Description
The WooCommerce WordPress plugin, from version 5.4.0 to 10.5.2, does not properly handle batch requests. An unauthenticated attacker could cause a logged-in administrator to call non-store/WC REST endpoints through a batch request and, for example, create arbitrary admin users via a CSRF attack.
CVSS breakdown
CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Affected products
- Automattic / WooCommerce 7.5.0 – 7.5.2
- Automattic / WooCommerce 7.6.0 – 7.6.2
- Automattic / WooCommerce 5.4.0 – 5.4.4
- Automattic / WooCommerce 5.5.0 – 5.4.5
- Automattic / WooCommerce 5.6.0 – 5.6.3
- Automattic / WooCommerce 5.7.0 – 5.7.3
- Automattic / WooCommerce 5.8.0 – 5.8.2
- Automattic / WooCommerce 5.9.0 – 5.9.2
- Automattic / WooCommerce 6.0.0 – 6.0.2
- Automattic / WooCommerce 6.1.0 – 6.1.3
- Automattic / WooCommerce 6.2.0 – 6.2.3
- Automattic / WooCommerce 6.3.0 – 6.3.2
- Automattic / WooCommerce 6.4.0 – 6.4.2
- Automattic / WooCommerce 6.5.0 – 6.5.2
- Automattic / WooCommerce 6.6.0 – 6.6.2
- Automattic / WooCommerce 6.7.0 – 6.7.1
- Automattic / WooCommerce 6.8.0 – 6.8.3
- Automattic / WooCommerce 6.9.0 – 6.9.5
- Automattic / WooCommerce 7.0.0 – 7.0.2
- Automattic / WooCommerce 7.1.0 – 7.1.2
- Automattic / WooCommerce 7.2.0 – 7.2.4
- Automattic / WooCommerce 7.3.0 – 7.3.1
- Automattic / WooCommerce 7.4.0 – 7.4.2
- Automattic / WooCommerce 7.7.0 – 7.7.3
- Automattic / WooCommerce 7.8.0 – 7.8.4
- Automattic / WooCommerce 7.9.0 – 7.9.2
- Automattic / WooCommerce 8.0.0 – 8.0.5
- Automattic / WooCommerce 8.1.0 – 8.1.4
- Automattic / WooCommerce 8.2.0 – 8.2.5
- Automattic / WooCommerce 8.3.0 – 8.3.4
- Automattic / WooCommerce 8.4.0 – 8.4.3
- Automattic / WooCommerce 8.5.0 – 8.5.5
- Automattic / WooCommerce 8.6.0 – 8.6.4
- Automattic / WooCommerce 8.7.0 – 8.7.3
- Automattic / WooCommerce 8.8.0 – 8.8.7
- Automattic / WooCommerce 8.9.0 – 8.9.5
- Automattic / WooCommerce 9.0.0 – 9.0.4
- Automattic / WooCommerce 9.1.0 – 9.1.7
- Automattic / WooCommerce 9.2.0 – 9.2.5
- Automattic / WooCommerce 9.3.0 – 9.3.6
- Automattic / WooCommerce 9.4.0 – 9.4.5
- Automattic / WooCommerce 9.5.0 – 9.5.4
- Automattic / WooCommerce 9.6.0 – 9.6.4
- Automattic / WooCommerce 9.7.0 – 9.7.3
- Automattic / WooCommerce 9.8.0 – 9.8.7
- Automattic / WooCommerce 9.9.0 – 9.9.7
- Automattic / WooCommerce 10.0.0 – 10.0.6
- Automattic / WooCommerce 10.1.0 – 10.1.4
- Automattic / WooCommerce 10.2.0 – 10.2.4
- Automattic / WooCommerce 10.3.0 – 10.3.8
- Automattic / WooCommerce 10.4.0 – 10.4.4
- Automattic / WooCommerce 10.5.0 – 10.5.3
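The practical question an operator has after reading an affected-products list this long is whether a given installed version falls inside one of the listed branches. The checker below is an added example written for this page; it is not code from the advisory, from Automattic or from WooCommerce. It embeds the 52 ranges exactly as printed above (including the "5.5.0 – 5.4.5" entry, whose lower bound is above its upper bound), compares versions numerically rather than as strings, and reports "unknown" rather than a false "not affected" for versions that can only be judged by that malformed entry.

```python
import re

# All 52 affected ranges copied from this advisory's "Affected products" list
# (inclusive bounds). Kept as text so the parser below has to cope with the
# page's own format, en dashes included.
ADVISORY_RANGES = """
5.4.0 – 5.4.4, 5.5.0 – 5.4.5, 5.6.0 – 5.6.3, 5.7.0 – 5.7.3, 5.8.0 – 5.8.2, 5.9.0 – 5.9.2,
6.0.0 – 6.0.2, 6.1.0 – 6.1.3, 6.2.0 – 6.2.3, 6.3.0 – 6.3.2, 6.4.0 – 6.4.2, 6.5.0 – 6.5.2,
6.6.0 – 6.6.2, 6.7.0 – 6.7.1, 6.8.0 – 6.8.3, 6.9.0 – 6.9.5, 7.0.0 – 7.0.2, 7.1.0 – 7.1.2,
7.2.0 – 7.2.4, 7.3.0 – 7.3.1, 7.4.0 – 7.4.2, 7.5.0 – 7.5.2, 7.6.0 – 7.6.2, 7.7.0 – 7.7.3,
7.8.0 – 7.8.4, 7.9.0 – 7.9.2, 8.0.0 – 8.0.5, 8.1.0 – 8.1.4, 8.2.0 – 8.2.5, 8.3.0 – 8.3.4,
8.4.0 – 8.4.3, 8.5.0 – 8.5.5, 8.6.0 – 8.6.4, 8.7.0 – 8.7.3, 8.8.0 – 8.8.7, 8.9.0 – 8.9.5,
9.0.0 – 9.0.4, 9.1.0 – 9.1.7, 9.2.0 – 9.2.5, 9.3.0 – 9.3.6, 9.4.0 – 9.4.5, 9.5.0 – 9.5.4,
9.6.0 – 9.6.4, 9.7.0 – 9.7.3, 9.8.0 – 9.8.7, 9.9.0 – 9.9.7, 10.0.0 – 10.0.6, 10.1.0 – 10.1.4,
10.2.0 – 10.2.4, 10.3.0 – 10.3.8, 10.4.0 – 10.4.4, 10.5.0 – 10.5.3
"""

# "lower – upper" pairs; accepts an en dash or a plain hyphen as the separator.
_RANGE = re.compile(r"(\d+(?:\.\d+)*)\s*[–-]\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """'v10.5' -> (10, 5, 0). Numeric tuple so 10.x sorts after 9.x (a plain
    string compare would put '10.5.3' before '9.9.7')."""
    parts = tuple(int(p) for p in text.strip().lstrip("v").split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def parse_ranges(text=ADVISORY_RANGES):
    """Return (well_formed, malformed): lists of (lo, hi, label).

    An entry whose lower bound is above its upper bound (one entry on this page)
    cannot be evaluated, so it is kept aside instead of being silently dropped."""
    well_formed, malformed = [], []
    for lo_s, hi_s in _RANGE.findall(text):
        lo, hi = parse_version(lo_s), parse_version(hi_s)
        entry = (lo, hi, f"{lo_s} – {hi_s}")
        (well_formed if lo <= hi else malformed).append(entry)
    return well_formed, malformed


def assess(version, text=ADVISORY_RANGES):
    """Return (verdict, label) where verdict is 'affected', 'unknown' or
    'not affected' and label is the advisory entry that decided it (or None)."""
    v = parse_version(version)
    well_formed, malformed = parse_ranges(text)
    for lo, hi, label in well_formed:
        if lo <= v <= hi:
            return "affected", label
    for lo, hi, label in malformed:
        # The version sits in a major.minor branch that only a malformed entry
        # covers: we cannot say either way, so do not report a clean bill.
        if v[:2] in (lo[:2], hi[:2]):
            return "unknown", label
    return "not affected", None


if __name__ == "__main__":
    import sys
    # Sample versions are constructed for illustration when none are given.
    for arg in sys.argv[1:] or ["8.8.7", "8.8.8", "5.5.2"]:
        verdict, label = assess(arg)
        suffix = f" (advisory entry {label})" if label else ""
        print(f"WooCommerce {arg}: {verdict}{suffix}")
```

Feed it the installed version, for example the value WP-CLI reports with `wp plugin get woocommerce --field=version`, and treat an "unknown" verdict as a prompt to consult the vendor's release notes for that branch rather than as a pass. The check only decides whether the version string is in a listed range; it says nothing about whether a site has other mitigations in place.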