WooCommerce 4.6.2 fix release

This release fixes a bug discovered recently that allows anonymous users to create an account during checkout even when the “Allow customers to create an account during checkout” setting is disabled. The fix to this bug can be found here.

We found this problem while investigating reports of a bot that is creating spam orders in some WooCommerce stores. We will publish another post with more information detailing what we know about the actions of this bot and how it is using the bug that is fixed in this release later today.

The gist of it is that the bot is able to create a user when placing an order exploiting the bug fixed by 4.6.2. After creating the user, the bot tries to find vulnerabilities in other plugins installed on the site that require an unprivileged authenticated account. Updating to WooCommerce 4.6.2 will stop the bot from creating a user account when the “Allow customers to create an account during checkout” setting is disabled, but it won’t stop it from creating orders. Removing user accounts created by the bot is recommended.

Here is the WooCommerce 4.6.2 changelog:

Prevent checkout from creating accounts when the related setting is disabled.

Thanks to everyone for reporting this issue promptly and helping out with the fix release.

You can download the latest release of WooCommerce here or visit Dashboard → Updates to update the plugin from your WordPress admin screen.

As usual, if you spot any other issues in WooCommerce, please log them in detail on GitHub. Found a security issue? Please submit a report via HackerOne.

Keep yourself in the loop!

9 responses to “WooCommerce 4.6.2 fix release”

Daniel

November 5, 2020

Thanks for the fix!

Reply
1. Omkar
  
  November 7, 2020
  
  The woocommerce 4.6.2 is having issues, we are unable to do buld edit products
  
  Reply
  1. Rodrigo Primo
    
    November 11, 2020
    
    Hi Omkar,
    
    Thanks for your comment. I’m not seeing any issues when trying to bulk edit products in 4.6.2. Per the instructions in the post, if you believe you found a bug in WooCommerce core, could you please create an issue in the link below, making sure to follow the steps described in the issue template?
    
    https://github.com/woocommerce/woocommerce/issues/new/choose
    
    Thanks
    
    Reply
Netris

December 30, 2020

Ha! Jokes on you, it didn’t fix it. The orders started happening again.

Reply
1. Rodrigo Primo
  
  January 6, 2021
  
  Hi Netris,
  
  Just to clarify, the fix won’t prevent spam orders as this has the potential to impact orders from real users as well. It only prevents bots (or real users) from creating a user account when the “Allow customers to create an account during checkout” setting is disabled. Are you experiencing problems with user account creation by a bot when the related setting is disabled? If so, please create an issue on our GitHub repository, and we will investigate.
  
  Regarding bots creating spam orders, some store owners might find it helpful to use some form of spam prevention on their site to deal with unwanted orders. There are a number of extensions that implement this protection in various ways. You can search the WooCommerce Marketplace to get an idea of what is available to you. As you weigh your options, do keep in mind that any measures you put in place to make it more difficult for bots to place orders might also affect real customers as well, which could ultimately lower a store’s conversion rate.
  
  Reply
Clintk

December 31, 2020

Im currently running Version 4.7.1 and just received this same type of spam order, so clearly the fix doesnt work anymore

Reply
1. Rodrigo Primo
  
  January 6, 2021
  
  Clintk, please see my reply above to Netris’ comment.
  
  Reply
Li-An

January 3, 2021

Hello, everything is updated and the famous bbbb spammer is still alive.

Reply
1. Rodrigo Primo
  
  January 6, 2021
  
  Li-An, please see my reply above to Netris’ comment.
  
  Reply