Donate Telegram

CVE-2026-3589

HIGH CVSS 3.1: 7.5

Mar 06, 2026

Updated Mar 06, 2026

WordPress

Parameter	Value
CVSS	7.5 (HIGH)
Affected Versions	5.4.0 — 10.5.2
Type	CWE-352 (Cross-Site Request Forgery (CSRF) (Подделка межсайтовых запросов))
Vendor	WordPress
Public PoC	No

The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.

Attack Parameters

Attack Vector

Network

Атака возможна удалённо

Attack Complexity

High

Сложно эксплуатировать

Privileges Required

None

Права не нужны

User Interaction

Required

Нужно действие пользователя

Impact Assessment

Confidentiality

High

Полная утечка данных

Integrity

High

Полная модификация данных

Availability

High

Полный отказ в обслуживании

CVSS Vector v3.1

Weakness Type (CWE)

CWE-352 Cross-Site Request Forgery (CSRF) (Подделка межсайтовых запросов)

References 2

https://developer.woocommerce.com/2026/03/02/store-api-vulnerability-patched-in…

contact@wpscan.com

https://wpscan.com/vulnerability/53ded097-274d-4850-82ee-620bf02f7553/

contact@wpscan.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-2433

WordPress

CVE-2026-2420

WordPress

CVE-2026-1825

WordPress

CVE-2026-1824

WordPress

CVE-2026-1823

WordPress

CVE Details

CVE ID

CVE-2026-3589

Published Date

Mar 06, 2026

Vendor

WordPress

Severity

HIGH

CVSS v3.1 Score

7.5

High severity. Prioritize patching.

Attack Analysis

Exploitability 1.6/10

How easy to exploit

Impact 5.9/10

Severity of consequences

Impact

Full data disclosure

Complete data modification

Denial of Service

Source

Editor's Choice