WooCommerce 3.6.5 security release

WooCommerce 3.6.5 is now available. Since this release contains fixes to harden security, we encourage you to update your stores as soon as possible.

~70 commits made it into this release and the full changelog is below.

* Security - Introduce file type check for tax rate importer.
* Security - Added nonce check to CSV importer actions.
* Enhancement - WordPress & PHP upgrade nudges when running older versions. #23975
* Fix - "Filter by price" widget excludes category when combined with a product attribute. #23720
* Fix - Add query parameter (GET) forwarding when processing batch API requests. #23769
* Fix - Fixed query of top rated products shortcode. #23771
* Fix - Typo in customers endpoint schema. #23812
* Fix - Update Emogrifier library to fix problem with nth-child pseudo selector. #23824
* Fix - Avoid outputting a rating of zero when product has comments without a review rating. #23828
* Fix - Do not throw a PHP notice if including the REST API handlers manually. #23840
* Fix - WooCommerce Tracker review count. #23849
* Fix - Coupon usage limit issue when applying coupon to order in the backend. #23851
* Fix - Fatal error when trying to apply virtual coupons to guest orders. #23877
* Fix - AJAX update order review doesn't reload the page. #23891
* Fix - Variation matching returns incorrect values when using a large number of variations combined with 0-value attributes. #23909
* Fix - Password mismatch when user registered with password containing a double quote. #23926
* Fix - Minor Shipping Zone UI issue due to conflict with some browser extensions. #23789
* Fix - Make Products->Categories active when the "Make Default" link is clicked under any product category. #23936
* Fix - Update URL describing how to increase PHP memory limit on system status page. #23919
* Fix - Sets the position of the tracking image to fixed, so it doesn't affect page layout. #23953
* Fix - Button to manually update database in WooCommerce > Status > Tools. #23966
* Fix - Tracks blog ID retrieval from Jetpack options. #24028
* Fix - Fixed support for parentheses in phone number validation. #23967
* Tweak - Improve tooltip text describing the product sale dates in the product admin page. #23935
* Tweak - Made NL postcode validation more flexible, allowing lowercase and missing space. #23837
* Localization - Display city field as optional for Singapore addresses. #23878
* Dev - Add filters to file paths passed to the different xsendfile-like backends. #23814

Download the latest release of WooCommerce here or venture over to Dashboard → Updates to update your plugins from WordPress.

As usual, if you spot any other issues in WooCommerce core, please log them in detail on GitHub. To disclose a security issue to our team, please submit a report via HackerOne here. Comments on this post are closed.