Versions of WooCommerce prior to 4.6.2 contain a vulnerability that allows guest users to create accounts during checkout even when the "Allow customers to create an account during checkout" setting is disabled. This vulnerability is being exploited by a bot to place spam orders and create user accounts that are then used to probe for vulnerabilities in other plugins on the site. In response to this incident, WooCommerce released WooCommerce 4.6.2 and WooCommerce Blocks 3.7.1, which contain fixes that check the "Allow customers to create an account during checkout" setting before allowing passed POST parameters to trigger an account creation during checkout.
2020-11-06 (about 2 years ago)
2020-11-06 (about 2 years ago)
2021-01-19 (about 2 years ago)
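The fix described above, modelled as an added example (not WooCommerce's own code): the same checkout request is passed through a gate that trusts the POST flag alone and through one that checks the store setting first. The setting key, the parameter name `create_account` and the sample requests are hypothetical and constructed for illustration.

```python
"""Model of the checkout account-creation gate (added example, hypothetical names)."""

# Hypothetical names for illustration; not WooCommerce identifiers.
SETTING = "allow_account_creation_at_checkout"
PARAM = "create_account"


def wants_account(post: dict) -> bool:
    """True when the request carries a non-empty account-creation flag."""
    return str(post.get(PARAM, "")).strip() not in ("", "0")


def creates_account_vulnerable(settings: dict, logged_in: bool, post: dict) -> bool:
    """Pre-fix behaviour as the advisory describes it: the POST flag alone decides."""
    return not logged_in and wants_account(post)


def creates_account_fixed(settings: dict, logged_in: bool, post: dict) -> bool:
    """Post-fix behaviour: the store setting is checked before the POST flag."""
    if logged_in:
        return False
    if not settings.get(SETTING, False):  # default deny when the setting is unset
        return False
    return wants_account(post)


def audit(settings: dict, requests: list) -> list:
    """Return ids of requests where the two gates disagree, i.e. requests that
    would have created an account although the store owner had disabled it."""
    return [
        r["id"] for r in requests
        if creates_account_vulnerable(settings, r["logged_in"], r["post"])
        and not creates_account_fixed(settings, r["logged_in"], r["post"])
    ]


# Constructed sample checkout requests (not real traffic).
SAMPLE_REQUESTS = [
    {"id": "r1", "logged_in": False, "post": {"billing_email": "a@example.test"}},
    {"id": "r2", "logged_in": False, "post": {"billing_email": "b@example.test", PARAM: "1"}},
    {"id": "r3", "logged_in": True, "post": {PARAM: "1"}},
    {"id": "r4", "logged_in": False, "post": {PARAM: "0"}},
]

if __name__ == "__main__":
    print(audit({SETTING: False}, SAMPLE_REQUESTS))  # setting disabled
    print(audit({SETTING: True}, SAMPLE_REQUESTS))   # setting enabled
```

With the setting disabled, only the guest request that carries the flag is handled differently by the two gates; with the setting enabled, both gates agree on every request.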