CVE-2026-3589

low-risk

Published 2026-03-06

The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / HIGH complexity

References (2)

https://developer.woocommerce.com/2026/03/02/store-api-vulnerability-patched-in-...

https://wpscan.com/vulnerability/53ded097-274d-4850-82ee-620bf02f7553/

/ 100

low-risk

Severity 22/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal