Important update to AJAX requests in Easy Digital Downloads 2.9.4

Version 2.9.4 of Easy Digital Downloads includes some important updates to a few of our templates and to sections that can be customized. These updates may require changes on stores that have modified these sections. Specifically, the changes add nonce values to the AJAX actions. These nonces are required as of version 2.9.4, and without them critical functionality can fail. Below is a list of the nonces that were added and the functions or template files that were modified, to make it easier to update your customizations as needed.

Template Files Changed

templates/checkout_cart.php
templates/shortcode-profile-editor.php
templates/widget-cart-item.php

Functions Changed

includes/template-functions.php

  • edd_get_purchase_link()

includes/checkout/template.php

  • edd_default_cc_address_fields()
  • edd_get_register_fields()
  • edd_get_login_fields()
  • edd_payment_mode_select()
  • edd_checkout_hidden_fields()

Debugging

In order to make it easier for store owners and theme developers to know whether they are affected by these changes, we've forced the edd_debug_log() function to log an entry in the Easy Digital Downloads Debug Log any time a required nonce is missing.

You can view your debug log by visiting Downloads > Tools > Debug Log.

Detailed Changes

Below is a list showing each line as it previously existed and the new line that replaces it.

It's not often that we have to make changes to these template files that would require this level of information, but when it comes to hardening the security and performance of your store, it is necessary to review the above changes and update your store accordingly.
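To show what the nonce requirement means for a customized template and for the AJAX handler that receives the request, here is an added illustration in PHP. It is not code from Easy Digital Downloads; the AJAX action name `my_store_add_to_cart` and the helper names are hypothetical. The nonce action `'edd-add-to-cart-' . $download_id` is the one a commenter below reports using, and `wp_create_nonce()`, `wp_verify_nonce()`, `wp_send_json_error()` and `edd_debug_log()` are real WordPress and EDD functions. The handler logs through `edd_debug_log()` when the nonce is missing, mirroring the behaviour described in the Debugging section.

```php
<?php
/**
 * Added illustration (not EDD's own code): a customized template passes a
 * nonce to an AJAX request, and the receiving handler verifies it and logs
 * a Debug Log entry when it is missing or invalid.
 *
 * Hypothetical names (not from the article): the AJAX action
 * "my_store_add_to_cart" and the two my_store_* helpers.
 */

// Template side: emit the nonce next to the download ID so the script that
// fires the AJAX request can send both back as POST fields.
function my_store_cart_button( $download_id ) {
    $download_id = absint( $download_id );
    $nonce       = wp_create_nonce( 'edd-add-to-cart-' . $download_id );

    return sprintf(
        '<a href="#" class="edd-add-to-cart" data-download-id="%d" data-nonce="%s">Add to cart</a>',
        $download_id,
        esc_attr( $nonce )
    );
}

// Server side: check the nonce before touching the cart.
function my_store_handle_add_to_cart() {
    $download_id = isset( $_POST['download_id'] ) ? absint( $_POST['download_id'] ) : 0;
    $nonce       = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';

    if ( '' === $nonce ) {
        // An outdated template that never rendered data-nonce ends up here;
        // the log line is what a store owner sees under Downloads > Tools > Debug Log.
        edd_debug_log( 'Missing nonce on add-to-cart request for download ' . $download_id );
        wp_send_json_error( array( 'message' => 'Missing nonce' ), 403 ); // wp_send_json_error() exits
    }

    if ( ! wp_verify_nonce( $nonce, 'edd-add-to-cart-' . $download_id ) ) {
        // Expired, forged, or created for a different download ID.
        edd_debug_log( 'Invalid nonce on add-to-cart request for download ' . $download_id );
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // Nonce verified; the real cart work would follow here.
    wp_send_json_success( array( 'download_id' => $download_id ) );
}

// Register the handler for logged-in and logged-out visitors alike.
add_action( 'wp_ajax_my_store_add_to_cart', 'my_store_handle_add_to_cart' );
add_action( 'wp_ajax_nopriv_my_store_add_to_cart', 'my_store_handle_add_to_cart' );
```

The front-end script is expected to read `data-download-id` and `data-nonce` from the rendered link and post them as `download_id` and `nonce` along with `action=my_store_add_to_cart`. Because the nonce action string includes the download ID, a nonce generated for one download does not verify for another, which is why a template that hard-codes or omits the ID will also fail the check.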


Thank god I found some information regarding the issues I'm having with EDD. I'm developing an addon and everything stopped working. Gotta get into that, but I'm sure I'll get it working soon. Anyway, why is a nonce now required? I mean, I don't get why it's needed; everything was working perfectly without them.

Thanks!

@surce,

Nonces are a method used to help prevent malicious attempts at replays for links and forms. They are now required as an attempt to help prevent misuse of the AJAX endpoints. While things were ‘working perfectly’ without them, adding the nonces is just an extra layer of protection against the customer sessions and interacting with the cart.

You can read more about nonces within WordPress here: https://codex.wordpress.org/WordPress_Nonces

Just fixed it by adding `data-nonce="' . wp_create_nonce( 'edd-add-to-cart-' . $eddnum ) . '"` where $eddnum is the download ID. Thank you so much, family, for such an amazing plugin!

@Martin,

None of the hooks were changed in their naming or position, however if you were removing our hooks for some of the functions listed in the article above, and replacing it with your own hooks, you may need to review the changes and apply them. If you were simply adding more to the hooks, then you should not run into any issues.

Thank you for explaining where changes are. Very helpful.

I upgraded to 2.9.5 too, but I'm not seeing Debug Log in Downloads > Tools. Does it only show if the log has something in it, or am I looking in the wrong place?

THANK YOU to Chris and EDD team for publishing this. I should have paid better attention while upgrading these important plugins and didn’t notice my checkout was broken until a customer emailed me! Luckily I got the templates resolved in under 20 minutes—totally worth it for the added security.

AJAX is the default method of handling things like adding items to the cart. While disabling AJAX is supported, it is not suggested and should only be used by developers doing custom integration.

So you do not see this setting, because it is already on.

My site was working fine before the update. I have a problem with deletion of an item from the add-to-cart button. The item is only deleted from the checkout page, but not from the add-to-cart icon. I have applied your updates, but no luck.

I figured it out myself. Replace this in functions.php:

`<a href="" class="remove-item" title="">x`

with this:

`<a href="" class="remove-item edd_cart_remove_item_btn" title="">x`
