CVE-2026-3589

CVE-2026-3589: WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF

Vendor Automattic
Product WooCommerce
Published March 6, 2026
Last update March 6, 2026

CVSS base score

What the vulnerability does

01Description

The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.

Explanation of Vulnerability in Simple Terms

02Summary

WooCommerce versions 5.4.0 through 5.4.3 contain a vulnerability of unknown type and severity. The specific attack vector, impact, and exploitation requirements cannot be determined from available metadata. Update to version 5.4.4 or later to remediate.

What an attacker can do

03Attacker Capabilities

Unknown; insufficient technical details available.

Potential impact on your site

04Site Impact

WooCommerce stores running versions 5.4.0–5.4.3 may be at risk; patch status unknown without CVE details.

Conditions required to exploit

05Prerequisites

Unknown; insufficient technical details available.

Key dates

06Disclosure timeline

March 6, 2026 CVE published
March 6, 2026 Record updated