7.5
CVE-2026-3589
- EPSS 0.04%
- Published 06.03.2026 09:11:10
- Last modified 15.04.2026 14:42:29
- Source contact@wpscan.com
WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF
WooCommerce < 10.5.3 - Cross-Site Request Forgery
The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged-in admin call non-store/WC REST endpoints, and create arbitrary admin users via a CSRF attack, for example.
Possible mitigation
WooCommerce: Update to version 10.5.3, or a newer patched version
Data is provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
Vendor Automattic
Product
WooCommerce
Default status unaffected
| Version (from) | Version < | Status |
|---|---|---|
| 5.4.0 | 5.4.4 | affected |
| 5.5.0 | 5.4.5 | affected |
| 5.6.0 | 5.6.3 | affected |
| 5.7.0 | 5.7.3 | affected |
| 5.8.0 | 5.8.2 | affected |
| 5.9.0 | 5.9.2 | affected |
| 6.0.0 | 6.0.2 | affected |
| 6.1.0 | 6.1.3 | affected |
| 6.2.0 | 6.2.3 | affected |
| 6.3.0 | 6.3.2 | affected |
| 6.4.0 | 6.4.2 | affected |
| 6.5.0 | 6.5.2 | affected |
| 6.6.0 | 6.6.2 | affected |
| 6.7.0 | 6.7.1 | affected |
| 6.8.0 | 6.8.3 | affected |
| 6.9.0 | 6.9.5 | affected |
| 7.0.0 | 7.0.2 | affected |
| 7.1.0 | 7.1.2 | affected |
| 7.2.0 | 7.2.4 | affected |
| 7.3.0 | 7.3.1 | affected |
| 7.4.0 | 7.4.2 | affected |
| 7.5.0 | 7.5.2 | affected |
| 7.6.0 | 7.6.2 | affected |
| 7.7.0 | 7.7.3 | affected |
| 7.8.0 | 7.8.4 | affected |
| 7.9.0 | 7.9.2 | affected |
| 8.0.0 | 8.0.5 | affected |
| 8.1.0 | 8.1.4 | affected |
| 8.2.0 | 8.2.5 | affected |
| 8.3.0 | 8.3.4 | affected |
| 8.4.0 | 8.4.3 | affected |
| 8.5.0 | 8.5.5 | affected |
| 8.6.0 | 8.6.4 | affected |
| 8.7.0 | 8.7.3 | affected |
| 8.8.0 | 8.8.7 | affected |
| 8.9.0 | 8.9.5 | affected |
| 9.0.0 | 9.0.4 | affected |
| 9.1.0 | 9.1.7 | affected |
| 9.2.0 | 9.2.5 | affected |
| 9.3.0 | 9.3.6 | affected |
| 9.4.0 | 9.4.5 | affected |
| 9.5.0 | 9.5.4 | affected |
| 9.6.0 | 9.6.4 | affected |
| 9.7.0 | 9.7.3 | affected |
| 9.8.0 | 9.8.7 | affected |
| 9.9.0 | 9.9.7 | affected |
| 10.0.0 | 10.0.6 | affected |
| 10.1.0 | 10.1.4 | affected |
| 10.2.0 | 10.2.4 | affected |
| 10.3.0 | 10.3.8 | affected |
| 10.4.0 | 10.4.4 | affected |
| 10.5.0 | 10.5.3 | affected |
VulnDex Vulnerability Enrichment
Further vulnerability information
System WordPress Plugin
Product
WooCommerce
Version
[*, 10.5.3)
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.04% | 0.13 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | 1.6 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.