Commit 6fc2731780f for woocommerce
commit 6fc2731780f88db96450d6a7f308775b4e7883e9
Author: Asim Sulehria <de.asimhabib@gmail.com>
Date: Thu Jun 18 15:36:35 2026 +0500
Fix exception info leak, null dereferences, and duplicate date query key (#65368)
diff --git a/plugins/woocommerce/changelog/65368-fix-null-safety-and-security-bugs b/plugins/woocommerce/changelog/65368-fix-null-safety-and-security-bugs
new file mode 100644
index 00000000000..b58c9d9b9d7
--- /dev/null
+++ b/plugins/woocommerce/changelog/65368-fix-null-safety-and-security-bugs
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Fix exception message info leak to non-admin API callers, null dereferences on missing parent product and order, and duplicate date query key in OrdersTableQuery.
\ No newline at end of file
diff --git a/plugins/woocommerce/includes/wc-stock-functions.php b/plugins/woocommerce/includes/wc-stock-functions.php
index 37f817e2dbc..9afd29f5f83 100644
--- a/plugins/woocommerce/includes/wc-stock-functions.php
+++ b/plugins/woocommerce/includes/wc-stock-functions.php
@@ -521,8 +521,10 @@ function wc_get_low_stock_amount( WC_Product $product ) {
$low_stock_amount = $product->get_low_stock_amount();
if ( '' === $low_stock_amount && $product->is_type( ProductType::VARIATION ) ) {
- $product = wc_get_product( $product->get_parent_id() );
- $low_stock_amount = $product->get_low_stock_amount();
+ $parent = wc_get_product( $product->get_parent_id() );
+ if ( $parent ) {
+ $low_stock_amount = $parent->get_low_stock_amount();
+ }
}
if ( '' === $low_stock_amount ) {
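Review bot: The new guard `if ( $parent )` narrows by truthiness, whereas the same commit uses `instanceof \WC_Order` for the analogous null-safety fix in RestockRefundedItemsAdjuster; `if ( $parent instanceof WC_Product ) {` would make the two fixes consistent and keep the narrowing of `WC_Product|false|null` (the type named in the removed PHPStan baseline entry) explicit. When the parent cannot be loaded, `$low_stock_amount` stays `''` and reaches the `'' === $low_stock_amount` branch on the hunk's last line, which presumably applies the store-wide threshold; a short comment would make that fallback deliberate rather than incidental, e.g. `// Parent missing (orphaned variation): leave '' so the store-wide threshold applies below.`. The enclosing function wc_get_low_stock_amount starts and ends outside the hunk.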
diff --git a/plugins/woocommerce/phpstan-baseline.neon b/plugins/woocommerce/phpstan-baseline.neon
index 76da6d342e0..8c071eedfce 100644
--- a/plugins/woocommerce/phpstan-baseline.neon
+++ b/plugins/woocommerce/phpstan-baseline.neon
@@ -35583,12 +35583,6 @@ parameters:
count: 2
path: includes/wc-stock-functions.php
- -
- message: '#^Cannot call method get_low_stock_amount\(\) on WC_Product\|false\|null\.$#'
- identifier: method.nonObject
- count: 1
- path: includes/wc-stock-functions.php
-
-
message: '#^Cannot call method get_stock_quantity\(\) on WC_Product\|false\|null\.$#'
identifier: method.nonObject
@@ -68137,24 +68131,6 @@ parameters:
count: 1
path: src/Internal/RestockRefundedItemsAdjuster.php
- -
- message: '#^Cannot call method get_qty_refunded_for_item\(\) on WC_Order\|WC_Order_Refund\|false\.$#'
- identifier: method.nonObject
- count: 1
- path: src/Internal/RestockRefundedItemsAdjuster.php
-
- -
- message: '#^Cannot call method get_refunds\(\) on WC_Order\|WC_Order_Refund\|false\.$#'
- identifier: method.nonObject
- count: 1
- path: src/Internal/RestockRefundedItemsAdjuster.php
-
- -
- message: '#^Cannot call method get_version\(\) on WC_Order\|WC_Order_Refund\|false\.$#'
- identifier: method.nonObject
- count: 1
- path: src/Internal/RestockRefundedItemsAdjuster.php
-
-
message: '#^Method Automattic\\WooCommerce\\Internal\\RestockRefundedItemsAdjuster\:\:init\(\) has no return type specified\.$#'
identifier: missingType.return
diff --git a/plugins/woocommerce/src/Internal/DataStores/Orders/OrdersTableQuery.php b/plugins/woocommerce/src/Internal/DataStores/Orders/OrdersTableQuery.php
index 0c4313c0e98..589556df85c 100644
--- a/plugins/woocommerce/src/Internal/DataStores/Orders/OrdersTableQuery.php
+++ b/plugins/woocommerce/src/Internal/DataStores/Orders/OrdersTableQuery.php
@@ -537,7 +537,7 @@ class OrdersTableQuery {
// Add top-level date parameters to the date_query.
$tl_query = array();
- foreach ( array( 'hour', 'minute', 'second', 'year', 'monthnum', 'week', 'day', 'year' ) as $tl_key ) {
+ foreach ( array( 'hour', 'minute', 'second', 'year', 'monthnum', 'week', 'day' ) as $tl_key ) {
if ( $this->arg_isset( $tl_key ) ) {
$tl_query[ $tl_key ] = $this->args[ $tl_key ];
unset( $this->args[ $tl_key ] );
diff --git a/plugins/woocommerce/src/Internal/RestApiControllerBase.php b/plugins/woocommerce/src/Internal/RestApiControllerBase.php
index 3706dccb2b4..6a105004fd5 100644
--- a/plugins/woocommerce/src/Internal/RestApiControllerBase.php
+++ b/plugins/woocommerce/src/Internal/RestApiControllerBase.php
@@ -156,7 +156,6 @@ abstract class RestApiControllerBase implements RegisterHooksInterface {
$data['exception_message'] = $exception->getMessage();
$data['exception_trace'] = (array) $exception->getTrace();
}
- $data['exception_message'] = $exception->getMessage();
return new WP_Error( 'woocommerce_rest_internal_error', __( 'Internal server error', 'woocommerce' ), $data );
}
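Review bot: Removing the unconditional `exception_message` assignment is only as strong as the guard around the surviving `exception_message`/`exception_trace` lines, and that guard's condition sits above the hunk and is not visible here; it should be confirmed to be a capability check on the caller rather than a debug-mode flag, since a `WP_DEBUG`-style gate would still hand the message to any unauthenticated caller on debug-enabled sites. The previous line also appears to have been the only place the message reached the response, so it is worth checking that the exception is still logged for operators elsewhere in this method, otherwise the fix trades a leak for silent failures. A one-line comment above the guarded block would document the intent, e.g. `// Exception details are attached only for privileged callers; everyone else receives the generic message.`. The enclosing method starts outside the hunk.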
diff --git a/plugins/woocommerce/src/Internal/RestockRefundedItemsAdjuster.php b/plugins/woocommerce/src/Internal/RestockRefundedItemsAdjuster.php
index 974da5ab0d0..daa277f9986 100644
--- a/plugins/woocommerce/src/Internal/RestockRefundedItemsAdjuster.php
+++ b/plugins/woocommerce/src/Internal/RestockRefundedItemsAdjuster.php
@@ -40,7 +40,10 @@ class RestockRefundedItemsAdjuster {
* @param array $items Order items to save.
*/
public function initialize_restock_refunded_items( $order_id, $items ) {
- $order = wc_get_order( $order_id );
+ $order = wc_get_order( $order_id );
+ if ( ! $order instanceof \WC_Order ) {
+ return;
+ }
$order_version = $order->get_version();
if ( version_compare( $order_version, '5.5', '>=' ) ) {