WooCommerce 3.4.5 security/fix release notes.

WooCommerce 3.4.5 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites as soon as possible.

Versions 3.4.4 and earlier are affected by an issue where a function that updates attributes could lead to object injection. This is related to the WordPress 4.8.3 security release.

This issue can only be exploited by users who can edit attributes and should not be possible to exploit through the WordPress administrative screens, but we still recommend all users running WooCommerce 3.x upgrade to 3.4.5 to mitigate this issue. Thanks to slavco for responsibly disclosing the vulnerability to us.

As well as this security fix, ~23 commits made it into this release. The full changelog is below.

* Fix - Tweak sanitization when resetting password cookie. #20901
* Fix - Use `+` instead of `array_merge` when appending parent to tax class to fix issues with numeric tax class names. #20916
* Fix - Correct translation for North Khorasan. #20972
* Fix - Unify scroll-to notices for all browsers. #20992
* Fix - Prevent multiple slashing of variation's SKU. #21019
* Fix - Variation image in fullscreen now shows correct caption for the respective image. #21022
* Fix - Vertically center admin order action buttons. #21053
* Fix - Correct context for shipping packages translation. #21065
* Fix - Add permission checks for installing Jetpack on the setup wizard. #21072
* Fix - Use refund currency instead of store default currency when displaying refund amount in the edit order screen. #21106
* Fix - Fix a typo in REST API customer schema. #21171
* Fix - Use entire sentence for checkout address_2 placeholder string. #21186
* Fix - Only suppress comments number on unsupported theme shop page. #21191
* Fix - Don't allow users without manage_product_terms permissions to create categories using the product importer. #21192
* Fix - Correct sale coupon restriction logic. #21219

Download the latest release of WooCommerce here or venture over to Dashboard → Updates to update your plugins from WordPress.

As usual, if you spot any other issues in WooCommerce core please log them in detail on Github, and to disclose a security issue to our team, please submit a report via HackerOne here. Comments on this post are closed.


Keep yourself in the loop!

This field is hidden when viewing the form
This field is hidden when viewing the form
This field is hidden when viewing the form


2 responses to “WooCommerce 3.4.5 security/fix release notes.”

  1. I dont understand this part “and should not be possible to exploit through the WordPress administrative screens”. Can you please clarify or rephrase?

    1. It shouldn’t be possible to exploit the vulnerability through the create/edit product admin screens.

Leave a Reply

Your email address will not be published. Required fields are marked *