CVE-2026-3589 Overview
CVE-2026-3589 is a Cross-Site Request Forgery (CSRF) vulnerability in the WooCommerce WordPress plugin affecting versions 5.4.0 through 10.5.2. Batch requests were handled in a way that let an unauthenticated attacker ride a logged-in administrator's session to call REST endpoints outside the WooCommerce store and WC namespaces (the advisory describes these as non-store/WC REST endpoints). The attacker needs no account on the site: the forged request is sent by the administrator's own browser and carries the administrator's cookies. The flaw can be exploited to create arbitrary administrator user accounts through a CSRF attack.
Critical Impact
Successful exploitation allows unauthenticated attackers to create rogue administrator accounts on vulnerable WordPress sites running affected WooCommerce versions, potentially leading to complete site compromise.
Affected Products
- WooCommerce WordPress plugin versions 5.4.0 through 10.5.2
- WordPress installations with vulnerable WooCommerce plugin versions
- Any site with an affected WooCommerce version active, whether or not the site itself uses the REST API batch routes, since the plugin registers those routes regardless
Discovery Timeline
- 2026-03-02 - WooCommerce releases security patch (per security advisory)
- 2026-03-06 - CVE-2026-3589 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-3589
Vulnerability Analysis
This vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and affects the batch request handling mechanism in WooCommerce's REST API. WordPress normally protects cookie-authenticated REST requests with a nonce (the X-WP-Nonce header or the _wpnonce parameter): a request that arrives with login cookies but without a valid nonce is treated as anonymous. The flaw allows an attacker to craft a batch request that, when the administrator's browser sends it, reaches non-store WooCommerce REST endpoints with the administrator's privileges even though that protection is not satisfied.
The attack requires network access and user interaction: the administrator must visit an attacker-controlled page (or follow a crafted link to one) while logged in to WordPress. No further click is needed once the page loads, because the page can submit the forged request itself. Once triggered, the attacker can use the administrator's session to execute unauthorized actions, including the creation of new administrator accounts with attacker-chosen credentials.
Root Cause
The root cause of CVE-2026-3589 is that batch requests were not subjected to the same CSRF validation as ordinary REST requests. A cross-site request can carry the administrator's cookies but cannot carry a valid WordPress REST nonce, and WooCommerce did not verify that batch requests (or the sub-requests they contain) targeting non-store REST endpoints arrived with one. The sub-requests therefore executed under the cookie session, with the privileges of the authenticated administrator.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker hosts a webpage containing a hidden form or JavaScript that automatically submits a batch request to the vulnerable WooCommerce REST API endpoint. When an authenticated WordPress administrator visits this page, the browser attaches the site's session cookies to the cross-site request, so the batch request executes with administrative privileges. Browsers that default unspecified cookies to SameSite=Lax withhold them on most cross-site POSTs (Chromium does, with a short grace period after a cookie is set), so exposure varies with the victim's browser; this should not be relied on as protection.
The attacker can structure the batch request so that it calls the WordPress REST endpoints for user creation, specifying an administrator role for the new account. Once the rogue administrator account exists, the attacker logs in directly with the credentials they chose and has full control of the WordPress site.
Detection Methods for CVE-2026-3589
Indicators of Compromise
- Unexpected administrator user accounts appearing in WordPress user management
- Unfamiliar user accounts with administrative privileges created without proper authorization
- POST requests to batch routes under /wp-json/wc/ in server access logs whose Referer (or Origin, if logged) belongs to a site other than the store
- Administrator accounts created during timeframes when legitimate admins were not actively managing the site
Detection Strategies
- Monitor WordPress user creation events, especially those creating administrator-level accounts
- Implement web application firewall (WAF) rules that block POSTs to WooCommerce batch routes whose Origin or Referer header names another site
- Review server access logs for unusual patterns of REST API calls to WooCommerce endpoints
- Do not expect endpoint (EDR) tooling to see this attack: the forged request is ordinary browser traffic from the administrator's machine, so detection belongs on the server side, in access logs, WAF events and WordPress audit logs
Monitoring Recommendations
- Enable and review WordPress audit logging for user creation and role changes; core does not log these by default, so an audit plugin or custom handlers on the user_register and set_user_role actions are needed
- Configure alerts for new administrator account creation in your WordPress security monitoring solution
- Implement real-time monitoring of REST API endpoint access patterns
- Regularly audit administrator accounts and remove any unauthorized users
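The following script is an added example that is not part of the original page or of WooCommerce; it turns the indicators of compromise, detection strategies and monitoring recommendations above into something that can be run over exported data. It assumes a hypothetical store host (shop.example), web-server logs in the Apache/nginx "combined" format, and an administrator export in the shape produced by `wp user list --role=administrator --format=json --fields=user_login,user_registered`. The log lines and the user export embedded below are constructed samples.

```python
"""Hunt for CVE-2026-3589 indicators in access logs and a WordPress admin export."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

SITE_HOST = "shop.example"  # hypothetical; set to the store's own hostname

# "combined" log format. Origin is not logged by default, so Referer is the
# cross-site signal available in stock logs (add %{Origin}i to LogFormat to do better).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The advisory does not name a single route, so match any batch route under /wp-json/wc/.
BATCH_RE = re.compile(r"^/wp-json/wc/[^?]*/batch(?:\?|$)")
LOG_TS = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2026:14:02:11 +0000] "POST /wp-json/wc/v3/products/batch HTTP/1.1" 200 812 "https://shop.example/wp-admin/edit.php?post_type=product" "Mozilla/5.0"
198.51.100.23 - - [05/Mar/2026:14:03:40 +0000] "POST /wp-json/wc/v3/products/batch HTTP/1.1" 200 1440 "https://evil.example/win-a-prize.html" "Mozilla/5.0"
198.51.100.23 - - [05/Mar/2026:14:03:41 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Mar/2026:14:10:02 +0000] "POST /wp-json/wc/v3/orders/batch HTTP/1.1" 200 512 "-" "python-requests/2.31"
""".splitlines()

# Constructed administrator export; WordPress stores user_registered in UTC.
ADMIN_EXPORT = [
    {"user_login": "store-owner", "user_registered": "2021-06-14 09:12:00"},
    {"user_login": "wc_support", "user_registered": "2026-03-05 14:03:40"},
]
APPROVED_ADMINS = {"store-owner"}  # hypothetical baseline of known administrators


def classify_request(line):
    """Return None for lines that are not batch POSTs, else a record with a verdict."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or not BATCH_RE.match(m["path"]):
        return None
    ref = m["referer"]
    host = urlsplit(ref).hostname if ref not in ("", "-") else None
    if host is None:
        # Non-browser API clients send no Referer, but so does a malicious page
        # served with Referrer-Policy: no-referrer. Worth review, not proof.
        verdict = "no-referer"
    elif host.lower() != SITE_HOST:
        # A browser sent this POST from another site's page: the CSRF pattern.
        verdict = "cross-site"
    else:
        verdict = "same-site"
    return {"ip": m["ip"], "time": datetime.strptime(m["ts"], LOG_TS),
            "path": m["path"], "referer": ref, "verdict": verdict}


def find_suspicious_batches(lines):
    """Cross-site batch POSTs first, then referer-less ones; same-site traffic is dropped."""
    rank = {"cross-site": 0, "no-referer": 1}
    hits = [e for e in map(classify_request, lines) if e and e["verdict"] in rank]
    return sorted(hits, key=lambda e: rank[e["verdict"]])


def correlate_rogue_admins(hits, users, approved, window=timedelta(minutes=5)):
    """Pair administrators missing from the approved list with the suspicious
    batch POST closest to their registration time, if one falls inside `window`."""
    findings = []
    for u in users:
        if u["user_login"] in approved:
            continue
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        registered = registered.replace(tzinfo=timezone.utc)
        nearby = sorted((h for h in hits if abs(h["time"] - registered) <= window),
                        key=lambda h: abs(h["time"] - registered))
        findings.append({"user_login": u["user_login"], "registered": registered,
                         "matched_request": nearby[0] if nearby else None})
    return findings


if __name__ == "__main__":
    hits = find_suspicious_batches(SAMPLE_LOG)
    for h in hits:
        print(f"{h['verdict']:10} {h['time'].isoformat()} {h['ip']} {h['path']} referer={h['referer']}")
    for f in correlate_rogue_admins(hits, ADMIN_EXPORT, APPROVED_ADMINS):
        r = f["matched_request"]
        tail = f" <- {r['verdict']} batch POST from {r['ip']} at {r['time'].isoformat()}" if r else ""
        print(f"unapproved admin {f['user_login']} registered {f['registered'].isoformat()}{tail}")
```

Feed it the real files with `find_suspicious_batches(open("access.log"))` and the JSON from WP-CLI; the five-minute correlation window is a starting point, since the account is created by the same request. A cross-site Referer on a batch POST is the strongest single signal; an empty Referer only means the request came from an API client or from a page that suppressed it, so those hits need the user-creation correlation before they are treated as an incident.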
How to Mitigate CVE-2026-3589
Immediate Actions Required
- Update WooCommerce immediately to the patched release named in the WooCommerce Security Advisory (any version later than 10.5.2)
- Review existing administrator accounts for any unauthorized users and remove them
- Terminate all active administrator sessions (the "Log Out Everywhere Else" button on the profile page, or wp user session destroy <user> --all with WP-CLI) and rotate WooCommerce REST API keys and application passwords, which a rogue administrator could have created as a persistent backdoor; a password reset alone does not revoke those
- Implement additional CSRF protection mechanisms at the WAF or application level
Patch Information
WooCommerce has released a security patch addressing this vulnerability. Site administrators should update to the latest patched version as documented in the WooCommerce Security Advisory. Additional technical details are available in the WPScan Vulnerability Report.
Workarounds
- Temporarily disable the WooCommerce REST API batch endpoint functionality if nothing depends on it; some store front-ends and integrations use batch routes, so test before doing this on a production store
- Set an explicit SameSite=Lax (or Strict) attribute on the WordPress authentication cookies, for example by rewriting Set-Cookie at the web server, so that a cross-site form POST no longer carries the administrator's session. A Content Security Policy on the store does not help here: the forged request is issued from the attacker's page, whose policy the store does not control
- Use a web application firewall to reject POSTs to batch routes whose Origin or Referer names another site
- Enforce multi-factor authentication for all administrator accounts. This does not stop the CSRF itself (the rogue account is created by the victim's already-authenticated browser), but it limits what an attacker gains from any administrator credentials captured alongside it and makes an unexpected MFA enrolment by a new administrator visible
# Example: reject cross-site POSTs to WooCommerce batch routes (Apache .htaccess)
# A cookie-presence test cannot catch CSRF, because the forged request carries the
# victim's own wordpress_logged_in cookie. Browsers always send an Origin header on
# cross-site POSTs, so compare it with the request's Host instead. Requests with no
# Origin header (non-browser API clients) are left alone, and requests that reach
# the REST API as /?rest_route=... are not matched by this path test.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{REQUEST_URI} ^/wp-json/wc/.*/batch
RewriteCond %{HTTP:Origin} !^$
RewriteCond %{HTTP_HOST}@@%{HTTP:Origin} !^([^@]+)@@https?://\1$ [NC]
RewriteRule ^ - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.