CSRF Vulnerability in WooCommerce Plugin Affects WordPress Users
CVE-2026-3589

7.5HIGH

Key Information:

Vendor

WordPress
Status
WooCommerce
Vendor
CVE Published:
6 March 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-3589?

The WooCommerce plugin for WordPress, affecting versions 5.4.0 through 10.5.2, contains a CSRF vulnerability that permits unauthenticated users to perform actions as a logged-in administrator. This vulnerability arises from the improper handling of batch requests, particularly allowing unauthorized access to non-store/WC REST endpoints, which could result in the creation of arbitrary admin users.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

WooCommerce 5.4.0 < 5.4.4

WooCommerce 5.5.0 < 5.4.5

WooCommerce 5.6.0 < 5.6.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-3589 - Proof of Concept

References

https://wpscan.com/vulnerability/53ded097-274d-4850-82ee-...
exploitvdb-entrytechnical-description
https://developer.woocommerce.com/2026/03/02/store-api-vu...
technical-description

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

oolongeya
JSON
.