This past week, WooCommerce developers released version 3.4.6. This release patches a security issue affecting all previous versions, and it’s strongly recommended that you update your WooCommerce sites as soon as possible.
Versions 3.4.5 and earlier are affected by a handful of issues that allow Shop Managers to exceed their capabilities and perform malicious actions. These issues can be exploited by users with Shop Manager capabilities or greater, and we recommend all users running WooCommerce 3.x upgrade to 3.4.6 to mitigate them.
The full changelog is below:
* Fix - Security issues
* Fix - Allow percent coupons with sale restrictions to apply to carts with sale items in them. #21241
* Fix - Prevent multiple slashing of variation's SKU. #21019
Download the latest release of WooCommerce here or venture over to Dashboard → Updates to update your plugins from WordPress.
There is one breaking change in this release. Previously, Shop Managers were allowed to edit all roles except admins. This was much more permission than Shop Managers needed for their role. With this release, Shop Managers can only edit users with the Customer role by default, and there is a whitelist of roles that Shop Managers can edit.
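
If a store needs Shop Managers to edit more than Customers, the whitelist can be extended through WooCommerce's `woocommerce_shop_manager_editable_roles` filter. The snippet below is an added example, not code from the WooCommerce project or this announcement; the `subscriber` role, the capability deny-list and the `example_` names are assumptions chosen for illustration. It only admits roles that carry no user-management or site-administration capabilities, so the whitelist cannot re-open the escalation path this release closes.

```php
<?php
/**
 * Added example (not WooCommerce's own code): extend the Shop Manager
 * editable-role whitelist while refusing any role that could be used
 * to escalate privileges. Intended for a small site-specific plugin.
 */

// Assumed deny-list: a role holding any of these is never whitelisted.
const EXAMPLE_DANGEROUS_CAPS = array(
    'manage_options', 'manage_woocommerce',
    'edit_users', 'create_users', 'delete_users', 'promote_users',
    'install_plugins', 'activate_plugins', 'edit_plugins',
    'edit_themes', 'unfiltered_html',
);

/**
 * Return true only if the role exists and holds none of the
 * capabilities on the deny-list above.
 */
function example_role_is_safe( $role_slug ) {
    $role = get_role( $role_slug ); // WP_Role, or null if unknown.
    if ( null === $role ) {
        return false;
    }
    foreach ( EXAMPLE_DANGEROUS_CAPS as $cap ) {
        if ( $role->has_cap( $cap ) ) {
            return false;
        }
    }
    return true;
}

/**
 * Filter callback: $roles defaults to array( 'customer' ).
 */
function example_shop_manager_editable_roles( $roles ) {
    // Hypothetical requirement: Shop Managers may also edit subscribers.
    $roles[] = 'subscriber';

    // Re-check the whole list, including roles added by other plugins
    // that hooked this filter earlier, and drop anything unsafe.
    $roles = array_filter( array_unique( $roles ), 'example_role_is_safe' );

    return array_values( $roles );
}
// Late priority so the safety check runs after other callbacks.
add_filter( 'woocommerce_shop_manager_editable_roles', 'example_shop_manager_editable_roles', 99 );
```

After deploying a change like this, log in as a Shop Manager and confirm that administrator and other privileged accounts still cannot be edited from the Users screen.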