Cyber Resilience

CVE-2026-3589

High

Published: 06 March 2026

Published
06 March 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0004 13.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3589 is a high-severity CSRF (CWE-352) vulnerability in Woocommerce (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-3589 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting the WooCommerce WordPress plugin in versions 5.4.0 through 10.5.2. The flaw stems from improper handling of batch requests, enabling unauthenticated attackers to leverage a logged-in administrator's session to invoke non-Store API or WooCommerce REST endpoints. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high potential impact with network accessibility, high attack complexity, no privileges required, and user interaction needed.

An attacker can exploit this vulnerability by crafting a malicious webpage or link that, when visited by a logged-in WooCommerce administrator, triggers a CSRF attack via batch requests. This allows the unauthenticated attacker to impersonate the admin and execute arbitrary actions on non-WooCommerce REST endpoints, such as creating new administrator users with full privileges. Successful exploitation grants the attacker complete administrative control over the affected WordPress site.

Advisories from the WooCommerce developer site confirm the vulnerability was patched, with details available at https://developer.woocommerce.com/2026/03/02/store-api-vulnerability-patched-in-woocommerce-5-4/. WPScan also documents the issue at https://wpscan.com/vulnerability/53ded097-274d-4850-82ee-620bf02f7553/, recommending affected users upgrade to a patched version beyond 10.5.2 to mitigate the risk.

EU & UK References

Vulnerability details

The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack…

more

for example.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136.001 Local Account Persistence
Adversaries may create a local account to maintain access to victim systems.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

CSRF in public-facing WooCommerce REST API directly enables T1190 exploitation; malicious link delivery requires T1204.001; impact explicitly includes unauthorized admin account creation (T1136.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-25121Shared CWE-352
CVE-2025-24001Shared CWE-352
CVE-2025-25147Shared CWE-352
CVE-2026-34904Shared CWE-352
CVE-2024-26153Shared CWE-352
CVE-2025-28860Shared CWE-352
CVE-2026-45430Shared CWE-352
CVE-2025-23880Shared CWE-352
CVE-2025-59541Shared CWE-352
CVE-2026-23622Shared CWE-352

Affected Assets

Woocommerce
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Remediating the specific flaw in WooCommerce batch request handling via patching directly prevents CSRF exploitation as confirmed by vendor advisories.

prevent

Session authenticity mechanisms like anti-CSRF tokens or SameSite cookies prevent forged batch requests from impersonating logged-in admin sessions.

prevent

Validating batch request inputs ensures only legitimate, non-forged requests to non-WC REST endpoints are processed, blocking CSRF attacks.

References