WooCommerce 7.0.1 is available for download.
- With WordPress 6.1 just around the corner which introduces the new TT3 (Twenty Twenty-Three) theme, we’ve added compatibility changes to this release so that everything will look nice with that theme. (#35306)
- Simplified and reduced the size of the payload returned by the woocommerce_get_customer_details AJAX endpoint. This addresses a security concern in the handling of user information that was exploitable by shop managers and above. Thanks to David Anderson for highlighting this.
- Updated WooCommerce Blocks to version 8.5.2 which includes compatibility with TT3 (Twenty Twenty-Three) theme. (#35423)
You can download the latest release of WooCommerce from the WooCommerce website, or visit Dashboard → Updates to update the plugin from your WordPress admin screen.
As usual, if you spot issues in WooCommerce core, please log them in detail on GitHub. Found a security issue? Please submit a report via HackerOne.
One reply on “WooCommerce 7.0.1 Patch Release”
This is to say, previous versions of WooCommerce contain an information-leaking vulnerability. A user with “shop manager” privileges can gain access to information that would not normally be accessible to anyone below the “administrator” level. Specifically, such a user can obtain access to all contents of the WordPress “usermeta” table. Potentially this could include secret keys, API keys or other sensitive data, depending on what plugins are in use on the site.
So, if your site has shop managers who are not administrators, then you are vulnerable, and should upgrade as soon as possible.
I was expecting Automattic to publish this information for the benefit of store owners with much more clarity than the above. Without specific information, it is hard for store owners to know how urgent upgrading may or may not be for them.
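The release note states that the fix ships in 7.0.1 and that the weakness was exploitable by shop managers and above, and the reply above narrows the practical exposure to stores that have shop manager accounts. The following script is an added example, not part of the release notes or the comment, for a store owner who wants to assess that exposure across one or many sites. The version comparison and verdict logic are plain POSIX shell so they run anywhere; the optional `--live` mode assumes a WordPress host with WP-CLI installed and uses the `wp plugin get` and `wp user list` commands to read the installed WooCommerce version and the number of shop_manager accounts.

```shell
#!/bin/sh
# Added example (not WooCommerce's own code): decide whether a store still
# needs the WooCommerce 7.0.1 update that reduced the payload of the
# woocommerce_get_customer_details AJAX endpoint.
FIXED_VERSION="7.0.1"

# version_lt A B: return 0 when dotted numeric version A is strictly older
# than B (7.0.0 < 7.0.1, 7 < 7.0.1, 7.1 is not < 7.0.1). Assumes purely
# numeric components; pre-release suffixes such as "-beta" are not handled.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# assess VERSION SHOP_MANAGER_COUNT: print a verdict and return 0 only when
# the site is exposed (WooCommerce older than 7.0.1 and at least one
# shop_manager account present). Any older version should still be updated.
assess() {
    version="$1"; managers="$2"
    if ! version_lt "$version" "$FIXED_VERSION"; then
        echo "WooCommerce $version already includes the 7.0.1 fix"
        return 1
    fi
    if [ "$managers" -eq 0 ]; then
        echo "WooCommerce $version predates the fix; no shop_manager accounts, but update anyway"
        return 1
    fi
    echo "WooCommerce $version with $managers shop_manager account(s): update to $FIXED_VERSION now"
    return 0
}

# Live mode (assumption: run on the WordPress host with WP-CLI available).
# Both wp commands are standard WP-CLI; wp user list --format=count prints
# only the number of matching users.
if [ "${1:-}" = "--live" ] && command -v wp >/dev/null 2>&1; then
    assess "$(wp plugin get woocommerce --field=version)" \
           "$(wp user list --role=shop_manager --format=count)"
fi
```

Run it as `sh check-wc-7.0.1.sh --live` on each store; a zero exit status means the store is in the exposed configuration the reply describes. Sites that have delegated order handling to shop manager accounts are the ones to update first, but since the usermeta exposure depends on which plugins store secrets there, the safe reading of the release note is that every pre-7.0.1 install should be updated regardless of the verdict.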