WooCommerce 3.5.5 security/fix release

WooCommerce 3.5.5 is now available. Since this release contains fixes to harden security, we encourage you to update your sites as soon as possible.

~89 commits made it into this release and the full changelog is below. Thanks to Zhouyuan Yang of Fortinet’s FortiGuard Labs for reporting the Photoswipe caption issue.

* Fix - Allow the product low stock threshold to fall back to the WC settings default. #22777
* Fix - Fix error on product category when sorting by multiple fields. #22066
* Fix - Recalculate coupon totals after adding a coupon to an order. #22580
* Fix - Include refunded orders in top sellers, top earners and sales by product. #22581
* Fix - Fix issue where "Any" attributes on variable products were not always selectable on the front end. #22067
* Fix - Ensure partial refunds fire order.updated webhooks. #22072
* Fix - Reload the cart page when the cart is empty. #22114
* Fix - Always show the price filter widget when filtering products by price. #22303
* Fix - Added a body `{padding: 0;}` CSS rule to email-styles.php to fix the iOS email layout issue. #22309
* Fix - Update variable product default attributes to reflect attribute terms slug edit. #22398
* Fix - Adds all 3 callback arguments to the `woocommerce_order_item_display_meta_value` filter called from the `get_formatted_legacy` method of the WC_Order_Item_Meta class. #22411
* Fix - Remove html from add coupon error alert during manual order entry. #22424
* Fix - Include tax in subtotals when validating coupon minimum and maximum in manual order entry. #22464
* Fix - Fix ssl check in case shop page no longer exists. #22531
* Fix - Exclude `paged` from price slider and rating filter. #22533
* Fix - Limit bulk variation percentage price adjustment to decimal places in pricing settings. #22537
* Fix - Fix category image `name` field to be used for API POST/PUT. #22553
* Fix - Fix remote request test in `get_environment_info()`. #22551
* Fix - Fix notices when images have no metadata or their metadata is removed. #22562
* Fix - Check for presence of 'save' entry in post data when determining whether to save settings. #22572
* Fix - Additional CSS support for more input types on variations panel in admin. #22590
* Fix - Fix over-escaping of rating widget HTML. #22593
* Fix - Update cron sale price removal to remove the price at midnight after the sale ends. #22609
* Fix - `WC_Log_Handler_File::remove` - fix for MS Windows. #22624
* Fix - Only require flat shipping rate when shipping method is enabled in the On-Boarding Wizard. #22599
* Fix - Fix wrong variable check in `add_uncropped_metadata`. #22638
* Fix - Fix missing alert for a mismatched password on password reset. #22642
* Fix - Hold-stock behavior between simple products and variable products was different. #22646
* Fix - OBW: Offer Storefront when the WP 5.0 default theme is active. #22649
* Fix - Add novalidate attribute to payment form to prevent hidden fields preventing submission. #22662
* Fix - Switch span to paragraph for descriptions in admin user profile view to correct spacing. #22663
* Fix - Added POST variable check in product data meta box. #22681
* Fix - PayPal item name encoding. #22684
* Fix - Move PayPal BN partner ID. #22763
* Fix - The "for" attribute of a label for a radio input is invalid in `woocommerce_form_field`. #22690
* Fix - Custom payment options sections were not loading settings. #22704
* Fix - Breadcrumbs on custom post types were using the singular name instead of the plural. #22705
* Fix - Fixed generate webhook signature when secret contains special chars. #22722
* Fix - Set correct item meta after restocking items with refunds. #22729
* Fix - Sales by Product to consistently calculate net sales counts and amounts. #22711
* Fix - Importer - Variations cannot be drafts so set to private. #22736
* Fix - Next/previous links for orders REST endpoint when `status` query parameter is present. #22741
* Fix - Default value passed to sorting dropdown. #22677
* Tweak - Updates Mailchimp branding in setup wizard. #22514
* Tweak - Refactor `@id` generation for product structured data to prevent plugin conflicts. #22554
* Tweak - Keep count of the number of times custom coupons apply. #22529
* Tweak - Change WooCommerce emails footer from `Powered by WooCommerce` to `Built with WooCommerce`. #22530
* Security - Improved escaping for Photoswipe captions.
* Security - Improved escaping for JSON attributes and structured data.

Download the latest release of WooCommerce here or venture over to Dashboard → Updates to update your plugins from WordPress.

As usual, if you spot any other issues in WooCommerce core please log them in detail on Github, and to disclose a security issue to our team, please submit a report via HackerOne here. Comments on this post are closed.
