WooCommerce 3.5.10–6.3.1 Security releases

We’ve just started rolling out automatic updates with patches for WooCommerce 3.5–6.3. This fix contains important security improvements for the PayPal Standard payment gateway (deprecated since July 2021). Please make sure to update your site if you don’t get the update automatically.

For users who still run the PayPal Standard payment gateway, we strongly recommend switching to the PayPal Payments plugin, as PayPal Standard is no longer actively developed. We’ve prepared a handy upgrade guide to make the migration process easier.

All users of older WooCommerce versions (pre-3.5) need to disable PayPal Standard and migrate to the PayPal Payments plugin to be safe, if they wish to continue using PayPal.

Please find below the list of fix releases:

Fix releases
6.3.1
6.2.2
6.1.2
6.0.1
5.9.1
5.8.1
5.7.2
5.6.2
5.5.4
5.4.4
5.3.3
5.2.5
5.1.3
5.0.3
4.9.5
4.8.3
4.7.4
4.6.5
4.5.5
4.4.4
4.3.6
4.2.5
4.1.4
4.0.4
3.9.5
3.8.3
3.7.3
3.6.7
3.5.10
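A quick way to turn the list above into a check, added here as an example rather than WooCommerce’s own code: it maps an installed version to its major.minor branch and compares it with that branch’s fix release, treats pre-3.5 installs as needing PayPal Standard disabled (as the announcement says), and reports sites with the gateway disabled as not exposed (as confirmed in the comments below). Branches newer than 6.3 are outside the list and are reported as such rather than assumed fixed; the result says nothing about other, later advisories.

```python
"""Check whether an installed WooCommerce version carries the PayPal Standard
security fix from the advisory above. Added example, not WooCommerce code."""
import re

# Fix releases exactly as listed in the announcement.
FIX_RELEASES = [
    "6.3.1", "6.2.2", "6.1.2", "6.0.1",
    "5.9.1", "5.8.1", "5.7.2", "5.6.2", "5.5.4", "5.4.4", "5.3.3",
    "5.2.5", "5.1.3", "5.0.3",
    "4.9.5", "4.8.3", "4.7.4", "4.6.5", "4.5.5", "4.4.4", "4.3.6",
    "4.2.5", "4.1.4", "4.0.4",
    "3.9.5", "3.8.3", "3.7.3", "3.6.7", "3.5.10",
]


def parse_version(text):
    """Turn '5.9.1' (or '5.9') into a tuple of ints; ValueError on junk."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised WooCommerce version: {text!r}")
    return tuple(int(p) for p in m.groups(default="0"))


# Branch (major, minor) -> first release of that branch containing the fix.
_FIX_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in FIX_RELEASES}
_OLDEST_BRANCH = min(_FIX_BY_BRANCH)  # (3, 5)
_NEWEST_BRANCH = max(_FIX_BY_BRANCH)  # (6, 3)


def assess(installed, paypal_standard_enabled=True):
    """Classify an install against this advisory only. Returns one of:
    'not-exposed'          gateway disabled, so the flaw is unreachable
    'patched'              installed >= the fix release for its branch
    'vulnerable'           a listed branch, but below its fix release
    'unsupported-disable'  pre-3.5: no fix exists, disable PayPal Standard
    'newer-than-advisory'  branch after 6.3, not covered by the list
    Note: 'patched' here does not cover later advisories (e.g. the 6.2.1 fix
    was not backported to older branches, as discussed in the comments)."""
    v = parse_version(installed)
    if not paypal_standard_enabled:
        return "not-exposed"
    branch = v[:2]
    if branch < _OLDEST_BRANCH:
        return "unsupported-disable"
    if branch > _NEWEST_BRANCH:
        return "newer-than-advisory"
    fix = _FIX_BY_BRANCH.get(branch)
    if fix is None:
        # Assumption: a branch inside 3.5-6.3 that is missing from the list
        # (none exist in practice) is treated as unpatched, not as safe.
        return "vulnerable"
    return "patched" if v >= fix else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not real site data.
    for ver in ("6.2.1", "6.2.2", "5.9.0", "3.4.7", "6.4.0"):
        print(ver, "->", assess(ver))
```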

55 responses to “WooCommerce 3.5.10–6.3.1 Security releases”

  1. Will Pay for Payment for WooCommerce work with this plugin?

    1. Peter Fabian

      It would be best to check with the ‘Pay for Payment for WooCommerce’ plugin author to be sure. If it doesn’t, please let them know the PayPal Standard is no longer supported and they should start supporting the new plugin.

      1. It does work since it’s in the payment tabs.

  2. Wcdev1.0

    Unfortunately, the support of PayPal Payments is kind of useless.

  3. You keep advertising the new PayPal plugin without any mention that one needs PayPal Reference Transactions to use it with WooCommerce Subscriptions. But Reference Transactions is only available after you personally call (!) PayPal and they deem you worthy of this feature. Small WooCommerce sites like mine are not able to get it. So this new PayPal plugin is useless for me. If you ever decide to end support for PayPal Standard, I will have to move my WooCommerce setup including WC Memberships, WC Subscriptions and Sensei to some other solution. I have mentioned this several times in different places and have never received any feedback on this. Am I the only WooCommerce customer with this problem? Are you aware of this problem?

    1. And the guide on Reference Transactions has been outdated for a while now. PayPal does not have an “email form” to contact them anymore. You can delete that whole part. https://woo.com/document/paypal-reference-transactions/#section-1

      1. So, if anyone out there finds this: Instead of calling PayPal, you can use their “Messenger” feature. That is a superbly stupid chat bot at first, but if that bot can’t help you, the exchange is sent to an actual person. So you start your conversation with that bot until it gives up. At the end you get an opportunity to clarify to the customer service person reading this what you actually want.

        I got a message back with a bunch of questions:

        Business information:
        Business name
        Business URL
        Current/anticipated monthly sales via PayPal only
        Number of repeat customers

        Integration information:
        Please describe what do you intend to use the product for?
        Do you or your buyers need to initiate each subsequent payment themselves or are they processed automatically without any customer involvement?
        Will this service be enabled within your website, mobile app integration, or both?
        Are you integrating through another payment service provider, such as Worldpay or Ingenico?
        Do you require the Reference Transactions product for use with your Shopping Cart to offer Subscriptions? (For example Woo-Commerce, Charge-Bee.)

        I sent them my answers back. I’m not very hopeful that they will give me Reference Transactions. But you never know, and at least I didn’t have to deal with a call center and explain all of the above to some random person.

        It can take up to 10 days for them to get back to me.

        1. Getting PayPal to turn on reference transactions is like pulling teeth. Avoid the chat and phone support, both of which are worthless. Email them directly at payflow-support@paypal.com

          1. They did come back to me, but for starters they want to see at least $10,000 processed per month before even considering it.

    2. steveokk

      I’m definitely shocked too at the direction WooCommerce is moving in; scary when you look at the review ratings for the new PayPal Payments plugin. Are we really supposed to be installing that on our live sites? 😨

    3. They ended support for the older PayPal plugin this month. It is no longer actively developed.

      1. Thanks for letting me know. I wasn’t aware of that. I am pretty angry and frustrated I have to say. Other paid plugins using Reference Transactions actually help their customers. Not so much WooCommerce. I used to love WordPress. Have been using it since 2005. But the last few years have been very rough. I feel completely ignored as a user.

    4. You are not alone in this, Jati. I will not accept new PayPal restrictions; they are fraudulent anyway, holding my payments and sneaking into my website.

    5. picocodes

      The PayPal payments plugin is still buggy, to say the least. But the WooCommerce guys wouldn’t know that as they do not use it in their own store.

    6. I use Stripe and it’s listed as ‘use your credit card’. I’ve been using that for the last two years with no problems. After the customer chooses a service with a monthly contract, I have it set to automatically set up recurring payments, and send invoices and receipts through Stripe. And it’s all set up within the Stripe dashboard. Stripe is owned by Wells Fargo. By far the best to use; standard cc processing rates, automatic deposits to your bank next day, recurring subscriptions, nice invoices, integrates with Woo dashboard. No hassles.
      Oh, BTW I use a signature plugin to capture authorization before it takes payment. If you do check my site, I apologize, a recent update moved the signature fields and I just have to take the time to correct it.

      1. Yes, Stripe is great. I have been using them parallel to PayPal for years now. Good service, fair prices. They offer a lot of other payment methods besides credit cards, too!

  4. If we have disabled Paypal Standard under the Payments tab, and are instead using a custom integration with Paypal… Are we still vulnerable here, or are we protected and should treat this update as a standard plugin update (as opposed to a “you better get this installed ASAP security update”)?

    1. Peter Fabian

      If you disable PayPal Standard, then you’re no longer vulnerable.

  5. As long as the PayPal integration of subscriptions isn’t working in the same way as in PayPal Standard, it’s not possible to switch. We tried switching and users can’t order subscriptions anymore. I’m very sorry – I really would like to use the new PayPal Payments plugin.

  6. SteveD.

    I’m absolutely furious that Woo is abandoning PayPal Standard when PayPal Payments is CLEARLY not ready for production. What the heck are you folks thinking? And why did you force install Woocommerce Payments in this release? Very heavy-handed.

  7. Discipleship Ministries Store

    I’m absolutely furious that Woo is abandoning PayPal Standard when PayPal Payments is CLEARLY not ready for production. What are you people thinking?

    And, why the heck did you force-install yet another payment gateway – WooCommerce Payments – in this release? This is very heavy-handed.

    1. Peter Fabian

      Hi, sorry to hear you’re having issues with the PayPal Payments. Can you please be more specific about the way it’s not working for you so that we can work on improving it, please?

      This is just a security update with no further changes. We didn’t force install WooCommerce Payments. It has been shown in the list of Payment options in Settings for several releases already with an Install button next to it. You should be able to hide it via the three dots menu to the left of the Install button. Hope that helps!

      Thank you.

  8. This update has been applied automatically to my clients websites, despite the fact auto-updates are not enabled. I am not happy with this as I have some customisations and also I like to test any updates first.
    Is this a one off or are we going to be getting more auto-updates without warning in the future?

    1. Peter Fabian

      This was a one-off due to the security vulnerability. Also, we don’t plan to force update on all security fixes, only for the serious ones.

      1. OK, thank you for clarifying. Auto-updates cause a huge problem for me due to a customisation I’ve made. Is there a way of warning users instead so they can update themselves?

      2. jakeqz47

        No it is not a one-off. We had an automatic security update around version 5.8.1.

        The update failed and broke a number of sites I am hosting where the WooCommerce plugin directory is a symbolic link. It was able to remove all files through the symbolic link, but unable to put the new ones in. Thus the plugin was effectively removed from all of my sites. In some cases the sites were broken with a white screen of death due to other plugins that depended on WooCommerce with code assuming availability of certain functions etc. This went unnoticed for several days.

        Is there a mailing list I can join to be informed of this type of update before it is applied?

        I will also log the issue on GitHub.

        1. Peter Fabian

          Strictly speaking, you’re right it’s not a one-off. In the history of WooCommerce, I think there were 3 instances where we opted to backport a patch for security reasons.

          As with every update, we need to consider and weigh the potential of breaking the plugin for some users to help others and this was one such instance, where we decided it’s probably better to patch more versions and roll out automatic updates. We’re sorry to hear it caused problems for you. Thanks for your feedback, we are considering giving a heads up before rolling out backports in the future and will keep our users informed via the dev blog.

  9. Olaf Lederer

    Is this issue also fixed by the (automatic) upgrade for the older versions?
    https://developer.woo.com/2022/02/22/woocommerce-6-2-1-security-fix/

    1. Peter Fabian

      The issue has been fixed in all versions listed in the blog post, so e.g. 6.2.2 is fixed, but 6.2.1 is vulnerable. Hope that makes it clear.

      1. Olaf Lederer

        Hi Peter,
        Thanks for the reply. The linked article is only about the sec. fix for version 6.2.x, while the last update from 10th March was also targeted at older versions. That’s why I ask: is the problem addressed in the sec. fix for 6.2.1 included in the updates for previous versions, for example in version 5.9.1 or 5.7.2?
        Let me ask it differently: are versions like 5.9.1 or 5.7.2 vulnerable?

        1. Peter Fabian

          Ah, I see what you mean now. The problem addressed in the 6.2.1 release is only fixed in later releases, i.e. 6.2.2, 6.3.0, and 6.3.1.

          The security problem fixed by 6.2.1 has a lower potential impact, thus we didn’t backport it to the previous releases. In other words, that means e.g. 5.9.1 still has some security flaws. That’s why we always recommend running the latest version of WooCommerce.

          1. Olaf Lederer

            Thanks Peter, that was exactly the information I needed 🙂

  11. After this update, Woocommerce disappeared from my site, and displayed a critical error message. I had to remove the Woocommerce files from the plugins folder and reinstall. Then it came back. Any idea why this would happen?

    1. Peter Fabian

      Sorry, no idea. If you still have the critical error message, please post it here or open an issue in GitHub so that we can investigate. Thank you!

      1. jakeqz47

        I had the same problem. It broke several sites and went unnoticed for several days. The automatic update process is clearly very bug-ridden and bug-riddled.

  12. Currently trying to make the switch to the PayPal Payments plugin but despite “Pay Later on Checkout” being unselected, clicking “Enable buttons on Checkout” enables both the PayPal and PayPal Later buttons. Am I missing something?

    1. Jorge A. Torres

      Hi John!

      I’m sorry you’re having trouble. I see why this can be confusing, as there’s a disconnect between the “Pay Later” button and the “Pay Later” message (the small line of text with offers from PayPal that you see above the buttons) which the settings screen doesn’t properly convey.

      I’ve reported this to the developers (https://github.com/woocommerce/woocommerce-paypal-payments/issues/543) and hopefully we’ll make things clearer in a future version.

      In the meantime, a workaround would be to completely disable the “Pay Later” button, which you can accomplish by going to WooCommerce > Settings > Payments > PayPal, scrolling down to “Hide Funding Source(s)” and choosing “Pay Later”.

      1. johnphillips593

        Hi Jorge. Thanks for replying – I’ve disabled the Pay Later option and it’s working as expected now. 🙂

  14. johnburrows958052538

    Given the fact the plugin mentioned has a current rating of 1.7/5 and hundreds of unsolved issues, I doubt many people will be willing to trial this on a production site.

    Paypal are now ringing multiple times a week for the “fast and easy” switchover and their agents literally do not know why.

    This has been extremely poorly planned and executed, and the proof is in the reviews.

  15. Paypal support is ridiculous these days. As other people noted before, the NEW suggested versions don’t actually work properly (just check ratings and reviews!), and especially when used with subscriptions: Paypal will NOT enable “reference transactions” on your account if you don’t already make certain figures… basically they won’t enable a feature that would allow you to make money… if you don’t already make plenty of money. It’s a very dumb chicken-and-egg problem (if we want to think nicely) or a strategy to get rid of small customers on Paypal’s side… they don’t want me? I don’t want them, then.

    1. Exactly. PayPal told me they need to see at least $10,000 processed per month to even consider it …

  16. So I contacted PayPal as described above via their “Messenger” service and I will not get Reference Transactions anytime soon.

    Their response:

    “Due to the nature in which payments are received via Reference Transactions, we tend to see a higher level of fraud and risk compared to our other payment flows. For this reason, the Reference Transaction Feature is considered a high-risk product. This requires us to have certain thresholds before we can consider applications. For example we require a minimum of $10,000 USD per month or more when processing. Since this requirement has not been met we can not continue forward with your application.”

    $10,000 per month with PayPal alone … That’s a lot, at least for me. And that is only one “example threshold”.

    I don’t know why WooCommerce thinks that it is a good idea to make this obscure PayPal feature mandatory for WooCommerce Subscriptions.

    How can people like me voice their concerns about this in a way that is actually listened to? @peterfabian1000

    1. From what I just learned: This is more PayPal’s fault than WooCommerce’s. Still a frustrating situation … But maybe we do have to drop PayPal. I wouldn’t miss them. Don’t like that company anyway 🙁

    2. Peter Fabian

      We hear you, @jati. Thanks for following up here with the useful information. If you want to reach out, we have a community slack where we can discuss this more: https://woocommercecommunity.slack.com/

      I’m sure our development advocacy folks would be also happy to chat with you. cc @lsinger

      1. Thank you and sorry for getting angry. I understand that it’s hard to work on something and communicate it at the same time to a non-technical audience. Especially if you can’t talk freely about the details anyway. But still: It is very useful to understand the why behind a decision. This is why I follow channels like this one although I am not a developer.

        We decided to drop PayPal for new subscriptions and we will “nudge” existing subscribers towards a different payment method.

        1. I don’t like PayPal either, but seeing that most customers know it, I use PayPal Standard; I don’t know whether I’m doing the right thing or not.

          But I would be very happy to be able to drop PayPal: high fees, and it gets its hands in far too much.

        2. We did the same. I suspect that paypal “suggested” to the woo folks to use this feature (which works by default in sandbox) without telling them they would be pushing back so much when customers actually want it enabled in production…. which means, for the time being “bye bye paypal”, for many. Maybe it’s part of a strategy on paypal side to actually get rid of customers…

  17. Since upgrading WooCommerce on or around March 16, my online orders have been getting declined because the source IP (mine) and the customer IP on the transaction are the same (which they shouldn’t be; it should be wherever the customer is), so the bank is declining the transaction thinking it is fraud. The hosting company says PHP is returning the proper IP addresses, so they think it is WooCommerce sending incorrect info. Anyone else with this issue, or resolved it?

  18. Hello, since this update my customers see an empty cart if they are not logged in, which is losing me a number of transactions and new customers. How can the problem be resolved?

  19. jakeqz47

    Please confirm this is not another enforced ‘security update’ that will break my sites.

    I have automatic updates switched off for a good reason – one of them being as described at https://github.com/woocommerce/woocommerce/issues/32111 and the associated WordPress bug https://core.trac.wordpress.org/ticket/15134 that has not been fixed in 11 years.

    I have not had time to come up with a convenient solution to prevent security updates for specific plugins that are symlinked as described in https://wordpress.org/support/article/configuring-automatic-background-updates/#plugin-theme-updates-via-filter but really I think this is NMFP.

    Given that Automattic now owns WooCommerce, if WooCommerce want to force-push certain updates, isn’t it about time that Automattic start fixing some of the years-old bugs in the WordPress update system?

    1. Peter Fabian

      Thanks for your feedback. Unfortunately, there is really no way for us to be able to tell if this update will break your particular site. The number of reports about stuff breaking has been low for this set of releases.

      We would of course welcome improvements to the WordPress update system, as we rely on it, but it depends on the community and the priorities of the open-source project.

      We’re trying to use this force-update exception process very rarely so that it doesn’t break people’s sites.

  20. Sorry, but one thing isn’t clear to me: is it mandatory to switch to PayPal Payments? Can’t you keep the standard one? From what I read, activating it would require a monthly turnover that my site doesn’t have. What do I do?
