WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WooCommerce < 4.6.2 - Guest Account Creation

Description

Versions of WooCommerce prior to 4.6.2 contain a vulnerability that allows guest users to create accounts during checkout even when the "Allow customers to create an account during checkout" setting is disabled. This vulnerability is being exploited by a bot to place spam orders and create user accounts that are then used to probe for vulnerabilities in other plugins on the site.

Affects Plugins

woocommerce
Fixed in version 4.6.2

References

URL
https://developer.woocommerce.com/2020/11/05/developer-advisory-spam-orders-and-accounts-from-bots/
URL
https://github.com/woocommerce/woocommerce/commit/e711a447feaf3d6020204e4319fdd5ba47c3f0b9

Classification

Type

ACCESS CONTROLS

OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Submitter

Ryan

Verified

No

WPVDB ID
3f3094ed-23ea-4bfb-847a-d06d8a7e7cee

Timeline

Publicly Published

2020-11-06 (about 2 years ago)

Added

2020-11-06 (about 2 years ago)

Last Updated

2021-01-19 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin