Spam Orders and Accounts from Bots


Versions of WooCommerce prior to 4.6.2 contain a vulnerability that allows guest users to create accounts during checkout even when the “Allow customers to create an account during checkout” setting is disabled. This vulnerability is being exploited by a bot to place spam orders and create user accounts that are then used to probe for vulnerabilities in other plugins on the site.

The details

There was a recent bot attack affecting WooCommerce stores wherein a bot would create spam orders and user accounts in an effort to gain system access and probe for the existence of vulnerabilities in other plugins on the site that require an authenticated user. For instance, one of those vulnerabilities present in some third-party plugins lets the attacker change the value of the siteurl option by performing the following request:


You can read more about how this recent attack works here.

In responding to this incident, our internal teams took the opportunity to assess the way we handle account creation and management. We discovered that WooCommerce allowed the createaccount POST parameter to create accounts during checkout regardless of the site’s settings. During our investigation, we learned that this vulnerability also affects the checkout block in WooCommerce Blocks.

In response to this incident, we released WooCommerce 4.6.2 and WooCommerce Blocks 3.7.1, which contain fixes that check the “Allow customers to create an account during checkout” setting before allowing passed POST parameters to trigger an account creation during checkout.
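As an added illustration (not WooCommerce's own code), the checkout decision logic before and after a fix of the kind described above. The two option keys are assumed to be the store settings behind "Allow customers to place orders without an account" and "Allow customers to create an account during checkout", and a plain array stands in for WordPress's get_option() so the script runs stand-alone.

```php
<?php
// Added example, not WooCommerce code: a client-supplied "createaccount" flag
// must be checked against the server-side store setting before it is honoured.
// The $options array stands in for WordPress's get_option(); the keys are
// assumed to match the WooCommerce settings named in the lead-in.

/**
 * Vulnerable decision: any non-empty "createaccount" POST value is enough to
 * create an account, whatever the store setting says.
 */
function create_account_vulnerable( array $post, array $options, bool $logged_in ): bool {
    // Registration is required when guest checkout is turned off.
    $registration_required = 'yes' !== $options['woocommerce_enable_guest_checkout'];
    return ! $logged_in && ( $registration_required || ! empty( $post['createaccount'] ) );
}

/**
 * Hardened decision: the POST flag is only honoured when the store allows
 * account creation at checkout. Required registration is unchanged.
 */
function create_account_fixed( array $post, array $options, bool $logged_in ): bool {
    $registration_required = 'yes' !== $options['woocommerce_enable_guest_checkout'];
    $registration_enabled  = 'yes' === $options['woocommerce_enable_signup_and_login_from_checkout'];
    // The flag counts only if the setting permits it; otherwise it is ignored.
    $flag = ! empty( $post['createaccount'] ) && $registration_enabled;
    return ! $logged_in && ( $registration_required || $flag );
}

// Constructed store state: guest checkout allowed, checkout signup disabled.
$options = [
    'woocommerce_enable_guest_checkout'                 => 'yes',
    'woocommerce_enable_signup_and_login_from_checkout' => 'no',
];

// Constructed request: a field the checkout form never rendered is posted anyway.
$post = [ 'createaccount' => '1' ];

// The vulnerable path creates an account for the guest; the fixed path does not.
echo 'vulnerable: ', var_export( create_account_vulnerable( $post, $options, false ), true ), PHP_EOL;
echo 'fixed:      ', var_export( create_account_fixed( $post, $options, false ), true ), PHP_EOL;
```

The same pattern applies to any checkout field that only exists when a setting is enabled: treat the setting, not the presence of the field in the request, as the source of truth.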

How can I tell if my store is affected by this vulnerability or has been attacked?

Stores running versions of WooCommerce prior to 4.6.2 are vulnerable to the unintended creation of user accounts during checkout since they allow passed POST parameters to circumvent the store setting that disables account creation during checkout. Likewise, stores that are running version 3.7.0 of the WooCommerce Blocks feature plugin are also vulnerable. However, this only applies to the feature plugin release of WooCommerce Blocks, as the checkout block is not functional in the release that is currently bundled with WooCommerce core.

As far as we know, the only evidence of the attack is the creation of spam orders and accounts. The orders this particular attack generates follow a pattern similar to the following:

Order info:
bbbbb bbbbb
74 xxxxxxx Rd
EX14 5HN
United Kingdom (UK)
xxx xxxx xxxx

On its own, the creation of the orders and users is not inherently problematic. More serious consequences would depend on the existence of other vulnerabilities in the site that the bot could exploit.

What steps do I need to take if I’m affected?

To protect your store from unexpected account creation, it’s recommended that you update to the latest version of WooCommerce (currently version 4.6.2).

We also recommend deleting any unintended accounts that may have been created by this bot. To delete unwanted user accounts, you can follow the instructions in this article.

For guidance on bulk deleting spam orders, follow the instructions in the WooCommerce docs and use the Bulk Actions to move the spurious orders to the trash.

Developer Tip

As a further precaution, you may find it helpful to use some form of spam prevention on your site against unwanted order creation as well. There are a number of extensions that implement this protection in various ways. You can search the WooCommerce Marketplace to get an idea of what is available to you. As you weigh your options, keep in mind that any measures you put in place to make it more difficult for bots to place orders might also affect real customers, which could ultimately lower a store's conversion rate.

As we learn more about this vulnerability and related effects, we will be sure to keep you updated. If you have questions or additional information, please don’t hesitate to share them with us in the comments below or in the #developers channel of the WooCommerce Community Slack.
