This release fixes a bug discovered recently that allows anonymous users to create an account during checkout even when the “Allow customers to create an account during checkout” setting is disabled. The fix to this bug can be found here.
We found this problem while investigating reports of a bot that is creating spam orders in some WooCommerce stores. We will publish another post with more information detailing what we know about the actions of this bot and how it is using the bug that is fixed in this release later today.
The gist of it is that the bot is able to create a user when placing an order exploiting the bug fixed by 4.6.2. After creating the user, the bot tries to find vulnerabilities in other plugins installed on the site that require an unprivileged authenticated account. Updating to WooCommerce 4.6.2 will stop the bot from creating a user account when the “Allow customers to create an account during checkout” setting is disabled, but it won’t stop it from creating orders. Removing user accounts created by the bot is recommended.
Here is the WooCommerce 4.6.2 changelog:
- Prevent checkout from creating accounts when the related setting is disabled.
Thanks to everyone for reporting this issue promptly and helping out with the fix release.
You can download the latest release of WooCommerce here or visit Dashboard → Updates to update the plugin from your WordPress admin screen.