CVE-2026-3589 · Severity: HIGH · CNA: WPScan

CVE-2026-3589: WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF

The WooCommerce WordPress plugin, in versions 5.4.0 through 10.5.2, does not properly handle batch requests. This could allow an unauthenticated attacker to make a logged-in administrator call non-store (non-WooCommerce) REST endpoints, for example to create arbitrary admin users via a CSRF attack.

Metrics

CVSS v3.1 score: 7.5
Severity: HIGH
Fixed in: 5.4.4
Affected products: 1

Fix available

Patched releases: 5.4.4, 5.4.5, 5.6.3, 5.7.3, 5.8.2, 5.9.2, 6.0.2, 6.1.3, 6.2.3, 6.3.2, 6.4.2, 6.5.2, 6.6.2, 6.7.1, 6.8.3, 6.9.5, 7.0.2, 7.1.2, 7.2.4, 7.3.1, 7.4.2, 7.5.2, 7.6.2, 7.7.3, 7.8.4, 7.9.2, 8.0.5, 8.1.4, 8.2.5, 8.3.4, 8.4.3, 8.5.5, 8.6.4, 8.7.3, 8.8.7, 8.9.5, 9.0.4, 9.1.7, 9.2.5, 9.3.6, 9.4.5, 9.5.4, 9.6.4, 9.7.3, 9.8.7, 9.9.7, 10.0.6, 10.1.4, 10.2.4, 10.3.8, 10.4.4, 10.5.3
Affected packages
  • Automattic / WooCommerce
    < 5.4.4 (from 5.4.0) · < 5.4.5 (from 5.5.0) · < 5.6.3 (from 5.6.0) · < 5.7.3 (from 5.7.0) · < 5.8.2 (from 5.8.0) · < 5.9.2 (from 5.9.0)
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H