WooCommerce 2.3.11 patches an object injection vulnerability discovered by Sucuri. According to the security research company, the vulnerability is only present when the PayPal Identity Token option is set in WooCommerce.
Researchers used a combination of WordPress and WooCommerce components with a known PHP bug and were able to download critical files, including wp-config.php which has sensitive information. Versions 2.0.20 – 2.3.10 are considered vulnerable.
In addition to the patch, the release also has a number of bug fixes. If you haven’t already, update as soon as possible.
Source: WP Tavern