Platform: wordpress
Component: woocommerce
Fixed in: 5.4.4, 5.4.5, 5.6.3, 5.7.3, 5.8.2, 5.9.2, 6.0.2, 6.1.3, 6.2.3, 6.3.2, 6.4.2, 6.5.2, 6.6.2, 6.7.1, 6.8.3, 6.9.5, 7.0.2, 7.1.2, 7.2.4, 7.3.1, 7.4.2, 7.5.2, 7.6.2, 7.7.3, 7.8.4, 7.9.2, 8.0.5, 8.1.4, 8.2.5, 8.3.4, 8.4.3, 8.5.5, 8.6.4, 8.7.3, 8.8.7, 8.9.5, 9.0.4, 9.1.7, 9.2.5, 9.3.6, 9.4.5, 9.5.4, 9.6.4, 9.7.3, 9.8.7, 9.9.7, 10.0.6, 10.1.4, 10.2.4, 10.3.8, 10.4.4, 10.5.3
CVE-2026-3589 is a Cross-Site Request Forgery (CSRF, also written XSRF) vulnerability in the WooCommerce plugin for WordPress. The flaw lets an unauthenticated attacker cause unauthorized actions to be performed on a site, provided they can trick a logged-in site administrator into triggering those actions. All WooCommerce versions before 10.5.3 are affected; the fix is available in version 10.5.3.
The core impact of CVE-2026-3589 is that it enables unauthorized actions within a WooCommerce-powered WordPress site. An attacker could craft a malicious link that, when opened by an authenticated administrator, triggers unintended actions such as modifying product details, processing fraudulent orders, or altering site configuration. The blast radius covers any sensitive data or functionality managed through the WooCommerce plugin, with potential consequences including financial loss, reputational damage, and compromised user accounts. The widespread use of WooCommerce for e-commerce makes this vulnerability particularly concerning.
CVE-2026-3589 was publicly disclosed on 2026-03-10. No public proof-of-concept (PoC) code had been released at the time of writing, but CSRF vulnerabilities are comparatively simple in nature, so a PoC could emerge. The EPSS score is expected to be in the medium range, reflecting the potential for widespread exploitation given the popularity of WooCommerce. The vulnerability is not currently listed in the CISA KEV catalog.
Exploit status
EPSS: 0.03% (10th percentile)
CVSS vector
The primary mitigation for CVE-2026-3589 is to upgrade the WooCommerce plugin to version 10.5.3 or later without delay. Before upgrading, create a full backup of the WordPress site, including the database and plugin files, so that the upgrade can be rolled back if it introduces unforeseen compatibility issues. No direct workaround is available, but a Web Application Firewall (WAF) with CSRF protection rules can provide an additional layer of defense. Regularly review WordPress user roles and permissions to limit the impact of a successful attack.
Update to version 10.5.3 or a newer patched version.
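The backup-then-upgrade procedure described above, as an added shell example that is not part of the advisory: it compares the installed WooCommerce version against the fixed release 10.5.3 using `sort -V` and, for a vulnerable site, exports the database and archives the plugin directory with WP-CLI before updating. The `wp` binary on PATH, the site path argument and the backup directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory). Assumes WP-CLI (`wp`) is installed
# and the site path passed to patch_site is a WordPress document root.
FIXED_VERSION="10.5.3"

# Returns 0 (true) when the given version sorts strictly before 10.5.3.
is_vulnerable_version() {
    ver="$1"
    # The fixed release itself is not vulnerable.
    [ "$ver" = "$FIXED_VERSION" ] && return 1
    # `sort -V` orders version strings numerically, so the installed
    # version is vulnerable exactly when it comes first in the pair.
    first=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n1)
    [ "$first" = "$ver" ]
}

# Back up the database and the plugin files, then update WooCommerce.
# Usage: patch_site /var/www/example [backup_dir]   (paths are assumptions)
patch_site() {
    site_path="$1"
    backup_dir="${2:-./woocommerce-backup-$(date +%Y%m%d%H%M%S)}"
    installed=$(wp --path="$site_path" plugin get woocommerce --field=version) || return 2
    if ! is_vulnerable_version "$installed"; then
        echo "WooCommerce $installed at $site_path is already at or above $FIXED_VERSION"
        return 0
    fi
    echo "WooCommerce $installed at $site_path is affected; backing up to $backup_dir"
    mkdir -p "$backup_dir" || return 3
    # Database dump plus an archive of the plugin directory allow a rollback.
    wp --path="$site_path" db export "$backup_dir/db.sql" || return 3
    tar -czf "$backup_dir/woocommerce-plugin.tgz" \
        -C "$site_path/wp-content/plugins" woocommerce || return 3
    wp --path="$site_path" plugin update woocommerce || return 4
}
```

Run `patch_site` once per site path from a cron host or deployment runner; a non-zero return code marks the step (version lookup, backup, or update) that failed.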
It is a Cross-Site Request Forgery (CSRF, also written XSRF) vulnerability in the WooCommerce plugin for WordPress that allows attackers to perform unauthorized actions if they can trick an administrator into triggering them.
If you are running a WooCommerce version older than 10.5.3, you are potentially affected by this vulnerability. Immediate action is required.
Upgrade your WooCommerce plugin to version 10.5.3 or later. Back up your site before upgrading to allow for rollback if needed.
As of the publication date, there are no publicly known active exploitation campaigns, but the vulnerability remains a potential threat.
Refer to the official WooCommerce security advisory and the NVD entry for CVE-2026-3589 for detailed information and updates.