The WooCommerce 2.6.4 fix/security release is now available. You can download it on WordPress.org or as an automatic update in your administration panel.
~20 commits made it into this release fixing several minor issues. The main changes are as follows.
The REST API image upload feature has been locked down to only allow images, vs all supported WordPress MIME types.
- There was an issue in COD where shipping method titles were missing.
- WC_ROUNDING_PRECISION constant was removed but put back for plugin compatibility reasons.
The full changelog for 2.6.4 is below.
* Fix - Security - Only allow image MIME type upload via REST APIs.
* Fix - Shipping method title display in COD settings.
* Fix - Order date input in Edge browser.
* Fix - Ensure value is not null in variations to support empty show_option_none setting.
* Fix - get_the_title does not need escape in grouped template file.
* Fix - Ensure WC_ROUNDING_PRECISION is defined and use it as a low precision boundary in wc_get_rounding_precision().
* Fix - Response body should be a string in webhook class.
* Fix - Use h2 instead of h3 headings in profile screen.
* Dev - API - Allow Allow meta_key/value filters for products.
* Dev - CLI - Explode tags and category IDs to allow multiple comma separated values.
* Dev - add $order arg to woocommerce_admin_order_item_class and woocommerce_admin_html_order_item_class filters..
If you spot any further issues, please report them to us in detail on GitHub so the development team can review – comments on this post are closed.