WooCommerce 4.6.2 Advisory / Vulnerability

Short Version

Versions of WooCommerce prior to 4.6.2 contain a vulnerability that allows guest users to create accounts during checkout even when the “Allow customers to create an account during checkout” setting is disabled. This vulnerability is being exploited by a bot to place spam orders and create user accounts that are then used to probe for vulnerabilities in other plugins on the site.

The details

There was a recent bot attack affecting WooCommerce stores wherein a bot would create spam orders and user accounts in an effort to gain system access and probe for the existence of vulnerabilities in other plugins on the site that require an authenticated user. For instance, one of those vulnerabilities present in some third-party plugins lets the attacker change the value of the siteurl option by performing the following request:


You can read more about how this recent attack works here.

In responding to this incident, our internal teams took the opportunity to assess the way we handle account creation and management. We discovered that WooCommerce allowed the createaccount POST parameter to create accounts during checkout regardless of the site’s settings. During our investigation, we learned that this vulnerability also affects the checkout block in WooCommerce Blocks.

In response to this incident, we released WooCommerce 4.6.2 and WooCommerce Blocks 3.7.1, which contain fixes that check the “Allow customers to create an account during checkout” setting before allowing passed POST parameters to trigger an account creation during checkout.

How can I tell if my store is affected by this vulnerability or has been attacked?

Stores running versions of WooCommerce prior to 4.6.2 are vulnerable to the unintended creation of user accounts during checkout since they allow passed POST parameters to circumvent the store setting that disables account creation during checkout. Likewise, stores that are running version 3.7.0 of the WooCommerce Blocks feature plugin are also vulnerable. However, this only applies to the feature plugin release of WooCommerce Blocks, as the checkout block is not functional in the release that is currently bundled with WooCommerce core.

As far as we know, the only evidence of the attack is the creation of spam orders and accounts. The orders this particular attack generates follow a pattern similar to the following:

Order info:
bbbbb bbbbb
74 xxxxxxx Rd
EX14 5HN
United Kingdom (UK)
xxx xxxx xxxx

On its own, the creation of the orders and users is not inherently problematic. More serious consequences would depend on the existence of other vulnerabilities in the site that the bot could exploit.

What steps do I need to take if I’m affected?

To protect your store from unexpected account creation, it’s recommended that you update to the latest version of WooCommerce (currently version 4.6.2).

We also recommend deleting any unintended accounts that may have been created by this bot. To delete unwanted user accounts, you can follow the instructions in this article.

For guidance on bulk deleting spam orders, follow the instructions in the WooCommerce docs and use the Bulk Actions to move the spurious orders to the trash.

More Info: https://developer.woocommerce.com/2020/11/05/developer-advisory-spam-orders-and-accounts-from-bots/

Start typing and press Enter to search