Versions of WooCommerce prior to 4.6.2 contain a vulnerability that allows guest users to create accounts during checkout even when the “Allow customers to create an account during checkout” setting is disabled. This vulnerability is being exploited by a bot to place spam orders and create user accounts that are then used to probe for vulnerabilities in other plugins on the site.
In response to this incident, the WooCommerce team released WooCommerce 4.6.2 and WooCommerce Blocks 3.7.1, which contain fixes that check the “Allow customers to create an account during checkout” setting before allowing passed information to trigger an account creation during checkout.
How can I tell if my store is affected by this vulnerability or has been attacked?
Stores running versions of WooCommerce prior to 4.6.2 are vulnerable to the unintended creation of user accounts during checkout since they allow passed POST parameters to circumvent the store setting that disables account creation during checkout. Likewise, stores that are running version 3.7.0 of the WooCommerce Blocks feature plugin are also vulnerable. However, this only applies to the feature plugin release of WooCommerce Blocks, as the checkout block is not functional in the release that is currently bundled with WooCommerce core.
On its own, the creation of the orders and users is not inherently problematic. More serious consequences would depend on the existence of other vulnerabilities in the site that the bot could exploit.
What steps do I need to take if I’m affected?
To protect your store from unexpected account creation, it’s recommended that you update to the latest version of WooCommerce (currently version 4.6.2).
The WooCommerce team also recommends deleting any unintended accounts that may have been created by this bot. To delete unwanted user accounts, you can follow the instructions in this article.
For guidance on bulk deleting spam orders, follow the instructions in the WooCommerce docs and use the Bulk Actions to move the spurious orders to the trash.
Preventing spam orders and accounts
We can help prevent spam orders, WordPress accounts, and contact form submissions by using a Captcha on your website. Find out more here!