WooCommerce Security
WooCommerce 10.9.4: Issues to Check Before Updating
WooCommerce updates touch checkout, payments, tax logic, emails, order flow, and extensions. Test revenue paths before updating a live store.

Quick answer
WooCommerce 10.9.4 is the current WordPress.org release. It includes a block checkout VAT exemption fix, but stores should still test payments, tax, emails, extensions, and database behavior before updating production.
Only scan websites you own or have explicit permission to test. Fixnx is built for defensive security checks and website protection. Unauthorized scanning may be illegal.
WooCommerce is different from a normal WordPress plugin because it handles money, tax, customers, orders, email, stock, checkout, and extensions. A small update can still affect revenue.
As of July 16, 2026, WordPress.org lists WooCommerce 10.9.4. The WooCommerce developer changelog says this point release fixes VAT exemption logic for block checkout and is not marked as a security update. That still deserves careful testing on stores.
Latest WooCommerce version snapshot
WooCommerce 10.9.4 was released on July 7, 2026. The WordPress.org plugin page lists more than 7 million active installations, PHP 7.4 or higher, WordPress 6.9 or higher, and compatibility tested up to WordPress 7.0.1.
The WooCommerce developer blog also shows WooCommerce 11.0 in beta, with performance and account changes coming next. That means store owners should update 10.9.4 carefully while extension makers prepare for the next branch.
- Current WordPress.org version: WooCommerce 10.9.4.
- Latest fix: VAT exemption logic in block checkout.
- Security update flag: no, according to WooCommerce release notes.
- Main risk area: checkout, tax, payments, email, subscriptions, and extensions.
WooCommerce 10.9.4 issues to check
The update may be small, but WooCommerce stores are complex. A checkout extension, payment gateway, tax plugin, shipping plugin, subscription system, or custom order workflow can be more fragile than WooCommerce core.
Do not stop at opening the homepage. The test is only useful if a real order path works from product page to payment confirmation.
- Block checkout should calculate VAT exemption correctly for logged-in users.
- Payment gateways should load, authorize, and return to the store correctly.
- Order emails should send and show correct totals.
- Subscriptions, coupons, taxes, shipping, and multicurrency extensions should be tested.
- Fatal errors can appear when older filters or email customizations conflict with newer WooCommerce code.
Safe WooCommerce update checklist
- Back up files and database before touching production.
- Test the update on staging with the same payment and shipping extensions.
- Confirm WordPress, PHP, theme, and WooCommerce extensions meet requirements.
- Run test orders for guest checkout, logged-in checkout, coupon use, tax, shipping, and refunds.
- Check order emails, webhooks, payment callbacks, analytics pixels, and inventory updates.
- Clear cache and retest checkout from a logged-out browser.
- Run a Fixnx scan after release to catch public exposure or SEO changes.
Example Fixnx finding
A Fixnx scan after a WooCommerce update might show that checkout works, but the store exposes old payment gateway assets and missing security headers.
That means the store can still take orders, but it is leaking useful information and missing browser protections around sensitive pages.
- Evidence: public plugin paths reveal payment and checkout extensions.
- Impact: attackers can focus on high-value commerce components.
- Fix: update payment extensions, remove unused plugins, and harden headers.
- Retest: confirm checkout, webhook callbacks, and scan findings after caches clear.
What to fix first
- Fix checkout, payment, tax, shipping, and order email problems first.
- Patch payment gateway and subscription extensions before low-risk UI plugins.
- Remove unused WooCommerce extensions that still load public assets.
- Check customer account pages, refunds, coupons, and inventory sync.
- Improve headers, HTTPS, cookie flags, and exposed plugin files after revenue flow is stable.
Recommended next steps
Review storefront, checkout, account, and plugin risk signals.
WordPress security scanCheck the broader WordPress surface around the store.
Website vulnerability scannerRun the main Fixnx public website scanner.
Sample security reportSee how Fixnx presents evidence and recommended fixes.
Trusted external resources
Official plugin page for version, requirements, active installations, and changelog.
WooCommerce developer changelogOfficial WooCommerce release notes and update details.
WooCommerce developer archiveOfficial WooCommerce posts covering recent releases, advisories, and upcoming changes.
W3Techs WordPress subtechnology statisticsUsage statistics for WordPress subtechnologies including WooCommerce.
FAQ
What is the latest WooCommerce version?
As of July 16, 2026, WordPress.org lists WooCommerce 10.9.4 as the current public plugin release.
Is WooCommerce 10.9.4 a security update?
WooCommerce release notes list 10.9.4 as a point release and mark security update as no. Stores should still update after testing because checkout fixes affect real orders.
Can a small WooCommerce update break checkout?
Yes. The core update may be small, but payment gateways, tax plugins, shipping plugins, checkout blocks, subscriptions, and custom code can conflict.
What should I test before updating WooCommerce?
Test product pages, cart, checkout, payment, tax, shipping, coupons, refunds, order emails, webhooks, customer accounts, and analytics tracking.
Check your WooCommerce store after updating
Run a Fixnx scan after the WooCommerce update to find public security, SEO, and performance signals around your store.
Only scan websites you own or have explicit permission to test. Fixnx is built for defensive security checks and website protection. Unauthorized scanning may be illegal.
