Product Icon

WooCommerce

Sell online with the flexible, customizable eCommerce platform designed to grow with your business. From your first sale to millions in revenue, Woo is with you. See why merchants trust us to power 3.4 million online stores.

Security vulnerability related to user account creation

What I wanted to ask about is to see if there is a way to prevent user accounts from being created upon orders until AFTER the payment gateway accepts the payment. We’re having hacker users submit fake orders that get declined just so they can get user accounts established. We don’t want them to have a user account if their order failed. I’m currenlty having to manually delete these users each time a failed order happens.

We think the default functionality should be to delay the user account creation until after the payment gateway accepts the payment.

We have one hacker submitting MANY fake orders trying to get accounts established and/or testing credit card numbers fraudulently obtained to see if any go through. We don’t want this person to have an account on our site.

He’ll submit 15 different orders with different credit cards within the same minute on the time-stamp, so he has to have bot involvement on this in some way.

We’re worried that if he has an account on the site, he’ll be able to find some other vulnerability somewhere that will allow him to upgrade that account to having admin credentials.

Author

webgurufloridafreewheelerscom

Current Status

Open

Last updated: August 9, 2023

2 comments

Log in to comment on this feature request.

  1. usebrandable says:

    Same here, we have a few clients asking for this!

  2. aaronrehm says:

    Did you figure out anything here? I’m having the same problem.

Use of your personal data
We and our partners process your personal data (such as browsing data, IP Addresses, cookie information, and other unique identifiers) based on your consent and/or our legitimate interest to optimize our website, marketing activities, and your user experience.