Shopp 1.3.9 Maintenance Release

We are pleased to announce that the Shopp version 1.3.9 maintenance release (Project Cydonia) is now available. It addresses a large number of issues affecting Shopp version 1.3.8, including fixes for critical security vulnerabilities.

You can read about the new features and improvements introduced in version 1.3 on the announcement post Shopp 1.3 Upgrades WordPress Ecommerce for Everyone.

As of Shopp 1.3.2, you can upgrade from any prior release of Shopp (version 1.0.x-1.2.x). It is strongly recommended that you back up your database before attempting the upgrade from earlier point-releases (1.0, 1.1 or 1.2). For full instructions, read Upgrading to Shopp 1.3.

Shopp 1.3.9 includes important fixes that address duplicate order submissions caused by faulty JS, and potential CSRF/XSS vulnerabilities that were responsibly disclosed. We strongly recommend updating all Shopp 1.3 installs to Shopp 1.3.9.

Below is the log of changes that landed in the Shopp 1.3.9 release:

1.3.9 Improvements

  • Added a taxonomy filter for collections rewrite so that it may be modified (slug, hierarchy etc).
  • Added custom purchase item data to default receipt template.
  • Added name argument to shopp_purchased_data_value filter to mirror shopp_purchase_item_input_data filter.
  • Added nonce protection for account profile updates to prevent CSRF vectors; thanks to Calum Hutton for responsible reporting
  • Added redirect after password change #3188
  • Added redirect option to submit_login.
  • Added server-side duplicate order protection #3142
  • Added Shopp::debug_console
  • Added support for last-used carrier as the default selection #3153
  • Added title_before and title_after options, support for linkcount option, section term fix, and ‘shopp_storefront_categorylist_item’ filter. Fixed bad HTML in _category_list() output.
  • Added trim() to function baseversion()
  • Adjusted unit tests to accommodate new changes that affect assertions
  • Allow order override for FeaturedProducts #3212
  • Browser console debug improvements
  • Capture card type at checkout #3191
  • Category exclusion fix; Props @Just-m #3254
  • Change field name processing to match new UI templates #3124
  • Changed approach to use get_post_status() directly
  • Check the truthishness of the show product option #3201
  • Cleaned up open_basedir warnings #3239
  • Cleaned up PHP notices #3239
  • Cleaned up undefined index notice
  • Code formatting cleanup
  • Completed name copying behaviors #3195
  • Correct exclude match query fragment
  • Correctly set selected order state mapping #3242
  • Credited amount stored in ShoppPurchaseDiscount
  • Ensure country rules using USA are translated to the 2-char ISO code #3129
  • Ensure events are loaded #3270
  • Ensure itemtaxes() runs after item taxes are calculated #3204
  • Ensure the order lock is destroyed during shutdown #3203
  • Fixed category.description unit test to be more forgiving
  • Fixed PHPDoc typos
  • Fixed reference notice #3239
  • Fixed reference to GatewayModules in the order manager.
  • Fixed transaction lock timeout.
  • Fixed translated tokenized string call #3149
  • Fixed typo in setting unix file permissions.
  • Fixed UI issue introduced by enabling select menu size attribute
  • Fixed undefined property notice #3239
  • Fixed undefined property notices #3239
  • Generate new sessions for orphan session cookies #3144
  • Handle taxed pricing in multiple mode variant menus #3267
  • Improved digit filtering and added PHPDocs
  • Incorrect Calculation with Multiple Credits
  • Lookup gateway using Shopp 1.3.x naming scheme on Orders admin page
  • Minified cart.js fixes for submit once behavior
  • Minor spelling/formatting cleanup #3149
  • Mirror cartitem.addon options #2591
  • Mirror cartitem.addon-list options #3175
  • Moved shared internal _addon_menus helper
  • Pass the current id reference to the shopp_cart_remove_item filter #3154
  • Prevent billing & shipping names from overwrites; props @clifgriffin #3157
  • Prevent excerpt calls from killing Shopp Page output #3192
  • Prevent over-refunding #3205
  • Prevent warning when no images present
  • Remove label from remove button in #3119
  • Removed improper is_readable calls on the tmp folder. Modified the image store procedure to avoid accessing the contents of the tmp directory.
  • Removing echo commands
  • Replaced ‘{taxonomy}_rewrite_args’ filter.
  • Replaced SWFUpload with a secured version
  • Restore “Charge Order” button for orders placed before Shopp 1.3.x
  • Restored ShoppServices handling
  • Retain the PAN when retrying checkout
  • Set image submit handler to cart-only forms #3233
  • Set the correct billing property to the sanitized form value #3135
  • submit_login cleanup
  • Suppress open_basedir restriction warning
  • Switch to sanitize_title()
  • Switch where clause operator for to (end) datetime; props @ben72 #3133
  • Treat last 4 digits as a string to preserve leading zeros #3234
  • Treat percentage discount amounts as floats #3198
  • Unpublished products should not be displayed via shortcodes #3161
  • Update cartitem.taxrate to handle multiple taxes and compound taxes #3136
  • Update shipped property on load #3197
  • Updated query to remove price meta in shopp_product_set_variant_options #3107
  • Use local options for load logic #3193
  • Use mb_convert_encoding when available #3127
  • Use the correct new status input #3148

For troubleshooting assistance with upgrading, purchase a Shopp Support Key or a Priority Support Credit from the Shopp Store.


© Ingenesis Limited. Shopp™ is a registered trademark of Ingenesis Limited.