CSRF in Automattic Woocommerce
CVE-2026-3589
The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged-in admin call non-store/WC REST endpoints, and create arbitrary admin users vi…
Vulnerability class: CSRF (Cross-Site Request Forgery)
EPSS: 0.001 (2.6th percentile)
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H.
Affected products
- Automattic Woocommerce — versions 5.4.0, 5.5.0, 5.6.0
Weakness classification (CWE)
References
- contact@wpscan.com (technical-description, exploit, vdb-entry)
- contact@wpscan.com (technical-description)
Frequently asked questions
- What is CVE-2026-3589?
- CVE-2026-3589 is a high-severity vulnerability in Automattic Woocommerce, classified under Cross-Site Request Forgery (CSRF). CVSS score: 7.5/10. Published 2026-03-06.
- How severe is CVE-2026-3589?
- High severity. CVSS v3 base score is 7.5 out of 10.