Develop WooCommerce

The official WooCommerce development blog

WooCommerce 2.6.9 Security/Fix Release Notes — December 7, 2016

WooCommerce 2.6.9 Security/Fix Release Notes

The WooCommerce 2.6.9 security/fix release is now available. You can download it on WordPress.org or as an automatic update in your administration panel.

~44 commits made it into this release fixing several minor issues and taking care of some security hardening.

The main change was that we updated WooCommerce for compatibility with WordPress 4.7 and the new Twenty Seventeen theme!

The full changelog for 2.6.9 is below.

* Theme - Added support for Twenty Seventeen Theme.
* Fix - Excluded webhook delivery logs from comments count.
* Fix - Included password strength meter in "Lost Password" page.
* Fix - Order fee currency in admin screen.
* Fix - Variation selection on Firefox 40.
* Fix - Don't prevent submission when table is not found on cart.
* Fix - Improved layered nav counts on attribute archives.
* Fix - Fixed pagination when removing layered nav items via widget.
* Fix - Default BE tax rate.
* Fix - Downloads should store variation ID rather than product if set. Also fixes link on account page.
* Fix - Use wp_list_sort instead of _usort_terms_by_ID to be compatible with 4.7.
* Fix - Only return empty string if empty for weight and dimension functions.
* Security - Wrapped admin tax rate table values in _escape to thwart evil CSVs an admin user could upload. Vulnerability was discovered by Fortinet’s FortiGuard Labs.
* Dev - API - Only update categories menu order and display if defined.
* Dev - Fixed when should deliver wp_trash_post webhooks.

If you spot any further issues, please report them to us in detail on GitHub so the development team can review – comments on this post are closed.

WooCommerce 2.6.4 Fix/Security Release Notes — July 26, 2016

WooCommerce 2.6.4 Fix/Security Release Notes

The WooCommerce 2.6.4 fix/security release is now available. You can download it on WordPress.org or as an automatic update in your administration panel.

~20 commits made it into this release fixing several minor issues. The main changes are as follows.

  • The REST API image upload feature has been locked down to only allow images, vs all supported WordPress MIME types.

  • There was an issue in COD where shipping method titles were missing.
  • WC_ROUNDING_PRECISION constant was removed but put back for plugin compatibility reasons.

The full changelog for 2.6.4 is below.

* Fix - Security - Only allow image MIME type upload via REST APIs.
* Fix - Shipping method title display in COD settings.
* Fix - Order date input in Edge browser.
* Fix - Ensure value is not null in variations to support empty show_option_none setting.
* Fix - get_the_title does not need escape in grouped template file.
* Fix - Ensure WC_ROUNDING_PRECISION is defined and use it as a low precision boundary in wc_get_rounding_precision().
* Fix - Response body should be a string in webhook class.
* Fix - Use h2 instead of h3 headings in profile screen.
* Dev - API - Allow Allow meta_key/value filters for products.
* Dev - CLI - Explode tags and category IDs to allow multiple comma separated values.
* Dev - add $order arg to woocommerce_admin_order_item_class and woocommerce_admin_html_order_item_class filters..

If you spot any further issues, please report them to us in detail on GitHub so the development team can review – comments on this post are closed.

WooCommerce 2.6.3 Fix/Security Release Notes — July 19, 2016

WooCommerce 2.6.3 Fix/Security Release Notes

The WooCommerce 2.6.3 fix/security release is now available. You can download it on WordPress.org or as an automatic update in your administration panel.

~104 commits made it into this release fixing several minor issues and a potential security issue. The main fixes/updates are as follows.

  • Securify reported an issue with the way captions were shown within PrettyPhoto. Due to double-escaping, captions could be treated as HTML allowing for XSS attacks. However, this would require the admin to upload a malicious image to exploit. The affected template files were patched and the version numbers bumped.

  • There was an issue with layered nav counts when used in conjunction with search.
  • We added transient based caching to the comment count functions to improve page loading speed in admin.

The full changelog for 2.6.3 is below.

* Fix - Security - Escape captions in product-thumbnail and product-image templates (template versions have been bumped).
* Fix - Fixed how we calculate shipping tax rates when using more than one tax class.
* Fix - When duplicating product variations, set title, name, and guid.
* Fix - Normalized 'read more' buttons.
* Fix - Add to cart notices for grouped products.
* Fix - Do not sanitize passwords in the settings API.
* Fix - Handle shipping zone location range conversion during update (dashes to ...).
* Fix - Always remove commas while processing flat rate costs.
* Fix - Ensures account page layout is only applied to desktop-sized displays.
* Fix - When getting layered nav counts, take search parameters into consideration.
* Fix - Free shipping show/hide javascript.
* Fix - Strip hash characters when exporting reports.
* Fix - Use permission id to revoke access to downloads to prevent removing wrong rows.
* Fix - When duplicating product variations, set title, name, and guid.
* Fix - Set more appropriate default rounding precision based on currency decimal places.
* Fix - Fix message styles for empty carts.
* Fix - Fixed the load of the WC_Email_Customer_On_Hold_Order class.
* Fix - Don't perform cart update on search submit.
* Dev - API - Added support for WP REST API with custom URL prefixes.
* Dev - API - Delete variations when deleting a variable product.
* Dev - API - Fixed how we check for product types.
* Dev - Added woocommerce_cart_id filter.
* Dev - Add shortcode name param to shortcode_atts function calls.
* Dev - Post custom data when fetching a variation via ajax.
* Dev - Include child prices in grouped_price_html filter.
* Dev - Allow filtering of variation stock quantity.
* Dev - Added $_product argument to 'woocommerce_restock_refunded_item' hook.
* Dev - Added a filter hook for the wc_ajax endpoint url.
* Tweak - Include account page link in new customer account emails.
* Tweak - Updated all URLs from WooThemes.com to WooCommerce.com.
* Tweak - Cache the result of WC_Comments::wp_count_comments() in a transient (improves performance).

If you spot any further issues, please report them to us in detail on GitHub so the development team can review – comments on this post are closed.