What the vulnerability does
01Description
The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.
Explanation of Vulnerability in Simple Terms
02Summary
WooCommerce versions 5.4.0 through 5.4.3 contain a vulnerability of unknown type and severity. The specific attack vector, impact, and exploitation requirements cannot be determined from available metadata. Update to version 5.4.4 or later to remediate.
What an attacker can do
03Attacker Capabilities
Unknown; insufficient technical details available.
Potential impact on your site
04Site Impact
WooCommerce stores running versions 5.4.0–5.4.3 may be at risk; patch status unknown without CVE details.
Conditions required to exploit
05Prerequisites
Unknown; insufficient technical details available.
Key dates
06Disclosure timeline
March 6, 2026
CVE published
March 6, 2026
Record updated