logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

WooCommerce Blocks < 3.7.1 - Guest Account Creation

Description

Versions of WooCommerce prior to 4.6.2 contain a vulnerability that allows guest users to create accounts during checkout even when the "Allow customers to create an account during checkout" setting is disabled. This vulnerability is being exploited by a bot to place spam orders and create user accounts that are then used to probe for vulnerabilities in other plugins on the site.

In response to this incident, WooCommerce released WooCommerce 4.6.2 and WooCommerce Blocks 3.7.1, which contain fixes that check the "Allow customers to create an account during checkout" setting before allowing passed POST parameters to trigger an account creation during checkout.

Affects Plugins

woo-gutenberg-products-block

Fixed in version 3.7.1

References

URL

https://developer.woocommerce.com/2020/11/05/developer-advisory-spam-orders-and-accounts-from-bots/

URL

https://github.com/woocommerce/woocommerce-gutenberg-products-block/pull/3371

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

Miscellaneous

Submitter

Ryan

Verified

No

WPVDB ID

74423832-5d10-4366-92ce-518be6555f59

Timeline

Publicly Published

2020-11-06 (about 8 months ago)

Added

2020-11-06 (about 8 months ago)

Last Updated

2021-01-19 (about 6 months ago)

Our Other Services

WPScan WordPress Security Plugin