WooCommerce < 4.6.2 – Guest Account Creation | Plugin Vulnerabilities

Description

Versions of WooCommerce prior to 4.6.2 contain a vulnerability that allows guest users to create accounts during checkout even when the "Allow customers to create an account during checkout" setting is disabled. This vulnerability is being exploited by a bot to place spam orders and create user accounts that are then used to probe for vulnerabilities in other plugins on the site.

Affects Plugins

Fixed in 4.6.2

References

URL

https://github.com/woocommerce/woocommerce/commit/e711a447feaf3d6020204e4319fdd5ba47c3f0b9

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Submitter

Ryan

Verified

No

WPVDB ID

3f3094ed-23ea-4bfb-847a-d06d8a7e7cee

Timeline

Publicly Published

2020-11-06 (about 5 years ago)

Added

2020-11-06 (about 5 years ago)

Last Updated

2021-01-19 (about 4 years ago)

Other

Published

Title

Published

2024-04-08

Title

GamiPress < 6.8.9 - Broken Access Control

Published

2021-09-20

Title

Multiple WooCommerce Add-Ons - Low Priv Arbitrary Blog Options Update/Access/Deletion & Plugin's Settings Update/Export/Import

Published

2021-08-23

Title

Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Deletion

Published

2019-07-17

Title

Coming Soon Page & Maintenance Mode < 1.8.2 - Arbitrary Settings Reset

Published

2024-02-21

Title

Event Tickets and Registration < 5.8.2 - Missing Authorization