Executive Summary

CVE-2026-3589 is a high-severity Cross-Site Request Forgery (CSRF) vulnerability in the WooCommerce WordPress plugin versions 5.4.0 to 10.5.2. The plugin does not properly handle batch requests, which allows unauthenticated users to exploit logged-in admin sessions to make calls to non-store/WooCommerce REST API endpoints.

This flaw enables attackers to create arbitrary admin users without authorization by tricking a logged-in administrator into visiting a malicious link, thereby performing unauthorized administrative actions.

The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and relates to OWASP Top 10 category A2: Broken Authentication and Session Management.

Useful 0 Not Useful 0

Impact Analysis

Exploitation of this vulnerability can allow attackers to gain full administrative control over affected WooCommerce sites by creating arbitrary admin accounts.

This can lead to unauthorized administrative actions such as creating posts or managing site settings.

Attackers could potentially access sensitive customer order data including names, emails, phone numbers, shipping and billing addresses, payment methods, purchased items, and related metadata.

However, passwords, credit card details, or other financial information are not exposed by this vulnerability.

No confirmed exploitation or customer data breaches have been reported outside of internal security testing.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves verifying the WooCommerce plugin version installed on your WordPress site. Versions from 5.4.0 up to 10.5.2 are vulnerable and should be updated.

You can check the WooCommerce version via the WordPress Admin dashboard under the Plugins section.

To detect suspicious activity related to this vulnerability, monitor for unauthorized creation of admin users or unexpected REST API calls to non-store/WooCommerce endpoints.

While no specific commands are provided in the resources, general commands to check plugin versions and user accounts on a WordPress server include:

• Using WP-CLI to check WooCommerce version: `wp plugin status woocommerce`
• Listing all admin users: `wp user list --role=administrator`
• Checking recent user creation dates for suspicious new admin accounts.

Additionally, monitoring web server logs for unusual REST API requests or batch requests targeting WooCommerce endpoints may help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary immediate step is to update the WooCommerce plugin to version 10.5.3 or later, as this vulnerability has been fixed in these versions.

If you are running any version between 5.4.0 and 10.5.2, update immediately to the corresponding patched version (e.g., 5.4.5, 10.5.3).

Additional mitigation steps include:

• Avoid clicking on suspicious links while logged into the WordPress admin area to prevent CSRF attacks.
• Use separate browsers or browser profiles for administrative tasks to reduce risk.
• Log out of the WordPress admin dashboard when not actively managing the site.
• Verify URLs before clicking on links to avoid malicious requests.
• If compromise is suspected, immediately change all admin passwords and review user accounts for unauthorized additions.
• Implement strong passwords, enable two-factor authentication, maintain regular backups, and monitor site activity for anomalies.

Useful 0 Not Useful 0