Categories
Core

WooCommerce 4.6.2 fix release

This release fixes a bug discovered recently that allows anonymous users to create an account during checkout even when the “Allow customers to create an account during checkout” setting is disabled. The fix to this bug can be found here.

We found this problem while investigating reports of a bot that is creating spam orders in some WooCommerce stores. We will publish another post with more information detailing what we know about the actions of this bot and how it is using the bug that is fixed in this release later today.

The gist of it is that the bot is able to create a user when placing an order exploiting the bug fixed by 4.6.2. After creating the user, the bot tries to find vulnerabilities in other plugins installed on the site that require an unprivileged authenticated account. Updating to WooCommerce 4.6.2 will stop the bot from creating a user account when the “Allow customers to create an account during checkout” setting is disabled, but it won’t stop it from creating orders. Removing user accounts created by the bot is recommended.

Here is the WooCommerce 4.6.2 changelog:

  • Prevent checkout from creating accounts when the related setting is disabled.

Thanks to everyone for reporting this issue promptly and helping out with the fix release.

You can download the latest release of WooCommerce here or visit Dashboard → Updates to update the plugin from your WordPress admin screen.

As usual, if you spot any other issues in WooCommerce, please log them in detail on GitHub. Found a security issue? Please submit a report via HackerOne.

By Rodrigo Primo

Software developer at Automattic

9 replies on “WooCommerce 4.6.2 fix release”

Hi Netris,

Just to clarify, the fix won’t prevent spam orders as this has the potential to impact orders from real users as well. It only prevents bots (or real users) from creating a user account when the “Allow customers to create an account during checkout” setting is disabled. Are you experiencing problems with user account creation by a bot when the related setting is disabled? If so, please create an issue on our GitHub repository, and we will investigate.

Regarding bots creating spam orders, some store owners might find it helpful to use some form of spam prevention on their site to deal with unwanted orders. There are a number of extensions that implement this protection in various ways. You can search the WooCommerce Marketplace to get an idea of what is available to you. As you weigh your options, do keep in mind that any measures you put in place to make it more difficult for bots to place orders might also affect real customers as well, which could ultimately lower a store’s conversion rate.

Like

Im currently running Version 4.7.1 and just received this same type of spam order, so clearly the fix doesnt work anymore

Like

Comments are closed.