Order Form for WooCommerce XSS and +/- fixes

Order Form for WooCommerce version 1.3.3 has just been released. It fixes some potential XSS (cross-site scripting) vulnerabilities in the plugin, and improves compatibility with some themes.

Inspired by the recent disclosure of potential security vulnerabilities allowing XSS attacks, I’ve given the codebase an audit and fixed some things. The risks for site compromise were pretty low, but better to have them fixed than hanging out there waiting for a botnet to test those risks.

While I was in there, I also added a fix for some popular themes that add +/- buttons to quantity fields. WooCommerce prior to version 2.3 used to do that by default, and shipped a script that told the Order Form plugin when those buttons were clicked. Since WooCommerce 2.3, that functionality has been moved into a plugin called WooCommerce Quantity Increment. Some themes implement the +/- buttons themselves, e.g. the very popular Enfold theme, and this release of Order Form for WooCommerce makes the +/- buttons in those themes work too.

+/- buttons on Order Form in Enfold

If you have Order Form for WooCommerce and a theme that adds its own +/- buttons, and this version doesn’t fix those buttons, let me know. I’ll take a look at why and work a fix into the next release.
