WooCommerce 9.1.3 and 9.1.4 have been released
In this latest release, we’ve reverted a tracking feature due to unexpected spikes in usage and implemented a fix to harden against XSS vulnerabilities in the Product Button.
Why did we skip 9.1.3 as a stable version?
Upon creating a version tag for 9.1.3, we realized we needed some additional changes in order to fully harden the unescaped input vulnerability detected in the Product Button. As a result, we have published the latest stable version, 9.1.4, which includes those changes.
What’s in this release
⏮️ Revert – “Fix terms counts in wcadmin_product_add_publish Tracks event” #49797
In 9.1.0, we added this change, meant to handle tracking for product updates for users who are explicitly opted in to `WC_Tracker`. However, this change has caused an unusual spike in the product_add_publish event, and we are reverting the change as a result.
🛠️ Fix – Hardening against XSS via the Product Button unescaped attribute #50010
We’ve implemented a hardening fix to address potential XSS vulnerabilities, primarily targeting the misuse of WordPress filtering functionalities by plugins that inject unescaped user-provided data or improperly handle filtered outputs to the woocommerce_product_add_to_cart_text filter.
🛠️ Fix – Enhance escaping for block attributes #50015
We further updated the above hardening fix to escape block names.
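The two fixes above (#50010 and #50015) share one idea: escape at the point of output, for the context the value lands in, rather than trusting what a filter or a block attribute hands back. The sketch below is an added illustration and is not WooCommerce's code or the actual patch; the `demo_*` functions, the sample plugin callback and the sample values are constructed for the example, and the small stand-ins for `esc_html`, `esc_attr`, `add_filter` and `apply_filters` exist only so the file runs outside WordPress, where the real helpers are already defined.

```php
<?php
// Added illustration, not WooCommerce's own code: escaping the text returned
// through the woocommerce_product_add_to_cart_text filter and the block name
// used inside an attribute, so unescaped data from a third-party plugin or a
// block attribute cannot become markup.

// Stand-ins for the WordPress helpers so the file runs outside WordPress.
// Inside WordPress these functions already exist and the stand-ins are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('add_filter')) {
    $GLOBALS['demo_filters'] = [];
    function add_filter($hook, callable $callback) {
        $GLOBALS['demo_filters'][$hook][] = $callback;
        return true;
    }
    function apply_filters($hook, $value, ...$args) {
        foreach ($GLOBALS['demo_filters'][$hook] ?? [] as $callback) {
            $value = $callback($value, ...$args);
        }
        return $value;
    }
}

// "Before": the filtered text and the block name are concatenated raw.
// Kept only as the comparison side; this is the pattern the release note hardens.
function demo_render_button_unescaped(string $block_name): string {
    $text = apply_filters('woocommerce_product_add_to_cart_text', 'Add to cart');
    return '<a class="wc-block-' . $block_name . '">' . $text . '</a>';
}

// "After": each value is escaped for the context it is written into:
// esc_attr() for the class attribute, esc_html() for the element text.
function demo_render_button_escaped(string $block_name): string {
    $text = apply_filters('woocommerce_product_add_to_cart_text', 'Add to cart');
    return '<a class="' . esc_attr('wc-block-' . $block_name) . '">' . esc_html($text) . '</a>';
}

// Constructed third-party plugin callback that forwards a stored, user-provided
// label without escaping it, the misuse the release note describes.
add_filter('woocommerce_product_add_to_cart_text', function ($text) {
    $stored_label = 'Buy <b>now</b>';   // constructed sample of unescaped user data
    return $stored_label;
});

// Constructed block attribute value containing a quote character.
$block_name = 'button" data-demo="';

echo demo_render_button_unescaped($block_name), PHP_EOL;
echo demo_render_button_escaped($block_name), PHP_EOL;
```

Running the file shows the difference: in the unescaped output the `<b>` tag from the filter is live markup and the quote in the block name closes the `class` attribute and starts a new one, while in the escaped output both are rendered as literal characters. Note that the two escaping calls differ on purpose: attribute and text-node contexts need their own escaping, which is why the block-name fix (#50015) was a separate change from the filter-output fix (#50010).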