We’ve just started rolling out automatic updates with patches for WooCommerce 3.5–6.3. This fix contains important security improvements for the PayPal Standard payment gateway (deprecated since July 2021). Please make sure to update your site if you don’t get the update automatically.
For users who still run the PayPal Standard payment gateway, we strongly recommend switching to the PayPal Payments plugin, as PayPal Standard is no longer actively developed. We’ve prepared a handy upgrade guide to make the migration process easier.
All users of older WooCommerce versions (pre-3.5) need to disable PayPal Standard and migrate to the PayPal Payments plugin to be safe, if they wish to continue using PayPal.
Please find below the list of fix releases:
| Fix releases |
|---|
| 6.3.1 |
| 6.2.2 |
| 6.1.2 |
| 6.0.1 |
| 5.9.1 |
| 5.8.1 |
| 5.7.2 |
| 5.6.2 |
| 5.5.4 |
| 5.4.4 |
| 5.3.3 |
| 5.2.5 |
| 5.1.3 |
| 5.0.3 |
| 4.9.5 |
| 4.8.3 |
| 4.7.4 |
| 4.6.5 |
| 4.5.5 |
| 4.4.4 |
| 4.3.6 |
| 4.2.5 |
| 4.1.4 |
| 4.0.4 |
| 3.9.5 |
| 3.8.3 |
| 3.7.3 |
| 3.6.7 |
| 3.5.10 |
55 replies on “WooCommerce 3.5.10–6.3.1 Security releases”
Will Pay for Payment for WooCommerce work with this plugin?
It would be best to check with the ‘Pay for Payment for WooCommerce’ plugin author to be sure. If it doesn’t, please let them know that PayPal Standard is no longer supported and they should start supporting the new plugin.
It does work since it’s in the payment tabs.
Great 💡
Unfortunately, the support of PayPal Payments is kind of useless.
You keep advertising the new PayPal plugin without any mention that one needs PayPal Reference Transactions to use it with WooCommerce Subscriptions. But Reference Transactions is only available after you personally call (!) PayPal and they deem you worthy of this feature. Small WooCommerce sites like mine are not able to get it. So this new PayPal plugin is useless for me. If you ever decide to end support for PayPal Standard, I will have to move my WooCommerce setup including WC Memberships, WC Subscriptions and Sensei to some other solution. I have mentioned this several times in different places and have never received any feedback on this. Am I the only WooCommerce customer with this problem? Are you aware of this problem?
And the guide on Reference Transactions has been outdated for a while now. PayPal does not have an “email form” to contact them anymore. You can delete that whole part. https://woocommerce.com/document/paypal-reference-transactions/#section-1
So, if anyone out there finds this: Instead of calling PayPal, you can use their “Messenger” feature. That is a superbly stupid chat bot at first, but if that bot can’t help you, the exchange is sent to an actual person. So you start your conversation with that bot until it gives up. At the end you get an opportunity to clarify to the customer service person reading this what you actually want.
I got a message back with a bunch of questions:
Business information:
Business name
Business URL
Current/anticipated monthly sales via PayPal only
Number of repeat customers
Integration information:
Please describe what you intend to use the product for.
Do you or your buyers need to initiate each subsequent payment themselves or are they processed automatically without any customer involvement?
Will this service be enabled within your website, mobile app integration, or both?
Are you integrating through another payment service provider, such as Worldpay or Ingenico?
Do you require the Reference Transactions product for use with your Shopping Cart to offer Subscriptions? (For example Woo-Commerce, Charge-Bee.)
I sent them my answers back. I’m not very hopeful that they will give me Reference Transactions. But you never know, and at least I didn’t have to deal with a call center and explain all of the above to some random person.
It can take up to 10 days for them to get back to me.
Getting PayPal to turn on reference transactions is like pulling teeth. Avoid the chat and phone support, which are both worthless. Email them directly at payflow-support@paypal.com
They did come back to me, but for starters they want to see at least $10,000 processed per month before even considering it.
I’m definitely shocked too at the direction WooCommerce is moving in. Scary when you look at the review ratings for the new PayPal Payments plugin. Are we really supposed to be installing that on our live sites? 😨
They ended support for the older PayPal plugin this month. It is no longer actively developed.
Thanks for letting me know. I wasn’t aware of that. I am pretty angry and frustrated I have to say. Other paid plugins using Reference Transactions actually help their customers. Not so much WooCommerce. I used to love WordPress. Have been using it since 2005. But the last few years have been very rough. I feel completely ignored as a user.
You are not alone in this, Jati. I will not accept new PayPal restrictions; they are fraudulent anyway, holding my payments and sneaking into my website.
The PayPal payments plugin is still buggy, to say the least. But the WooCommerce guys wouldn’t know that as they do not use it in their own store.
I use Stripe and it’s listed as ‘use your credit card’. I’ve been using that for the last two years with no problems. After the customer chooses a service with a monthly contract, I have it set to automatically set up recurring payments and send invoices and receipts through Stripe. And it’s all set up within the Stripe dashboard. Stripe is owned by Wells Fargo. By far the best to use: standard CC processing rates, automatic deposits to your bank next day, recurring subscriptions, nice invoices, integrates with the Woo dashboard. No hassles.
Oh, BTW, I use a signature plugin to capture authorization before it takes payment. If you do check my site, I apologize; a recent update moved the signature fields and I just have to take the time to correct it.
Yes, Stripe is great. I have been using them parallel to PayPal for years now. Good service, fair prices. They offer a lot of other payment methods besides credit cards, too!
If we have disabled Paypal Standard under the Payments tab, and are instead using a custom integration with Paypal… Are we still vulnerable here, or are we protected and should treat this update as a standard plugin update (as opposed to a “you better get this installed ASAP security update”)?
If you disable PayPal Standard, then you’re no longer vulnerable.
As long as the PayPal integration of subscriptions isn’t working in the same way as in PayPal Standard, it’s not possible to switch. We tried switching and users can’t order subscriptions anymore. I’m very sorry – I really would like to use the new PayPal Payments plugin.
I’m absolutely furious that Woo is abandoning PayPal Standard when PayPal Payments is CLEARLY not ready for production. What the heck are you folks thinking? And why did you force install Woocommerce Payments in this release? Very heavy-handed.
I’m absolutely furious that Woo is abandoning PayPal Standard when PayPal Payments is CLEARLY not ready for production. What are you people thinking?
And, why the heck did you force-install yet another payment gateway – WooCommerce Payments – in this release? This is very heavy-handed.
Hi, sorry to hear you’re having issues with the PayPal Payments. Can you please be more specific about the way it’s not working for you so that we can work on improving it, please?
This is just a security update with no further changes. We didn’t force install WooCommerce Payments. It has been shown in the list of Payment options in Settings for several releases already with an Install button next to it. You should be able to hide it via the three dots menu to the left of the Install button. Hope that helps!
Thank you.
This update has been applied automatically to my clients websites, despite the fact auto-updates are not enabled. I am not happy with this as I have some customisations and also I like to test any updates first.
Is this a one off or are we going to be getting more auto-updates without warning in the future?
This was a one-off due to the security vulnerability. Also, we don’t plan to force update on all security fixes, only for the serious ones.
OK, thank you for clarifying. Auto-updates cause a huge problem for me due to a customisation I’ve made. Is there a way of warning users instead so they can update themselves?
No it is not a one-off. We had an automatic security update around version 5.8.1.
The update failed and broke a number of sites I am hosting where the WooCommerce plugin directory is a symbolic link. It was able to remove all files through the symbolic link, but unable to put the new ones in. Thus the plugin was effectively removed from all of my sites. In some cases the sites were broken with a white screen of death due to other plugins that depended on WooCommerce with code assuming availability of certain functions etc. This went unnoticed for several days.
Is there a mailing list I can join to be informed of this type of update before it is applied?
I will also log the issue on GitHub.
Strictly speaking, you’re right, it’s not a one-off. In the history of WooCommerce, I think there were 3 instances where we opted to backport a patch for security reasons.
As with every update, we need to consider and weigh the potential of breaking the plugin for some users to help others and this was one such instance, where we decided it’s probably better to patch more versions and roll out automatic updates. We’re sorry to hear it caused problems for you. Thanks for your feedback, we are considering giving a heads up before rolling out backports in the future and will keep our users informed via the dev blog.
Is this issue also fixed by the (automatic) upgrade for the older versions?
https://developer.woocommerce.com/2022/02/22/woocommerce-6-2-1-security-fix/
The issue has been fixed in all versions listed in the blog post, so e.g. 6.2.2 is fixed, but 6.2.1 is vulnerable. Hope that makes it clear.
Hi Peter,
Thanks for the reply. The linked article is only about the security fix for version 6.2.x, while the last update from 10th March was also targeted at older versions. That’s why I ask: is the problem addressed in the security fix for 6.2.1 included in the updates for previous versions, for example version 5.9.1 or 5.7.2?
Let me ask it differently, are versions like 5.9.1 or 5.7.2 vulnerable?
Ah, I see what you mean now. The problem addressed in the 6.2.1 release is only fixed in later releases, i.e. 6.2.2, 6.3.0, and 6.3.1.
The security problem fixed by 6.2.1 has a lower potential impact, thus we didn’t backport it to the previous releases. In other words, that means e.g. 5.9.1 still has some security flaws. That’s why we always recommend running the latest version of WooCommerce.
Thanks Peter, that was exactly the information I needed 🙂
After this update, Woocommerce disappeared from my site, and displayed a critical error message. I had to remove the Woocommerce files from the plugins folder and reinstall. Then it came back. Any idea why this would happen?
Sorry, no idea. If you still have the critical error message, please post it here or open an issue in GitHub so that we can investigate. Thank you!
I had the same problem. It broke several sites and went unnoticed for several days. The automatic update process is clearly very bug-ridden and bug-riddled.
Currently trying to make the switch to the PayPal Payments plugin but despite “Pay Later on Checkout” being unselected, clicking “Enable buttons on Checkout” enables both the PayPal and PayPal Later buttons. Am I missing something?
Hi John!
I’m sorry you’re having trouble. I see why this can be confusing, as there’s a disconnect between the “Pay Later” button and the “Pay Later” message (the small line of text with offers from PayPal that you see above the buttons) which the settings screen doesn’t properly convey.
I’ve reported this to the developers (https://github.com/woocommerce/woocommerce-paypal-payments/issues/543) and hopefully we’ll make things clearer in a future version.
In the meantime, a workaround would be to completely disable the “Pay Later” button, which you can accomplish by going to WooCommerce > Settings > Payments > PayPal, scrolling down to “Hide Funding Source(s)” and choosing “Pay Later”.
Hi Jorge. Thanks for replying – I’ve disabled the Pay Later option and it’s working as expected now. 🙂
Given the fact the plugin mentioned has a current rating of 1.7/5 and hundreds of unsolved issues, I doubt many people will be willing to trial this on a production site.
PayPal are now ringing multiple times a week for the “fast and easy” switchover and their agents literally do not know why.
This has been extremely poorly planned and executed, and the proof is in the reviews.
Paypal support is ridiculous, these days. As other people noted before, the NEW suggested versions don’t actually work properly (just check ratings and reviews!) and especially when used with subscriptions, Paypal will NOT enable “reference transactions” on your account if you don’t already make certain figures… basically they won’t enable a feature that would allow you to make money…. if you don’t already make plenty money. It’s a very dumb egg and chicken problem (if we want to think nicely) or a strategy to get rid of small customers on Paypal’s side…. they don’t want me? I don’t want them, then.
Exactly. PayPal told me they need to see at least $10,000 processed per month to even consider it …
So I contacted PayPal as described above via their “Messenger” service and I will not get Reference Transactions anytime soon.
Their response:
“Due to the nature in which payments are received via Reference Transactions, we tend to see a higher level of fraud and risk compared to our other payment flows. For this reason, the Reference Transaction Feature is considered a high-risk product. This requires us to have certain thresholds before we can consider applications. For example we require a minimum of $10,000 USD per month or more when processing. Since this requirement has not been met we can not continue forward with your application.”
$10,000 per month with PayPal alone … That’s a lot, at least for me. And that is only one “example threshold”.
I don’t know why WooCommerce thinks that it is a good idea to make this obscure PayPal feature mandatory for WooCommerce Subscriptions.
How can people like me voice their concerns about this in a way that is actually listened to @peterfabian1000
From what I just learned: This is more PayPal’s fault than WooCommerce’s. Still a frustrating situation … But maybe we do have to drop PayPal. I wouldn’t miss them. Don’t like that company anyway 😦
We hear you, @jati. Thanks for following up here with the useful information. If you want to reach out, we have a community slack where we can discuss this more: https://woocommercecommunity.slack.com/
I’m sure our development advocacy folks would be also happy to chat with you. cc @lsinger
Thank you and sorry for getting angry. I understand that it’s hard to work on something and communicate it at the same time to a non-technical audience. Especially if you can’t talk freely about the details anyway. But still: It is very useful to understand the why behind a decision. This is why I follow channels like this one although I am not a developer.
We decided to drop PayPal for new subscriptions and we will “nudge” existing subscribers towards a different payment method.
I don’t like PayPal either, but since most customers know it, I use PayPal Standard; I don’t know whether that is right or wrong.
But I would be very happy to be able to drop PayPal: high fees, and it meddles far too much.
We did the same. I suspect that paypal “suggested” to the woo folks to use this feature (which works by default in sandbox) without telling them they would be pushing back so much when customers actually want it enabled in production…. which means, for the time being “bye bye paypal”, for many. Maybe it’s part of a strategy on paypal side to actually get rid of customers…
Since upgrading WooCommerce on or around March 16, my online orders have been getting declined because the source IP (mine) and the customer IP on the transaction are the same (which they shouldn’t be; it should be wherever the customer is), so the bank is declining the transaction thinking it is fraud. The hosting company says PHP is returning the proper IP addresses, so they think it is WooCommerce sending incorrect info. Anyone else with this issue, or a resolution?
Hello, since this update my customers see an empty cart if they are not logged in, which is costing me many transactions and new customers. How can I fix the problem?
Please confirm this is not another enforced ‘security update’ that will break my sites.
I have automatic updates switched off for a good reason – one of them being as described at https://github.com/woocommerce/woocommerce/issues/32111 and the associated WordPress bug https://core.trac.wordpress.org/ticket/15134 that has not been fixed in 11 years.
I have not had time to come up with a convenient solution to prevent security updates for specific plugins that are symlinked as described in https://wordpress.org/support/article/configuring-automatic-background-updates/#plugin-theme-updates-via-filter but really I think this is NMFP.
Given that Automattic now owns WooCommerce, if WooCommerce want to force-push certain updates, isn’t it about time that Automattic start fixing some of the years-old bugs in the WordPress update system?
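For the symlinked-plugin breakage raised in the comments above (the updater deletes files through the link and then cannot write the new ones), one defensive option is to decline automatic plugin updates, forced security backports included, for any plugin whose directory is a symlink and surface the skipped update to administrators so it is applied by hand. This is an added example, not code from WooCommerce or from the WordPress documentation linked above; it uses the WordPress `auto_update_plugin` filter, assumes the standard `WP_PLUGIN_DIR` layout, and the option name `example_skipped_symlink_updates` is a hypothetical choice.

```php
<?php
/**
 * Added example: skip WordPress automatic updates for symlinked plugins.
 * Place in wp-content/mu-plugins/ so it loads before the automatic updater runs.
 * Declined updates include forced security releases, so the admin notice below
 * is what keeps the manual update from being forgotten.
 */

add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // $item->plugin is the plugin basename, e.g. 'woocommerce/woocommerce.php'.
    if ( empty( $item->plugin ) ) {
        return $update;
    }
    $dir = dirname( $item->plugin );
    if ( '.' === $dir ) {
        return $update; // single-file plugin: no directory to be symlinked
    }
    $path = trailingslashit( WP_PLUGIN_DIR ) . $dir;
    if ( ! is_link( $path ) ) {
        return $update; // real directory: leave core's decision unchanged
    }

    // Record what was skipped (hypothetical option name) so it can be applied manually.
    $skipped = get_option( 'example_skipped_symlink_updates', array() );
    $skipped[ $item->plugin ] = array(
        'version' => isset( $item->new_version ) ? $item->new_version : 'unknown',
        'time'    => time(),
    );
    update_option( 'example_skipped_symlink_updates', $skipped, false );
    return false; // decline the automatic update for this plugin
}, 10, 2 );

// Show administrators which automatic updates were declined and still need applying.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $skipped = get_option( 'example_skipped_symlink_updates', array() );
    if ( empty( $skipped ) ) {
        return;
    }
    foreach ( $skipped as $plugin => $info ) {
        printf(
            '<div class="notice notice-warning"><p>Automatic update of %s to %s was skipped because its directory is a symlink. Update it manually.</p></div>',
            esc_html( $plugin ),
            esc_html( $info['version'] )
        );
    }
} );
```

Clear the recorded entries (or delete the option) once the plugin has been updated by hand, otherwise the notice keeps showing.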
Thanks for your feedback. Unfortunately, there is really no way for us to be able to tell if this update will break your particular site. The number of reports about stuff breaking has been low for this set of releases.
We would of course welcome improvements to the WordPress update system, as we rely on it, but it depends on the community and the priorities of the open-source project.
We’re trying to use this force-update exception process very rarely so that it doesn’t break people’s sites.
Sorry, but one thing isn’t clear to me: is it mandatory to switch to PayPal Payments? Can’t we keep Standard? From what I read, activating it would require a monthly turnover that my site doesn’t have. What do I do?