Develop WooCommerce

The official WooCommerce development blog

WooCommerce 3.5.2 security/fix/compatibility release notes — November 29, 2018

WooCommerce 3.5.2 is now available. This release patches a number of bugs, adds compatibility with the Twenty Nineteen theme and with PHP 7.3, and fixes one security issue. Versions 3.5.1 and earlier are affected by a stored XSS vulnerability through the API which can be exploited by users with write-access API keys, and we recommend all users running WooCommerce 3.x upgrade to 3.5.2 to mitigate it. Thanks to Karim for disclosing this vulnerability.

Important: If you will be using the Twenty Nineteen theme included with WordPress 5.0 or if you will be using PHP 7.3, you should also be using WooCommerce 3.5.2+. In this release we’ve added the necessary styling for stores to look nice in the Twenty Nineteen theme and made backwards-compatible code tweaks to prevent notices and warnings when running PHP 7.3.

~87 commits made it into this release and the full changelog is below.

* Enhancement - Added compatibility for Twenty Nineteen theme. #21970
* Update - Prepare WooCommerce for PHP 7.3. #22009
* Tweak - Updates the signature field type to "password" in PayPal settings for increased security. #21715
* Tweak - Change the filter name in the /myaccount/lost-password-confirmation.php template to differentiate it from another filter with the same name and a different message. #21829
* Tweak - Reintroduce Preview button by popular demand with the understanding that the Preview will only work on some product fields. It was removed from published products in 3.5.0 to prevent confusion. #21838
* Tweak - Add tool to systems status tools for running the DB update routine. #21923
* Tweak - Revert default behavior for `woocommerce_formatted_address_force_country_display` filter to maintain backwards compatibility. #21865
* Tweak - Update products block notice for WP 5.0. #21930
* Tweak - Use wp_kses_post instead of esc_html for sanitizing product titles to allow minimal HTML in product titles. #21936
* Tweak - Use dedicated woocommerce_add_order_again_cart_item to filter cart item data when ordering again. Prevents issues with applying woocommerce_add_cart_item out of context. #21947
* Tweak - Remove postal code for Angola, São Tomé and Príncipe since they don't use postal codes and update locale info. #21984 #21985 #21987
* Fix - Metadata with array key of 0 can save properly. #21641
* Fix - Prevent deleting the default product category via REST API. #21696
* Fix - Fix 'Table does not exist' messages on System Status Report in multisite. #21706
* Fix - Add dynamic SSL check to dashboard SSL notice to prevent misdiagnosing that sites aren't set up with SSL. #21738
* Fix - Don't show escaped HTML in admin order item details for fees. #21769
* Fix - Don't include draft variable products in on sale product results. #21778
* Fix - Add woocommerce_hold_stock_minutes check back to stock check in cart/checkout. #21797 #22050
* Fix - Fix potential undefined index notice on checkout fields when comparing the sort order. #21801
* Fix - Throw an error when trying to set a variation as the parent of a variation in the CSV importer. #21810
* Fix - Make "account erasure request" text translatable. #21812
* Fix - Display notices on Order Pay page. #21821
* Fix - Fix tax rate uploading by file path. #21831
* Fix - Make wc_download_log_permission_id constraint creation work better on multisites and multiple sites using the same DB. #21836 #21940
* Fix - Don't render undecoded HTML entities in variations dimensions. #21844
* Fix - Do not check for stock when not managing stock or when backorders are enabled when paying through the order-pay page. #21849
* Fix - Apply priority field sorting on additional filters to make it apply on the edit address pages as well. #21856
* Fix - Fix export and edit of attribute labels with html encoded special characters in product CSV exporter. #21864
* Fix - Prevent fatal error when rendering plaintext customer invoice email. #21879
* Fix - Prevent fatal error when delivering webhooks using v3 API. #21921
* Fix - Prevent undefined variable notice in wc_increase_stock_levels. #21928
* Fix - Fix overescaping image output on product widget. #21929
* Fix - Croatian Kuna symbol should be lowercase. #21934
* Fix - Fixed an error when deleting logged entries when using the 'WC_Log_Handler_DB' handler. #21949
* Fix - Update ShipStation plugin info so install works through setup wizard. #21953
* Fix - Use dynamic DB table name in product list table shipping class query. #21954
* Fix - Log file date/time should be in UTC and not site timezone as per the +00:00:00 string appended to it. #21981
* Fix - Set customer's country to selling country when only selling to one country and default customer location is 'none'. #21995
* Fix - Change new account email copy to be compatible with auto-generated accounts. #21999
* Fix - Correct Aria-Labelledby attribute for quantity selectors. #22000
* Fix - Show notices on lost password page. #22001
* Fix - Fix authentication errors when using the REST API with 3rd-party authentication. #22013
* Fix - Fix issues where potentially not all active plugins were included on the system status report. #22057
* Fix - Make PDT validation use the same rounding as the IPN validation to prevent erroneous totals mismatch. #21729

Download the latest release of WooCommerce here or venture over to Dashboard → Updates to update your plugins from WordPress.

As usual, if you spot any other issues in WooCommerce core please log them in detail on GitHub, and to disclose a security issue to our team, please submit a report via HackerOne here.

WooCommerce 3.5.1 release notes — October 31, 2018

WooCommerce 3.5.1 is now available. This release patches the highest priority bugs introduced in the WC 3.5.0 release and updates WooCommerce to work nicely with WordPress 5.0.

Important: If you will be using WordPress 5.0, you should also be using WooCommerce 3.5.1+. WordPress 5.0 changed the name of a filter used to force the classic editor on the Edit Product screens, and this release updates WooCommerce to use the latest filter. You can read more about this change here.

~67 commits made it into this release and the full changelog is below.

* Fix - Use CRUD method to get product images to fix custom tables missing images. #21608
* Fix - Use HTML entity for times sign when outputting dimensions to fix RTL support. #21633
* Fix - Fix India address format to look nice in the shipping calculator. #21647
* Fix - Don't default gallery variation images to gallery thumbnail size if flexslider is disabled. #21655
* Fix - Revert show shipping behavior change to prevent missing shipping line on Cart page. #21658
* Fix - Removed non-existing WC_Product_Simple->set_date_created_gmt method. #21675
* Fix - Use correct comment_type when fetching recent reviews for widget. #21689
* Fix - Do not include strong tags as part of translation string on subscriptions disconnect message. #21690
* Fix - Make it possible to send webhooks with the v3 API. #21745
* Fix - Fix get_cart_from_session infinite loop when filters used. #21749
* Fix - Use array instead of string to define class for address line 2 input on checkout. #21757
* Fix - Make checkout fields priority work correctly again. #21763
* Tweak - Remove mentions of deprecated live shipping rates from setup wizard. #21645
* Tweak - Update product block editor hook for WP 5.0. #21703
* Tweak - Merged similar strings to reduce number of translatable strings. #21704
* Tweak - Remove hated "Over to you" text from emails. #21709
* Tweak - Revert problematic customer as post author change. #21740

WooCommerce 3.5 is here! — October 23, 2018

Today we’re excited to release WooCommerce 3.5 into the wild! 3.5 has been in development since May, and has had over 1512 commits from 98 contributors.

3.5 is a “minor” release; this version should be backwards compatible with sites running versions of WooCommerce greater than or equal to 3.0. We do of course recommend ensuring your extensions and themes are compatible before upgrading, and making backups for peace of mind; see this handy guide for more details.

WooCommerce 3.4.7 fix release notes — October 18, 2018

WooCommerce 3.4.7 is now available. This is the last WooCommerce 3.4.x release, and it patches a couple of issues introduced in WC 3.4.6 on certain site setups. ~9 commits made it into this release and the full changelog is below.

* Fix - Simplify importer file path check to cause fewer issues. #21573
* Fix - Better role checking for user editing capabilities. #21569 #21575

Important update: WooCommerce 3.5 will now be released October 23rd. — October 16, 2018

We have delayed the release of WooCommerce 3.5 by one week in order to do extra testing and QA on the release. The testing regimen for WooCommerce releases is very thorough: it covers a variety of servers and themes, and includes running the prerelease version in staging and production on live sites. This will help ensure the upcoming release is a smooth upgrade for all stores before the busy holiday season.

The new release date for WooCommerce 3.5.0 is October 23rd.

You can read more about the upcoming changes and features planned for WC 3.5.0 at the beta post.