What does urgently patch security wise as 1.9.6 breaks too much?

What does urgently patch security-wise? While it is great that you fix holes immediately and there is idealism in not mentioning the security hole, seeing the reported bugs for 1.9.6 we see ourselves forced not to update (1.9.6 breaks Polylang functionality / password resets / filters, etc.). The choice between the lesser of two evils… The security patch could be incorporated into 1.9.5 if you mention what it is.

Hi @Mike8040,

It patches a “Remote Code Execution” vulnerability so updating is very important.

Btw did you report the Polylang issue? Apart from the experimental filters, I could see your earlier report regarding the search element but with an edit saying that you were able to fix it: WAIT: Search element, 404 error for second language result page [Polylang] - #3 by Mike8040

Please correct me if I’m wrong or if you have another report I may have missed.

OK, thanks for the clarification. Sounds like no choice but to update. And yes, I reported a Polylang search issue. But those are two different issues. The one I fixed was that the search result page was blank for the secondary language search result page because the base URL needed to be defined.

The other one I reported today is that the search results show products of both or all languages in the search results page, and this happens without the new search filter feature and with 1.9.5. I found that issue testing the security patch version on the staging and comparing the live site with 1.9.5, where this issue is also present.

Is this vulnerability present in lower versions? Or does this only apply to 1.9.6?

Yes, it affects lower versions as well, not just 1.9.6.