WooCommerce 9.4.3 has been released
This release focuses on crucial security improvements affecting URL handling, event data validation, and guest checkout controls.
We’ve also released WooCommerce 9.3.4 (backport).
What’s in this release
Harden wc_get_cart_url output against XSS vulnerabilities
🛠️ Update wc_get_cart_url() to only return permalinks rather than building the current URL manually (#53409)
In version 9.3, we modified the behavior of the wc_get_cart_url function. Previously, it returned only the cart page's permalink. With the update, the function began including the query string as part of the returned URL. While wc_get_cart_url was never explicitly documented to return an escaped URL, many plugins in the ecosystem were already properly escaping its output during rendering. However, for plugins that did not escape the output correctly, this change inadvertently increased the potential for vulnerabilities.
With an abundance of caution, and given how widely this function is used in the ecosystem, we've reconsidered the implementation of wc_get_cart_url to harden against XSS vulnerabilities, and we're backporting the change to WooCommerce 9.3. However, we strongly recommend that all plugin and extension developers ensure they are properly escaping URLs returned from functions like wc_get_cart_url.
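As an added example (not WooCommerce's own code), here is the rendering pattern the paragraph above warns about next to its hardened form, written as plugin code that assumes WordPress and WooCommerce are loaded; the my_plugin_ function names and the my_plugin_ref query parameter are hypothetical.

```php
<?php
/**
 * Added example, not WooCommerce code. Assumes WordPress + WooCommerce are
 * loaded so wc_get_cart_url(), esc_url(), esc_html__() and add_query_arg()
 * are available. Function names and the my_plugin_ref parameter are hypothetical.
 */

// Before: the returned URL is dropped straight into an attribute. Nothing here
// stops a quote or other unsafe character from ending the href attribute if
// the URL ever carries request-controlled data (as the 9.3 releases before
// 9.3.4 did by appending the query string).
function my_plugin_cart_link_unsafe() {
	return '<a href="' . wc_get_cart_url() . '">' . __( 'View cart', 'my-plugin' ) . '</a>';
}

// After: escape at the point of output, regardless of what the function is
// documented to return. esc_url() rejects disallowed protocols and strips or
// encodes characters that are not valid in a URL, so the value cannot break
// out of the attribute.
function my_plugin_cart_link_safe() {
	return '<a href="' . esc_url( wc_get_cart_url() ) . '">' . esc_html__( 'View cart', 'my-plugin' ) . '</a>';
}

// If a plugin relied on the query string being preserved, append only the
// parameters it actually needs. add_query_arg() expects values to be encoded
// already, so rawurlencode() them, then escape the finished URL on output.
function my_plugin_cart_link_with_ref( $ref ) {
	$url = add_query_arg( 'my_plugin_ref', rawurlencode( $ref ), wc_get_cart_url() );
	return '<a href="' . esc_url( $url ) . '">' . esc_html__( 'View cart', 'my-plugin' ) . '</a>';
}
```

The unsafe function is shown only for comparison; shipping code should follow the two escaped variants.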
Important Note About WooCommerce 9.3.4
If you’re running WooCommerce 9.3.x, you may not see an automatic prompt to update to 9.3.4. To manually update to this security patch, please download WooCommerce 9.3.4 directly from WordPress.org.
While you may see a prompt to update to 9.4.2, we recommend applying this security patch to your current version first if you’re not ready to upgrade to 9.4.x.
Other updates in 9.4.3
The following items are also included in 9.4.3:
🛠️ Validate and sanitize event data to prevent XSS attacks in Customize Your Store flow (#53405)
Credits: Reported by Antonio Spataro (@antoniospataro) and Antonio (@Antonio-R1).
🛠️ Fix/prevent guest checkout on Store API endpoint when guest checkout is disabled (#53407)