{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-3589","assignerOrgId":"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81","state":"PUBLISHED","assignerShortName":"WPScan","dateReserved":"2026-03-05T10:41:21.729Z","datePublished":"2026-03-06T09:11:10.949Z","dateUpdated":"2026-03-06T17:44:58.613Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81","shortName":"WPScan","dateUpdated":"2026-03-06T09:11:10.949Z"},"title":"WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF","problemTypes":[{"descriptions":[{"description":"CWE-352 Cross-Site Request Forgery (CSRF)","lang":"en","type":"CWE"}]}],"affected":[{"vendor":"Automattic","product":"WooCommerce","versions":[{"status":"affected","versionType":"semver","version":"5.4.0","lessThan":"5.4.4"},{"status":"affected","versionType":"semver","version":"5.5.0","lessThan":"5.4.5"},{"status":"affected","versionType":"semver","version":"5.6.0","lessThan":"5.6.3"},{"status":"affected","versionType":"semver","version":"5.7.0","lessThan":"5.7.3"},{"status":"affected","versionType":"semver","version":"5.8.0","lessThan":"5.8.2"},{"status":"affected","versionType":"semver","version":"5.9.0","lessThan":"5.9.2"},{"status":"affected","versionType":"semver","version":"6.0.0","lessThan":"6.0.2"},{"status":"affected","versionType":"semver","version":"6.1.0","lessThan":"6.1.3"},{"status":"affected","versionType":"semver","version":"6.2.0","lessThan":"6.2.3"},{"status":"affected","versionType":"semver","version":"6.3.0","lessThan":"6.3.2"},{"status":"affected","versionType":"semver","version":"6.4.0","lessThan":"6.4.2"},{"status":"affected","versionType":"semver","version":"6.5.0","lessThan":"6.5.2"},{"status":"affected","versionType":"semver","version":"6.6.0","lessThan":"6.6.2"},{"status":"affected","versionType":"semver","version":"6.7.0","lessThan":"6.7.1"},{"status":"affected","versionType":"semver","version":"6.8.0","lessThan":"6.8.3"},{"status":"affected","versionType":"semv
er","version":"6.9.0","lessThan":"6.9.5"},{"status":"affected","versionType":"semver","version":"7.0.0","lessThan":"7.0.2"},{"status":"affected","versionType":"semver","version":"7.1.0","lessThan":"7.1.2"},{"status":"affected","versionType":"semver","version":"7.2.0","lessThan":"7.2.4"},{"status":"affected","versionType":"semver","version":"7.3.0","lessThan":"7.3.1"},{"status":"affected","versionType":"semver","version":"7.4.0","lessThan":"7.4.2"},{"status":"affected","versionType":"semver","version":"7.5.0","lessThan":"7.5.2"},{"status":"affected","versionType":"semver","version":"7.6.0","lessThan":"7.6.2"},{"status":"affected","versionType":"semver","version":"7.7.0","lessThan":"7.7.3"},{"status":"affected","versionType":"semver","version":"7.8.0","lessThan":"7.8.4"},{"status":"affected","versionType":"semver","version":"7.9.0","lessThan":"7.9.2"},{"status":"affected","versionType":"semver","version":"8.0.0","lessThan":"8.0.5"},{"status":"affected","versionType":"semver","version":"8.1.0","lessThan":"8.1.4"},{"status":"affected","versionType":"semver","version":"8.2.0","lessThan":"8.2.5"},{"status":"affected","versionType":"semver","version":"8.3.0","lessThan":"8.3.4"},{"status":"affected","versionType":"semver","version":"8.4.0","lessThan":"8.4.3"},{"status":"affected","versionType":"semver","version":"8.5.0","lessThan":"8.5.5"},{"status":"affected","versionType":"semver","version":"8.6.0","lessThan":"8.6.4"},{"status":"affected","versionType":"semver","version":"8.7.0","lessThan":"8.7.3"},{"status":"affected","versionType":"semver","version":"8.8.0","lessThan":"8.8.7"},{"status":"affected","versionType":"semver","version":"8.9.0","lessThan":"8.9.5"},{"status":"affected","versionType":"semver","version":"9.0.0","lessThan":"9.0.4"},{"status":"affected","versionType":"semver","version":"9.1.0","lessThan":"9.1.7"},{"status":"affected","versionType":"semver","version":"9.2.0","lessThan":"9.2.5"},{"status":"affected","versionType":"semver","version":"9.3.0","lessThan"
:"9.3.6"},{"status":"affected","versionType":"semver","version":"9.4.0","lessThan":"9.4.5"},{"status":"affected","versionType":"semver","version":"9.5.0","lessThan":"9.5.4"},{"status":"affected","versionType":"semver","version":"9.6.0","lessThan":"9.6.4"},{"status":"affected","versionType":"semver","version":"9.7.0","lessThan":"9.7.3"},{"status":"affected","versionType":"semver","version":"9.8.0","lessThan":"9.8.7"},{"status":"affected","versionType":"semver","version":"9.9.0","lessThan":"9.9.7"},{"status":"affected","versionType":"semver","version":"10.0.0","lessThan":"10.0.6"},{"status":"affected","versionType":"semver","version":"10.1.0","lessThan":"10.1.4"},{"status":"affected","versionType":"semver","version":"10.2.0","lessThan":"10.2.4"},{"status":"affected","versionType":"semver","version":"10.3.0","lessThan":"10.3.8"},{"status":"affected","versionType":"semver","version":"10.4.0","lessThan":"10.4.4"},{"status":"affected","versionType":"semver","version":"10.5.0","lessThan":"10.5.3"}],"defaultStatus":"unaffected","collectionURL":"https://wordpress.org/plugins"}],"descriptions":[{"lang":"en","value":"The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to cause a logged-in admin to call non-store/WC REST endpoints and, for example, create arbitrary admin users via a CSRF attack."}],"references":[{"url":"https://wpscan.com/vulnerability/53ded097-274d-4850-82ee-620bf02f7553/","tags":["exploit","vdb-entry","technical-description"]},{"url":"https://developer.woocommerce.com/2026/03/02/store-api-vulnerability-patched-in-woocommerce-5-4/","tags":["technical-description"]}],"credits":[{"lang":"en","value":"oolongeya","type":"finder"}],"source":{"discovery":"EXTERNAL"},"x_generator":{"engine":"WPScan CVE Generator"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-352","lang":"en","description":"CWE-352 Cross-Site Request Forgery 
(CSRF)"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.5,"attackVector":"NETWORK","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"REQUIRED","attackComplexity":"HIGH","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-03-06T17:44:54.283745Z","id":"CVE-2026-3589","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-06T17:44:58.613Z"}}]}}