WooCommerce 4.6.2 fixes Vulnerability that Allowed Spam Orders

If you have a WooCommerce store, we have some big news for you. WooCommerce has just released a patch that fixes a vulnerability that allowed bots to create spam orders. In this post, you’ll learn more about the vulnerability in WooCommerce 4.6.2, how to know if you’re affected, and what to do to fix it.

What does this WooCommerce vulnerability do?

The vulnerability allows guest users to create accounts during the checkout process even if the option Allow customers to create an account during checkout was disabled. So, bots could create accounts, obtain system access, and place fake orders to look for vulnerabilities in other plugins on the site. The issue was discovered after several users reported receiving spam or “failed orders” in their stores.

Additionally, the WooCommerce team also found out that the vulnerability also affected the checkout block in WooCommerce Blocks.

Which WooCommerce versions are vulnerable?

All the WooCommerce versions prior to 4.6.2 and WooCommerce Blocks v3.7.0 are at risk of this vulnerability. It’s worth mentioning that for WooCommerce Blocks, the vulnerability only applies to the feature plugin release of WooCommerce Blocks and not to the block that is bundled with WooCommerce.

How long has the vulnerability been active?

The first time a user reported the issue was on October 27th, 2020. It took WooCommerce 9 days to update to version 4.6.2 and fix the exploit. So, during that time, many users had their site’s URL changed and different attempts to hack their stores.

How can you know if you’ve been affected by this vulnerability?

As we mentioned before, every site using WooCommerce 4.6.1 and under and WooCommcerce Blocks 3.7.0 is vulnerable. So far, the only evidence of an attack is a sudden creation of spam accounts and fake orders. According to the report that WooCommerce released, the orders that the attack creates follow this pattern:

Order info:
bbbbb bbbbb
bbbbb
74 xxxxxxx Rd
xxxxxxx
EX14 5HN
United Kingdom (UK)
xxx xxxx xxxx
[email protected]

Even though the creation of fake accounts and orders doesn’t cause many issues in itself, it can have more serious consequences if the bot finds other vulnerabilities in other plugins that it could exploit.

For more information about the specifics of the exploit, you can have a look at this thread.

WooCommerce 4.6.2 patches the vulnerability

To protect your store, you should update WooCommerce to the latest version 4.6.2 that fixes this vulnerability. Additionally, if you use WooCommerce Blocks, you should update to version 3.7.1. These new releases contain fixes that check the Allow customers to create an account during checkout settings and don’t allow the user to create an account creation during checkout if that option is disabled.

On top of that, we recommend you remove any unwanted or suspicious user accounts. Additionally, to keep your store clean, you can delete all the spam orders that the bot might have created.

How to avoid problems like this in the future?

Prevention is better than cure, so to avoid issues like this in the future, we recommend you use some plugins such as Advanced noCaptcha & Invisible Captcha, Fake customer blocker, or Fraud Prevention for WooCommerce. Another option if you don’t sell many products is to manually review and approve your orders. It’s true that this adds an extra manual step, but it also adds an extra layer of safety to your store.

For more information about how to prevent spam and fake orders in WooCommerce, check out this guide.

Conclusion

All in all, store with WooCommerce v4.6.1 and under and WooCommerce Blocks 3.7.0 are at risk of vulnerability. The exploit allows guest users to create an account during the checkout and place fake orders. The good news is that the new version WooCommerce 4.6.2 fixes the vulnerability. Additionally, WooCommerce also released Blocks 3.7.1 to patch the exploit.

So, if you have a WooCommerce store, update to the latest version 4.6.2 as soon as possible to make sure your site is safe. To avoid issues like this in the future, make sure you follow some of our recommendations to avoid spam and fake orders in your store.

Have you been affected by this exploit? Did you have any issues in your WooCommerce store? Let us know in the comments section below!