The WooCommerce 2.6.4 fix/security release is now available. You can download it or install it as an automatic update in your administration panel.

~20 commits made it into this release fixing several minor issues. The main changes are as follows.

  • The REST API image upload feature has been locked down to only allow images, rather than all supported WordPress MIME types.
  • There was an issue in COD where shipping method titles were missing.
  • The WC_ROUNDING_PRECISION constant was removed but has been put back for plugin compatibility reasons.

The full changelog for 2.6.4 is below.

* Fix - Security - Only allow image MIME type upload via REST APIs.
* Fix - Shipping method title display in COD settings.
* Fix - Order date input in Edge browser.
* Fix - Ensure value is not null in variations to support empty show_option_none setting.
* Fix - get_the_title does not need escape in grouped template file.
* Fix - Ensure WC_ROUNDING_PRECISION is defined and use it as a low precision boundary in wc_get_rounding_precision().
* Fix - Response body should be a string in webhook class.
* Fix - Use h2 instead of h3 headings in profile screen.
* Dev - API - Allow meta_key/value filters for products.
* Dev - CLI - Explode tags and category IDs to allow multiple comma separated values.
* Dev - Add $order arg to woocommerce_admin_order_item_class and woocommerce_admin_html_order_item_class filters.

If you spot any further issues, please report them to us in detail on GitHub so the development team can review – comments on this post are closed.