WooCommerce Plugin Allows Unauthenticated Users to Create Admin Accounts

CVE-2026-3589
Summary

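The WooCommerce plugin, versions 5.4.0 to 10.5.2, does not properly handle batch requests. An unauthenticated attacker could use this flaw to make a logged-in admin call non-store/WC REST endpoints, for example through a CSRF attack, and create arbitrary admin accounts. An attacker with such an account could access your online store and make changes. Update WooCommerce to version 10.5.3 or later to fix the problem.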

Original title
The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endp...
Original description
The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.
NVD CVSS 3.1 score: 7.5
Vulnerability type
CWE-352 Cross-Site Request Forgery (CSRF)
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026