WooCommerce 3.5.2 Security and Fix Update

WooCommerce 3.5.2 was released on November 28 as a security, fix and compatibility update. It fixes a security issue in WooCommerce 3.5.1 and earlier which allowed XSS by users holding write-access API keys. Besides the fixed vulnerability, this update brings support for the latest PHP 7.3 and the Twenty Nineteen theme.

The tweaks:

  • Updates the signature field type to «password» in PayPal settings for increased security.
  • Change the filter name in the /myaccount/lost-password-confirmation.php template to differentiate it from another filter with the same name but a different message.
  • Reintroduce Preview button by popular demand with the understanding that the Preview will only work on some product fields.
  • Add tool to systems status tools for running the DB update routine.
  • Revert default behavior for `woocommerce_formatted_address_force_country_display` filter to maintain backwards compatibility.
  • Update products block notice for WP 5.0.
  • Use wp_kses_post instead of esc_html for sanitizing product titles to allow minimal HTML in product titles.
  • Use dedicated woocommerce_add_order_again_cart_item to filter cart item data when ordering again. Prevents issues with applying woocommerce_add_cart_item out of context.
  • Remove postal code for Angola, São Tomé and Príncipe since they don’t use postal codes and update locale info.

The fixes:

  • Metadata with array key of 0 can save properly.
  • Prevent deleting the default product category via REST API.
  • Fix ‹Table does not exist› messages on System Status Report in multisite.
  • Add dynamic SSL check to dashboard SSL notice to prevent misdiagnosing that sites aren’t set up with SSL.
  • Don’t show escaped HTML in admin order item details for fees.
  • Don’t include draft variable products in on sale product results.
  • Add woocommerce_hold_stock_minutes check back to stock check in cart/checkout.
  • Fix potential undefined index notice on checkout fields when comparing the sort order.
  • Throw an error when trying to set a variation as the parent of a variation in the CSV importer.
  • Make «account erasure request» text translatable.
  • Display notices on Order Pay page.
  • Fix tax rate uploading by file path.
  • Make wc_download_log_permission_id constraint creation work better on multisites and multiple sites using the same DB.
  • Don’t render undecoded HTML entities in variations dimensions.
  • Do not check for stock when stock is not managed or backorders are enabled when paying through the order-pay page.
  • Apply priority field sorting on additional filters to make it apply on the edit address pages as well.
  • Fix export and edit of attribute labels with html encoded special characters in product CSV exporter.
  • Prevent fatal error when rendering plaintext customer invoice email.
  • Prevent fatal error when delivering webhooks using v3 API.
  • Prevent undefined variable notice in wc_increase_stock_levels.
  • Fix overescaping image output on product widget.
  • Croatian Kuna symbol should be lowercase.
  • Fixed an error when deleting logged entries when using the ‹WC_Log_Handler_DB› handler.
  • Update ShipStation plugin info so install works through setup wizard.
  • Use dynamic DB table name in product list table shipping class query.
  • Log file date/time should be in UTC and not site timezone as per the +00:00:00 string appended to it.
  • Set customer’s country to selling country when only selling to one country and default customer location is ‹none›.
  • Change new account email copy to be compatible with auto-generated accounts.
  • Correct Aria-Labelledby attribute for quantity selectors.
  • Show notices on lost password page.
  • Fix authentication errors when using the REST API with 3rd-party authentication.
  • Fix issues where potentially not all active plugins were included on the system status report.
  • Make PDT validation use the same rounding as the IPN validation to prevent erroneous totals mismatch.

Remember to create a backup before installing an update.

(Picture Courtesy of Yuri Samoilov)