WC 8.5 is not secure.
“The WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 8.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Additional Information From WooCommerce Slack:

For those who are not yet aware, on Tuesday there was an issue with our release of 8.5. The problem was identified, we reverted the stable tag to 8.4 (effectively preventing 8.5 from being downloaded further) and communicated the known issue in the release notes.

The issue has since been fixed. However, for the sake of comprehensive testing around the fix release and in order to address a few other minor problems, we are delaying version 8.5.1 until Monday, January 15th. We are digging into how the issue was able to be released and will be addressing this internally as necessary to prevent future disruptions.

I would also like to acknowledge the general lack of communication around this issue until now. This is another area we are investigating and are hopeful to improve in the future. Thank you for your patience as we get this fully resolved.”