WooCommerce 9.4.3 and WooCommerce 9.3.4 available now

WooCommerce 9.4.3 has been released

This release focuses on crucial security improvements affecting URL handling, event data validation, and guest checkout controls.

We’ve also released WooCommerce 9.3.4 (backport).

Current Stable Tag

WooCommerce 9.4.3

Also available:

WooCommerce 9.3.4

What’s in this release

Harden wc_get_cart_url output against XSS vulnerabilities

๐Ÿ› ๏ธ Update wc_get_cart_url() to only return permalinks rather than building the current URL manually (#53409)

In version 9.3, we modified the behavior of the wc_get_cart_url function. Previously, it returned only the cart page’s permalink. With the update, the function began including the query string as part of the returned URL. While wc_get_cart_url was never explicitly documented to return an escaped URL, many plugins in the ecosystem were already properly escaping its output during rendering. However, for plugins that did not escape the output correctly, this change inadvertently increased the potential for vulnerabilities.

Out of an abundance of caution, and aware of how this function is used in the ecosystem, we’ve reconsidered the implementation of wc_get_cart_url to harden it against XSS vulnerabilities, and we’re backporting the change to WooCommerce 9.3. However, we strongly recommend that all plugin and extension developers ensure they are properly escaping URLs returned from functions like wc_get_cart_url.
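The escaping recommended above, shown as an added example that is not WooCommerce's own code: a hypothetical plugin function that outputs the cart URL in an HTML attribute and in an inline script. It assumes WordPress with WooCommerce active; the function name, CSS class, text domain, JavaScript variable and hook choice are illustrative.

```php
<?php
/**
 * Added example (hypothetical plugin code, not from WooCommerce).
 * Assumes it is loaded by WordPress with WooCommerce active.
 */
defined( 'ABSPATH' ) || exit;

function example_render_cart_links() {
	if ( ! function_exists( 'wc_get_cart_url' ) ) {
		return; // WooCommerce is not loaded.
	}

	$cart_url = wc_get_cart_url();

	// Unsafe pattern, kept commented out: raw output trusts whatever the
	// function returns, which in 9.3 could include the request's query string.
	// echo '<a href="' . $cart_url . '">Cart</a>';

	// HTML attribute context: esc_url() rejects disallowed protocols and
	// cleans the value for display in markup.
	printf(
		'<a class="example-cart-link" href="%s">%s</a>',
		esc_url( $cart_url ),
		esc_html__( 'View cart', 'example-textdomain' )
	);

	// JavaScript context: emit the URL as a JSON string literal instead of
	// concatenating it into script source. JSON_HEX_TAG and JSON_HEX_AMP keep
	// '<', '>' and '&' out of the inline script body.
	printf(
		'<script>window.exampleCartUrl = %s;</script>',
		wp_json_encode( esc_url_raw( $cart_url ), JSON_HEX_TAG | JSON_HEX_AMP )
	);
}
add_action( 'wp_footer', 'example_render_cart_links' );
```

Escaping at the point of output keeps the plugin safe regardless of which WooCommerce version supplies the URL.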


Important Note About WooCommerce 9.3.4

If you’re running WooCommerce 9.3.x, you may not see an automatic prompt to update to 9.3.4. To manually update to this security patch, please download WooCommerce 9.3.4 directly from WordPress.org.

While you may see a prompt to update to 9.4.2, we recommend applying this security patch to your current version first if you’re not ready to upgrade to 9.4.x.


Other updates in 9.4.3

The following items are also included in 9.4.3:

๐Ÿ› ๏ธ Validate and sanitize event data to prevent XSS attacks in Customize Your Store flow (#53405)

 ๐Ÿ› ๏ธ Fix/prevent guest checkout on Store API endpoint when guest checkout is disabled (#53407)

Reposted from WooCommerce
