MEDIUMCVE-2026-3589CVSS 4.3

CVE-2026-3589: XSRF in WooCommerce WordPress Plugin

Platform

wordpress

Component

woocommerce

Fixed in

5.4.4

5.4.5

5.6.3

5.7.3

5.8.2

5.9.2

6.0.2

6.1.3

6.2.3

6.3.2

6.4.2

6.5.2

6.6.2

6.7.1

6.8.3

6.9.5

7.0.2

7.1.2

7.2.4

7.3.1

7.4.2

7.5.2

7.6.2

7.7.3

7.8.4

7.9.2

8.0.5

8.1.4

8.2.5

8.3.4

8.4.3

8.5.5

8.6.4

8.7.3

8.8.7

8.9.5

9.0.4

9.1.7

9.2.5

9.3.6

9.4.5

9.5.4

9.6.4

9.7.3

9.8.7

9.9.7

10.0.6

10.1.4

10.2.4

10.3.8

10.4.4

10.5.3

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026

View on NVD

Save

CVE-2026-3589 is a Cross-Site Request Forgery (XSRF) vulnerability affecting the WooCommerce plugin for WordPress. This flaw allows unauthenticated attackers to potentially execute unauthorized actions on a WordPress site if they can manipulate a site administrator into performing those actions. The vulnerability impacts all WooCommerce versions prior to 10.5.3 (exclusive). A patch is available in version 10.5.3.

Impact and Attack Scenarios

The core impact of CVE-2026-3589 lies in its ability to facilitate unauthorized actions within a WooCommerce-powered WordPress site. An attacker could craft malicious links or embed them in seemingly harmless content, such as emails or social media posts. If a site administrator clicks on such a link while logged into their WordPress account, the attacker can trigger actions as if they were the administrator. This could include modifying product details, processing fraudulent orders, or even altering site configurations. The blast radius is significant, potentially impacting the entire e-commerce operation and compromising sensitive customer data. The risk is amplified if the administrator has broad permissions within the WooCommerce system. This vulnerability shares similarities with other XSRF attacks, where user interaction is exploited to gain unauthorized access.

Exploitation Context

CVE-2026-3589 was published on March 10, 2026. Its CVSS score of 4.3 (MEDIUM) indicates a moderate level of severity. As of the publication date, there are no publicly known Proof-of-Concept (POC) exploits. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog or has an EPSS score. Active exploitation campaigns are not currently reported, but the XSRF nature of the vulnerability means it remains a potential threat, especially given the widespread use of WooCommerce.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

Reports5 threat reports

NextGuard80% still vulnerable

EPSS

0.03% (10% percentile)

CVSS Vector

Affected Software

Componentwoocommerce

Vendorwordfence

Affected rangeFixed in

5.4.0 – 5.4.45.4.4

5.5.0 – 5.4.55.4.5

5.6.0 – 5.6.35.6.3

5.7.0 – 5.7.35.7.3

5.8.0 – 5.8.25.8.2

5.9.0 – 5.9.25.9.2

6.0.0 – 6.0.26.0.2

6.1.0 – 6.1.36.1.3

6.2.0 – 6.2.36.2.3

6.3.0 – 6.3.26.3.2

6.4.0 – 6.4.26.4.2

6.5.0 – 6.5.26.5.2

6.6.0 – 6.6.26.6.2

6.7.0 – 6.7.16.7.1

6.8.0 – 6.8.36.8.3

6.9.0 – 6.9.56.9.5

7.0.0 – 7.0.27.0.2

7.1.0 – 7.1.27.1.2

7.2.0 – 7.2.47.2.4

7.3.0 – 7.3.17.3.1

7.4.0 – 7.4.27.4.2

7.5.0 – 7.5.27.5.2

7.6.0 – 7.6.27.6.2

7.7.0 – 7.7.37.7.3

7.8.0 – 7.8.47.8.4

7.9.0 – 7.9.27.9.2

8.0.0 – 8.0.58.0.5

8.1.0 – 8.1.48.1.4

8.2.0 – 8.2.58.2.5

8.3.0 – 8.3.48.3.4

8.4.0 – 8.4.38.4.3

8.5.0 – 8.5.58.5.5

8.6.0 – 8.6.48.6.4

8.7.0 – 8.7.38.7.3

8.8.0 – 8.8.78.8.7

8.9.0 – 8.9.58.9.5

9.0.0 – 9.0.49.0.4

9.1.0 – 9.1.79.1.7

9.2.0 – 9.2.59.2.5

9.3.0 – 9.3.69.3.6

9.4.0 – 9.4.59.4.5

9.5.0 – 9.5.49.5.4

9.6.0 – 9.6.49.6.4

9.7.0 – 9.7.39.7.3

9.8.0 – 9.8.79.8.7

9.9.0 – 9.9.79.9.7

10.0.0 – 10.0.610.0.6

10.1.0 – 10.1.410.1.4

10.2.0 – 10.2.410.2.4

10.3.0 – 10.3.810.3.8

10.4.0 – 10.4.410.4.4

10.5.0 – 10.5.310.5.3

10.5.310.5.3

Weakness Classification (CWE)

CWE-352

Timeline

Reserved2026-03-05
Published2026-03-10
Modified2026-03-19
EPSS updated2026-03-23

Mitigation and Workarounds

The primary mitigation for CVE-2026-3589 is to immediately upgrade the WooCommerce plugin to version 10.5.3 or later. Prior to upgrading, it's advisable to create a full backup of your WordPress site, including the database and plugin files, to facilitate a rollback if the upgrade introduces unforeseen compatibility issues. While awaiting the upgrade, consider implementing temporary protections such as a Web Application Firewall (WAF) configured to filter out suspicious requests containing potentially malicious parameters. Specifically, look for requests with unusual or unexpected URLs targeting WooCommerce endpoints. Additionally, educate administrators about the risks of clicking on unknown links and verify the legitimacy of any requests before confirming them. After upgrading to 10.5.3, confirm the fix by attempting to trigger a WooCommerce action (e.g., creating a test product) through a crafted URL; the action should be rejected due to proper nonce validation.

How to fix

Update to version 10.5.3, or a newer patched version

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-3589 in WooCommerce?

It's a Cross-Site Request Forgery (XSRF) vulnerability in the WooCommerce plugin for WordPress, allowing attackers to perform unauthorized actions if they can trick an administrator.

Am I affected by CVE-2026-3589 in WooCommerce?

If you're using WooCommerce version 10.5.3 or earlier, you are potentially affected by this vulnerability. Immediate action is required.

How do I fix CVE-2026-3589 in WooCommerce?

Upgrade your WooCommerce plugin to version 10.5.3 or later. Back up your site before upgrading to allow for rollback if needed.

Is CVE-2026-3589 being actively exploited?

As of the publication date, there are no publicly known active exploitation campaigns, but the vulnerability remains a potential threat.

Where can I find the official WooCommerce advisory for CVE-2026-3589?

Refer to the official WooCommerce security advisory and the NVD entry for CVE-2026-3589 for detailed information and updates.

NextGuard

Vulnerabilities

Package Information

Active installs: 7.0MPopular
Plugin rating

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.

4.5

Requires WordPress

6.8+

Compatible up to

6.9.4

Requires PHP

7.4+