tufty

The wc-stripe logs had the answer. “This typically happens when you have multiple webhooks setup for the same Stripe account. This order most likely originated from a different site.”

It was a dev copy of the site with emails suspended but Woo Subscriptions was not in staging mode, and it was spitting out renewals that were trying to report back to the live site webhook.

Thanks for this. It was a bit alarming. Your plugin is rock solid ??

Hi @bbtr as I understand this, it is not a vulnerability that affects the security of your site. Instead this is something a third party can use your resources for to execute something bad from a weblink that they present to the victim.

https://portswigger.net/web-security/cross-site-scripting/reflected

This is expressed in the severity score of 6.1, ie. medium, not critical. So suspending your site pending the fix would probably not be proportionate. And in any case it appears from the Woocommerce note that simply activating the Woocommerce marketplace before installing 8.5 would avoid the bug.

Personally, I’ll wait for the fix. If it was really serious I’m sure they would have it out by now.

There’s a bug in 8.5.0 so they stopped further downloads

Please note: this release contains a known issue that may cause fatal errors if the Marketplace feature is disabled. Learn more about this issue and workarounds.

We have rolled back the stable tag to version 8.4.0. This temporary measure is to halt further updates to version 8.5.0 until we implement a necessary fix. As a result, the option to update to 8.5.0 will not be available during this period.

We will make an announcement once the fix is released.

https://developer.woo.com/2024/01/09/woocommerce-8-5-0-released/

Hi @mikes41720 yes I have Yoast Premium. And the issue is that I found the invitation to consent in the user profile page as well as the Yoast settings page, in a deceptive way. You have to understand that while AI is undoubtedly a very powerful tool, it also has serious privacy concerns and I need a great deal of control and transparency when I use it. I don’t appreciate being pushed into something like that.

+1 here on both 4.6.0 and 4.6.1

Wonderful, thank you! I don’t need the premium features, as this is a great free plugin, but I’ve just bought it anyway, as I recognise that it takes work to maintain.

This is the last plugin in over 100 on my store showing incompatibility with HPOS. We have a pretty big db, so I am anxious to migrate to HPOS as soon as possible. Judging by the lack of timeline at all, it won’t be this year, so I think I will have to find something else. ??

I’d be super curious what issue is more important than the plugin not working at all on new sites. And if they aren’t too bothered about large successful sites who most need to use HPOS, then who their actual customer base is?

But either way, judging by this and the lack of response in other tickets, anyone wanting to use HPOS had better make alternative arrangements. Fast.

Hi Nick, I believe this can be done with a free (or paid) MaxMind local database and no need for an API. The cost of the API is not even the biggest issue, but the external dependency and privacy issues of needing a 3rd party connection to operate are very undesirable for me. I have just played around with If-So. It has an impressive set of features, but some big gotchas, so I’m holding off for now.

Hi there, it is odd that you have marked the issue as resolved when it certainly isn’t resolved with this plugin. I am trying to tell you that when a perfectly reasonable modification is made to the login page, and (only) a password reset is attempted, your plugin unexpectedly fails to retrieve the keys to send the email.

The server stack I use has a wp-config.php and also a user-configs-php file which persists on pushing to staging. I use the former so the keys are deleted on push to staging because you do not have the facility to disable emails on staging automatically in this plugin (I have suggested this as a feature).

Surprisingly, the reset seems to work as expected when the keys are in user-configs.php, but not when in wp-config.php. I realise this represents even more of a non-standard environment for you to cater for, but I hope this gives you a better background as to why the problem is occurring so that you can fix it.

In the meantime, I have resolved this issue by using a different plugin, WP Offload SES lite, which just works.

Hi Amimul,

What do you mean by “reconfigure the SES connection”? I am sure the configuration is fine as it works for all emails except this particular edge case where the password reset page url is changed. This suggests that the plugin has the credentials but does not send them in this particular circumstance.

I don’t have that table in my database. Are you sure you are reviewing the right plugin?

Hello there and thank you very much for replying. But that is not what I am suggesting at all. What I know many people would find useful is for a regular setup on a production site to convert automatically to staging mode without intervention when the live site is pushed to staging.

Yes I can certainly stop emails by switching them off on staging or other ways such as this https://en-gb.www.ads-software.com/plugins/disable-emails/

But my suggestion is really for those times when you start a push to staging and get distracted and forget to switch the emails off when it is finished pushing. Or someone simply forgets that you have to do that. That’s whey it would be helpful to have it off by default for staging sites.

Yes and no. See this thread: https://www.ads-software.com/support/topic/sync-only-specific-user-roles/

Broadly it is possible given some custom development and M. Froger is planning to add more explicit support at some stage. You can also achieve quite a lot by creating custom roles with different capabilities. So the user on one site would still be synced but would have a role on the other side with no capabilities.

Still, it would be even better to have users arrive on the other side with no role rather than default role if there is no role specified.