X-Cart v4.7.11 and Security Patches: Improved Speed & Performance, Updates to Payment Addons, and more

Max Slepukhov
Head of Product at X‑Cart

It’s April and, as we promised, X-Cart v4.7.11 is out.

With this upgrade you get a significant speed improvement and a bunch of updates for payment addons. You also get to use the social payment method that is gaining popularity among millennials. And of course, we have updated many features that you already have in your X-Cart.

We have also detected a couple of potential security issues and strongly recommend that you take measures now.

I’ll try and keep it short. So let’s see what’s new in X-Cart first.

Release of X-Cart v4.7.11

First of all, if you remember, X-Cart 4.7.10 got a great speed boost but there’s always room for improvement, now isn’t there? So X-Cart v4.7.11 is even faster, we just hope you like that.

Second of all, the updates to the payment addons might open new horizons for you as new payment methods became available along with the necessary security and functionality updates.

Next, the updated version of jQuery in itself boosts interface speed and covers a potential security issue at the same time.

There are other changes, too, but let’s take a breath here and dig a little deeper into each update in X-Cart v4.7.11.

Improvements to payment addons

With PSD2 (the Second Payment Services Directive) being introduced in September 2019, many payment methods that you use at your online store will be pushing changes in the form of Strong Customer Authentication (SCA).

To prepare for the upcoming changes, we have made the necessary changes to the software.

For example, we have updated Amazon Payments Advanced according to the standards provided by Amazon Pay.

This is not the only update for this addon – we have also fixed the issue with a wrong payment method showing in orders within the usual checkout flow.

SCA isn’t the only change to online payments now. Another novelty has been introduced by PayPal: Venmo social payments. It’s already used by millions of people, it’s exclusively for mobile devices, and its main audience is millennials. If you use PayPal as one of the payment methods in your store, you don’t need to install any extensions; just enable Venmo in your current PayPal addon.

There used to be a few issues with PayPal, we fixed them all in the new X-Cart v4.7.11. Here is the list of them:

  • In mobile Website Payments Pro Hosted, some of the orders got declined. We managed to locate the issue and fix it.
  • Sometimes orders got declined with the ‘Declined: Payment amount mismatch: wrong order currency’ error message. Fixed that, too.
  • In PayPal Express, some of the orders partly paid with a gift certificate could not be processed via PayPal. Now they can.
  • In PayPal Payments Advanced, if a cart contained too many items, the order could not be processed with the error message ‘Field format error: Request is too large to process’. So we have updated the field format and now your big orders will not hang unfinished.

Apple Pay/Visa Checkout is now available through the new Elavon Converge Hosted Payments Page payment gateway.

Authorize.Net is now phasing out the MD5 based use of hash for transaction response verification. SHA-512 based hash utilizing Signature Key is to be used instead. We have made the necessary amendments to the AuthorizeNet eCheck addon to reflect those changes.

We have switched from the legacy HMAC-MD5 authenticated hash to HMAC-SHA512 as required by Authorize.Net. You can now use a Signature Key to enhance the security of your AuthorizeNet SIM payment method.
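A minimal sketch of the kind of response check the move to HMAC-SHA512 implies, as an added example (not X-Cart or Authorize.Net code). The function names, the caret-delimited message layout and the sample values are assumptions for illustration; take the exact field list for your integration from Authorize.Net's documentation.

```php
<?php
// Added example. Assumption: the gateway signs a caret-delimited string of
// response fields with HMAC-SHA512, keyed by the hex-decoded Signature Key.

function build_signed_message(array $fields): string
{
    // "^f1^f2^f3^": leading and trailing caret, fields in a fixed order.
    return '^' . implode('^', $fields) . '^';
}

function verify_response_hash(string $signatureKeyHex, array $fields, string $receivedHash): bool
{
    // The key is handled as a hex string; HMAC must be keyed with the raw bytes.
    if (!ctype_xdigit($signatureKeyHex) || strlen($signatureKeyHex) % 2 !== 0) {
        return false;
    }
    $key = hex2bin($signatureKeyHex);

    // A SHA-512 digest is 128 hex characters. A 32-character value is a
    // legacy MD5 hash: reject it instead of falling back to the old check.
    if (strlen($receivedHash) !== 128 || !ctype_xdigit($receivedHash)) {
        return false;
    }

    $expected = hash_hmac('sha512', build_signed_message($fields), $key);

    // Constant-time comparison; normalise case because the received hash
    // may arrive as upper-case hex.
    return hash_equals($expected, strtolower($receivedHash));
}

// Constructed sample values, not real credentials or transaction data.
$key    = str_repeat('0f', 64);
$fields = ['exampleLogin', '1234567890', '19.99'];
$good   = strtoupper(hash_hmac('sha512', build_signed_message($fields), hex2bin($key)));

var_dump(verify_response_hash($key, $fields, $good));                                // genuine response
var_dump(verify_response_hash($key, ['exampleLogin', '1234567890', '1.00'], $good)); // amount altered
var_dump(verify_response_hash($key, $fields, md5('legacy')));                        // MD5-length hash
```

Only the first call passes verification; an altered amount or an MD5-length hash is rejected before the order is marked as paid.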

In the Sage Pay Go addon, form protocol did not work properly with PHP7.2/PHP7.3 and OpenSSL. The following error message used to pop up: ‘Payment amount mismatch: wrong order total error related to VISA cards’. We fixed that issue.

We updated the Ingenico ePayments e-Commerce addon to support UTF8 so that international names could be registered properly.

Improvements to other addons

The Free Currency Converter API that is used in the XMultiCurrency addon now requires a free API key, and the API version has changed from v3 to v6. We have made the necessary changes to the addon according to these requirements.

For the Detailed Product Images addon, we updated the version of jQuery Colorbox, which added Retina display support. So your product images will look equally great both on an average desktop and on double-density screens from now on.

We also added slideshow mode that can be enabled/disabled as you like.

As more and more websites around the world start using IPv6, it becomes necessary to keep up even though they are compatible with v4 as well. Advanced Customer Reviews and Customer Reviews are IPv6 compatible now. So are the Survey and Stop List modules and login history. Basically, X-Cart v4.7.11 is fully compatible with IPv6 now.

We’ve optimized the Special Offers addon greatly: it now works a whole lot faster and more effectively.

For the Amazon Feeds addon, we have added a few new categories:

  • NetworkAdapter;
  • CellularPhoneCase/ScreenProtector;
  • Industrial/AdhesiveTapes;
  • LightMotor/LightMotorVehicle;
  • FoodAndBeverages/BabyFood;
  • TechnicalSportShoe/Sandal.

The addon now also works for the United Arab Emirates. We have also made a few minor changes to the Canada and Mexico endpoints.

The X-PDF addon is now compatible with PHP7.3 as well as with PHP7.2 and PHP7.1. Also, mpdf has been updated from version 6.1.4 to 8.0.0. It requires at least PHP 5.6 and is tested with up to PHP 7.3.

Other changes

One of our clients received an unexpected result after performing a regular Trustwave scan: it reported that the current jQuery version potentially exposes the store to Cross-Site Scripting attacks. To remedy this issue we have updated jQuery to the latest v3.4.0, and this update is a part of the new X-Cart 4.7.11, too.

We fixed the issue with the admin area not working properly through CloudFlare. An error message saying ‘It seems your IP address has changed. For security reasons your user session has been terminated by the session protection mechanism (PROTECT_XID_BY_IP)…’ used to show up every time you attempted a login using CloudFlare.

Sometimes so-called spiderbots, or web crawlers, began to overload user sessions on popular X-Cart online stores and interfere with the regular user experience. We have updated the web crawlers’ signatures in X-Cart 4.7.11, adding MJ12bot, SEMrushBot and others. This helps to reduce the number of MySQL queries and unload the user sessions.

For defined methods, the total order weight is now taken into account even when the real-time shipping calculation is disabled.

In terms of SEO, there are a few improvements, too.

The ‘combine,minify,optimize’ option is removed for the “Use speed-up tool for CSS” setting to reflect the changes in ‘Google PageSpeed Insights’ algorithms.

Security patches

Affected versions: X-Cart 4.4.0 and higher

Impact:

  1. Potential SQL-injection
  2. Potential XSS breach for jQuery

Solution:

For X-Cart versions 4.4.5 and higher: apply the security patches or upgrade to the latest X-Cart v4.7.11.

For versions 4.4.0-4.4.4: use a custom security patch adaptation or upgrade to v4.7.11.

You can get the job done by the pros

It’s up to you whether to upgrade your X-Cart instance or just go with the security patches; just make sure you pick one.

The security patches are always available in the File Area section of your HelpDesk account. They are free of charge and you can apply them following the instructions.

The upgrade will bring you a whole lot of improvements along with the enhanced security.

No matter which option you choose, keep in mind you can always get the job done for you – just contact you-know-who.

That’s all for today, thanks for reading. For more details, please check the updated Changelog.

For more details on other fixes and improvements, please refer to the changelog. Feel free to download the fresh X-Cart 4.7.11 and discuss it on forums, we’d love to know what you think!
