WooCommerce 3.5.2 was released on November 28 as security, fix and compatibility update. It fixes a security issue in WooCommerce 3.5.1 and earlier which allowed XSS by users with write-access API keys. Besides the fixed vulnerability this update brings support for the latest PHP 7.3 and Twenty Nineteen theme.
The tweaks:
- Updates the signature field type to «password» in PayPal settings for increased security.
- Change the filter name in the /myaccount/lost-password-confirmation.php template to differentiate between other filter with same name and different message.
- Reintroduce Preview button by popular demand with the understanding that the Preview will only work on some product fields.
- Add tool to systems status tools for running the DB update routine.
- Revert default behavior for `woocommerce_formatted_address_force_country_display` filter to maintain backwards compatibility.
- Update products block notice for WP 5.0.
- Use wp_kses_post instead of esc_html for sanitizing product titles to allow minimal HTML in product titles.
- Use dedicated woocommerce_add_order_again_cart_item to filter cart item data when ordering again. Prevents issues with applying woocommerce_add_cart_item out of context.
- Remove postal code for Angola, São Tomé and Príncipe since they don’t use postal codes and update locale info.
The fixes:
- Metadata with array key of 0 can save properly.
- Prevent deleting the default product category via REST API.
- Fix ‹Table does not exist› messages on System Status Report in multisite.
- Add dynamic SSL check to dashboard SSL notice to prevent misdiagnosing that sites aren’t set up with SSL.
- Don’t show escaped HTML in admin order item details for fees.
- Don’t include draft variable products in on sale product results.
- Add woocommerce_hold_stock_minutes check back to stock check in cart/checkout.
- Fix potential undefined index notice on checkout fields when comparing the sort order.
- Throw an error when trying to set a variation as the parent of a variation in the CSV importer.
- Make «account erasure request» text translatable.
- Display notices on Order Pay page.
- Fix tax rate uploading by file path.
- Make wc_download_log_permission_id constraint creation work better on multisites and multiple sites using the same DB.
- Don’t render undecoded HTML entities in variations dimensions.
- Do not check for stock when not managing stock or have backorders enabled when paying through the order-pay page.
- Apply priority field sorting on additional filters to make it apply on the edit address pages as well.
- Fix export and edit of attribute labels with html encoded special characters in product CSV exporter.
- Prevent fatal error when rendering plaintext customer invoice email.
- Prevent fatal error when delivering webhooks using v3 API.
- Prevent undefined variable notice in wc_increase_stock_levels.
- Fix overescaping image output on product widget.
- Croatian Kuna symbol should be lowercase.
- Fixed an error when deleting logged entries when using the ‹WC_Log_Handler_DB› handler.
- Update ShipStation plugin info so install works through setup wizard.
- Use dynamic DB table name in product list table shipping class query.
- Log file date/time should be in UTC and not site timezone as per the +00:00:00 string appended to it.
- Set customer’s country to selling country when only selling to one country and default customer location is ’none›.
Change new account email copy to be compatible with auto-generated accounts. - Correct Aria-Labelledby attribute for quantity selectors.
- Show notices on lost password page.
- Fix authentication errors when using the REST API with 3rd-party authentication.
- Fix issues where potentially not all active plugins were included on the system status report.
- Make PDT validation use the same rounding as the IPN validation to prevent erroneous totals mismatch.
Remember to create a backup before installing a update.
(Picture Courtesy of Yuri Samoilov)
