WooCommerce 3.2.4 security/fix release notes

WooCommerce 3.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites as soon as possible.

Versions 3.2.3 and earlier are affected by an issue where cached queries within shortcodes could lead to object injection. This is related to the recent WordPress 4.8.3 security release.

This issue can only be exploited by users who can edit content and add shortcodes, but we still recommend all users running WooCommerce 3.x upgrade to 3.2 to mitigate this issue.

Additionally, it has recently come to attention that versions 3.0 and 3.1 suffered from a bug which could allow someone to look up coupon codes from IDs using brute force.

Coupon codes are not confidential information (they can be shared), and cannot be used without placing an order so we feel this is relatively low risk. This is however another good reason to update to 3.2 since it’s not affected by the bug.

As well as these security fixes, ~78 commits made it into this release. The full changelog is below.

* Fix - Cache IDs in shortcodes rather than query objects.
* Fix - Fix float rounding issues in cart with currencies like Bitcoin.
* Fix - Prevent slashes appearing in shipping fields and inside meta keys when using quotes.
* Fix - Check valid data when filtering `wp_nav_menu_objects` to prevent conflicts.
* Fix - `get_total_ex_tax` should exclude fee taxes.
* Fix - Fix orders count in tax reports.
* Fix - Allow removing coupons from the cart, even if coupons are disabled.
* Fix - Prevent calculate_totals totals running too often.
* Fix - Set attributes during variation creation so all options are correctly displayed in cart forms.
* Fix - Grab description directly to pass through wc_format_content to prevent double sanitization.
* Fix - Fix db warnings when using the "Add Order Indexes" tool.
* Fix - Remove unnecessary html formatting in variation dimensions field.
* Fix - Fix WC_Customer_Download isset method.
* Fix - Removed class within class in admin meta boxes HTML.
* Fix - Fixed wrong `flex-control-nav` selector scope in `add-to-cart-variation.js`
* Fix - Allow variations to be added to cart from query string.
* Fix - Use `add_filter` for `comment_feed_where` hook.
* Fix - Change nocache_headers hook firing in the cache helper.
* Fix - Coupon min/max spend based on displayed subtotal.
* Fix - Fix event propagation on click in setup wizard and improve validation.
* Fix - API - Change how line items are saved in API so calculations are correct.
* Tweak - Hide downloads from admin emails.
* Tweak - Set placeholder for variation lxwxh field to that of the parent.
* Tweak - Improve the Add Payment Methods display so buttons are not shown when no payment methods support the feature.
* Localization - Update NJ tax rate.
* Localization - Add Belarusian ruble BYN.

Download the latest release of WooCommerce here or venture over to Dashboard → Updates to update your plugins from WordPress.

As usual, if you spot any other issues in WooCommerce core please log them in detail on Github, and to disclose a security issue to our team, please submit a report via HackerOne here. Comments on this post are closed.


Keep yourself in the loop!

This field is hidden when viewing the form
This field is hidden when viewing the form
This field is hidden when viewing the form