WooCommerce 9.7.1 has been released
This release includes important security fixes and hardening measures.
We’ve released important security improvements to enhance the protection of WooCommerce against XSS vulnerabilities. These updates focus on hardening the Cart and Checkout experiences by preventing potential attacks.
What’s in this release
Product Name XSS Fix – We’ve removed decodeEntities from product names used in the Cart & Checkout. This prevents cases where harmful scripts could be injected via product names (#56048). Thanks to savphill for reporting this.
Safer Coupon Notices in Shortcodes – Instead of appending text directly, we now append elements, reducing the risk of XSS in coupon notices. (#56047) – Thanks to kamilsevi for reporting this.
Refactored String-Based HTML in JavaScript – We replaced concatenated string-based HTML elements with createElement(), making the codebase more secure against potential script injection. (#56047)
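An added illustration (not WooCommerce code) of why decoding entities in a product name matters once the result is placed into HTML. The helpers decodeEntitiesLite, renderDecoded, renderAsReceived and tagsIn are hypothetical, and the product name is a constructed sample that uses a harmless <b> tag as the marker.

```javascript
// Added illustration: helper names are hypothetical, not WooCommerce code.

// Constructed sample: a product name as it might arrive already HTML-escaped.
// A harmless <b> tag stands in for attacker-controlled markup.
const ESCAPED_NAME = 'Blue &lt;b&gt;Mug&lt;/b&gt; &amp; Saucer';

// Simplified stand-in for an entity decoder; covers only the entities used here.
const ENTITY_MAP = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#039;': "'", '&amp;': '&' };
function decodeEntitiesLite(text) {
  // Single pass, so '&amp;lt;' becomes '&lt;' and is not decoded twice.
  return text.replace(/&(?:lt|gt|quot|#039|amp);/g, (entity) => ENTITY_MAP[entity]);
}

// "Before" pattern (assumed, simplified): decode, then concatenate into HTML.
function renderDecoded(escapedName) {
  return '<span class="product-name">' + decodeEntitiesLite(escapedName) + '</span>';
}

// "After" pattern (assumed, simplified): keep the entities encoded so the
// name stays inert text.
function renderAsReceived(escapedName) {
  return '<span class="product-name">' + escapedName + '</span>';
}

// Regression check: list the opening tags present in a piece of markup.
function tagsIn(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

console.log(tagsIn(renderDecoded(ESCAPED_NAME)));    // the name contributes its own tag
console.log(tagsIn(renderAsReceived(ESCAPED_NAME))); // only the template's tag
```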