
Dylan H.

Security Team

March 7, 2026
6 min read

Affected Products

  • WooCommerce 5.4.0 - 10.5.2

CVE-2026-3589: WooCommerce CSRF Flaw Allows Admin Account Creation

A cross-site request forgery (CSRF) vulnerability has been disclosed in the widely deployed WooCommerce plugin for WordPress, tracked as CVE-2026-3589 (CVSS 7.5, High). The flaw affects versions 5.4.0 through 10.5.2 and stems from improper handling of batch requests in WooCommerce's Store API — potentially allowing attackers to trick a logged-in site administrator into triggering privileged actions, including the creation of arbitrary administrator accounts.

Patches for all 52 affected versions began automatic rollout on March 2, 2026, and no in-the-wild exploitation has been observed to date.


Vulnerability Overview

Attribute                  | Value
---------------------------|------------------------------------------------------
CVE ID                     | CVE-2026-3589
CVSS Score                 | 7.5 (High)
CWE Classification         | CWE-352 (Cross-Site Request Forgery)
Affected Plugin            | WooCommerce (WordPress)
Affected Versions          | 5.4.0 through 10.5.2
Fixed Version              | 10.5.3 and backports to affected branches (auto-update rolling out)
Attack Vector              | Requires a logged-in admin to visit a malicious link
Authentication Required    | None from the attacker's side
In-the-Wild Exploitation   | None confirmed
Patch Available            | Yes (March 2, 2026)

Technical Background

WooCommerce's Store API includes a batch endpoint that accepts several REST requests in a single call and dispatches each of them internally. The Store API exists to serve anonymous storefront traffic (cart, checkout), so it is reachable without the per-session REST nonce that WordPress otherwise requires before it will trust a cookie-authenticated REST request; a cookie-authenticated request to a normal REST endpoint that lacks that nonce is treated as anonymous, which is what usually neutralises CSRF against the REST API. The vulnerability, as the WooCommerce advisory describes it, is that the batch mechanism did not properly enforce CSRF protection on the sub-requests it routed internally. A cross-site request to the batch endpoint could therefore carry sub-requests aimed at REST endpoints outside the Store and WooCommerce namespaces, and those sub-requests ran with whatever login cookie the browser attached, that is, with administrator privileges if an administrator was the victim.

According to the official WooCommerce developer advisory, successful exploitation requires:

  1. A logged-in WordPress administrator to visit a specially crafted malicious link or page
  2. The administrator's browser to be something other than Chrome, or a Chrome build with a specific legacy flag enabled. This condition comes down to browser cookie policy: Chrome treats a cookie that declares no SameSite attribute (the WordPress login cookie does not set one by default) as SameSite=Lax, which withholds it from cross-site POST requests and so leaves the forged request unauthenticated. The advisory does not name the flag, and it is not reproduced here.
  3. The malicious page to silently submit a cross-origin request that triggers the vulnerable batch endpoint

Under these conditions, an attacker could cause the administrator's session to perform privileged actions, including:

  • Creating arbitrary administrator-level user accounts
  • Creating posts or pages
  • Modifying site configuration via administrative API calls

Attack Flow

1. Attacker crafts a malicious page containing a hidden form or JS fetch targeting the
   WooCommerce Store API batch endpoint
 
2. Attacker sends the victim admin a link to the malicious page (phishing email,
   social engineering, forum post, etc.)
 
3. Victim admin, currently logged into WordPress, visits the malicious link
 
4. The page silently submits a cross-origin request to the WooCommerce batch API
 
5. The batch API processes the request under the admin's authenticated session,
   routing it to a privileged non-WC endpoint
 
6. A new administrator account is created (or other privileged action executed)
   without the victim's knowledge
 
7. Attacker logs in using the newly created admin account and achieves full
   WordPress site control

Scope and Prevalence

WooCommerce is the most widely deployed e-commerce plugin for WordPress, with:

  • Active installations across millions of WordPress sites globally
  • 52 affected versions spanning from 5.4.0 to 10.5.2

Importantly, sites with WooCommerce auto-updates enabled began receiving the patch automatically from 14:00 UTC on March 2, 2026. Sites not enrolled in auto-updates require manual action.


Remediation

Primary Fix: Update WooCommerce

The patch is available in version 10.5.3 and all backport releases for affected version branches.

# Via WP-CLI
wp plugin update woocommerce
 
# Verify installed version
wp plugin get woocommerce --field=version

Or update via WordPress Admin > Plugins > WooCommerce > Update Now.
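For operators with more than one store, the version check is worth scripting, and the trap to avoid is a naive "version < 10.5.3" comparison: the advisory says the fix was also backported to the affected release branches, so a branch release that carries the backport would be misreported as vulnerable. The following is an added example, not code from the advisory or from WooCommerce. The affected range and the headline fixed version are taken from the advisory; the backport release numbers are not listed on this page, so PATCHED_BACKPORTS is an assumed, empty placeholder to be filled from the WooCommerce release notes, and the inventory is constructed.

```python
"""Fleet triage for CVE-2026-3589: is a given WooCommerce version affected?

Added example, not from the advisory or WooCommerce. Feed it the output of
  wp plugin get woocommerce --field=version
for each site. PATCHED_BACKPORTS is a placeholder: the advisory says fixes
were backported to affected branches but this page does not list them.
"""
import re

AFFECTED_MIN = "5.4.0"
AFFECTED_MAX = "10.5.2"
FIRST_FIXED = "10.5.3"
# Hypothetical placeholder: fill with the backported fix releases (one per
# affected branch) once read from the official WooCommerce release notes.
PATCHED_BACKPORTS = frozenset()

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Turn '10.5.3' or '10.5.3-rc.1' into a comparable tuple.

    Numeric parts compare as integers and are padded to three places; a
    pre-release suffix sorts below its base release (semver rule), so
    10.5.3-rc.1 < 10.5.3. Pre-releases at the range edges are therefore
    reported as not affected and deserve a manual look.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    is_release = 1 if m.group(2) is None else 0
    return tuple(parts) + (is_release,)


def is_affected(version, patched_backports=PATCHED_BACKPORTS):
    """True if version is inside the affected range and not a known backport fix."""
    if version.strip() in patched_backports:
        return False
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def triage(sites, patched_backports=PATCHED_BACKPORTS):
    """sites maps a site name to its WooCommerce version; returns the affected subset."""
    return {name: ver for name, ver in sites.items()
            if is_affected(ver, patched_backports)}


if __name__ == "__main__":
    # Constructed sample inventory; the host names are made up.
    inventory = {
        "shop-a.example": "10.5.3",
        "shop-b.example": "10.5.1",
        "shop-c.example": "9.8.5",
        "shop-d.example": "5.3.9",
    }
    for name, ver in triage(inventory).items():
        print(f"{name}: WooCommerce {ver} is affected, update to {FIRST_FIXED} or a backport")
```

Any site the script reports should be compared against the backport list before it is declared vulnerable; any site it does not report on a pre-release version should be checked by hand.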

Verify Auto-Update Status

To check if auto-updates are active for WooCommerce:

  1. Go to WordPress Admin > Plugins > Installed Plugins
  2. Locate WooCommerce in the plugin list
  3. Confirm "Enable auto-updates" is shown as active

Risk Reduction (Pre-Patch)

Even before patching, the attack surface can be reduced:

  1. Use a dedicated browser profile for WordPress admin access, and do not browse the open web while logged in as an administrator
  2. Log out of WordPress admin when not actively managing the site
  3. Verify all URLs before clicking links received via email, social media, or forums
  4. Front the site with a WAF (Wordfence, Sucuri, Cloudflare). A generic "CSRF rule" does not help here, since the forged request is otherwise well-formed; what helps until the patch lands is a rule that blocks POSTs to the Store API batch endpoint whose Origin or Referer header is not your own site. Test it against the storefront first, because its own batch calls must keep working
  5. Shorten administrator session lifetime with a session-timeout plugin

Detection

Monitor for unexpected administrator account creation, which may indicate exploitation:

# Check for recently created admin users via WP-CLI
wp user list --role=administrator --format=table
 
# Check user creation timestamps
wp user list --role=administrator --fields=user_login,user_registered --format=table
 
# Review recent REST API access in server logs for batch endpoint hits
grep "wc/store/v1/batch" /var/log/nginx/access.log | tail -100

Unexpected administrator accounts created around the time of site visits from unfamiliar IPs should be treated as potential compromise indicators.
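The grep and the user listing above are more useful together than apart: a forged batch request arrives from an administrator's browser while it is on someone else's page, so in a combined-format access log it shows up as a POST to the batch endpoint whose Referer is not the site itself (or is absent, if the attacker's page sets a strict Referrer-Policy), and the account it creates is registered seconds later. The following is an added example, not code from the advisory or from WooCommerce, that parses nginx "combined" access-log lines and the CSV form of the `wp user list` command above, flags off-site batch POSTs and administrators missing from a known-good baseline, and ties the two together by time. It assumes the site host name is known and that user_registered is in UTC (WordPress stores it in GMT); the log lines and CSV in it are constructed.

```python
"""Correlate Store API batch hits with administrator creation (added example).

Inputs: nginx "combined" access-log lines and the CSV output of
  wp user list --role=administrator --fields=user_login,user_registered --format=csv
Assumes user_registered is UTC and the site host name is known.
"""
import csv
import io
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
BATCH_MARKER = "wc/store/v1/batch"   # matches both pretty and ?rest_route= URLs


def parse_log_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def batch_hits(log_lines, site_host):
    """POSTs to the batch endpoint that did not come from the site's own pages.

    A storefront call carries the site as Referer. A forged request carries the
    attacker page's host, or no Referer at all under a strict Referrer-Policy,
    so both of those cases are kept.
    """
    hits = []
    for line in log_lines:
        rec = parse_log_line(line)
        if not rec or rec["method"] != "POST" or BATCH_MARKER not in rec["path"]:
            continue
        ref_host = urlparse(rec["referer"]).hostname if rec["referer"] != "-" else None
        if ref_host == site_host:
            continue
        rec["referer_host"] = ref_host
        hits.append(rec)
    return hits


def unexpected_admins(csv_text, baseline):
    """Administrator rows whose login is not in the known-good baseline set."""
    found = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["user_login"] in baseline:
            continue
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        found.append({"user_login": row["user_login"],
                      "registered": registered.replace(tzinfo=timezone.utc)})
    return found


def correlate(admins, hits, window=timedelta(minutes=10)):
    """Attach to each unexpected admin the off-site batch hits seen just before creation."""
    findings = []
    for admin in admins:
        near = [h for h in hits
                if timedelta(0) <= admin["registered"] - h["time"] <= window]
        findings.append({"user_login": admin["user_login"],
                         "registered": admin["registered"], "batch_hits": near})
    return findings


# Constructed sample data, not real traffic: an admin session, a forged batch
# POST from an off-site page, one with no Referer, and a normal storefront call.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Mar/2026:10:14:58 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "https://shop.example/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [07/Mar/2026:10:15:31 +0000] "POST /wp-json/wc/store/v1/batch HTTP/1.1" 200 412 "https://evil.example/deal.html" "Mozilla/5.0"
203.0.113.7 - - [07/Mar/2026:10:15:40 +0000] "POST /index.php?rest_route=/wc/store/v1/batch HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.4 - - [07/Mar/2026:10:20:02 +0000] "POST /wp-json/wc/store/v1/batch HTTP/1.1" 200 388 "https://shop.example/checkout/" "Mozilla/5.0"
"""
SAMPLE_ADMINS_CSV = """\
user_login,user_registered
owner,2021-06-12 08:00:00
wc-support,2026-03-07 10:15:33
"""
KNOWN_ADMINS = {"owner"}


if __name__ == "__main__":
    hits = batch_hits(SAMPLE_LOG.splitlines(), "shop.example")
    for f in correlate(unexpected_admins(SAMPLE_ADMINS_CSV, KNOWN_ADMINS), hits):
        print(f"unexpected admin {f['user_login']} registered {f['registered']:%Y-%m-%d %H:%M:%S} UTC; "
              f"{len(f['batch_hits'])} preceding off-site batch hit(s)")
        for h in f["batch_hits"]:
            print(f"  {h['time']:%H:%M:%S} {h['ip']} referer={h['referer_host']}")
```

On the constructed data the script reports one unexpected administrator, wc-support, preceded two seconds earlier by a batch POST referred from evil.example; the Referer-less hit at 10:15:40 is listed as off-site but not correlated, because it arrived after the account already existed. Run it over rotated logs as well as the live file, and remember that a site behind a CDN must log the client IP from the forwarded header, not the edge address.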


Impact Assessment

Impact Area           | Description
----------------------|------------------------------------------------------------------
Site Takeover         | Full WordPress admin access if exploitation succeeds
Data Access           | Order history, customer PII, payment records accessible via admin
Malware Injection     | Attacker-controlled admin can inject malicious code or plugins
SEO Poisoning         | Content manipulation, link injection, redirect attacks
Exploitation Barrier  | Requires social engineering to get an admin to click a link
Auto-Update Coverage  | Sites with auto-updates enabled are already protected

The practical exploitation barrier — requiring a logged-in admin to visit a malicious URL — limits opportunistic mass exploitation but does not eliminate targeted attack risk, particularly for high-value WooCommerce stores.


Key Takeaways

  1. CVE-2026-3589 affects WooCommerce versions 5.4.0–10.5.2 and allows CSRF-based admin account creation via the Store API batch endpoint
  2. CVSS 7.5 (High) — exploitation requires a logged-in admin to visit an attacker-controlled link
  3. Patches rolled out automatically on March 2, 2026 for sites with auto-updates enabled; manual update required otherwise
  4. No in-the-wild exploitation has been confirmed as of the disclosure date
  5. Immediate action: Update to WooCommerce 10.5.3+; adopt safe browsing hygiene for admin sessions

Sources

  • CVE-2026-3589 — NIST NVD
  • Store API Vulnerability Patched in WooCommerce 5.4+ — WooCommerce Developer Blog
  • CVE-2026-3589: CWE-352 CSRF in Automattic WooCommerce — OffSeq Threat Radar
  • CVE-2026-3589 — THREATINT
#WooCommerce #WordPress #CVE-2026-3589 #CSRF #Vulnerability #Patch #CWE-352
