The WooCommerce 2.6.3 fix/security release is now available. You can download it on or as an automatic update in your administration panel.

~104 commits made it into this release fixing several minor issues and a potential security issue. The main fixes/updates are as follows.

  • Securify reported an issue with the way captions were shown within PrettyPhoto. Due to double-escaping, captions could be treated as HTML allowing for XSS attacks. However, this would require the admin to upload a malicious image to exploit. The affected template files were patched and the version numbers bumped.

  • There was an issue with layered nav counts when used in conjunction with search.
  • We added transient based caching to the comment count functions to improve page loading speed in admin.

The full changelog for 2.6.3 is below.

* Fix - Security - Escape captions in product-thumbnail and product-image templates (template versions have been bumped).
* Fix - Fixed how we calculate shipping tax rates when using more than one tax class.
* Fix - When duplicating product variations, set title, name, and guid.
* Fix - Normalized 'read more' buttons.
* Fix - Add to cart notices for grouped products.
* Fix - Do not sanitize passwords in the settings API.
* Fix - Handle shipping zone location range conversion during update (dashes to ...).
* Fix - Always remove commas while processing flat rate costs.
* Fix - Ensures account page layout is only applied to desktop-sized displays.
* Fix - When getting layered nav counts, take search parameters into consideration.
* Fix - Free shipping show/hide javascript.
* Fix - Strip hash characters when exporting reports.
* Fix - Use permission id to revoke access to downloads to prevent removing wrong rows.
* Fix - When duplicating product variations, set title, name, and guid.
* Fix - Set more appropriate default rounding precision based on currency decimal places.
* Fix - Fix message styles for empty carts.
* Fix - Fixed the load of the WC_Email_Customer_On_Hold_Order class.
* Fix - Don't perform cart update on search submit.
* Dev - API - Added support for WP REST API with custom URL prefixes.
* Dev - API - Delete variations when deleting a variable product.
* Dev - API - Fixed how we check for product types.
* Dev - Added woocommerce_cart_id filter.
* Dev - Add shortcode name param to shortcode_atts function calls.
* Dev - Post custom data when fetching a variation via ajax.
* Dev - Include child prices in grouped_price_html filter.
* Dev - Allow filtering of variation stock quantity.
* Dev - Added $_product argument to 'woocommerce_restock_refunded_item' hook.
* Dev - Added a filter hook for the wc_ajax endpoint url.
* Tweak - Include account page link in new customer account emails.
* Tweak - Updated all URLs from to
* Tweak - Cache the result of WC_Comments::wp_count_comments() in a transient (improves performance).

If you spot any further issues, please report them to us in detail on GitHub so the development team can review – comments on this post are closed.