WooCommerce 4.6.2 fixes Vulnerability that Allowed Spam Orders

If you have a WooCommerce store, we have some big news for you. WooCommerce has just released a patch that fixes a vulnerability that allowed bots to create spam orders. In this post, you’ll learn more about the vulnerability in WooCommerce 4.6.2, how to know if you’re affected, and what to do to fix it.

What does this WooCommerce vulnerability do?

The vulnerability allows guest users to create accounts during the checkout process even if the option Allow customers to create an account during checkout is disabled. So, bots could register accounts, obtain access to the site as logged-in users, and place fake orders while probing other plugins on the site for vulnerabilities. The issue was discovered after several users reported receiving spam or “failed orders” in their stores.

The WooCommerce team also found that the vulnerability affected the checkout block in WooCommerce Blocks.

Which WooCommerce versions are vulnerable?

All the WooCommerce versions prior to 4.6.2 and WooCommerce Blocks v3.7.0 are at risk of this vulnerability. It’s worth mentioning that for WooCommerce Blocks, the vulnerability only applies to the feature plugin release of WooCommerce Blocks and not to the block that is bundled with WooCommerce.

How long has the vulnerability been active?

The first time a user reported the issue was on October 27th, 2020. It took WooCommerce 9 days to release version 4.6.2 and fix the exploit. During that time, many users had their site’s URL changed and saw various attempts to hack their stores.

How can you know if you’ve been affected by this vulnerability?

As we mentioned before, every site using WooCommerce 4.6.1 and under, or WooCommerce Blocks 3.7.0, is vulnerable. So far, the only evidence of an attack is a sudden creation of spam accounts and fake orders. According to the report that WooCommerce released, the orders that the attack creates follow this pattern:

Order info:
bbbbb bbbbb
bbbbb
74 xxxxxxx Rd
xxxxxxx
EX14 5HN
United Kingdom (UK)
xxx xxxx xxxx
[email protected]

Even though the creation of fake accounts and orders doesn’t cause much harm in itself, it can have more serious consequences if the bot finds vulnerabilities in other plugins that it could exploit.

For more information about the specifics of the exploit, you can have a look at this thread.

WooCommerce 4.6.2 patches the vulnerability

To protect your store, you should update WooCommerce to the latest version, 4.6.2, which fixes this vulnerability. Additionally, if you use WooCommerce Blocks, you should update to version 3.7.1. These new releases contain fixes that check the Allow customers to create an account during checkout setting and don’t allow account creation during checkout if that option is disabled.
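To illustrate the kind of server-side check the fix relies on, here is an added example of a small must-use plugin that enforces the setting for the classic shortcode checkout. This is example code written for this post, not WooCommerce’s own patch; it uses the real WooCommerce option key woocommerce_enable_signup_and_login_from_checkout and the woocommerce_checkout_posted_data and woocommerce_checkout_process hooks, while the crg_ prefix and the log source name are chosen here. It does not cover the WooCommerce Blocks checkout.

```php
<?php
/**
 * Plugin Name: Checkout Registration Guard (added example, not WooCommerce code)
 * Description: Defence in depth for the classic checkout: refuse account creation
 *              whenever the "Allow customers to create an account during checkout"
 *              setting is off, regardless of what the client POSTs.
 */

defined( 'ABSPATH' ) || exit;

// True only when the store setting allows registration at checkout ('yes'/'no' option).
function crg_checkout_registration_enabled() {
    return 'yes' === get_option( 'woocommerce_enable_signup_and_login_from_checkout', 'no' );
}

// 1. Never trust the posted flag: zero out "createaccount" in the checkout data
//    when the setting is off, so the customer-creation step sees no request.
add_filter( 'woocommerce_checkout_posted_data', function ( $data ) {
    if ( ! crg_checkout_registration_enabled() ) {
        $data['createaccount'] = 0;
    }
    return $data;
}, 999 );

// 2. If a guest request still carries the flag while the setting is off, this is
//    not something the normal checkout form produces: record it and abort the
//    order with a checkout error before any account or order is created.
add_action( 'woocommerce_checkout_process', function () {
    if ( is_user_logged_in() || crg_checkout_registration_enabled() ) {
        return;
    }
    if ( ! empty( $_POST['createaccount'] ) ) {
        // Visible under WooCommerce > Status > Logs, source "checkout-registration-guard".
        wc_get_logger()->warning(
            sprintf(
                'Blocked checkout registration attempt from %s with billing email %s',
                isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown',
                isset( $_POST['billing_email'] ) ? sanitize_email( wp_unslash( $_POST['billing_email'] ) ) : 'none'
            ),
            array( 'source' => 'checkout-registration-guard' )
        );
        wc_add_notice( __( 'Account creation during checkout is disabled on this store.', 'crg' ), 'error' );
    }
} );
```

Drop the file into wp-content/mu-plugins/ so it loads before regular plugins; the error notice makes WooCommerce skip order creation for that request, and the log entry gives you a timeline of attempts to compare against the spam orders described above.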

On top of that, we recommend you remove any unwanted or suspicious user accounts. Additionally, to keep your store clean, you can delete all the spam orders that the bot might have created.

How to avoid problems like this in the future?

Prevention is better than cure, so to avoid issues like this in the future, we recommend you use some plugins such as Advanced noCaptcha & Invisible Captcha, Fake customer blocker, or Fraud Prevention for WooCommerce. Another option if you don’t sell many products is to manually review and approve your orders. It’s true that this adds an extra manual step, but it also adds an extra layer of safety to your store.

For more information about how to prevent spam and fake orders in WooCommerce, check out this guide.

Conclusion

All in all, stores running WooCommerce v4.6.1 and under, or WooCommerce Blocks 3.7.0, are at risk from this vulnerability. The exploit allows guest users to create an account during checkout and place fake orders. The good news is that the new version, WooCommerce 4.6.2, fixes the vulnerability. Additionally, WooCommerce also released Blocks 3.7.1 to patch the exploit.

So, if you have a WooCommerce store, update to the latest version 4.6.2 as soon as possible to make sure your site is safe. To avoid issues like this in the future, make sure you follow some of our recommendations to avoid spam and fake orders in your store.

Have you been affected by this exploit? Did you have any issues in your WooCommerce store? Let us know in the comments section below!