
| Automattic | WooCommerce | 6.7.0 < 6.7.1 | affected |
| Automattic | WooCommerce | 6.8.0 < 6.8.3 | affected |
| Automattic | WooCommerce | 6.9.0 < 6.9.5 | affected |
| Automattic | WooCommerce | 7.0.0 < 7.0.2 | affected |
| Automattic | WooCommerce | 7.1.0 < 7.1.2 | affected |
| Automattic | WooCommerce | 7.2.0 < 7.2.4 | affected |
| Automattic | WooCommerce | 7.3.0 < 7.3.1 | affected |
| Automattic | WooCommerce | 7.4.0 < 7.4.2 | affected |
| Automattic | WooCommerce | 7.5.0 < 7.5.2 | affected |
| Automattic | WooCommerce | 7.6.0 < 7.6.2 | affected |
| Automattic | WooCommerce | 7.7.0 < 7.7.3 | affected |
| Automattic | WooCommerce | 7.8.0 < 7.8.4 | affected |
| Automattic | WooCommerce | 7.9.0 < 7.9.2 | affected |
| Automattic | WooCommerce | 8.0.0 < 8.0.5 | affected |
| Automattic | WooCommerce | 8.1.0 < 8.1.4 | affected |
| Automattic | WooCommerce | 8.2.0 < 8.2.5 | affected |
| Automattic | WooCommerce | 8.3.0 < 8.3.4 | affected |
| Automattic | WooCommerce | 8.4.0 < 8.4.3 | affected |
| Automattic | WooCommerce | 8.5.0 < 8.5.5 | affected |
| Automattic | WooCommerce | 8.6.0 < 8.6.4 | affected |
| Automattic | WooCommerce | 8.7.0 < 8.7.3 | affected |
| Automattic | WooCommerce | 8.8.0 < 8.8.7 | affected |
| Automattic | WooCommerce | 8.9.0 < 8.9.5 | affected |
| Automattic | WooCommerce | 9.0.0 < 9.0.4 | affected |
| Automattic | WooCommerce | 9.1.0 < 9.1.7 | affected |
| Automattic | WooCommerce | 9.2.0 < 9.2.5 | affected |
| Automattic | WooCommerce | 9.3.0 < 9.3.6 | affected |
| Automattic | WooCommerce | 9.4.0 < 9.4.5 | affected |
| Automattic | WooCommerce | 9.5.0 < 9.5.4 | affected |
| Automattic | WooCommerce | 9.6.0 < 9.6.4 | affected |
| Automattic | WooCommerce | 9.7.0 < 9.7.3 | affected |
| Automattic | WooCommerce | 9.8.0 < 9.8.7 | affected |
| Automattic | WooCommerce | 9.9.0 < 9.9.7 | affected |
| Automattic | WooCommerce | 10.0.0 < 10.0.6 | affected |
| Automattic | WooCommerce | 10.1.0 < 10.1.4 | affected |
| Automattic | WooCommerce | 10.2.0 < 10.2.4 | affected |
| Automattic | WooCommerce | 10.3.0 < 10.3.8 | affected |
| Automattic | WooCommerce | 10.4.0 < 10.4.4 | affected |
| Automattic | WooCommerce | 10.5.0 < 10.5.3 | affected |
Weaknesses
- CWE-352 Cross-Site Request Forgery (CSRF)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://wpscan.com/vulnerability/53ded097-274d-4850-82ee-620bf02f7553/
- https://developer.woocommerce.com/2026/03/02/store-api-vulnerability-patched-in-woocommerce-5-4/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.