• Resolved

    nmsuser (@nmsuser)


    Hello,

    We are experiencing a critical security issue on a WooCommerce installation.

    When opening certain suspicious (fake) orders in the admin panel, a new WordPress user is automatically created via the REST API endpoint:

    POST /wp-json/wp/v2/users

    From debugging logs we confirmed:

    • The user is created through WP_REST_Users_Controller->create_item()
    • wp_insert_user() is triggered from the REST API
    • The request URI is /wp-json/wp/v2/users
    • Immediately after, a role is assigned and an auth cookie is set

    Backtrace shows normal WordPress REST execution flow:

    wp_insert_user
    WP_REST_Users_Controller->create_item
    WP_REST_Server->dispatch
    rest_api_loaded

    The unusual behavior is:

    • The user creation is triggered when editing specific fake WooCommerce orders
    • It does NOT happen when editing legitimate orders
    • The suspicious orders were created via WooCommerce Store API endpoints (/wp-json/wc/store/v1/...)
    • Server logs show automated cart and checkout API calls from specific IP ranges

    We would like to clarify:

    1. Is there any known vulnerability in WooCommerce Store API or order handling that could allow a malicious payload to trigger REST user creation?
    2. Could order meta or Store API data inject something that triggers REST execution in admin context?
    3. Is there any known interaction between WooCommerce admin screens and the WP REST users endpoint?

    We have already:

    • Verified WordPress core integrity
    • Logged REST calls and confirmed the user creation happens via REST
    • Isolated that this is not standard WooCommerce behavior

    Any guidance would be appreciated, especially regarding possible Store API exploitation or order meta injection vectors.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi @nmsuser,

    Thank you for taking the time to outline this in such detail. I can see how concerning this behavior is, especially when user creation is being triggered in connection with suspicious orders. You’ve clearly done solid debugging already, and we definitely want to help you narrow this down.

    To clarify first, WooCommerce core and the Store API do not contain any known functionality that would trigger a POST /wp-json/wp/v2/users request simply by viewing or editing an order in the admin. The WordPress REST users endpoint requires proper authentication and capability checks, so it should not be callable anonymously through order data alone.

    A few important points to consider:

    1. Editing an order in wp-admin does not, by default, trigger any REST request to /wp-json/wp/v2/users. If that call is occurring during order edit, something in the environment is programmatically initiating it.
    2. The WooCommerce Store API endpoints such as /wp-json/wc/store/v1/... are designed for cart and checkout operations and do not interact with the WordPress users REST controller.
    3. Order meta data alone cannot execute code unless a plugin, custom snippet, or compromised file is explicitly processing that data in an unsafe way.

    Given that the issue only happens with specific fake orders, this strongly suggests one of the following:

    • A vulnerable or compromised plugin reacting to specific order meta
    • Malicious code injected into the database or theme
    • A compromised admin session where a script is executing in the background
    • A server level compromise or injected JavaScript making authenticated REST calls

    At this stage, we would recommend the following next steps:

    • Temporarily disable all plugins except WooCommerce and switch to a default theme such as Storefront to test whether the behavior persists.
    • Check the Users REST route permissions by confirming that unauthenticated requests to /wp-json/wp/v2/users are blocked.
    • Inspect the suspicious orders’ meta data directly in the database to look for unexpected serialized payloads.
    • Scan the site files and database using your hosting provider’s malware scanner or a security plugin.
    • Review server access logs to confirm which IP and authentication context is making the REST call.

    From what you’ve described, this does not match standard WooCommerce behavior, and there is no known Store API vector that would allow order data to directly trigger WordPress user creation in admin context without additional compromised code being involved.

    If you’re able to share a sanitized System Status Report via https://pastebin.com or https://gist.github.com, that would also help us review the environment more closely. We’ll be glad to continue digging with you.
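As an added example, not part of the thread and not WooCommerce's own tooling, the Python script below works through the last of the steps listed above (reviewing access logs to confirm which address and authentication context issues the REST call) over a handful of constructed combined-format log lines. It separates 201 creations from 401-rejected unauthenticated attempts (the baseline the route-permission check is looking for), reads the Referer to tie each creation back to the order edit screen it was fired from, lists the orders that were opened without triggering anything, and collapses Store API checkout callers into /24 ranges. Hostnames, addresses, order ids, timestamps and the query strings in the sample lines are all constructed.

```python
"""Triage of a web-server access log for the pattern in this thread: an authenticated
POST /wp-json/wp/v2/users fired from the admin order-edit screen, next to automated
Store API checkout traffic.  Example code written for this page, not WooCommerce code.
The log lines are constructed (combined format with Referer and User-Agent)."""
import re
from collections import defaultdict
from ipaddress import ip_network
from urllib.parse import parse_qs, urlparse

SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:01:02 +0000] "POST /wp-json/wc/store/v1/cart/add-item HTTP/1.1" 201 512 "-" "python-requests/2.31"
203.0.113.10 - - [12/Mar/2025:10:01:03 +0000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 200 1843 "-" "python-requests/2.31"
203.0.113.11 - - [12/Mar/2025:10:01:05 +0000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 200 1843 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2025:11:15:40 +0000] "GET /wp-admin/admin.php?page=wc-orders&action=edit&id=4471 HTTP/1.1" 200 60233 "https://shop.example/wp-admin/admin.php?page=wc-orders" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:11:15:41 +0000] "POST /wp-json/wp/v2/users?_locale=user HTTP/1.1" 201 977 "https://shop.example/wp-admin/admin.php?page=wc-orders&action=edit&id=4471" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:11:20:02 +0000] "GET /wp-admin/admin.php?page=wc-orders&action=edit&id=4390 HTTP/1.1" 200 58102 "https://shop.example/wp-admin/admin.php?page=wc-orders" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2025:11:30:00 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 401 120 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def order_id_from_url(url):
    """Order id if the URL is a WooCommerce order edit screen, else None.
    Covers the HPOS screen (admin.php?page=wc-orders&action=edit&id=N) and the
    legacy post screen (post.php?post=N&action=edit, which may be any post type)."""
    if not url or url == "-":
        return None
    u = urlparse(url)
    q = parse_qs(u.query)
    if (u.path.endswith("/wp-admin/admin.php") and q.get("page") == ["wc-orders"]
            and q.get("action") == ["edit"] and "id" in q):
        return int(q["id"][0])
    if u.path.endswith("/wp-admin/post.php") and q.get("action") == ["edit"] and "post" in q:
        return int(q["post"][0])
    return None


def rest_user_creations(entries):
    """Every POST to the core users endpoint, with the order-edit screen it was fired
    from (Referer), if any.  201 = account created; 401 = unauthenticated attempt rejected."""
    hits = []
    for e in entries:
        if e["method"] == "POST" and e["path"].split("?", 1)[0] == "/wp-json/wp/v2/users":
            hits.append({"ip": e["ip"], "ts": e["ts"], "status": e["status"], "ua": e["ua"],
                         "referer": e["referer"],
                         "from_order_edit": order_id_from_url(e["referer"])})
    return hits


def store_api_checkouts_by_ip(entries):
    """Count Store API checkout calls per source address."""
    counts = defaultdict(int)
    for e in entries:
        if e["method"] == "POST" and e["path"].split("?", 1)[0] == "/wp-json/wc/store/v1/checkout":
            counts[e["ip"]] += 1
    return dict(counts)


def triage(log_text):
    entries = parse_log(log_text)
    creations = rest_user_creations(entries)
    viewed = set()
    for e in entries:                     # admin order screens that were opened
        if e["method"] == "GET":
            oid = order_id_from_url(e["path"])
            if oid is not None:
                viewed.add(oid)
    triggering = {c["from_order_edit"] for c in creations
                  if c["status"] == 201 and c["from_order_edit"] is not None}
    checkouts = store_api_checkouts_by_ip(entries)
    ranges = defaultdict(int)
    for ip, n in checkouts.items():       # collapse callers to /24 to expose ranges
        ranges[str(ip_network(f"{ip}/24", strict=False))] += n
    return {
        "created": [c for c in creations if c["status"] == 201],
        "rejected_unauthenticated": [c for c in creations if c["status"] == 401],
        "triggering_orders": sorted(triggering),
        "orders_viewed_without_trigger": sorted(viewed - triggering),
        "checkout_ips": checkouts,
        "checkout_ranges": dict(ranges),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

A 201 carrying a wp-admin Referer and a browser User-Agent is the signature of a script running inside an authenticated admin session rather than an external API client. A Referer can be absent or forged, so treat it as a lead to confirm on the WordPress side (which account the auth cookie belonged to, and what that account's role was at the time), not as proof on its own.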

    Thread Starter nmsuser (@nmsuser)

    Thank you for the prompt response, the problem has been found.

    We have identified and fixed a security vulnerability (XSS) in older versions of our plugin (≤ 12.4.0.3).

    We strongly recommend updating immediately to version 12.4.1.

    Under specific conditions, this vulnerability could allow an attacker to execute malicious scripts within an authenticated administrator session. In some cases, this may have enabled unauthorized creation of WooCommerce REST API keys or orders with falsified data.

    The vulnerability has been fully patched in the latest version of the plugin.

    Required Actions:

    • Update the plugin to the latest version immediately.
    • Reset all administrator passwords.
    • Review the list of administrator users and remove any unfamiliar accounts.
    • Review WooCommerce → Advanced → REST API and delete any unknown or suspicious API keys.
    • As an extra precaution, you can also regenerate existing REST API keys. Replace them in the services that use them.

    As a precaution, we also recommend enabling two-factor authentication (2FA) for all administrator accounts.

    The free version of the PixelYourSite plugin is not affected.

    If you no longer have access to updates and you still use an older version of the PixelYourSite Pro plugin, replace it with the free plugin instead.
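The support reply earlier in the thread suggests inspecting the suspicious orders' meta directly for unexpected serialized payloads, and this follow-up confirms the root cause was a script executing in an authenticated admin session when the fake orders were opened. As an added example, not code from the thread, from WooCommerce or from PixelYourSite, here is a small Python scanner that takes meta rows as they sit in wp_postmeta or the HPOS wp_wc_orders_meta table, unserializes the PHP-serialized ones the way WordPress maybe_unserialize() would (null, bool, int, float, string and array; objects are left as raw text), and flags any string leaf containing a tag, an inline event handler or a javascript: URL. The rows are constructed; the _order_tracking_* meta keys are hypothetical.

```python
"""Scan order meta rows for markup hiding in plain or PHP-serialized values.
Example code written for this page, not WooCommerce code.  The rows below are
constructed; the '_order_tracking_*' keys are hypothetical."""
import re


def php_unserialize(blob):
    """Minimal PHP unserialize() for the types WordPress meta normally carries
    (N, b, i, d, s, a).  Works on bytes because PHP string lengths are byte counts."""
    data = blob if isinstance(blob, bytes) else blob.encode("utf-8")
    pos = 0

    def parse():
        nonlocal pos
        t = chr(data[pos])
        if t == "N":                      # N;
            pos += 2
            return None
        if t in "ibd":                    # i:42;  b:1;  d:0.5;
            end = data.index(b";", pos)
            raw = data[pos + 2:end].decode()
            pos = end + 1
            return int(raw) if t == "i" else (raw == "1" if t == "b" else float(raw))
        if t == "s":                      # s:5:"hello";
            colon = data.index(b":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2             # skip ':"'
            pos = start + length + 2      # skip closing '";'
            return data[start:start + length].decode("utf-8", "replace")
        if t == "a":                      # a:2:{key;value;key;value;}
            colon = data.index(b":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2               # skip ':{'
            result = {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            pos += 1                      # skip '}'
            return result
        raise ValueError(f"unsupported serialized type {t!r} at offset {pos}")

    value = parse()
    if pos != len(data):
        raise ValueError("trailing data after serialized value")
    return value


SERIALIZED_RE = re.compile(rb"^(?:N;|[bids]:|a:\d+:\{)")


def maybe_unserialize(value):
    """Mirror WordPress maybe_unserialize(): parse when the value looks serialized,
    otherwise (or when parsing fails, e.g. an O: object) return it unchanged."""
    data = value.encode("utf-8") if isinstance(value, str) else value
    if not SERIALIZED_RE.match(data):
        return value
    try:
        return php_unserialize(data)
    except (ValueError, IndexError):
        return value


# Tags, inline event handlers, javascript: and data:text/html URLs.  Loose on
# purpose: a hit is something for a human to look at, not a verdict.
MARKUP_RE = re.compile(
    r"<\s*/?[a-z!?][a-z0-9]*|\bon[a-z]+\s*=|javascript\s*:|data\s*:\s*text/html", re.I)


def walk_strings(value, path=""):
    """Yield (path, text) for every string leaf of a possibly nested value."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from walk_strings(v, f"{path}[{k}]")
    elif isinstance(value, str):
        yield path or "<value>", value


def scan_meta_rows(rows):
    """rows: iterable of (meta_key, meta_value).  Returns one finding per string
    leaf that contains markup, with where in the structure it sits."""
    findings = []
    for meta_key, meta_value in rows:
        for path, text in walk_strings(maybe_unserialize(meta_value)):
            m = MARKUP_RE.search(text)
            if m:
                findings.append({"meta_key": meta_key, "path": path, "match": m.group(0),
                                 "snippet": text[max(0, m.start() - 20):m.end() + 40]})
    return findings


SAMPLE_ROWS = [  # constructed
    ("_billing_first_name", "Alice"),
    ("_customer_note", "Please leave the parcel at the door"),
    ("_billing_company", 'ACME <img src=x onerror="alert(1)">'),
    ("_order_tracking_data",
     'a:1:{s:7:"billing";a:1:{s:7:"company";s:25:"<script>alert(1)</script>";}}'),
    ("_order_tracking_retries", "i:0;"),
]

if __name__ == "__main__":
    for finding in scan_meta_rows(SAMPLE_ROWS):
        print(finding)
```

Run it against a dump of the affected orders' meta (SELECT meta_key, meta_value ... for the suspicious order ids) rather than against the whole table first; fields such as billing company, customer note and any plugin-specific tracking keys are the ones a checkout request can populate without an account. Anything flagged should then be checked in the plugin that renders it on the order screen, since the fix is output escaping there, not deleting the row.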

    Plugin Support shahzeen (woo-hc) (@shahzeenfarooq)

    Hi there,

    Thank you for the update and for sharing these important details — we really appreciate you letting us know once the root cause was identified.

    We’re glad to hear that the vulnerability has been fully patched in the latest release and that you’ve already taken steps to address it. Your outlined actions are absolutely appropriate, and we strongly agree with the recommendations to update immediately and review administrator access and REST API keys as a precaution.

    Before you go, if you found WooCommerce helpful in setting up your store, we would really appreciate it if you could leave a five-star review: https://ww.wp.xz.cn/support/plugin/woocommerce/reviews/#new-post. Your feedback helps us improve and lets other users know how WooCommerce can support their business.
