Description
The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.
Published: 2026-03-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via CSRF
Action: Immediate Patch
AI Analysis

Impact

WooCommerce 5.4.0 through 10.5.2 does not properly restrict REST batch requests: a sub-request inside a batch can target endpoints outside the WooCommerce store/WC REST namespaces, and the batch is processed with whatever session the browser attaches to it. An unauthenticated attacker who lures a logged-in administrator to a crafted page can therefore forge a batch request from that administrator's browser and, as the advisory's example, reach the core WordPress endpoint that creates users to add an administrator account of their own. The weakness is Cross-Site Request Forgery (CWE-352); its outcome is complete privilege escalation on the affected WordPress site.

Affected Systems

The vulnerability affects the Automattic WooCommerce WordPress plugin. Every release from 5.4.0 through 10.5.2 inclusive is affected; the advisory title ("WooCommerce < 10.5.3") identifies 10.5.3 as the first fixed release. Any WordPress installation running one of the affected releases is at risk.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (High) reflects a network-reachable attack that needs no privileges but does need user interaction (UI:R) and has high attack complexity (AC:H), with high impact on confidentiality, integrity and availability. The EPSS score (< 1%) and the flaw's absence from CISA's KEV catalog indicate no observed exploitation at the time of writing, and the SSVC record agrees ("Exploitation: none", "Automatable: no"). The attack itself is a standard CSRF: the attacker has to get an administrator to load a crafted page while logged in to the site. The forged request is then sent by the administrator's own browser with the administrator's session cookie, so the target endpoint's privilege checks are satisfied by the victim's privileges; the attacker needs no credentials of their own.

Generated by OpenCVE AI on April 17, 2026 at 12:21 UTC.

Remediation

This field records no vendor fix or workaround, but the advisory title ("WooCommerce < 10.5.3") and the recommended actions below indicate that 10.5.3 is the first fixed release.

OpenCVE Recommended Actions

  • Update WooCommerce to version 10.5.3 or later, the first release with corrected batch request handling.
  • If an immediate upgrade is not possible, restrict the WooCommerce REST batch route at the web server, WAF or security plugin until you can upgrade. The page does not name the route, so identify it from the version you run. Two caveats: the forged request comes from the administrator's own browser with a valid login cookie, so a rule that only targets "unauthenticated" sources will not catch it; and blanket-blocking /wp-json/wc/v3/ breaks legitimate integrations that use the WooCommerce REST API, so scope the rule to the batch route rather than the whole namespace.
  • Audit the WordPress users table for recently created administrator accounts (and for existing accounts promoted to administrator), investigate their origin, and remove any that were not authorized. Alert on every new administrator account so that future attempts are detected promptly.
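The interim control from the second bullet and the audit and alerting from the third, as a WordPress must-use plugin. This is an added example written for this page, not code from WooCommerce, WPScan or OpenCVE. Its assumptions, none of which the advisory states: the vulnerable handling is reached through a WooCommerce REST route whose path ends in /batch (WC3589_BATCH_ROUTE is a placeholder regex to adjust to your version); the nonce conventions (X-WP-Nonce with action wp_rest in core, the Nonce header with action wc_store_api in WooCommerce's Store API) and the $wp_rest_auth_cookie global are as they exist in current WordPress and WooCommerce, which you should confirm against the versions you run. All wc3589_ names are made up for the example.

```php
<?php
/**
 * Plugin Name: CVE-2026-3589 interim hardening (example, not WooCommerce code)
 * Description: Drop into wp-content/mu-plugins/ on a site that cannot yet
 *              upgrade to WooCommerce 10.5.3. Remove the batch filter after upgrading.
 */

// ASSUMPTION: the WooCommerce batch route(s) to police. The advisory does not
// name the route; adjust this regex to the route your installed version exposes.
const WC3589_BATCH_ROUTE = '#^/wc/.*/batch$#';

/**
 * Interim control. A batch request whose only credential is the WordPress
 * login cookie (the CSRF case) must carry a REST nonce, which a cross-site
 * page cannot obtain. Requests authenticated with WooCommerce API keys or
 * application passwords never set $wp_rest_auth_cookie and are left alone.
 */
function wc3589_require_nonce_for_batch( $result, $server, $request ) {
    if ( null !== $result || ! preg_match( WC3589_BATCH_ROUTE, $request->get_route() ) ) {
        return $result;
    }
    // Core sets this global to true only when a valid auth cookie was presented.
    if ( true !== ( $GLOBALS['wp_rest_auth_cookie'] ?? null ) ) {
        return $result;
    }
    $core_nonce  = $request->get_header( 'X-WP-Nonce' ) ?: $request->get_param( '_wpnonce' );
    $store_nonce = $request->get_header( 'Nonce' );
    if ( wp_verify_nonce( (string) $core_nonce, 'wp_rest' )
        || wp_verify_nonce( (string) $store_nonce, 'wc_store_api' ) ) {
        return $result;
    }
    return new WP_Error(
        'wc3589_csrf_blocked',
        'Batch requests from a logged-in session must carry a valid REST nonce.',
        array( 'status' => 403 )
    );
}
add_filter( 'rest_pre_dispatch', 'wc3589_require_nonce_for_batch', 10, 3 );

/**
 * Detection. Log and mail every creation of, or promotion to, administrator
 * together with the request that caused it. A legitimate creation from
 * wp-admin shows /wp-admin/user-new.php as the URI; one produced through a
 * forged REST batch shows the REST route and rest=yes instead.
 */
function wc3589_alert_admin_grant( $user_id ) {
    static $reported = array();   // several hooks fire per creation; report each user once
    $user = get_userdata( $user_id );
    if ( isset( $reported[ $user_id ] ) || ! $user
        || ! in_array( 'administrator', (array) $user->roles, true ) ) {
        return;
    }
    $reported[ $user_id ] = true;
    $actor   = wp_get_current_user();
    $message = sprintf(
        '[wc3589] administrator granted: user=%s (ID %d) by=%s ip=%s uri=%s rest=%s',
        $user->user_login,
        $user_id,
        $actor->exists() ? $actor->user_login : 'anonymous',
        $_SERVER['REMOTE_ADDR'] ?? 'n/a',
        $_SERVER['REQUEST_URI'] ?? 'n/a',
        ( defined( 'REST_REQUEST' ) && REST_REQUEST ) ? 'yes' : 'no'
    );
    error_log( $message );
    wp_mail( get_option( 'admin_email' ), 'New administrator on ' . home_url(), $message );
}
add_action( 'user_register', 'wc3589_alert_admin_grant' );  // new account (role is already set here)
add_action( 'set_user_role', 'wc3589_alert_admin_grant' );  // existing account given a new role
add_action( 'add_user_role', 'wc3589_alert_admin_grant' );  // role added after insert, as REST user creation does

/**
 * Audit. Administrators whose accounts were registered after $since
 * (any format strtotime() accepts). From the shell:
 *   wp eval 'print_r( wc3589_recent_admins( "2026-03-01" ) );'
 */
function wc3589_recent_admins( $since ) {
    $query = new WP_User_Query( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ) );
    return $query->get_results();
}
```

Test this on staging before production: the nonce check returns 403 to any logged-in session whose storefront JavaScript sends neither nonce header on the batch route, and the route regex must match how your WooCommerce version registers batch handling. The audit query only finds accounts by registration date, so keep the set_user_role hook in place to catch an existing low-privilege account that was promoted instead of created.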



Advisories

No advisories yet.

History

Mon, 09 Mar 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Automattic; Automattic woocommerce; Wordpress; Wordpress wordpress
Vendors & Products   -                Automattic; Automattic woocommerce; Wordpress; Wordpress wordpress

Fri, 06 Mar 2026 18:15:00 +0000

Type         Values Removed   Values Added
Weaknesses   -                CWE-352
Metrics      -                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}
                              ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 09:30:00 +0000

Type          Values Removed   Values Added
Description   -                The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.
Title         -                WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF
References    -

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-03-06T17:44:58.613Z

Reserved: 2026-03-05T10:41:21.729Z

Link: CVE-2026-3589

Vulnrichment

Updated: 2026-03-06T17:44:24.175Z

NVD

Status : Deferred

Published: 2026-03-06T10:16:22.497

Modified: 2026-04-15T14:42:29.303

Link: CVE-2026-3589

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses