CVE-2026-3589
- CVSS Base Score 7.5
- EPSS 0.03%
- Published 06.03.2026 09:11:10
- Last modified 09.03.2026 13:35:34
- Source contact@wpscan.com
The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged-in admin call non-store/WC REST endpoints and, for example, create arbitrary admin users via a CSRF attack.
Linked by AI from unstructured data to existing CPEs in the NVD.
Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: Automattic
Product: WooCommerce
Default status: unaffected
| Version (affected from) | Version < (affected up to, exclusive) | Status |
|---|---|---|
| 5.4.0 | 5.4.4 | affected |
| 5.5.0 | 5.4.5 | affected |
| 5.6.0 | 5.6.3 | affected |
| 5.7.0 | 5.7.3 | affected |
| 5.8.0 | 5.8.2 | affected |
| 5.9.0 | 5.9.2 | affected |
| 6.0.0 | 6.0.2 | affected |
| 6.1.0 | 6.1.3 | affected |
| 6.2.0 | 6.2.3 | affected |
| 6.3.0 | 6.3.2 | affected |
| 6.4.0 | 6.4.2 | affected |
| 6.5.0 | 6.5.2 | affected |
| 6.6.0 | 6.6.2 | affected |
| 6.7.0 | 6.7.1 | affected |
| 6.8.0 | 6.8.3 | affected |
| 6.9.0 | 6.9.5 | affected |
| 7.0.0 | 7.0.2 | affected |
| 7.1.0 | 7.1.2 | affected |
| 7.2.0 | 7.2.4 | affected |
| 7.3.0 | 7.3.1 | affected |
| 7.4.0 | 7.4.2 | affected |
| 7.5.0 | 7.5.2 | affected |
| 7.6.0 | 7.6.2 | affected |
| 7.7.0 | 7.7.3 | affected |
| 7.8.0 | 7.8.4 | affected |
| 7.9.0 | 7.9.2 | affected |
| 8.0.0 | 8.0.5 | affected |
| 8.1.0 | 8.1.4 | affected |
| 8.2.0 | 8.2.5 | affected |
| 8.3.0 | 8.3.4 | affected |
| 8.4.0 | 8.4.3 | affected |
| 8.5.0 | 8.5.5 | affected |
| 8.6.0 | 8.6.4 | affected |
| 8.7.0 | 8.7.3 | affected |
| 8.8.0 | 8.8.7 | affected |
| 8.9.0 | 8.9.5 | affected |
| 9.0.0 | 9.0.4 | affected |
| 9.1.0 | 9.1.7 | affected |
| 9.2.0 | 9.2.5 | affected |
| 9.3.0 | 9.3.6 | affected |
| 9.4.0 | 9.4.5 | affected |
| 9.5.0 | 9.5.4 | affected |
| 9.6.0 | 9.6.4 | affected |
| 9.7.0 | 9.7.3 | affected |
| 9.8.0 | 9.8.7 | affected |
| 9.9.0 | 9.9.7 | affected |
| 10.0.0 | 10.0.6 | affected |
| 10.1.0 | 10.1.4 | affected |
| 10.2.0 | 10.2.4 | affected |
| 10.3.0 | 10.3.8 | affected |
| 10.4.0 | 10.4.4 | affected |
| 10.5.0 | 10.5.3 | affected |
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.03% | 0.095 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | 1.6 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.