WooCommerce 3.5.2 Security and Fix Update

WooCommerce 3.5.2 was released on November 28 as a security, fix and compatibility update. It fixes a security issue in WooCommerce 3.5.1 and earlier that allowed XSS by users with write-access API keys. Besides fixing the vulnerability, this update brings support for the latest PHP 7.3 and the Twenty Nineteen theme.

The tweaks:

  • Updates the signature field type to "password" in PayPal settings for increased security.
  • Change the filter name in the /myaccount/lost-password-confirmation.php template to differentiate it from another filter with the same name and a different message.
  • Reintroduce Preview button by popular demand with the understanding that the Preview will only work on some product fields.
  • Add tool to systems status tools for running the DB update routine.
  • Revert default behavior for `woocommerce_formatted_address_force_country_display` filter to maintain backwards compatibility.
  • Update products block notice for WP 5.0.
  • Use wp_kses_post instead of esc_html for sanitizing product titles to allow minimal HTML in product titles.
  • Use dedicated woocommerce_add_order_again_cart_item to filter cart item data when ordering again. Prevents issues with applying woocommerce_add_cart_item out of context.
  • Remove postal code for Angola, São Tomé and Príncipe since they don’t use postal codes and update locale info.

The fixes:

  • Metadata with array key of 0 can save properly.
  • Prevent deleting the default product category via REST API.
  • Fix 'Table does not exist' messages on System Status Report in multisite.
  • Add dynamic SSL check to dashboard SSL notice to prevent misdiagnosing that sites aren’t set up with SSL.
  • Don’t show escaped HTML in admin order item details for fees.
  • Don’t include draft variable products in on sale product results.
  • Add woocommerce_hold_stock_minutes check back to stock check in cart/checkout.
  • Fix potential undefined index notice on checkout fields when comparing the sort order.
  • Throw an error when trying to set a variation as the parent of a variation in the CSV importer.
  • Make "account erasure request" text translatable.
  • Display notices on Order Pay page.
  • Fix tax rate uploading by file path.
  • Make wc_download_log_permission_id constraint creation work better on multisites and multiple sites using the same DB.
  • Don’t render undecoded HTML entities in variations dimensions.
  • Do not check for stock when paying through the order-pay page if stock is not managed or backorders are enabled.
  • Apply priority field sorting on additional filters to make it apply on the edit address pages as well.
  • Fix export and edit of attribute labels with html encoded special characters in product CSV exporter.
  • Prevent fatal error when rendering plaintext customer invoice email.
  • Prevent fatal error when delivering webhooks using v3 API.
  • Prevent undefined variable notice in wc_increase_stock_levels.
  • Fix overescaping image output on product widget.
  • Croatian Kuna symbol should be lowercase.
  • Fixed an error when deleting logged entries when using the 'WC_Log_Handler_DB' handler.
  • Update ShipStation plugin info so install works through setup wizard.
  • Use dynamic DB table name in product list table shipping class query.
  • Log file date/time should be in UTC and not site timezone as per the +00:00:00 string appended to it.
  • Set customer’s country to selling country when only selling to one country and default customer location is 'none'.
  • Change new account email copy to be compatible with auto-generated accounts.
  • Correct Aria-Labelledby attribute for quantity selectors.
  • Show notices on lost password page.
  • Fix authentication errors when using the REST API with 3rd-party authentication.
  • Fix issues where potentially not all active plugins were included on the system status report.
  • Make PDT validation use the same rounding as the IPN validation to prevent erroneous totals mismatch.

Remember to create a backup before installing an update.

(Picture Courtesy of Yuri Samoilov)

