logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

WooCommerce < 4.6.2 - Guest Account Creation

Description

Versions of WooCommerce prior to 4.6.2 contain a vulnerability that allows guest users to create accounts during checkout even when the "Allow customers to create an account during checkout" setting is disabled. This vulnerability is being exploited by a bot to place spam orders and create user accounts that are then used to probe for vulnerabilities in other plugins on the site.

Affects Plugins

woocommerce

Fixed in version 4.6.2

References

URL

https://developer.woocommerce.com/2020/11/05/developer-advisory-spam-orders-and-accounts-from-bots/

URL

https://github.com/woocommerce/woocommerce/commit/e711a447feaf3d6020204e4319fdd5ba47c3f0b9

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

Miscellaneous

Submitter

Ryan

Verified

No

WPVDB ID

3f3094ed-23ea-4bfb-847a-d06d8a7e7cee

Timeline

Publicly Published

2020-11-06 (about 8 months ago)

Added

2020-11-06 (about 8 months ago)

Last Updated

2021-01-19 (about 6 months ago)

Our Other Services

WPScan WordPress Security Plugin