WooCommerce 3.4.6 security/fix release notes

WooCommerce 3.4.6 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites as soon as possible.

Versions 3.4.5 and earlier are affected by a handful of issues that allow Shop Managers to exceed their capabilities and perform malicious actions. These issues can be exploited by users with Shop Manager capabilities or greater, and we recommend all users running WooCommerce 3.x upgrade to 3.4.6 to mitigate them. Thanks to Simon Scannell, Karim, and Slavco for reporting the issues.

~30 commits made it into this release. The full changelog is below:

* Fix - Security issues
* Fix - Allow percent coupons with sale restrictions to apply to carts with sale items in them. #21241
* Fix - Prevent multiple slashing of variation's SKU. #21019

Download the latest release of WooCommerce here or venture over to Dashboard → Updates to update your plugins from WordPress.

There is one breaking change in this release. Previously, Shop Managers were allowed to edit all roles except admins. This was much more permission than Shop Managers needed for their role. With this release, Shop Managers can only edit users with the Customer role by default, and there is a whitelist of roles that Shop Managers can edit.

We’ve designed it to be easy for extensions that register custom roles to add roles to the whitelist if they want Shop Managers to be able to edit those users. There is a straightforward filter. Here is an example of how to add new roles to the Shop Manager user edit whitelist:

```php
/**
 * Allow Shop Managers to edit and promote users with the Editor role
 * using the 'woocommerce_shop_manager_editable_roles' filter.
 *
 * @param array $roles Array of role slugs for users Shop Managers can edit.
 * @return array
 */
function myextension_shop_manager_role_edit_capabilities( $roles ) {
    $roles[] = 'editor';
    return $roles;
}
add_filter( 'woocommerce_shop_manager_editable_roles', 'myextension_shop_manager_role_edit_capabilities' );
```
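Because any extension can append to this whitelist, a site owner may want a guard that runs last and drops roles that would hand Shop Managers a path to higher privileges. The following is an added example, not WooCommerce code: the `mysite_` function names and the list of sensitive capabilities are assumptions to adapt to your own policy.

```php
/**
 * Added example (not part of WooCommerce): remove roles carrying
 * user-management or site-administration capabilities from the
 * Shop Manager user-edit whitelist, whichever extension added them.
 *
 * @param array $roles Role slugs Shop Managers are allowed to edit.
 * @return array Filtered list of role slugs.
 */
function mysite_restrict_shop_manager_editable_roles( $roles ) {
    // Assumption: capabilities this site considers too powerful for any
    // role that a Shop Manager may edit or assign.
    $sensitive_caps = array(
        'manage_options',
        'edit_users',
        'promote_users',
        'create_users',
        'delete_users',
        'install_plugins',
        'activate_plugins',
        'edit_plugins',
        'edit_themes',
    );

    $safe = array();

    foreach ( array_unique( (array) $roles ) as $slug ) {
        $role = get_role( $slug );

        // Unknown role slug: drop it rather than trust it.
        if ( null === $role ) {
            continue;
        }

        // Skip the whole role as soon as one sensitive capability is found.
        foreach ( $sensitive_caps as $cap ) {
            if ( $role->has_cap( $cap ) ) {
                continue 2;
            }
        }

        $safe[] = $slug;
    }

    return $safe;
}
// Latest possible priority so this runs after extensions have added roles.
add_filter( 'woocommerce_shop_manager_editable_roles', 'mysite_restrict_shop_manager_editable_roles', PHP_INT_MAX );
```

With WordPress's default role definitions, Customer and Editor pass this check while Administrator does not.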

As usual, if you spot any other issues in WooCommerce core, please log them in detail on GitHub. To disclose a security issue to our team, please submit a report via HackerOne here.
