Select2 is a jQuery-based replacement for select boxes. It supports searching, remote data sets, and pagination of results.
WooCommerce used Select2 v4.0.3 in older releases, and that version has known XSS and prototype pollution vulnerabilities, which were patched in later versions (up to 4.0.13). This is why the outdated Select2 library bundled with WooCommerce needs to be addressed.
Affected CVE: CVE-2016-10744
Here is the fix; go through it carefully before you update:
Why you shouldn’t just overwrite it manually
Directly replacing the select2.full.min.js file in WooCommerce’s core folders (e.g., /wp-content/plugins/woocommerce/assets/js/select2/) is not recommended, because:
- Plugin updates will overwrite your change.
- WooCommerce might rely on customized build scripts or localized Select2 code.
- If other plugins or themes enqueue WooCommerce’s bundled version, version mismatches can break dropdowns or AJAX product filters.
Recommended safer approaches
Override with an updated version via enqueue (preferred)
You can safely override the outdated Select2 library by deregistering the old script and registering the updated one in your own small plugin or theme’s functions.php:
add_action('wp_enqueue_scripts', function() {
    // Deregister WooCommerce's old Select2 and its selectWoo fork
    wp_deregister_script('select2');
    wp_deregister_script('selectWoo');

    // Register and enqueue a secure version
    wp_register_script(
        'select2',
        'https://cdn.jsdelivr.net/npm/select2@4.0.13/dist/js/select2.min.js',
        array('jquery'),
        '4.0.13',
        true
    );
    wp_enqueue_script('select2');

    // WooCommerce's own scripts (enhanced selects, country/address fields) list
    // 'selectWoo' as a dependency. Re-register that handle as an alias of the
    // updated build (src = false), otherwise those dependents fail to resolve
    // and silently stop loading after the deregistration above.
    wp_register_script('selectWoo', false, array('select2'), '4.0.13', true);

    // Include the matching CSS
    wp_register_style(
        'select2-css',
        'https://cdn.jsdelivr.net/npm/select2@4.0.13/dist/css/select2.min.css',
        array(),
        '4.0.13'
    );
    wp_enqueue_style('select2-css');
}, 100);
This approach:
- Uses the newer secure version,
- Keeps WooCommerce intact,
- And persists across WooCommerce updates.
Tested against the latest WooCommerce release, v10.3.3 (10/30/2025).
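As an added example (not code from the original post or from WooCommerce), here is a small Python audit script that walks a WordPress install and flags any bundled Select2 build older than the patched 4.0.13 release by reading the version banner at the top of each file. The banner format, the separate treatment of WooCommerce's selectWoo fork, and the sample banners are all assumptions constructed for this example.

```python
"""Audit a WordPress tree for bundled Select2 builds older than the patched release."""
import re
from pathlib import Path

# Release at which the post says the known XSS / prototype pollution issues were fixed.
PATCHED_VERSION = (4, 0, 13)

# Select2 builds open with a banner like "/*! Select2 4.0.3 | https://github.com/..."
# (assumed format). WooCommerce's selectWoo fork uses "/*! SelectWoo 1.0.x" and is
# reported but never compared, because its numbering does not track upstream Select2.
BANNER_RE = re.compile(r"/\*!\s*(Select2|SelectWoo)\s+(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_banner(js_text):
    """Return (library, (major, minor, patch)) from the build banner, or None if absent."""
    m = BANNER_RE.search(js_text[:512])  # banner is always at the top of the file
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def is_outdated(js_text):
    """True when js_text is an upstream Select2 build older than PATCHED_VERSION."""
    parsed = parse_banner(js_text)
    if parsed is None or parsed[0].lower() != "select2":
        return False
    return parsed[1] < PATCHED_VERSION


def audit_tree(root):
    """Yield (path, library, version, outdated) for each Select2/selectWoo JS file under root."""
    for path in Path(root).rglob("*.js"):
        name = path.name.lower()
        if "select2" not in name and "selectwoo" not in name:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        parsed = parse_banner(text)
        if parsed:
            yield str(path), parsed[0], parsed[1], is_outdated(text)


# Constructed sample banners (not real files) used to illustrate the checks.
OLD_BUILD = "/*! Select2 4.0.3 | https://github.com/select2/select2/blob/master/LICENSE.md */\n!function(){}();"
NEW_BUILD = "/*! Select2 4.0.13 | https://github.com/select2/select2/blob/master/LICENSE.md */\n!function(){}();"

if __name__ == "__main__":
    import sys
    for path, library, version, outdated in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("OUTDATED" if outdated else "ok      ", library, ".".join(map(str, version)), path)
```

Run it with the WordPress root as the argument (e.g. the directory containing wp-content) to confirm that no plugin or theme still ships the 4.0.3 build after you apply the override above.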
