The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Automattic |
|
| Wordpress |
|
No data.
No data.
References
History
Mon, 09 Mar 2026 10:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Automattic
Automattic woocommerce Wordpress Wordpress wordpress |
|
| Vendors & Products |
Automattic
Automattic woocommerce Wordpress Wordpress wordpress |
Fri, 06 Mar 2026 18:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-352 | |
| Metrics |
cvssV3_1
|
Fri, 06 Mar 2026 09:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example. | |
| Title | WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF | |
| References |
|
MITRE
Status: PUBLISHED
Assigner: WPScan
Published: 2026-03-06T09:11:10.949Z
Updated: 2026-03-06T17:44:58.613Z
Reserved: 2026-03-05T10:41:21.729Z
Link: CVE-2026-3589
Vulnrichment
Updated: 2026-03-06T17:44:24.175Z
NVD
Status : Awaiting Analysis
Published: 2026-03-06T10:16:22.497
Modified: 2026-03-09T13:35:34.633
Link: CVE-2026-3589
Redhat
No data.