The WooCommerce 2.5.3 fix release is now available. You can download it on WordPress.org or as an automatic update in your administration panel.
The most notable change is to customer details on the thanks page. The thanks page has an obscure URL making it impossible to guess/find and see other user’s orders, however, if someone did discover the URL they’d see the customer address along with order details. To maintain privacy this is now hidden if the user viewing the page is a guest, or does not own the order.
A total of ~34 commits made it into this release fixing several minor issues and making some small tweaks. The changelog for 2.5.3 is below.
* Fix - Correct the 'unavailable template' call for variations so the message is displayed correctly, fixing a JS error.
* Fix - Add 'media-models' dependency to write panel scripts.
* Fix - Fix hide empty check in category walkers.
* Fix - Current class fix on some servers when empty.
* Fix - Multibyte safe trim string function.
* Fix - Prevent a notice by stopping a loop in woocommerce_products_will_display from stomping on other variables.
* Fix - If an attribute meta key is not set, technically its 'any', so should match. Prevents issues when meta data is missing after renaming attributes.
* Fix - Make wc_get_product_variation_attributes ignore non variation attributes.
* Fix - Notice when no order notes exist.
* Fix - Removed extra tab from plain email shipping address.
* Fix - Round shipping after tax calculation instead of before to prevent wrong taxes being calculated.
* Fix - State input box was not reappearing when switching from a hidden input to a text input.
* Fix - Don't duplicate rating and review counts.
* Fix - CLI - Allow setting of a single category.
* Fix - API - Replace term_taxonomy_id for term_id whilst creating/editing terms.
* Fix - API - Fix parent_id and menu_order for variations.
* Fix - Combine update post calls when update_status is ran.
* Fix - Total number of comments in the admin panel.
* Tweak - Show customer details for logged in users only on thanks page to prevent customer details being revealed if someone finds out the URL.
* Tweak - Wrap status report in backticks to stop people breaking .org forums.
* Tweak - Error handling for screen ids.
* Tweak - Use $wpdb->replace instead of doing a select and then deciding to do an update or insert in session handler.
* Tweak - Added check for private WooCommerce pages in status report.
* Tweak - Transactional emails for failed -> on hold.
* Dev - Include new triggers when removing and adding the password strength meter.
* Dev - Allow pass objects and arrays as webhook callbacks.
If you spot any further issues, please report them to us in detail on Github so the development team can review – comments on this post are closed.