oolongeya

•Experience

•Vulnerabilities

• CVE-2026-3589

  Woocomerce Arbitrary Admin User Creation via CSRF

  (7.5) High+
  The plugin does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.

• KVE-2026-0321

  Admin Privilege Escalation

  (7.5) High+
  By taking over admin privileges, restricted features can be controlled.

• KVE-2026-0318

  Admin Privilege Escalation

  (7.5) High+
  By taking over admin privileges, restricted features can be controlled.

•Bug Bounty

• Private Program

  Improper Access Control

  (8.7) High$2,938+
  bypassing authorization checks on an internal write endpoint.

• PayPal

  Open Redirect

  (3.4) Low$400+
  A malicious phishing link under a PayPal domain can be generated and redirect users to a malicious site when clicked.

• Automattic

  Improper Access Control

  (7.5) High$400+
  The plugin does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.

• Automattic

  Cross-Site Request Forgery (CSRF)

  (3.9) Low$100+
  CSRF is possible via a nonce-bypass request.