WooCommerce 2.3.11 was released tonight. Be careful and make really sure to create a backup of your site. Out of personal experience, it is to be said that the update process seems to be a little buggy. When I updated from 2.3.9 to 2.3.11 my database became corrupted. Patching to 2.3.10 first solved this problem.
Still, this is a very important update because a mayor security leak called, ‹Object Injection Vulnerability› caused by PayPal. In this way it is possible to get direct access on files on the server, including the wp-config.php that contains the database password and location. In that way it is highly recommended to update immediately or deactivate PayPal until you can do this.
Changelog:
- Fix – Check if rating is enabled before check if rating is required to a review.
- Fix – get_discounted_price needs to check if taxes are enabled.
- Fix – Fixed filetype check for digital downloads.
- Fix – Newfoundland and Labrador state rename.
- Fix – Escaped js in widget layered nav when use the dropdown option.
- Fix – Switch the permissions check for json_search_products to use the read_product capability.
- Fix – Fixed the addition of variable products using the Order API.
- Fix – Sale item exclusion logic for variations.
- Fix – Clear correct variation stock transients when setting stock.
- Fix – Switch to JSON to avoid unserializing untrusted data when handling responses from PayPal.
- Fix – API – Fixed the sanitization for downloadable files on products endpoint.
- Tweak – woocommerce_downloadable_file_exists filter.
