CVE-2026-3589
Published: 06 March 2026
Summary
CVE-2026-3589 is a high-severity CSRF (CWE-352) vulnerability in Woocommerce (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
Detects anomalous request patterns consistent with cross-site request forgery.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF in public-facing WooCommerce REST API directly enables T1190 exploitation; malicious link delivery requires T1204.001; impact explicitly includes unauthorized admin account creation (T1136.001).
NVD Description
The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack…
more
for example.
Deeper analysisAI
CVE-2026-3589 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting the WooCommerce WordPress plugin in versions 5.4.0 through 10.5.2. The flaw stems from improper handling of batch requests, enabling unauthenticated attackers to leverage a logged-in administrator's session to invoke non-Store API or WooCommerce REST endpoints. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high potential impact with network accessibility, high attack complexity, no privileges required, and user interaction needed.
An attacker can exploit this vulnerability by crafting a malicious webpage or link that, when visited by a logged-in WooCommerce administrator, triggers a CSRF attack via batch requests. This allows the unauthenticated attacker to impersonate the admin and execute arbitrary actions on non-WooCommerce REST endpoints, such as creating new administrator users with full privileges. Successful exploitation grants the attacker complete administrative control over the affected WordPress site.
Advisories from the WooCommerce developer site confirm the vulnerability was patched, with details available at https://developer.woocommerce.com/2026/03/02/store-api-vulnerability-patched-in-woocommerce-5-4/. WPScan also documents the issue at https://wpscan.com/vulnerability/53ded097-274d-4850-82ee-620bf02f7553/, recommending affected users upgrade to a patched version beyond 10.5.2 to mitigate the risk.
Details
- CWE(s)