WooCommerce

by  Woo
Sell online with the flexible, customizable eCommerce platform designed to grow with your business. From your first sale to millions in revenue, Woo is with you. See why merchants trust us to power 3.4 million online stores.

Security vulnerability related to user account creation

What I wanted to ask about is to see if there is a way to prevent user accounts from being created upon orders until AFTER the payment gateway accepts the payment. We’re having hacker users submit fake orders that get declined just so they can get user accounts established. We don’t want them to have a user account if their order failed. I’m currently having to manually delete these users each time a failed order happens.

We think the default functionality should be to delay the user account creation until after the payment gateway accepts the payment.

We have one hacker submitting MANY fake orders trying to get accounts established and/or testing credit card numbers fraudulently obtained to see if any go through. We don’t want this person to have an account on our site.

He’ll submit 15 different orders with different credit cards within the same minute on the time-stamp, so he has to have bot involvement on this in some way.

We’re worried that if he has an account on the site, he’ll be able to find some other vulnerability somewhere that will allow him to upgrade that account to having admin credentials.

Author

webgurufloridafreewheelerscom

Current Status

Open

Last updated: August 9, 2023

0 comments
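The pattern described in the request (many declined orders with different cards inside one minute) can be flagged from an order export. The following detection sketch is an added example, not part of the original request and not WooCommerce code; the record layout, the per-client grouping by IP address, the 60-second window and the five-card threshold are all assumptions, and the sample rows are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed: "within the same minute"
MIN_DISTINCT_CARDS = 5          # assumed threshold, tune per store

# Constructed sample rows: (ISO timestamp, client IP, card last 4, order status)
SAMPLE_ORDERS = [
    ("2024-01-15T14:02:01", "203.0.113.7", "4242", "failed"),
    ("2024-01-15T14:02:09", "203.0.113.7", "1881", "failed"),
    ("2024-01-15T14:02:17", "203.0.113.7", "0005", "failed"),
    ("2024-01-15T14:02:26", "203.0.113.7", "9424", "failed"),
    ("2024-01-15T14:02:38", "203.0.113.7", "5100", "failed"),
    ("2024-01-15T14:02:51", "203.0.113.7", "3220", "failed"),
    # Customer retrying one card, then succeeding: not card testing.
    ("2024-01-15T14:05:00", "198.51.100.20", "1111", "failed"),
    ("2024-01-15T14:05:40", "198.51.100.20", "1111", "failed"),
    ("2024-01-15T14:06:10", "198.51.100.20", "1111", "processing"),
    # Distinct cards, but minutes apart: below the burst rate.
    ("2024-01-15T14:00:00", "192.0.2.44", "7001", "failed"),
    ("2024-01-15T14:03:00", "192.0.2.44", "7002", "failed"),
    ("2024-01-15T14:06:00", "192.0.2.44", "7003", "failed"),
    ("2024-01-15T14:09:00", "192.0.2.44", "7004", "failed"),
    ("2024-01-15T14:12:00", "192.0.2.44", "7005", "failed"),
]


def find_card_testing(orders, window=WINDOW, min_cards=MIN_DISTINCT_CARDS):
    """Return {client: timestamp of first alert} for clients whose failed
    orders used at least min_cards distinct cards within one sliding window."""
    recent = defaultdict(deque)  # client -> (time, card) of recent failed orders
    alerts = {}
    for ts, client, card, status in sorted(orders):
        if status != "failed":
            continue
        now = datetime.fromisoformat(ts)
        queue = recent[client]
        queue.append((now, card))
        # Drop failures that have aged out of the window.
        while now - queue[0][0] > window:
            queue.popleft()
        distinct_cards = {c for _, c in queue}
        if client not in alerts and len(distinct_cards) >= min_cards:
            alerts[client] = ts
    return alerts


if __name__ == "__main__":
    for client, first_seen in find_card_testing(SAMPLE_ORDERS).items():
        print(f"possible card testing from {client}, first flagged {first_seen}")
```

Accounts tied to a flagged client are the ones to review for removal, and the same signal can drive rate limiting or a checkout challenge before more orders are accepted.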
