CVE-2026-3589 in WooCommerce Plugin

Summary

by MITRE • 03/06/2026

The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged-in admin call non-store/WC REST endpoints, and create arbitrary admin users via a CSRF attack, for example.


Analysis

by VulDB Data Team • 03/08/2026

CVE-2026-3589 affects the WooCommerce WordPress plugin in versions 5.4.0 through 10.5.2 and is a critical flaw in the plugin's authentication and authorization handling. It stems from improper handling of batch requests in the plugin's REST API implementation, which gives unauthenticated attackers a path to trigger administrative actions that should require valid user credentials and a validated session. The affected surface is the set of WooCommerce REST API endpoints that are meant to be reachable only by authenticated administrators; the flawed batch request processing lets an attacker bypass those controls with crafted requests.

The flaw lies in the plugin's failure to validate and authenticate batch submissions properly, so an attacker can construct requests that appear to originate from a legitimate administrative session. This is a cross-site request forgery (CSRF) vector: an unauthenticated user can use the batch processing functionality to make unauthorized calls to non-store WooCommerce REST endpoints, executing administrative functions without proper authentication and potentially compromising the whole system. The batch handler neither verifies the authenticity of the requests it forwards nor ensures that they come from an authorized user, which is a fundamental breakdown of the plugin's security architecture.

Operationally, this vulnerability is a severe risk for WordPress sites running affected WooCommerce versions, because it lets attackers escalate privileges and create arbitrary administrative user accounts. Forging administrative requests without authentication means a malicious actor could take full control of the site, including modifying content, installing malware, accessing sensitive customer data, and manipulating e-commerce transactions. The impact goes beyond a one-off privilege escalation: newly created admin accounts give the attacker persistent, long-term access to the compromised system. The risk is especially serious for e-commerce deployments, where customer data and financial transactions pass through the WooCommerce plugin.

The vulnerability maps to CWE-352, Cross-Site Request Forgery, and specifically concerns the improper handling of authentication tokens and session validation within REST API endpoints. It also maps to ATT&CK technique T1078.004, which covers valid accounts used for lateral movement, since an attacker could use the created admin accounts for further exploitation. Organizations should immediately update to the WooCommerce plugin version that addresses this vulnerability, add authentication controls such as two-factor authentication, and monitor for suspicious administrative activity. Network-level protections such as a web application firewall and rate limiting on API endpoints provide additional defense in depth against exploitation.
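The defensive control implied by the two paragraphs above is that a batch endpoint must not act as a bridge from its own namespace into other REST routes. The following Python model of that check is an added illustration, not WooCommerce's code and not part of the VulDB entry: it canonicalises each sub-request path (decoding percent-encoding and resolving `..` segments before the comparison) and rejects anything outside an allow-listed namespace. The payload shape `{"requests": [{"method", "path"}]}`, the namespace prefixes `/wc/store/` and `/wc/v3/`, and the sample batch are assumptions constructed for the example.

```python
import json
import posixpath
from urllib.parse import unquote, urlsplit

# Namespaces a batch sub-request is permitted to target. These two prefixes are
# an assumption for this illustration, not the plugin's actual configuration.
ALLOWED_PREFIXES = ("/wc/store/", "/wc/v3/")


def normalize_path(raw_path):
    """Canonicalise a sub-request route before comparing it with the allow-list.

    The query string is dropped (it never changes which route is dispatched),
    percent-encoding is decoded before dot-segment resolution so an encoded
    '..' cannot survive the check, and a missing leading slash is restored.
    """
    path_only = urlsplit(raw_path).path
    decoded = unquote(path_only)
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)


def is_allowed(raw_path):
    """True when the normalised route sits inside an allowed namespace."""
    path = normalize_path(raw_path)
    return any(path == prefix.rstrip("/") or path.startswith(prefix)
               for prefix in ALLOWED_PREFIXES)


def validate_batch(batch_json):
    """Split a batch payload into (accepted, rejected) lists of (method, path).

    Rejected entries keep the raw path so a log line can show exactly what
    the caller sent. The payload shape {"requests": [{"method", "path"}]}
    is assumed for this example.
    """
    payload = json.loads(batch_json)
    accepted, rejected = [], []
    for item in payload.get("requests", []):
        method = str(item.get("method", "GET")).upper()
        path = str(item.get("path", ""))
        (accepted if is_allowed(path) else rejected).append((method, path))
    return accepted, rejected


# Constructed sample payload: one in-namespace call, one direct call outside
# the namespace, and one that tries to leave the namespace with encoded '..'.
SAMPLE_BATCH = json.dumps({
    "requests": [
        {"method": "GET", "path": "/wc/store/v1/cart"},
        {"method": "POST", "path": "/wp/v2/users"},
        {"method": "GET", "path": "/wc/store/%2e%2e/%2e%2e/wp/v2/users?context=edit"},
    ]
})

if __name__ == "__main__":
    ok, bad = validate_batch(SAMPLE_BATCH)
    for method, path in bad:
        print(f"rejected: {method} {path} -> {normalize_path(path)}")
    print(f"accepted: {ok}")
```

Canonicalising before the prefix comparison is the part that matters: a check that compares the raw string would accept the third sample entry, which only becomes `/wp/v2/users` after decoding and dot-segment resolution. WordPress core grants cookie-based REST authentication only when a valid nonce accompanies the request, so an allow-list of this kind is an independent second layer that stops a batch endpoint from carrying a browser session into routes that expect that nonce.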

Responsible: WPScan

Reservation: 03/05/2026

Disclosure: 03/06/2026

Moderation: accepted

CPE: ready

EPSS: 0.00042

KEV: no

Activities: very low
