CVE-2026-3589

Description

The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.

CVSS breakdown

Affected products

• Automattic / WooCommerce7.5.0 – 7.5.2
• Automattic / WooCommerce7.6.0 – 7.6.2
• Automattic / WooCommerce5.4.0 – 5.4.4
• Automattic / WooCommerce5.5.0 – 5.4.5
• Automattic / WooCommerce5.6.0 – 5.6.3
• Automattic / WooCommerce5.7.0 – 5.7.3
• Automattic / WooCommerce5.8.0 – 5.8.2
• Automattic / WooCommerce5.9.0 – 5.9.2
• Automattic / WooCommerce6.0.0 – 6.0.2
• Automattic / WooCommerce6.1.0 – 6.1.3
• Automattic / WooCommerce6.2.0 – 6.2.3
• Automattic / WooCommerce6.3.0 – 6.3.2
• Automattic / WooCommerce6.4.0 – 6.4.2
• Automattic / WooCommerce6.5.0 – 6.5.2
• Automattic / WooCommerce6.6.0 – 6.6.2
• Automattic / WooCommerce6.7.0 – 6.7.1
• Automattic / WooCommerce6.8.0 – 6.8.3
• Automattic / WooCommerce6.9.0 – 6.9.5
• Automattic / WooCommerce7.0.0 – 7.0.2
• Automattic / WooCommerce7.1.0 – 7.1.2
• Automattic / WooCommerce7.2.0 – 7.2.4
• Automattic / WooCommerce7.3.0 – 7.3.1
• Automattic / WooCommerce7.4.0 – 7.4.2
• Automattic / WooCommerce7.7.0 – 7.7.3
• Automattic / WooCommerce7.8.0 – 7.8.4
• Automattic / WooCommerce7.9.0 – 7.9.2
• Automattic / WooCommerce8.0.0 – 8.0.5
• Automattic / WooCommerce8.1.0 – 8.1.4
• Automattic / WooCommerce8.2.0 – 8.2.5
• Automattic / WooCommerce8.3.0 – 8.3.4
• Automattic / WooCommerce8.4.0 – 8.4.3
• Automattic / WooCommerce8.5.0 – 8.5.5
• Automattic / WooCommerce8.6.0 – 8.6.4
• Automattic / WooCommerce8.7.0 – 8.7.3
• Automattic / WooCommerce8.8.0 – 8.8.7
• Automattic / WooCommerce8.9.0 – 8.9.5
• Automattic / WooCommerce9.0.0 – 9.0.4
• Automattic / WooCommerce9.1.0 – 9.1.7
• Automattic / WooCommerce9.2.0 – 9.2.5
• Automattic / WooCommerce9.3.0 – 9.3.6
• Automattic / WooCommerce9.4.0 – 9.4.5
• Automattic / WooCommerce9.5.0 – 9.5.4
• Automattic / WooCommerce9.6.0 – 9.6.4
• Automattic / WooCommerce9.7.0 – 9.7.3
• Automattic / WooCommerce9.8.0 – 9.8.7
• Automattic / WooCommerce9.9.0 – 9.9.7
• Automattic / WooCommerce10.0.0 – 10.0.6
• Automattic / WooCommerce10.1.0 – 10.1.4
• Automattic / WooCommerce10.2.0 – 10.2.4
• Automattic / WooCommerce10.3.0 – 10.3.8
• Automattic / WooCommerce10.4.0 – 10.4.4
• Automattic / WooCommerce10.5.0 – 10.5.3

References

• MISChttps://wpscan.com/vulnerability/53ded097-274d-4850-82ee-620bf02f7553/
• MISChttps://developer.woocommerce.com/2026/03/02/store-api-vulnerability-patched-in-woocommerce-5-4/