WooCommerce 3.5.2 is now available. This release patches a number of bugs, adds compatibility with the Twenty Nineteen theme and with PHP 7.3, and fixes one security issue. Versions 3.5.1 and earlier are affected by a stored XSS vulnerability through the API which can be exploited by users with write-access API keys, and we recommend all users running WooCommerce 3.x upgrade to 3.5.2 to mitigate it. Thanks to Karim for disclosing this vulnerability.
Important: If you will be using the Twenty Nineteen theme included with WordPress 5.0 or if you will be using PHP 7.3, you should also be using WooCommerce 3.5.2+. In this release we’ve added the necessary styling for stores to look nice in the Twenty Nineteen theme and made backwards-compatible code tweaks to prevent notices and warnings when running PHP 7.3.
~87 commits made it into this release and the full changelog is below.
* Enhancement - Added compatibility for Twenty Nineteen theme. #21970
* Update - Prepare WooCommerce for PHP 7.3. #22009
* Tweak - Updates the signature field type to "password" in PayPal settings for increased security. #21715
* Tweak - Change the filter name in the /myaccount/lost-password-confirmation.php template to differentiate it from another filter with the same name and a different message. #21829
* Tweak - Reintroduce Preview button by popular demand with the understanding that the Preview will only work on some product fields. It was removed from published products in 3.5.0 to prevent confusion. #21838
* Tweak - Add tool to system status tools for running the DB update routine. #21923
* Tweak - Revert default behavior for `woocommerce_formatted_address_force_country_display` filter to maintain backwards compatibility. #21865
* Tweak - Update products block notice for WP 5.0. #21930
* Tweak - Use wp_kses_post instead of esc_html for sanitizing product titles to allow minimal HTML in product titles. #21936
* Tweak - Use dedicated woocommerce_add_order_again_cart_item to filter cart item data when ordering again. Prevents issues with applying woocommerce_add_cart_item out of context. #21947
* Tweak - Remove postal code for Angola, São Tomé and Príncipe since they don't use postal codes and update locale info. #21984 #21985 #21987
* Fix - Metadata with array key of 0 can save properly. #21641
* Fix - Prevent deleting the default product category via REST API. #21696
* Fix - Fix 'Table does not exist' messages on System Status Report in multisite. #21706
* Fix - Add dynamic SSL check to dashboard SSL notice to prevent misdiagnosing that sites aren't set up with SSL. #21738
* Fix - Don't show escaped HTML in admin order item details for fees. #21769
* Fix - Don't include draft variable products in on sale product results. #21778
* Fix - Add woocommerce_hold_stock_minutes check back to stock check in cart/checkout. #21797 #22050
* Fix - Fix potential undefined index notice on checkout fields when comparing the sort order. #21801
* Fix - Throw an error when trying to set a variation as the parent of a variation in the CSV importer. #21810
* Fix - Make "account erasure request" text translatable. #21812
* Fix - Display notices on Order Pay page. #21821
* Fix - Fix tax rate uploading by file path. #21831
* Fix - Make wc_download_log_permission_id constraint creation work better on multisites and multiple sites using the same DB. #21836 #21940
* Fix - Don't render undecoded HTML entities in variation dimensions. #21844
* Fix - Do not check for stock when not managing stock or when backorders are enabled when paying through the order-pay page. #21849
* Fix - Apply priority field sorting on additional filters to make it apply on the edit address pages as well. #21856
* Fix - Fix export and edit of attribute labels with HTML-encoded special characters in product CSV exporter. #21864
* Fix - Prevent fatal error when rendering plaintext customer invoice email. #21879
* Fix - Prevent fatal error when delivering webhooks using v3 API. #21921
* Fix - Prevent undefined variable notice in wc_increase_stock_levels. #21928
* Fix - Fix over-escaping image output on product widget. #21929
* Fix - Croatian Kuna symbol should be lowercase. #21934
* Fix - Fixed an error when deleting logged entries when using the 'WC_Log_Handler_DB' handler. #21949
* Fix - Update ShipStation plugin info so install works through setup wizard. #21953
* Fix - Use dynamic DB table name in product list table shipping class query. #21954
* Fix - Log file date/time should be in UTC and not site timezone, as per the +00:00:00 string appended to it. #21981
* Fix - Set customer's country to selling country when only selling to one country and default customer location is 'none'. #21995
* Fix - Change new account email copy to be compatible with auto-generated accounts. #21999
* Fix - Correct aria-labelledby attribute for quantity selectors. #22000
* Fix - Show notices on lost password page. #22001
* Fix - Fix authentication errors when using the REST API with 3rd-party authentication. #22013
* Fix - Fix issues where potentially not all active plugins were included on the system status report. #22057
* Fix - Make PDT validation use the same rounding as the IPN validation to prevent erroneous totals mismatch. #21729
Download the latest release of WooCommerce here or venture over to Dashboard → Updates to update your plugins from WordPress.
As usual, if you spot any other issues in WooCommerce core please log them in detail on Github, and to disclose a security issue to our team, please submit a report via HackerOne here.