Looks like line 1405 is the same as well…
Hi @kevp75,
Thank you for reporting this issue. I completely understand how frustrating it can be when errors like this interfere with your site’s functionality.
Just to clarify, the latest version of WooCommerce is actually 9.9.5, which differs from the version you mentioned. To better understand the situation, could you please share your site’s system status report? You can find it under WooCommerce > Status > Get system report > Copy for support, and then paste it into gist.github.com and share the link here.
Also, could you confirm where exactly you’re seeing this error? Is it on the frontend, in the admin area, or within the error logs?
Seeing it in debug.log.
Yes, WooCommerce 9.9.5 which as I said, is the latest version as of the time of that post.
The actual issue is you have unescaped $_GET and you are not checking if it’s actually an array… throughout your plugins. (yes, the plural was intentional as I found the same issue in your WooCommerce PayPal Payments plugin as well)
I have already corrected the issue in the plugin, with what I stated in the OP, however, I am going to modify it even further to protect against possible attacks as well… since they are not escaped either.
The report is here: https://gist.github.com/kpirnie/97b4c5706755b174df39e1cdf84fdf40
Hi @kevp75,
Thanks so much for the detailed follow-up and for sharing the system report.
Since you’ve already identified the issue and proposed a potential fix, the best next step would be to open a GitHub issue so our development team can review and address this directly. You can report it here: https://github.com/woocommerce/woocommerce/issues/new/choose
Be sure to include the error message, affected lines, and your suggested patch — this will help the team evaluate and resolve it more quickly.
We really appreciate your contribution to improving WooCommerce!
Done.
Easy fix for others in the meantime:
Replace the plain calls to $_GET throughout all WooCommerce plugins (assumed) with:
PHP 8.x and up: $_the_get = esc_sql( ( $_GET ) ?? array() );
Hi @kevp75,
Thanks again for taking the time to submit the GitHub issue and for also sharing your workaround with the community — that kind of proactive insight is incredibly valuable, especially with forward-looking compatibility like PHP 8.4.
If you’ve found WooCommerce helpful overall, we’d love it if you could leave us a quick review here: https://ww.wp.xz.cn/support/plugin/woocommerce/reviews/#new-post. Your feedback helps us keep improving and supporting store owners like you even better.
Let us know if you spot anything else!
This is not resolved, it should not be marked as such.
Hi @kevp75,
I understand your concern, and I appreciate you taking the time to follow up. The thread was marked as resolved since you had mentioned implementing a workaround and had also submitted a bug report, which typically indicates that the issue is on its way to being properly addressed.
That said, it makes sense to keep this open for visibility if others are experiencing the same issue. Could you please share the GitHub issue link here so we can reference it directly and keep an eye on its progress?
Looking forward to your update!
Yeah, the problem is WooCommerce just released an update, and I’m one to update ASAP. The issue wasn’t corrected in the update, so mine were overwritten.
What I would do… is either modify the function Automattic\WooCommerce\Utilities\ArrayUtil::get_value_or_default() to not declare the $items argument, and do a check inside it… or you’d have to find each instance that utilizes the function, and force the argument to be an array. Or, search out all instances across all WooCommerce plugins (yes, including the official addons), and force the $_GET argument to be an array, instead of a nullable object
Also… what I saw was 90% of the calls to it, were unescaped $_GET as the argument being passed. Personally… I would consider this a security issue, and there should likely be a CVE put out for it…
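The two remedies described in the posts above (hardening the helper so it validates its argument, or normalising what the caller passes in), shown as an added illustration in plain PHP. This is not WooCommerce's code: get_value_or_default_strict() and get_value_or_default_safe() are hypothetical stand-ins whose shape follows the description of ArrayUtil::get_value_or_default() in this thread, request_params_as_array() is an assumed generic sanitizer standing in for a context-appropriate WordPress one, and the inputs are constructed. It runs from the command line without WordPress.

```php
<?php
// Added illustration, not WooCommerce code. Shows the failure mode discussed in
// this thread: a helper declared with an `array` parameter receives null or a
// non-array, and PHP 8 raises a TypeError instead of continuing.

declare(strict_types=1);

/**
 * Hypothetical stand-in for a helper like ArrayUtil::get_value_or_default().
 * The `array` type on $items is what turns a null or scalar caller argument
 * into a TypeError under PHP 8.
 */
function get_value_or_default_strict( array $items, string $key, $default = null ) {
    return array_key_exists( $key, $items ) ? $items[ $key ] : $default;
}

/**
 * Hardened variant (first option from the post above): no type declaration,
 * validation inside, so a null or scalar argument yields the default.
 */
function get_value_or_default_safe( $items, string $key, $default = null ) {
    if ( ! is_array( $items ) ) {
        return $default;
    }
    return array_key_exists( $key, $items ) ? $items[ $key ] : $default;
}

/**
 * Caller-side normalisation (second/third option from the post above): always
 * hand the helper a real array of plain strings. Nested arrays and objects are
 * dropped, keys are restricted to a safe character set, and values have tags
 * and control characters stripped. Assumed generic sanitizer; in WordPress you
 * would use the sanitizer matching the value's destination (esc_sql() is only
 * for values interpolated into SQL).
 */
function request_params_as_array( $raw ): array {
    if ( ! is_array( $raw ) ) {
        return array();
    }
    $clean = array();
    foreach ( $raw as $key => $value ) {
        if ( ! is_scalar( $value ) ) {
            continue; // ignore nested arrays / objects
        }
        $clean_key = preg_replace( '/[^A-Za-z0-9_\-]/', '', (string) $key );
        if ( '' === $clean_key ) {
            continue;
        }
        $text = strip_tags( (string) $value );
        $text = preg_replace( '/[\x00-\x1F\x7F]/', '', $text );
        $clean[ $clean_key ] = trim( $text );
    }
    return $clean;
}

// Constructed inputs simulating what a caller might pass in place of $_GET.
$inputs = array(
    'normal request'  => array( 'page' => 'wc-settings', 'tab' => 'checkout' ),
    'no array at all' => null,
    'scalar instead'  => 'wc-settings',
    'tampered value'  => array( 'page' => "wc-settings\x00<b>x</b>", 'tab' => array( 'nested' ) ),
);

foreach ( $inputs as $label => $raw ) {
    try {
        $v = get_value_or_default_strict( $raw, 'page', 'default' );
        echo "$label / strict : $v\n";
    } catch ( TypeError $e ) {
        echo "$label / strict : TypeError raised\n";
    }
    echo "$label / safe   : " . get_value_or_default_safe( $raw, 'page', 'default' ) . "\n";
    echo "$label / caller : " . get_value_or_default_strict( request_params_as_array( $raw ), 'page', 'default' ) . "\n";
}
```

The strict variant fails for the null and scalar cases, the hardened variant returns the default, and the caller-side normalisation makes the strict helper safe to call on every input while also scrubbing the tampered value before it reaches any lookup.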
Hi there!
Thanks for the detailed feedback!
I can see you’re already discussing this issue on GitHub here: https://github.com/woocommerce/woocommerce/issues/59271. In this case, I’d recommend continuing the conversation there so our developers can further investigate and provide guidance on how to resolve the issue.
We really appreciate you taking the time to analyze the code and share your insights — that’s incredibly helpful for improving the plugin.
Hi @kevp75 this thread hasn’t been active for a while, so I’m going to mark this as resolved. If you have any further questions, please feel free to start a new thread.
We’d appreciate it if you could take a few moments to review the WooCommerce plugin using the link below:
https://ww.wp.xz.cn/support/plugin/woocommerce/reviews/