WooCommerce 10.8: What’s coming for developers

Shani Banerjee Avatar
Shani Banerjee

β€’

WooCommerce 10.8 is beta is now live! Time to test!

This post is an overview of the features, updates, fixes, and advisories present in the beta release of WooCommerce 10.8. We encourage either downloading the latest zip or using the WooCommerce Beta Tester plugin to test-drive the upcoming release. Please add feedback directly to this post, join us on Slack, or create a discussion on GitHub.

Release Schedule:

Hey folks, on May 4th, we kicked-off our Beta ahead of the release of WooCommerce 10.8 As we begin the testing phase, and get the release ready, we wanted to share some spoilers and document any updates to the expected release timeline. 

Check back here for more updates ahead of the WooCommerce 10.8 release, scheduled for May 19, 2026.

What’s coming in 10.8

Orders REST API now guards against type mismatches

The Orders REST endpoint in 10.8 will reject PUT updates when the persisted order type isn’t shop_order, instead of silently coercing them. This is a correctness fix for data integrity, but a notable behavior change to validate (#64050).

If your extension or integration has been updating subscriptions or other custom order types through the orders endpoint, those calls will now return a rejection. We recommend running through your test suite against 10.8 beta and updating any code that relied on the old, more permissive behavior to use the appropriate endpoint for the order type in question.

A new product.published webhook topic

10.8 adds a product.published webhook topic, giving extensions and external systems a clean signal when a product transitions to published status (#63555).

This is useful for catalog sync, search indexing, downstream automation, and any workflow that previously had to poll or listen for broader product update events and filter for the publish transition. Existing product.created and product.updated webhooks continue to behave as they do today.

Performance: bounded filter caches and leaner draft order flows

Layered navigation and related caches are now capped by default to protect wp_options from unbounded growth under bot-driven filter exploration. A new filter, woocommerce_product_filter_cache_max_entries, controls the cap (default 1000, set to 0 for uncapped behavior) (#64039).

Draft checkout flows also avoid redundant DELETE queries when line items are cleared before the order exists, trimming unnecessary SQL during checkout sessions (#63890). Broader performance work continues across admin and storefront paths in this release.

Transactional email continues to mature

Work on the block-based email editor and transactional email pipeline continues, with refinements to the email renderer, template sync behavior, coupon-code flows with integration hooks, and REST/schema touchpoints for fulfillments and notes. This release also continues to lay groundwork for richer extensibility in the email editor ahead of broader rollout.

Shipping, blocks, and the long tail

10.8 includes a substantial volume of work across shipping partner suggestions and guided flows, cart and checkout block robustness (including emoji and DOM edge cases), classic cart template safety with filtered products, and reliability fixes aligned with WordPress 7.0. Watch the changelog for the full set.

Experimental features

GraphQL feature flag registration aligned with WordPress loading rules: For sites and extensions using the dual-code GraphQL infrastructure, feature flag registration has been deferred to rest_api_init to avoid early textdomain loads (#64332). This brings registration timing in line with WordPress loading expectations and resolves a class of warnings. The GraphQL dual code feature can now be explicitly enabled; however, due to this being WIP, we suggest not experimenting with it quite yet. Read more about the work in progress here (#63772).

Developer advisories

Orders REST API behavior change: As noted above, PUT requests to the Orders REST endpoint will now reject non–shop_order order types (#64050). If you maintain an extension that updates subscriptions or other custom order types, please re-test against 10.8 beta and migrate any affected code paths to the correct endpoint.

Security fix for guest fulfillment authorization: 10.8 includes a security fix for an authorization issue affecting guest order fulfillments over the REST API (#64130). The previous permission check compared get_current_user_id() to customer_id; for guests, both values were 0, which caused the check to evaluate true universally. Sites exposing fulfillment REST data should plan to upgrade promptly as part of normal patching.

Monorepo: pnpm 10: Contributors working in the WooCommerce monorepo should align their local tooling; the repo has moved from pnpm 9 to pnpm 10 with supply-chain-oriented settings (#63964). This doesn’t affect store runtime, only contributor and CI environments.

API Changes

Store API and Cart/Checkout API

  • extensionCartUpdate per-address control: overwriteDirtyCustomerData now accepts an object ({ shipping_address?: boolean, billing_address?: boolean }) in addition to a boolean, giving extensions finer-grained control over which address fields get overwritten. (#64032)
  • Checkout evidence validation: Prevents unintended order completion for orders without checkout context. (#62843)
  • Cached filter combinations cap: Limits transient growth from bot enumeration of filter URLs. (#64039)
  • Filter query var normalization: Equivalent filter combinations (e.g., filter_color=red,blue vs blue,red) now share the same cache entry. (#64041)

REST API

One behavior change to validate before upgrading clients:

  • Checkout-draft orders excluded from default order queries: REST API order queries with status=any no longer return checkout-draft orders. Consumers relying on draft orders appearing in unfiltered listings will need to explicitly pass status=checkout-draft. (#63743)

Schema and field updates:

  • Tax clarity in Orders REST schema: Schema descriptions now clarify tax inclusion/exclusion, and total_tax is added to inline refund data. (#63692)
  • Null meta handling in POST/PUT endpoints: Missing handling for null meta keys/values is fixed. (#63971)
  • New product.published webhook topic: Fires when a product is published β€” useful for integrations that previously had to listen to product.updated and filter. (#63555)

Security hardening:

  • PUT orders no longer convert other order types: PUT /wc/v(2|3)/orders/{id} will no longer convert non-shop_order records into orders. (#64050)
  • Guest fulfillment endpoint hardening: Unauthenticated access to guest order fulfillments via REST API has been closed. (#64130)
  • V4 products endpoint scope tightening: Sensitive fields (downloads, COGS, purchase note) are now stripped for users without product management capabilities. (#63895)
  • Store API related parameter: No longer allows arbitrary product IDs to bloat transients. (#63846)

Database updates

Schema changes: WooCommerce 10.8 includes four database migrations that run automatically on update. No action is required, but if you maintain client stores or extensions that touch order meta, analytics options, or transactional emails, here’s what’s running under the hood:

  • wc_update_1080_backfill_email_template_sync_meta β€” Backfills template sync metadata onto pre-existing block email posts so the new divergence detector can safely classify legacy installs as in-sync, core-updated-uncustomized, or core-updated-customized after future plugin updates. (#64364)
  • wc_update_1080_migrate_analytics_import_option β€” Migrates the scheduled analytics import preference to its renamed option, restoring scheduled imports for stores that updated through the 10.5.0 option rename. (#63808)
  • wc_update_1080_slim_orders_meta_key_index β€” Slims the meta_key_value index on wp_wc_orders_meta to track only the meta_key column, reducing index size and improving write performance on the HPOS orders meta table. (#63897)
  • wc_update_1080_create_review_order_page β€” Creates the new Review Order page used by the updated checkout flow. (#64628)

As always, back up your database before updating and test on staging first β€” especially if you have a large wp_wc_orders_meta table, since the index rebuild is the most resource-intensive of the four.

Data integrity and fixes

  • Periodic cleanup for place-order debug logs: Adds cleanup for debug log files and dangling order meta the existing batch processor didn’t cover. (#63756)
  • Duplicate wc_customer_lookup rows fix: Prevents duplicates when a guest registers via delayed account creation on the order confirmation page. (#63989)
  • HPOS cache cross-bleed fix: Resolves data cache bleed between order data store subclasses. (#64067)
  • Coupon lookup case sensitivity: Restores case-insensitive coupon lookups on databases with case-sensitive collations. (#63800)
  • Stale lookup table data on scheduled sales: Scheduled sale actions no longer leave lookup table data stale. (#63856)
  • Sale event scheduling on direct meta writes: Sale events now get scheduled when sale date meta is written directly, so sales activate on time for importers and integrations that bypass WooCommerce CRUD. (#64140)
  • Suppressed duplicate-key errors on table creation: Harmless duplicate key database errors logged during table creation on update are now suppressed. (#64188)

Changelog

View the full changelog.

Update timeline

Release calendar

Leave a Reply

Your email address will not be published. Required fields are marked *