WooCommerce 3.5.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites as soon as possible.
Versions 3.5.3 and earlier are affected by issues related to file upload sanitization and customer user name disclosure. We’ve also hardened the order key generation and implemented a fix for the design flaw RipsTech outlined when WooCommerce is deactivated. We recommend all users running WooCommerce 3.x update to 3.5.4 to mitigate these issues. Thanks to Slavco and Vishal for reporting these issues.
~132 commits made it into this release and the full changelog is below.
* Fix - Security issues.
* Tweak - Allow limited html in woocommerce_rating_filter_count filter. #21904
* Tweak - Remove 'on-hold' orders from admin tax reports for more logical reporting. #22419
* Tweak - Remove payment phrases from processing emails. #22418
* Tweak - Removed display of cost for local pickup when free. #22446
* Fix - Unescape CSV formulas in product attributes in CSV importer/exporter. #21938
* Fix - Remove use of non-existing WC_REST_Dev_Setting_Options_Controller class. #22121
* Fix - Fix edge case where get_plugins would not have the custom WooCommerce plugin headers if
Download the latest release of WooCommerce here or venture over to Dashboard → Updates to update your plugins from WordPress.