ZeroToWP
News by Marvin

Critical WooCommerce Vulnerability Patched: CSRF Flaw Could Create Rogue Admin Accounts


What Happened

On March 2, 2026, the WooCommerce team disclosed and patched a critical Cross-Site Request Forgery (CSRF) vulnerability that affected 52 WooCommerce versions — from 5.4 all the way through 10.5.2. The flaw was found in the Store API and could have allowed attackers to create administrator accounts and gain full control of a WordPress site.

The attack worked like this: if a logged-in administrator visited a malicious link while using a specific browser configuration, the attacker could exploit the CSRF flaw to create a rogue admin account — without the site owner knowing. Once in, the attacker would have access to:

  • Customer order information (names, emails, phone numbers, addresses)
  • Types of payment methods used
  • Items purchased and associated metadata

WooCommerce confirmed that passwords and credit card data were not exposed through this vulnerability. The team also stated they found "no evidence of the vulnerability being used or exploited" outside of their own internal security testing.

Automatic patches for all 52 affected versions were rolled out starting at 14:00 UTC on March 2. If your WooCommerce auto-updates are enabled, the patch should have been applied automatically.

Why It Matters

This is one of the widest-reaching WooCommerce security patches in recent memory — 52 versions spanning years of releases. Any WooCommerce store that was not running the absolute latest version was potentially vulnerable.

The CSRF attack vector is particularly dangerous because it requires only a simple click — no login credentials stolen, no brute force needed. A site administrator visiting a malicious page in their browser could unknowingly grant full admin access to an attacker.

For store owners handling customer data, this is exactly the kind of vulnerability that privacy regulations like GDPR take seriously. Even though WooCommerce found no evidence of exploitation, the potential for customer data exposure means affected stores should review their access logs.

What You Should Do

  • Check your WooCommerce version — Go to Plugins > Installed Plugins and verify your WooCommerce version. The patched versions include 5.4.5, 5.5.5, 6.0.2, and all the way through 10.5.3 (depending on your major version).
  • Look for suspicious admin accounts — Go to Users > All Users and filter by Administrator role. If you see any accounts you do not recognize, investigate immediately.
  • Check your auto-update settings — WooCommerce pushes critical security patches automatically. Make sure auto-updates are not disabled for WooCommerce specifically.
  • Use separate browsers — WooCommerce's official recommendation: use a separate browser for WordPress admin tasks and general browsing. This limits CSRF attack exposure.
  • Update to WooCommerce 10.6.1 — The latest version includes all security fixes plus new features. If you're still on an older major version, consider upgrading.
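The checklist above can be scripted with WP-CLI. The script below is an added example, not part of the article and not WooCommerce's own tooling. It assumes WP-CLI is installed as `wp` and is run from the WordPress root; the branch table contains only the patched releases the article names (5.4.5, 5.5.5, 6.0.2, 10.5.3), and any other branch is simply compared against the recommended 10.6.1. It reports the installed version's status, the plugin's auto-update status, and any administrator accounts registered on or after the patch date, which is the cheapest first pass at the "suspicious admin accounts" step. When `wp` is not available it runs the same checks over constructed sample data.

```sh
#!/bin/sh
# Added example (not from the article or from WooCommerce): a post-patch
# checklist using WP-CLI. Assumes `wp` is on PATH and the script runs from
# the WordPress root. The branch table lists only the patched releases the
# article names; other branches fall back to the recommended 10.6.1.

# True if version $1 is greater than or equal to version $2 (uses GNU sort -V).
version_at_least() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Map a major.minor branch to the first patched release named in the article.
# Prints nothing for branches the article does not list explicitly.
patched_release_for() {
  case "$1" in
    5.4)  echo 5.4.5 ;;
    5.5)  echo 5.5.5 ;;
    6.0)  echo 6.0.2 ;;
    10.5) echo 10.5.3 ;;
    *)    ;;
  esac
}

# Given an installed WooCommerce version, print "patched", "vulnerable", or
# "unknown-branch" (meaning: look up the fixed release for that branch yourself).
assess_version() {
  installed="$1"
  branch="${installed%.*}"                      # 10.5.2 -> 10.5
  target="$(patched_release_for "$branch")"
  if [ -n "$target" ]; then
    if version_at_least "$installed" "$target"; then echo patched; else echo vulnerable; fi
  elif version_at_least "$installed" 10.6.1; then
    echo patched
  else
    echo unknown-branch
  fi
}

# Print the user_login of administrator accounts registered on or after an
# ISO-8601 cutoff. Reads CSV as produced by:
#   wp user list --role=administrator \
#      --fields=ID,user_login,user_email,user_registered --format=csv
# Dates are compared as strings, which is correct for "YYYY-MM-DD HH:MM:SS".
recent_admins() {
  awk -F, -v cutoff="$1" 'NR > 1 && $4 >= cutoff { print $2 }'
}

PATCH_DATE="2026-03-02"   # disclosure and patch date from the article

if command -v wp >/dev/null 2>&1; then
  ver="$(wp plugin get woocommerce --field=version)"
  echo "WooCommerce $ver: $(assess_version "$ver")"
  echo "Auto-update status:"
  wp plugin auto-updates status woocommerce
  echo "Administrator accounts registered since $PATCH_DATE:"
  wp user list --role=administrator \
     --fields=ID,user_login,user_email,user_registered --format=csv \
     | recent_admins "$PATCH_DATE"
else
  echo "wp not found; running the checks on constructed sample data" >&2
  for v in 10.5.2 10.5.3 5.4.4 5.4.5 10.6.1 7.1.3; do
    echo "$v -> $(assess_version "$v")"
  done
  # Constructed sample user list (not real accounts).
  printf '%s\n' \
    'ID,user_login,user_email,user_registered' \
    '1,owner,owner@example.test,2021-05-01 10:00:00' \
    '7,helpdesk2,hd@example.test,2026-03-03 09:12:44' \
    | recent_admins "$PATCH_DATE"
fi
```

An account that shows up in the last list is not proof of compromise, only a reason to look at who created it and from where; the article's advice to review access logs applies to exactly those accounts.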


Written by Marvin
