Vulnerability-Lookup

FKIE_CVE-2026-3589

Vulnerability from fkie_nvd - Published: 2026-03-06 10:16 - Updated: 2026-03-09 13:35

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.

References

	URL	Tags
	contact@wpscan.com	https://developer.woocommerce.com/2026/03/02/store-api-vulnerability-patched-in-woocommerce-5-4/
	contact@wpscan.com	https://wpscan.com/vulnerability/53ded097-274d-4850-82ee-620bf02f7553/

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example."
    },
    {
      "lang": "es",
      "value": "El plugin de WordPress WooCommerce desde las versiones 5.4.0 hasta la 10.5.2 no gestiona correctamente las solicitudes por lotes, lo que podr\u00eda permitir a usuarios no autenticados realizar una llamada de administrador autenticado a puntos finales REST que no sean de tienda/WC, y crear usuarios administradores arbitrarios a trav\u00e9s de un ataque CSRF, por ejemplo."
    }
  ],
  "id": "CVE-2026-3589",
  "lastModified": "2026-03-09T13:35:34.633",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-06T10:16:22.497",
  "references": [
    {
      "source": "contact@wpscan.com",
      "url": "https://developer.woocommerce.com/2026/03/02/store-api-vulnerability-patched-in-woocommerce-5-4/"
    },
    {
      "source": "contact@wpscan.com",
      "url": "https://wpscan.com/vulnerability/53ded097-274d-4850-82ee-620bf02f7553/"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

CVE-2026-3589 (GCVE-0-2026-3589)

Vulnerability from cvelistv5 – Published: 2026-03-06 09:11 – Updated: 2026-03-06 17:44

Title

WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF

Summary

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-352 Cross-Site Request Forgery (CSRF)

Assigner

WPScan

References

URL

Tags

	https://wpscan.com/vulnerability/53ded097-274d-48…	exploitvdb-entrytechnical-description
	https://developer.woocommerce.com/2026/03/02/stor…	technical-description

Impacted products

	Vendor	Product	Version
	Automattic	WooCommerce	Affected: 5.4.0 , < 5.4.4 (semver) Affected: 5.5.0 , < 5.4.5 (semver) Affected: 5.6.0 , < 5.6.3 (semver) Affected: 5.7.0 , < 5.7.3 (semver) Affected: 5.8.0 , < 5.8.2 (semver) Affected: 5.9.0 , < 5.9.2 (semver) Affected: 6.0.0 , < 6.0.2 (semver) Affected: 6.1.0 , < 6.1.3 (semver) Affected: 6.2.0 , < 6.2.3 (semver) Affected: 6.3.0 , < 6.3.2 (semver) Affected: 6.4.0 , < 6.4.2 (semver) Affected: 6.5.0 , < 6.5.2 (semver) Affected: 6.6.0 , < 6.6.2 (semver) Affected: 6.7.0 , < 6.7.1 (semver) Affected: 6.8.0 , < 6.8.3 (semver) Affected: 6.9.0 , < 6.9.5 (semver) Affected: 7.0.0 , < 7.0.2 (semver) Affected: 7.1.0 , < 7.1.2 (semver) Affected: 7.2.0 , < 7.2.4 (semver) Affected: 7.3.0 , < 7.3.1 (semver) Affected: 7.4.0 , < 7.4.2 (semver) Affected: 7.5.0 , < 7.5.2 (semver) Affected: 7.6.0 , < 7.6.2 (semver) Affected: 7.7.0 , < 7.7.3 (semver) Affected: 7.8.0 , < 7.8.4 (semver) Affected: 7.9.0 , < 7.9.2 (semver) Affected: 8.0.0 , < 8.0.5 (semver) Affected: 8.1.0 , < 8.1.4 (semver) Affected: 8.2.0 , < 8.2.5 (semver) Affected: 8.3.0 , < 8.3.4 (semver) Affected: 8.4.0 , < 8.4.3 (semver) Affected: 8.5.0 , < 8.5.5 (semver) Affected: 8.6.0 , < 8.6.4 (semver) Affected: 8.7.0 , < 8.7.3 (semver) Affected: 8.8.0 , < 8.8.7 (semver) Affected: 8.9.0 , < 8.9.5 (semver) Affected: 9.0.0 , < 9.0.4 (semver) Affected: 9.1.0 , < 9.1.7 (semver) Affected: 9.2.0 , < 9.2.5 (semver) Affected: 9.3.0 , < 9.3.6 (semver) Affected: 9.4.0 , < 9.4.5 (semver) Affected: 9.5.0 , < 9.5.4 (semver) Affected: 9.6.0 , < 9.6.4 (semver) Affected: 9.7.0 , < 9.7.3 (semver) Affected: 9.8.0 , < 9.8.7 (semver) Affected: 9.9.0 , < 9.9.7 (semver) Affected: 10.0.0 , < 10.0.6 (semver) Affected: 10.1.0 , < 10.1.4 (semver) Affected: 10.2.0 , < 10.2.4 (semver) Affected: 10.3.0 , < 10.3.8 (semver) Affected: 10.4.0 , < 10.4.4 (semver) Affected: 10.5.0 , < 10.5.3 (semver)

Credits

oolongeya

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-3589",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-06T17:44:54.283745Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-352",
                "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-06T17:44:58.613Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "product": "WooCommerce",
          "vendor": "Automattic",
          "versions": [
            {
              "lessThan": "5.4.4",
              "status": "affected",
              "version": "5.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.4.5",
              "status": "affected",
              "version": "5.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.6.3",
              "status": "affected",
              "version": "5.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.7.3",
              "status": "affected",
              "version": "5.7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.8.2",
              "status": "affected",
              "version": "5.8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.9.2",
              "status": "affected",
              "version": "5.9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.0.2",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.3",
              "status": "affected",
              "version": "6.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2.3",
              "status": "affected",
              "version": "6.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.3.2",
              "status": "affected",
              "version": "6.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.4.2",
              "status": "affected",
              "version": "6.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.5.2",
              "status": "affected",
              "version": "6.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.2",
              "status": "affected",
              "version": "6.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.7.1",
              "status": "affected",
              "version": "6.7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.8.3",
              "status": "affected",
              "version": "6.8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.9.5",
              "status": "affected",
              "version": "6.9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.0.2",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.1.2",
              "status": "affected",
              "version": "7.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.2.4",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.3.1",
              "status": "affected",
              "version": "7.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.4.2",
              "status": "affected",
              "version": "7.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.5.2",
              "status": "affected",
              "version": "7.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.6.2",
              "status": "affected",
              "version": "7.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.7.3",
              "status": "affected",
              "version": "7.7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.8.4",
              "status": "affected",
              "version": "7.8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.9.2",
              "status": "affected",
              "version": "7.9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.0.5",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.1.4",
              "status": "affected",
              "version": "8.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.2.5",
              "status": "affected",
              "version": "8.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.3.4",
              "status": "affected",
              "version": "8.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.4.3",
              "status": "affected",
              "version": "8.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.5",
              "status": "affected",
              "version": "8.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.6.4",
              "status": "affected",
              "version": "8.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.7.3",
              "status": "affected",
              "version": "8.7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.8.7",
              "status": "affected",
              "version": "8.8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.9.5",
              "status": "affected",
              "version": "8.9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.0.4",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.1.7",
              "status": "affected",
              "version": "9.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.2.5",
              "status": "affected",
              "version": "9.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.3.6",
              "status": "affected",
              "version": "9.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.4.5",
              "status": "affected",
              "version": "9.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.5.4",
              "status": "affected",
              "version": "9.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.6.4",
              "status": "affected",
              "version": "9.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.7.3",
              "status": "affected",
              "version": "9.7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.8.7",
              "status": "affected",
              "version": "9.8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.9.7",
              "status": "affected",
              "version": "9.9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.0.6",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.1.4",
              "status": "affected",
              "version": "10.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.2.4",
              "status": "affected",
              "version": "10.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.3.8",
              "status": "affected",
              "version": "10.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.4.4",
              "status": "affected",
              "version": "10.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.5.3",
              "status": "affected",
              "version": "10.5.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "oolongeya"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T09:11:10.949Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/53ded097-274d-4850-82ee-620bf02f7553/"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://developer.woocommerce.com/2026/03/02/store-api-vulnerability-patched-in-woocommerce-5-4/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WooCommerce \u003c 10.5.3 - Arbitrary Admin User Creation via CSRF",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2026-3589",
    "datePublished": "2026-03-06T09:11:10.949Z",
    "dateReserved": "2026-03-05T10:41:21.729Z",
    "dateUpdated": "2026-03-06T17:44:58.613Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

FKIE_CVE-2026-3589

CVE-2026-3589 (GCVE-0-2026-3589)

Tags

Sightings

Nomenclature