What’s in this release

Fixed attribute options being incorrectly disabled in the Add to Cart with Options block for variable products whose attribute slugs contain hyphens. The issue occurred because PHP passes attribute names as slugs (e.g., some-name) while the Store API returns labels with spaces (e.g., some name), causing strict comparisons to fail. The fix updates normalizeAttributeName() to replace hyphens with spaces, ensuring consistent normalization across all comparison points. #63647

Newly installed payment gateways now appear above offline payment methods instead of being placed at the bottom of the list. Previously, installed gateways were buried below others, preventing them from being expanded by default on checkout. The updated placement logic inserts new gateways above the offline payment group unless merchants have customized the ordering. #63648

Shipping package titles in the shortcode now displays as “Shipment” instead of “Shipment 1” when only one package is present. The get_shipping_package_name() method now receives the total package count, allowing it to conditionally name single packages as “Shipment” while multiple packages continue to show numbered labels like “Shipment 1” and “Shipment 2”. #63649

The post WooCommerce 10.6.1: Dot Release appeared first on The WooCommerce Developer Blog.

What’s Coming in 10.6

• What’s Coming in 10.6
• Product Collections get more intuitive
• Visual refinements on Cart and Checkout Blocks
• Our commitment to improving performance continues
• More new features and updates
• API Updates
• Other important information
• Database updates
• Changelog
• Get WooCommerce 10.6
• Code Contributors

Product Collections get more intuitive

• Product Collection: Handpicked Products should start with product picker #62989
• Products by Brand: journey starts with brand picker #63023
• Products by Tag/Category: journey starts with taxonomy picker #62993

New updates to Product Collections include more collection options (including Products by Brand) and a better interface for selecting products, categories, or other configurations when adding a new collection to a page.

Visual refinements on Cart and Checkout Blocks

• Position the remove button to the right of the quantity picker and use trash icon instead of text #62965
• Move product sale badge alongside individual prices in cart and update design #63012

The Cart and Checkout Blocks continue to get design polish and improvements, including a new trash icon for removing items from the cart, cleaner font sizes and spacing for more compact product meta information, and an updated price savings badge.

Our commitment to improving performance continues

• Recent Reviews widget: address slow SQL query (take 2) #63224
• Products: reduce the number of SQLs when rendering related/upsell products. #63006
• Admin: optimize SQL fetching dates for month filter on orders page #63039
  and many others

Database efficiency improves across the board in WooCommerce 10.6. Checkout and admin pages execute fewer SQL queries through smarter caching and deferred cleanup tasks. The Recent Reviews widget now loads asynchronously to prevent admin lockouts, while product pages benefit from consolidated cache management that reduces redundant queries for related and upsell products.

More new features and updates

Menu Order Sorting for Product Filters

• Taxonomy Filters: add option to order terms by menu_order #62940

Product Filters blocks now respect custom taxonomy ordering, allowing merchants to display categories and brands in the exact order they’ve set via drag-and-drop in the WordPress admin.

See more info

Tax calculations can now include shipping costs for stores needing compliance

• Add filter for tax-inclusive shipping prices #62944

A new filter enables tax-inclusive shipping pricing for EU compliance, allowing merchants to display fixed shipping costs that remain constant regardless of VAT rate—essential for meeting consumer protection laws in Germany, Switzerland, and other EU countries.

See more info

Use the filter to always return true, or else add custom logic based on the customer’s location:

add_filter( 'woocommerce_shipping_prices_include_tax', '__return_true' );

add_filter( 'woocommerce_shipping_prices_include_tax', '__return_true' );CopyCopied

API Updates

Other important information

Changelog

Code Contributors

The post WooCommerce 10.6: Enhanced blocks and a faster dashboard appeared first on The WooCommerce Developer Blog.

Looking to grow your network and connect with others in the ecommerce space? Join us for a 60-minute panel discussion with community leaders who’ve built thriving networks and want to help you do the same. We’re excited to welcome Amber Hinds (Equalize Digital), Mary Hubbard (Executive Director, WordPress), and Raquel Manriquez (PressConf)—people with real experience organizing meetups, running conferences, and bringing professionals together across ecosystems. We’ll have an honest conversation about what makes events worth attending, how to build meaningful connections, and practical ways to grow your community and your store.

Whether you’re an agency looking to connect with merchants, a freelancer searching for collaborators, or a developer who’s never felt like a “community person,” you’ll walk away with concrete ideas you can act on. We’ll cover how to start or reboot a meetup, get more value from conferences, and tap into networks that lead to real outcomes—clients, hires, partners, and solutions to tough builds. Stick around for live Q&A at the end and bring your questions!

NOTE: This event will be recorded and posted for those who can’t make it. Feel free to pre-submit questions in the comments below or in our Community Slack.

The post Join us for our “Building Ecommerce Community” Live Event appeared first on The WooCommerce Developer Blog.

What’s in this release

Improves Store API batch endpoint security by fixing path validation that could allow malicious requests to bypass nonce checks. The fix properly parses the URL path and validates that it starts with /wc/store, ensuring batch requests only reach intended Store API endpoints. #63501

For more information on this update, please read our full advisory: Store API Vulnerability Patched in WooCommerce 5.4+ – What You Need To Know.

The post WooCommerce 10.5.3: Dot release appeared first on The WooCommerce Developer Blog.

The vulnerability was reported through Automattic’s bug bounty program. As soon as the vulnerability was reported, we began investigating whether it had been exploited and initiated development of patches for all affected versions.

Our engineering team has developed patches for all 52 affected versions of WooCommerce and has worked with the WordPress.org Plugins Team to auto-update impacted sites. As of 14:00 UTC, March 02, 2026, the update is being automatically rolled out to stores that are opted in to auto updates. All WooCommerce stores hosted by Automattic, including on WordPress.com, WordPress VIP, Pressable, or those hosted via WP Cloud, were automatically updated or patched once the patch was released.

What information could be exposed?

If exploited, the vulnerability could have exposed full admin access, including customer order information such as names, email addresses, phone numbers, shipping and billing addresses, types of payment methods used, items purchased, and associated metadata (such as product customizations). 

No passwords, credit cards, or other financial details would have been exposed.

What actions do I need to take?

Check your WooCommerce version:

1. From your WordPress Admin dashboard, click the Plugins menu item, or select “Updates.”
2. Look for WooCommerce in your list of plugins.
3. The version number should be displayed in the Description column next to the plugin name.
4. If you are running WooCommerce version 5.3 or earlier, you are not affected by this vulnerability.
5. If your current version of WooCommerce is 10.5.3, no further action is necessary.
6. If you are running WooCommerce version 5.4 to 10.5.2, please update immediately.

If a new version is available for download, you should see a notice guiding you to update WooCommerce — please update as soon as possible.

How do I know if my version is up to date?

Below you can find the full list of patched versions of WooCommerce. If you are running an unpatched version of WooCommerce, please update to a patched version immediately.

Patched WooCommerce versions

Unpatched version					Patched version
5.4.0 — 10.5.2

5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4                          -> 5.4.5
5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4                          -> 5.5.5
5.6.0, 5.6.1, 5.6.2                                        -> 5.6.3
5.7.0, 5.7.1, 5.7.2                                        -> 5.7.3
5.8.0, 5.8.1                                               -> 5.8.2
5.9.0, 5.9.1                                               -> 5.9.2
6.0.0, 6.0.1                                               -> 6.0.2
6.1.0, 6.1.1, 6.1.2                                        -> 6.1.3
6.2.0, 6.2.1, 6.2.2                                        -> 6.2.3
6.3.0, 6.3.1                                               -> 6.3.2
6.4.0, 6.4.1                                               -> 6.4.2
6.5.0, 6.5.1                                               -> 6.5.2
6.6.0, 6.6.1                                               -> 6.6.2
6.7.0                                                      -> 6.7.1
6.8.0, 6.8.1, 6.8.2                                        -> 6.8.3
6.9.0, 6.9.1, 6.9.2, 6.9.3, 6.9.4                          -> 6.9.5
7.0.0, 7.0.1                                               -> 7.0.2
7.1.0, 7.1.1                                               -> 7.1.2
7.2.0, 7.2.1, 7.2.2, 7.2.3                                 -> 7.2.4
7.3.0                                                      -> 7.3.1
7.4.0, 7.4.1                                               -> 7.4.2
7.5.0, 7.5.1                                               -> 7.5.2
7.6.0, 7.6.1                                               -> 7.6.2
7.7.0, 7.7.1, 7.7.2                                        -> 7.7.3
7.8.0, 7.8.1, 7.8.2, 7.8.3                                 -> 7.8.4
7.9.0, 7.9.1                                               -> 7.9.2
8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4                          -> 8.0.5
8.1.0, 8.1.1, 8.1.2, 8.1.3                                 -> 8.1.4
8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4                          -> 8.2.5
8.3.0, 8.3.1, 8.3.2, 8.3.3                                 -> 8.3.4
8.4.0, 8.4.1, 8.4.2                                        -> 8.4.3
8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4                          -> 8.5.5
8.6.0, 8.6.1, 8.6.2, 8.6.3                                 -> 8.6.4
8.7.0, 8.7.1, 8.7.2                                        -> 8.7.3
8.8.0, 8.8.1, 8.8.2, 8.8.3, 8.8.4, 8.8.5, 8.8.6            -> 8.8.7
8.9.0, 8.9.1, 8.9.2, 8.9.3, 8.9.4                          -> 8.9.5
9.0.0, 9.0.1, 9.0.2, 9.0.3                                 -> 9.0.4
9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5                   -> 9.1.6
9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4                          -> 9.2.5
9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5                   -> 9.3.6
9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.4.4                          -> 9.4.5
9.5.0, 9.5.1, 9.5.2, 9.5.3                                 -> 9.5.4
9.6.0, 9.6.1, 9.6.2, 9.6.3                                 -> 9.6.4
9.7.0, 9.7.1, 9.7.2                                        -> 9.7.3
9.8.0, 9.8.1, 9.8.2, 9.8.3, 9.8.4, 9.8.5, 9.8.6            -> 9.8.7
9.9.0, 9.9.1, 9.9.2, 9.9.3, 9.9.4, 9.9.5, 9.9.6            -> 9.9.7
10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5             -> 10.0.6
10.1.0, 10.1.1, 10.1.2, 10.1.3                             -> 10.1.4
10.2.0, 10.2.1, 10.2.2, 10.2.3                             -> 10.2.4
10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.3.7   -> 10.3.8
10.4.0, 10.4.1, 10.4.2, 10.4.3                             -> 10.4.4
10.5.0, 10.5.1, 10.5.2                                     -> 10.5.3

Has customer data been compromised?

At this time, we have no evidence that orders or customer data were accessed as a result of this issue.

I’m a developer, agency, or hosting provider. Should I alert my clients?

Yes. We strongly encourage anyone who supports or develops for WooCommerce merchants to:

• Share this information with clients running WooCommerce 5.4 or higher.
• Verify that all client sites are updated to patched versions.
• Monitor client sites for any suspicious activity related to this vulnerability.

Hosting providers may want to consider proactive outreach to affected customers and expedited auto-updates where possible.

What’s the best approach to running a secure WooCommerce store?

While security vulnerabilities can arise in any software, we work diligently to identify, patch, and communicate about them as quickly as possible. The WooCommerce team takes security seriously and maintains active bug bounty programs to encourage responsible disclosure of vulnerabilities. We recommend that merchants use the most up-to-date, patched version of WooCommerce.

This particular vulnerability highlights the importance of being vigilant about links you click while logged into WordPress admin. CSRF attacks rely on tricking administrators into visiting malicious pages through suspicious emails, fake support requests, or compromised websites. To reduce your risk, consider using a separate browser or profile exclusively for WordPress admin access, log out when not actively managing your site, and always verify URLs before clicking links — especially those from unexpected emails, social media, or forum posts. If you suspect you’ve been targeted, immediately change your admin password and review recently created user accounts for unauthorized additions.

To keep your store secure:

• Always keep WooCommerce and all plugins up to date.
• Use strong passwords and two-factor authentication.
• Regularly back up your site.
• Monitor your site for unusual activity.

I have other questions

If you have any further concerns or questions regarding this issue, our team of Happiness Engineers is on hand to help. Open a support ticket.

We will continue to update this post as more information becomes available.

The post Store API Vulnerability Patched in WooCommerce 5.4+ – What You Need To Know appeared first on The WooCommerce Developer Blog.

Maintenance schedule

Who is affected?

This maintenance will impact users of the Mailchimp for WooCommerce extension as well as any custom integrations that use the Mailchimp API to sync WooCommerce data. If you’ve built an extension that syncs customer information, orders, or triggers automated workflows through Mailchimp’s API, your integration will experience brief interruptions during this window.

Expected impact

During each 10-minute interruption, integrations will encounter API connection failures including 503 Service Unavailable responses and timeout errors. Customer subscription requests may fail temporarily, order data sync will be delayed, and abandoned cart emails may not trigger during the interruption. Users may see connection error messages in their WordPress admin dashboard.

Additional resources

Check Mailchimp’s status page at status.mailchimp.com for real-time updates during the maintenance window. The official Mailchimp for WooCommerce extension is available on the WooCommerce Marketplace.

If you’re still seeing issues after the scheduled maintenance windows, please reach out to Mailchimp Support.

Note: This is a third-party service maintenance event. WooCommerce and WordPress core are not affected. Only integrations communicating with Mailchimp’s API will experience temporary interruptions.

The post Mailchimp API Maintenance on February 28, 2026 appeared first on The WooCommerce Developer Blog.

Hey folks, on Monday, February 16, 2026, we kicked-off our Feature Freeze ahead of the release of WooCommerce 10.6. As we begin the testing phase, and get the release ready, we wanted to share some spoilers and document any updates to the expected release timeline. 

Check back here for more updates ahead of the WooCommerce 10.6 release, scheduled for March 10, 2026. 

What’s coming in 10.6

Performance optimizations continue to deliver measurable improvements

Database efficiency sees notable gains, with checkout pages executing fewer SQL queries through deferred transient deletion #63118, while admin pages benefit from additional query reduction via options priming.

The Recent Reviews widget now loads asynchronously, preventing admin lockout scenarios when review data causes errors #63224. Cache priming has been consolidated across product data stores, reducing redundant queries when loading related and upsell products #62998, #62999.

Additional optimizations include product attribute lookup tables for downloadable product checks #62966, posts cache priming in order retrieval #63006, and streamlined month filter SQL on the orders page #63039.

Product Collection user experience improvements

WooCommerce 10.6 replaces “No products to display” placeholder with immediate, intuitive product selection interfaces. When inserting Hand-picked Products, Products by Category, Products by Tag, or Products by Brand collections, users now see searchable picker interfaces right away instead of empty states #62989, #63023.

Brands now have first-class support through a dedicated collection type with the new ProductBrandControl component #63023.

Builders and theme developers building product grids will find block configuration significantly more intuitive, while extension developers can reference these patterns for creating custom collection types with searchable, hierarchical selection interfaces.

Additional block refinements

Product Filters blocks now support menu order sorting for core taxonomies that allow custom ordering #62940.

The Product Reviews block has been updated to properly display admin replies to reviews #63161.

Cart and Checkout block refinements

Work continues on visual improvements to the block-based Cart and Checkout.

The remove item control has been redesigned as a trash icon positioned to the right of the quantity picker, replacing the previous text link below items #62965. Sale badges now appear inline beside total prices with updated styling instead of below individual line items #63012, while product variations and metadata display inline with separators rather than as vertical lists for more compact presentation #62873.

A new font-x-small-locked CSS mixin leveraging --wp--preset--font-size--x-small provides consistent small text sizing across cart components #62866.

API changes & experimental features

The Add to Cart with Options (Beta) block is now fully integrated with the product store for all product types, ensuring consistent data handling and state management #62880. The block now also includes better support for product variations, including options to handle pre-selected options and disabled options #61389.

Experimental REST API caching improvements
Caching capabilities are being extended to more endpoints. This release adds caching for taxes, currencies, countries, and continents endpoints along with additional validation. Learn more about this beta feature by reading Call for testing: Experimental REST API Caching in WooCommerce 10.5

Experimental block-based email editing improvements
Work on our block-based email editor continues to move forward with key improvements including a new SlotFill for extensibility, full-width alignment support for product images, better Product Collection block rendering with two-column layouts, VideoPress embed support, and fixes for template selection modal responsiveness.

Introduced a new woocommerce_shipping_prices_include_tax filter enabling tax-inclusive shipping pricing for EU compliance. Previously, WooCommerce always treated shipping costs as net prices with tax added on top, making it impossible to display fixed shipping costs required by consumer protection laws in Germany, Switzerland, and other EU countries. This filter allows developers to calculate shipping costs as gross (tax-inclusive), ensuring customers pay exactly the advertised amount regardless of whether 19% or 7% VAT applies. #62944

Developer Advisories

Product images are now lazy-loaded by default in WooCommerce 10.6 – WooCommerce 10.6 introduces lazy loading for Product Image block by default. Developers can customize this behavior using the new woocommerce_product_image_loading_attr filter.

Second parameter of woocommerce_get_breadcrumb may be null for Core Breadcrumbs block in WooCommerce 10.6 – WooCommerce 10.6 introduces an integration with the WordPress Core Breadcrumbs block, but developers using this filter may need to add a null check.

Restricting per_page for Product and ProductReview Store API Requests in WooCommerce 10.6 – WooCommerce 10.6 introduces a minimum per_page value of 1 for products StoreAPI endpoints. Developers using per_page=0 will need to implement pagination instead.

Changelog

View the full changelog.

Update timeline

The post WooCommerce 10.6: What’s coming for developers appeared first on The WooCommerce Developer Blog.

How can developers tell if they are affected?

Since the default per_page has always been 10, the only people affected are those intentionally calling these endpoints with per_page=0. After updating, the REST API will begin returning 400 status codes indicating that per_page must be between 1 and 100.

What action do developers need to take if affected?

The correct approach is for any developer using per_page=0 on these endpoints to begin using per_page=100&page={page} requests to load the products in batches. We would also encourage even smaller batches to improve response times when the data is being served directly to users.

In the interim, however, the following snippet will re-enable support for per_page=0 on these routes:

<?php
add_filter( 'rest_endpoints', function ( $endpoints ) {
    $routes = array( '/wc/store/products', '/wc/store/products/reviews' );
    foreach ( $routes as $route ) {
        if ( ! isset( $endpoints[ $route ] ) ) {
            return $endpoints;
        }
        foreach ( $endpoints[ $route ] as &$handler ) {
            if ( isset( $handler['args']['per_page'] ) && is_array( $handler['args']['per_page'] ) ) {
                $handler['args']['per_page']['minimum'] = 0;
            }
        }
    }
    return $endpoints;
});

This change will be included in WooCommerce 10.6, currently scheduled for March 10, 2026.

Related PR: woocommerce/woocommerce#61755

The post Restricting per_page for Product and ProductReview Store API Requests in WooCommerce 10.6 appeared first on The WooCommerce Developer Blog.

Important change: Second parameter may now be null

The woocommerce_get_breadcrumb filter signature is:

apply_filters( 'woocommerce_get_breadcrumb', array $crumbs, WC_Breadcrumb|null $breadcrumb );

Previously, the second parameter ($breadcrumb) was always an instance of WC_Breadcrumb. With this change, when the filter is called from the Core Breadcrumbs block context, the second parameter will be null.

How can developers tell if they are affected?

You are affected if all of the following are true:

1. Your site uses the WordPress Core Breadcrumbs block (not WooCommerce’s Store Breadcrumbs block!).
2. You have code that hooks into the woocommerce_get_breadcrumb filter.
3. Your filter callback uses the second parameter ($breadcrumb) and assumes it’s always a WC_Breadcrumb object.

Note: If you’re using WooCommerce’s Store Breadcrumb block (woocommerce/breadcrumbs), this change does not affect you. The second parameter will continue to be a WC_Breadcrumb instance as before. This advisory only applies when using the WordPress Core Breadcrumbs block (core/breadcrumbs).

Example of potentially affected code:

add_filter( 'woocommerce_get_breadcrumb', function( $crumbs, $breadcrumb ) {

    //  This will cause an error when called from Core Breadcrumbs block context
    $breadcrumb->add_crumb( 'Custom Crumb', '/custom-url/' );

    return $crumbs;
}, 10, 2 );

What action do developers need to take if affected?

If your filter callback uses the second parameter, add a null check before using it:

add_filter( 'woocommerce_get_breadcrumb', function( $crumbs, $breadcrumb ) {

    //  Safe: Check if $breadcrumb is available before using it
    if ( $breadcrumb instanceof WC_Breadcrumb ) {
        $breadcrumb->add_crumb( 'Custom Crumb', '/custom-url/' );
    }

    return $crumbs;
}, 10, 2 );

If your callback only modifies the $crumbs array (the first parameter) and does not use the second parameter, no changes are required:

add_filter( 'woocommerce_get_breadcrumb', function( $crumbs ) {

    //  This will continue to work without changes
    $crumbs[] = array( 'Custom Crumb', '/custom-url/' );

    return $crumbs;
} );

This change will be included in WooCommerce 10.6, currently scheduled for March 10, 2026.

Related PR: woocommerce/woocommerce#62770

The post Second parameter of woocommerce_get_breadcrumb may be null for Core Breadcrumbs block in WooCommerce 10.6 appeared first on The WooCommerce Developer Blog.

The default behavior can be customized with the new woocommerce_product_image_loading_attr filter. It filters the loading attribute for product images.

Parameters:

• string $loading_attr – The loading attribute. Default 'lazy'.
• int $image_id – Target image ID.

Allowed values: lazy, eager, and auto. Any other value will result in default browser behavior.

How can developers tell if they are affected?

If your store uses the Product Image block, this change will affect you. Product images will now be lazy loaded by default, which can improve initial page load performance.

What action do developers need to take if affected?

In most cases, no action is needed—lazy loading is the recommended behavior for performance. However, if you need to change the loading behavior (for example, to eager load above-the-fold images), use the new woocommerce_product_image_loading_attr filter.

This change will be included in WooCommerce 10.6, currently scheduled for March 10, 2026.

Related PR: woocommerce/woocommerce#62829

The post Product images are now lazy-loaded by default in WooCommerce 10.6 appeared first on The WooCommerce Developer Blog.

What’s in this release

Reverts previous PRs to fix compatibility issues with add-to-cart button being disabled in variable products. #63262
WooCommerce 10.5 introduced a regression affecting stores that customize or dequeue variation-handling scripts, preventing variable products from being added to cart. Despite updates in 10.5.1, some users continued experiencing issues, with changes inadvertently causing add-to-cart buttons to become disabled in certain store configurations. This release reverts the original changes to restore functionality.

The post WooCommerce 10.5.2: Dot Release appeared first on The WooCommerce Developer Blog.

The post March Office Hours: Testing, testing appeared first on The WooCommerce Developer Blog.