Exploitation Research Plan: CVE-2026-3589 (WooCommerce CSRF)

1. Vulnerability Summary

The WooCommerce plugin (versions < 10.5.3) is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is located in the Store API's batch processing route. The Automattic\WooCommerce\StoreApi\Routes\V1\Batch class registers a /batch REST API endpoint that allows multiple Store API requests to be bundled into a single HTTP POST request.

The vulnerability exists because the /batch endpoint does not implement nonce validation on the "container" request, and its permission_callback is set to __return_true. While individual Store API routes (like adding items to a cart) typically require a wc_store_api nonce for state-changing operations, the batching mechanism executes these requests internally via rest_get_server()->serve_batch_request_v1(), effectively bypassing the nonce requirement if the container request is accepted. An attacker can trick an authenticated administrator into making a request to this endpoint to perform actions within the Store API context.

2. Attack Vector Analysis

• Endpoint: POST /wp-json/wc/store/v1/batch (The namespace wc/store/v1 is inferred from standard WooCommerce Store API structure and the file path src/StoreApi/Routes/V1/Batch.php).
• HTTP Parameter: requests (an array of request objects).
• Authentication: Unauthenticated (the endpoint is public via __return_true), but the attack targets the session of an authenticated user (e.g., Administrator).
• Preconditions: A victim (Administrator) must be logged in and tricked into visiting a malicious page that triggers a cross-origin POST request to the vulnerable endpoint.

3. Code Flow

1. Entry Point: The REST API server receives a POST request to /wc/store/v1/batch.
2. Registration: Automattic\WooCommerce\StoreApi\Routes\V1\Batch::get_args() defines the route. Note the permission_callback:

   'permission_callback' => '__return_true',
   

3. Processing: The request is handled by Batch::get_response( WP_REST_Request $request ).
4. Validation: The code checks if all nested request paths contain wc/store:

   foreach ( $request['requests'] as $args ) {
       if ( ! stristr( $args['path'], 'wc/store' ) ) {
           throw new RouteException( 'woocommerce_rest_invalid_path', ... );
       }
   }
   

5. Internal Dispatch: The requests are passed to the WordPress core batch server:

   $response = rest_get_server()->serve_batch_request_v1( $request );
   

6. Sink: serve_batch_request_v1 dispatches the sub-requests (e.g., POST /wc/store/v1/cart/add-item) internally. Because the container request passed its permission check and no specific nonce check was performed in get_response, the sub-requests are processed using the victim's session cookies.

4. Nonce Acquisition Strategy

The vulnerability is specifically that the /batch endpoint does not verify a nonce. However, to verify the impact, one might need to know what a "valid" request looks like or how the Store API normally behaves.

If a nonce were required for other Store API endpoints, it is typically the wc_store_api nonce.

• Shortcode: [woocommerce_cart] or the Cart Block.
• Page Creation: wp post create --post_type=page --post_status=publish --post_content='[woocommerce_cart]' --post_title='Cart'
• JS Variable: In modern WooCommerce (v9.0+), Store API nonces are often found in the wcSettings global object.
• Extraction:
  1. browser_navigate("/cart")
  2. browser_eval("window.wcSettings?.nonce") or browser_eval("window.wc_cart_params?.nonce")

Note: For this specific exploit, the goal is to show that we can bypass this requirement via the /batch route.

5. Exploitation Strategy

We will perform a CSRF attack that adds an item to the Administrator's cart. This demonstrates a state-changing action performed without the required wc_store_api nonce.

1. Step 1: Setup Data: Create a simple product to add to the cart.
2. Step 2: Identify Endpoint: Target http://localhost:8080/wp-json/wc/store/v1/batch.
3. Step 3: Craft Payload: Create a JSON payload for the requests parameter.

   {
     "requests": [
       {
         "method": "POST",
         "path": "/wc/store/v1/cart/add-item",
         "body": {
           "id": 123,
           "quantity": 1
         }
       }
     ]
   }
   

4. Step 4: Execute Request: Use http_request to send a POST request. We must include the Administrator's cookies to simulate the CSRF scenario where the browser automatically attaches them, but omit any Store API nonce headers (like X-WC-Store-API-Nonce).
5. Step 5: Verify: Check the administrator's cart to see if the product was added.

6. Test Data Setup

1. Create Product:

   wp product create --name="Exploit Product" --regular_price="100" --status="publish" --porcelain
   

   Note the returned Product ID (e.g., 123).
2. Create Cart Page (for verification):

   wp post create --post_type=page --post_title="Cart" --post_content='[woocommerce_cart]' --post_status=publish
   

7. Expected Results

• The HTTP request to /wc/store/v1/batch returns a 200 OK or 207 Multi-Status.
• The response body contains a successful response for the nested add-item request.
• The administrator's cart now contains the "Exploit Product".
• Most importantly: The action succeeded despite the absence of the X-WC-Store-API-Nonce header which is mandatory for direct POST /wc/store/v1/cart/add-item requests.

8. Verification Steps

1. Check Cart via CLI:

   # WooCommerce stores cart data in the session or user meta. 
   # A reliable way to check is to use the Store API via CLI or check the DB.
   wp eval "echo json_encode(WC()->cart->get_cart());"
   

2. Alternative Verification:
   Navigate to the cart page as admin and check if the product is visible:

   browser_navigate("/cart");
   browser_eval("document.body.innerText.includes('Exploit Product')");
   

9. Alternative Approaches

If cart/add-item is restricted, try other state-changing Store API routes:

• POST /wc/store/v1/cart/update-item: Requires a key (cart item key) which can be retrieved via a preceding GET /wc/store/v1/cart in the same batch.
• POST /wc/store/v1/checkout: Attempting to process a checkout (higher impact).
• DELETE /wc/store/v1/cart/items: Clearing the cart.

If the wc/store/v1 namespace differs, check the WooCommerce versioning and route registrations in src/StoreApi/Routes/V1/. In v10.5.2, V1 is the current stable Store API version.