CVE-2026-3589
WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.
| Vendor | automattic |
| Product | woocommerce |
| Published | Mar 6, 2026 |
| Last Updated | Mar 6, 2026 |
Stay Ahead of the Next One
Get instant alerts for automattic woocommerce
Be the first to know when new high vulnerabilities affecting automattic woocommerce are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Automattic / WooCommerce
5.4.0 < 5.4.4 5.5.0 < 5.4.5 5.6.0 < 5.6.3 5.7.0 < 5.7.3 5.8.0 < 5.8.2 5.9.0 < 5.9.2 6.0.0 < 6.0.2 6.1.0 < 6.1.3 6.2.0 < 6.2.3 6.3.0 < 6.3.2 6.4.0 < 6.4.2 6.5.0 < 6.5.2 6.6.0 < 6.6.2 6.7.0 < 6.7.1 6.8.0 < 6.8.3 6.9.0 < 6.9.5 7.0.0 < 7.0.2 7.1.0 < 7.1.2 7.2.0 < 7.2.4 7.3.0 < 7.3.1 7.4.0 < 7.4.2 7.5.0 < 7.5.2 7.6.0 < 7.6.2 7.7.0 < 7.7.3 7.8.0 < 7.8.4 7.9.0 < 7.9.2 8.0.0 < 8.0.5 8.1.0 < 8.1.4 8.2.0 < 8.2.5 8.3.0 < 8.3.4 8.4.0 < 8.4.3 8.5.0 < 8.5.5 8.6.0 < 8.6.4 8.7.0 < 8.7.3 8.8.0 < 8.8.7 8.9.0 < 8.9.5 9.0.0 < 9.0.4 9.1.0 < 9.1.7 9.2.0 < 9.2.5 9.3.0 < 9.3.6 9.4.0 < 9.4.5 9.5.0 < 9.5.4 9.6.0 < 9.6.4 9.7.0 < 9.7.3 9.8.0 < 9.8.7 9.9.0 < 9.9.7 10.0.0 < 10.0.6 10.1.0 < 10.1.4 10.2.0 < 10.2.4 10.3.0 < 10.3.8 10.4.0 < 10.4.4 10.5.0 < 10.5.3
References
Credits
oolongeya