CSRF in Automattic Woocommerce

CVE-2026-3589

The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users vi…

Vulnerability class: CSRF (Cross-Site Request Forgery)

EPSS: 0.001 (2.6th percentile).

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H.

Affected products

Weakness classification (CWE)

References

Frequently asked questions

What is CVE-2026-3589?
CVE-2026-3589 is a high-severity vulnerability in Automattic Woocommerce, classified under Cross-Site Request Forgery (CSRF). CVSS score: 7.5/10. Published 2026-03-06.
How severe is CVE-2026-3589?
High severity. CVSS v3 base score is 7.5 out of 10.