This release fixes a bug discovered recently that allows anonymous users to create an account during checkout even when the “Allow customers to create an account during checkout” setting is disabled. The fix to this bug can be found here.
We found this problem while investigating reports of a bot that is creating spam orders in some WooCommerce stores. We will publish another post with more information detailing what we know about the actions of this bot and how it is using the bug that is fixed in this release later today.
The gist of it is that the bot is able to create a user when placing an order by exploiting the bug fixed in 4.6.2. After creating the user, the bot tries to find vulnerabilities in other plugins installed on the site that require an unprivileged authenticated account. Updating to WooCommerce 4.6.2 will stop the bot from creating a user account when the “Allow customers to create an account during checkout” setting is disabled, but it won’t stop it from creating orders. Removing user accounts created by the bot is recommended.
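To make the class of bug concrete, here is an added illustration (not WooCommerce’s own code) of a checkout account-creation decision: a version that trusts the client-supplied “create account” flag on its own, beside a version that also honours the store setting. The setting names and the `$settings` array are simulated; they are not WooCommerce’s internals.

```php
<?php
// Added example, not WooCommerce code: a minimal model of the decision
// "should this checkout create a user account?". The store setting the post
// refers to is simulated here by $settings['signup_from_checkout'].

/** Unsafe pattern: the client-supplied createaccount flag alone decides. */
function should_create_account_flawed(array $settings, array $posted, bool $logged_in): bool
{
    if ($logged_in) {
        return false; // an existing customer never gets a second account
    }
    // Registration is mandatory when guest checkout is off; otherwise it is opt-in.
    $registration_required = ($settings['guest_checkout'] === 'no');
    // Bug: a bot can post createaccount=1 even though the store disabled the option.
    return $registration_required || !empty($posted['createaccount']);
}

/** Corrected pattern: the opt-in flag only counts when the store enabled it. */
function should_create_account_fixed(array $settings, array $posted, bool $logged_in): bool
{
    if ($logged_in) {
        return false;
    }
    $registration_required = ($settings['guest_checkout'] === 'no');
    $registration_enabled  = ($settings['signup_from_checkout'] === 'yes');
    // The server-side setting, not the form field, is the source of truth.
    return $registration_required || ($registration_enabled && !empty($posted['createaccount']));
}

// Constructed scenario matching the post: guest checkout allowed, account
// creation at checkout disabled, and a submission carrying createaccount=1 anyway.
$settings = ['guest_checkout' => 'yes', 'signup_from_checkout' => 'no'];
$posted   = ['createaccount' => '1', 'billing_email' => 'buyer@example.invalid'];

echo 'flawed check creates account: ',
    var_export(should_create_account_flawed($settings, $posted, false), true), PHP_EOL;
echo 'fixed check creates account:  ',
    var_export(should_create_account_fixed($settings, $posted, false), true), PHP_EOL;
```

The same pattern applies to any privileged side effect driven by a form field: the store-level setting has to be re-checked on the server, because the submitted field is entirely under the client’s control.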
Here is the WooCommerce 4.6.2 changelog:
- Prevent checkout from creating accounts when the related setting is disabled.
Thanks to everyone for reporting this issue promptly and helping out with the fix release.
You can download the latest release of WooCommerce here or visit Dashboard → Updates to update the plugin from your WordPress admin screen.
As usual, if you spot any other issues in WooCommerce, please log them in detail on GitHub. Found a security issue? Please submit a report via HackerOne.
9 replies on “WooCommerce 4.6.2 fix release”
Thanks for the fix!
WooCommerce 4.6.2 is having issues; we are unable to bulk edit products.
Thanks for your comment. I’m not seeing any issues when trying to bulk edit products in 4.6.2. Per the instructions in the post, if you believe you found a bug in WooCommerce core, could you please create an issue in the link below, making sure to follow the steps described in the issue template?
Ha! Jokes on you, it didn’t fix it. The orders started happening again.
Just to clarify, the fix won’t prevent spam orders as this has the potential to impact orders from real users as well. It only prevents bots (or real users) from creating a user account when the “Allow customers to create an account during checkout” setting is disabled. Are you experiencing problems with user account creation by a bot when the related setting is disabled? If so, please create an issue on our GitHub repository, and we will investigate.
Regarding bots creating spam orders, some store owners might find it helpful to use some form of spam prevention on their site to deal with unwanted orders. There are a number of extensions that implement this protection in various ways. You can search the WooCommerce Marketplace to get an idea of what is available to you. As you weigh your options, do keep in mind that any measures you put in place to make it more difficult for bots to place orders might also affect real customers as well, which could ultimately lower a store’s conversion rate.
I’m currently running Version 4.7.1 and just received this same type of spam order, so clearly the fix doesn’t work anymore.
Clintk, please see my reply above to Netris’ comment.
Hello, everything is updated and the famous bbbb spammer is still alive.
Li-An, please see my reply above to Netris’ comment.