WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WooCommerce Blocks < 3.7.1 - Guest Account Creation

Description

Versions of WooCommerce prior to 4.6.2 contain a vulnerability that allows guest users to create accounts during checkout even when the "Allow customers to create an account during checkout" setting is disabled. This vulnerability is being exploited by a bot to place spam orders and create user accounts that are then used to probe for vulnerabilities in other plugins on the site.

In response to this incident, WooCommerce released WooCommerce 4.6.2 and WooCommerce Blocks 3.7.1, which contain fixes that check the "Allow customers to create an account during checkout" setting before allowing passed POST parameters to trigger an account creation during checkout.

Affects Plugins

woo-gutenberg-products-block
Fixed in version 3.7.1

References

URL
https://developer.woocommerce.com/2020/11/05/developer-advisory-spam-orders-and-accounts-from-bots/
URL
https://github.com/woocommerce/woocommerce-gutenberg-products-block/pull/3371

Classification

Type

ACCESS CONTROLS

OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Submitter

Ryan

Verified

No

WPVDB ID
74423832-5d10-4366-92ce-518be6555f59

Timeline

Publicly Published

2020-11-06 (about 1 years ago)

Added

2020-11-06 (about 1 years ago)

Last Updated

2021-01-19 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin