WooCommerce 10.4.3: Dot Release

WooCommerce 10.4.3 patches a Store API security vulnerability affecting guest order data, fixes the cart shortcode “Undo” removal action, resolves an HPOS sync-on-read loop issue, and adds automatic BGN to EUR currency transition for Bulgarian stores ahead of the January 2026 Euro adoption.

What’s in this release

Fixes and Updates

Bulgaria Currency Transition: WooCommerce now automatically switches Bulgarian stores from BGN to EUR on January 1, 2026, when Bulgaria officially adopts the Euro. No action needed from store owners—the transition happens automatically based on server time. (#62478)

Cart Shortcode Undo Fix: 10.4.3 reverts an issue stemming from a regression in 10.4.2 where the “Undo” link after removing a cart item did not work in the cart shortcode. The removed_cart_contents data was being cleared too early, preventing item restoration. (#62529)

HPOS Sync-on-Read Fix: We resolved an issue where HPOS sync-on-read could trigger an infinite loop of webhooks and Analytics events. When the posts table’s modified date was ahead of the HPOS version, sync operations would repeatedly re-enqueue the same events. This fix ensures modified dates stay in sync and disables sync-on-read during Analytics import and webhook processing.(#62532)

Security Patch: Store API Guest Order Data Exposure

A vulnerability in WooCommerce’s Store API allowed authenticated users to access guest customer order details through a specific API endpoint. The issue affected versions 8.1 through 10.4.2 and has been patched in 10.4.3. Read our full developer advisory for more information.

Who should update?

Given the security patch, we encourage all stores to update to WooCommerce 10.4.3. All WooCommerce stores hosted by Automattic, including on WordPress.com, WordPress VIP, Pressable, or those hosted via WP Cloud, were automatically updated or patched once the patch was released.