SMT Toolkit for WooCommerce

Protokol změnow

1.3.4

• FIX: Social token refresh – is_due() no longer treats token_refresh_checked as a „last refreshed“ timestamp; a failing endpoint can no longer lock retries out for 45 days.
• FIX: Store Settings – tracking-plugin disabler moved from wp priority 1 to template_redirect so is_cart()/is_checkout()/is_order_received_page()/is_account_page() are reliable; conversion tracking on checkout/thank-you pages is no longer accidentally stripped.
• FIX: Social Post Share (Facebook) – drop deprecated link parameter; URL is now embedded in the message body so Graph still produces an OG card.
• FIX: Social Post Share (Threads) – 60-second async delay between /threads creation and /threads_publish via wp_schedule_single_event to match Meta’s recommended media-processing window.
• FIX: Social Post Share (LinkedIn) – migrate from deprecated /v2/ugcPosts to current /rest/posts endpoint with LinkedIn-Version header.
• FIX: Social settings save – preserve_token_meta() keeps refresh_token, token_refreshed and token_expires_at when an admin rotates the access token; only the status meta is reset so the next cron re-checks freshness.
• FIX: Store Settings – WLW manifest 410 path check uses parse_url($uri, PHP_URL_PATH) before basename() so query strings can’t trigger false positives.
• SECURITY: Token refresh cron – per-run add_option lock prevents an ad-hoc trigger from racing the daily cron and double-writing the options blob.
• SECURITY: Instagram widget – debug HTML comments are now opt-in via ?smt_ig_debug=1 so a passing admin (with WP_DEBUG enabled) never sees diagnostic strings in the page source.
• PERFORMANCE: Store Settings – tracking-disable branch now calls mark_uncacheable() (defines DONOTCACHEPAGE / sends nocache_headers()) so a logged-in admin’s „no-tracking“ render is never served by page caches to logged-out visitors.
• PERFORMANCE: Store Settings – added script_loader_tag last-resort filter that strips known Google / Meta tracking handles even when another plugin re-registers them after our dequeue pass.
• IMPROVED: Social – unified Facebook Graph API version to v25.0 across post-share, Instagram widget and token refresh.
• CLEANUP: Social module – removed dead smttool_social_instagram_refresh cron unschedule (the hook is no longer registered since Graph long-lived tokens are managed manually).

1.3.3

• IMPROVED: Social – add scheduled 45-day token refresh checks for Facebook/Instagram, Threads, X, LinkedIn and Tumblr OAuth2 credentials; Mastodon is checked but skipped because its tokens do not expire automatically.
• IMPROVED: Social – add X / Twitter post-sharing credentials and Tumblr OAuth2 token fields while keeping legacy Tumblr OAuth1 sharing as a fallback.

1.3.2

• FIX: AJAX Archive – pass the plugin add-to-cart nonce from single-product and Quick View forms so the CSRF guard added in 1.3.0 accepts valid customer add-to-cart requests.

1.3.1

• FIX: Include the Nova Poshta checkout helper class in the release package so Store Settings checkout helpers load without warnings.

1.3.0

• SECURITY: Google Drive Importer – strict whitelist on Drive folder IDs prevents query injection into the Drive API q parameter
• SECURITY: AJAX Archive – add-to-cart endpoint now requires a valid nonce (CSRF guard); accepts WC core, Store API or plugin-issued nonces
• SECURITY: Nova Poshta – HTTP_X_FORWARDED_FOR / CF-Connecting-IP headers are honoured only when REMOTE_ADDR is in the new TRUSTED_PROXIES whitelist; rate-limit is now atomic via wp_cache_incr
• SECURITY: Social AJAX – 64KB hard cap on POST payload before json_decode (memory-exhaustion DoS)
• SECURITY: Wishlist frontend JS – all user-controlled fields (thumbnail / url / added_at) now run through escHtml before HTML concatenation
• SECURITY: SVG Registry – explicit libxml_disable_entity_loader(true) on PHP < 8.0, plus a 50-level depth guard in clean_node (XXE + stack DoS hardening)
• SECURITY: Newsletter – created_by queue check is now default-deny (only the original author or an administrator can resume a queue)
• SECURITY: Discounts – reward add-to-cart AJAX now re-validates is_purchasable() and is_in_stock()
• SECURITY: Google Drive Importer – wp_delete_attachment() is now skipped when the same attachment is referenced by another product as a featured image or in a product gallery
• SECURITY: Discounts – discount percent is clamped to 0-100 in all reward calculation paths
• STABILITY: Rewards points – first-time add() uses atomic INSERT ... ON DUPLICATE KEY UPDATE to eliminate the lost-update race
• STABILITY: Rewards order reverse – when deduct() is capped by a low balance, the shortage is now persisted to order meta and subtracted from any re-completion credit (prevents double-credit on partial-refund edge sequences)
• STABILITY: Rewards daily cron – global lock + per-user lock around birthday bonus eliminates double-award between racing crons; soft 25s time budget per task
• STABILITY: Rewards review bonus – dedup key switched from order_id to per-comment marker so a real order_id == product_id cannot suppress a legitimate bonus
• STABILITY: Rewards popup queue – read-modify-write protected by per-user option lock; queue capped at 20 entries to prevent meta growth
• STABILITY: Discounts – cart mutations made inside cart_loaded_from_session now call cart->set_session() so they survive the next request
• STABILITY: Wishlist toggle – 3-second per-product transient lock serialises rapid double-clicks
• STABILITY: SVG Registry – recompile_now() serialised via option lock; old-CSS retention raised from 2 to 5 files to absorb CDN cache lag
• STABILITY: Store Settings save – admin saves serialised via option lock so concurrent tab saves don’t race
• STABILITY: Store Settings AJAX – wp_enqueue_scripts trigger in admin context wrapped in try/catch so misbehaving 3rd-party plugins can’t break the response
• PERFORMANCE: Discounts – profile / conditions / rewards reads are now request-scope-cached; eliminates N+1 SQL on every before_calculate_totals
• PERFORMANCE: AI Search – product term cache primed once per result set; eliminates per-product brand lookup queries
• PERFORMANCE: AI Search – attribute term cap raised from 500 to 5000 with truncation warning to surface silent omissions
• PERFORMANCE: Store Settings – variation REST handler primes post + post-meta caches in one batch instead of per-variation SQL
• PERFORMANCE: Store Settings – _smttool_discount_sort clause filter now idempotent; will not duplicate JOINs when the filter fires multiple times in a query
• PERFORMANCE: Store Settings – best-seller IDs cache invalidated on order completion
• PERFORMANCE: Google Drive Importer – 10k-file / 60-second cap inside list_drive_files, bounded static product caches, explicit 30s timeout on download_url, 50MB cap on CSV body
• PERFORMANCE: Rewards apply-points AJAX – per-user rate-limit (5/min) protects expensive calculate_totals() recalculation
• PERFORMANCE: Wishlist modal – product + brand caches primed before the per-item loop
• PERFORMANCE: Newsletter – server-side minimum query length on user / product / category search; transient TTL reduced from 7 to 3 days
• PERFORMANCE: Newsletter – send queue now tracks already-emailed user IDs across batches (cap 50k) to stop multi-role users receiving the same newsletter twice
• IMPROVED: Checkout phone mask – caret position math fixed (delta against pre-assignment length); now accepts 10-16 digit international numbers instead of forcing exactly 13
• IMPROVED: AJAX Archive – filter_stock_status query string is cast to string before explode, preventing silent failures when sent as an array
• IMPROVED: AJAX Archive – internal product taxonomies (product_visibility, product_shipping_class) refused as archive context to prevent hidden-product enumeration
• IMPROVED: Nova Poshta – transport-layer error messages no longer leaked to client (logged server-side)
• IMPROVED: AI Search frontend – price_html injection routed through DOMPurify when available

1.2.0

• NEW: AI Search module – OpenAI-powered semantic product search with live drop-down, rate limiting and incremental index builder
• NEW: Wishlist module – personal wishlists with multi-list support, shareable links and AJAX add/remove
• NEW: Rewards module – points-based loyalty programme with redemption, auto-actions (registration / review / birthday / level-up), refund-aware accrual and popup + email notifications
• NEW: Abandon Cart module – logged-in and guest cart recovery with token-protected restore links and branded reminder schedule
• NEW: Newsletter module – subscriber list, branded composer, queued sending with per-hour cap and shared email template re-used by Rewards and Abandon Cart
• NEW: Social module – share buttons, social login (Google / Facebook / Apple) and a floating contact-channels CTA dock
• NEW: SMT Router – unified REST response wrapper (success/data/message)
• NEW: SMT Mailer – shared email service with rate limiting and template branding
• IMPROVED: Rewards refund/re-completion flow – re-completing a previously refunded order now correctly re-credits points (was blocked by a stale flag)
• IMPROVED: AJAX archive sidebar refresh – filter chips and dynamic counts now update after every filter change
• IMPROVED: My Account AJAX tabs auto-scroll to content with theme-controlled offset (scroll-margin-top)
• IMPROVED: Recently viewed cookie parsed once per request (was re-parsed on every helper call)
• IMPROVED: Cart count in header cached per request (fragments handle live updates)
• IMPROVED: 404 fallback products query no longer uses orderby:rand on large catalogs (date + PHP shuffle)
• IMPROVED: Custom logo loaded eagerly with high fetch priority (LCP)
• IMPROVED: WC Brands sale-flash unhook now runs once per request (static guard)
• IMPROVED: Skeleton-loading state + soft fade-in for AJAX archive grid swaps
• IMPROVED: Reduced-motion preference respected globally (animation/transition durations collapse)
• IMPROVED: HPOS-ready – wc_get_orders() used throughout, no legacy posts queries
• IMPROVED: Plugin Check warnings cleaned up (line endings, prepared SQL placeholder helpers, file system operation comments)
• SECURITY: Filter-combination archive URLs emit noindex via wp_robots (prevents duplicate-content indexation, plays nice with Rank Math / Yoast)
• SECURITY: REST error paths now return immediately after wp_send_json_error() (defence in depth)
• SECURITY: All JSON input read with wp_unslash() before json_decode(), no double sanitisation that could corrupt UTF-8
• FIX: Rewards popup now shows the configured subject as a title (was dropped from the queue, only body was rendered)
• FIX: Rewards popup queue accepts both new {subject, body} entries and legacy strings for backward compatibility
• FIX: Variations table reset_variations link no longer reserves layout space when visibility-hidden
• FIX: Floating shop-toolbar clone no longer creates duplicate ids / for / aria-controls in the DOM
• FIX: search.php setup_postdata now assigns $GLOBALS[‚post‘] so the_*() functions inside template parts work
• FIX: cart modal home_url(REQUEST_URI) build path corrected
• FIX: Yoast / Rank Math primary category honoured by the post card meta helper
• FIX: tag_escape() used for dynamic heading tags (was esc_attr)

1.1.0

• NEW: Role-Based Pricing module (per-role fixed price or percentage discount, per-product overrides)
• NEW: Unified data layer – SMT_Data_Provider centralizes all option reads and writes
• NEW: SMT_Cache – three-tier caching (in-memory, WP object cache, transients) with a unified API
• IMPROVED: Lazy module initialization – Admin/Frontend/Ajax classes load only in the context where they are needed
• IMPROVED: Active discount profiles query cached per request (reduces DB load during cron runs)
• IMPROVED: Inline context detection cached per request (was computed three times per page)
• FIX: Discount badge always fell back to woocommerce_sale_flash due to incorrect module status check
• FIX: get_profile() and get_rules_for_profile() now use the table name helpers consistently
• FIX: Admin page classes were not loaded when render_admin() was called after lazy init
• FIX: Transient cleanup in uninstall.php now uses wpdb::prepare()

1.0.4

• NEW: Ajax Archive Engine module
• NEW: Centralized SVG Registry module
• NEW: SVG background support for Discounts and Store Settings badges
• IMPROVED: Badge rendering performance
• IMPROVED: Centralized SVG CSS compilation system
• IMPROVED: 10% faster initial page load (SVG optimization)
• SECURITY: Improved JSON input sanitization
• FIX: Nonce verification improvements
• FIX: Plugin Check warnings resolved
• REMOVED: inline SVG

1.0.3

• Fixed missing store-settings module in release package
• Minor stability improvements

1.0.2

• Fixed undefined variable in Discounts cron handler

1.0.1

• Added Store Settings module (assets control, cleanup, inline CSS/JS, checkout fields)
• Checkout customization refactored (Classic checkout only, Block checkout detection added)
• Fixed WooCommerce checkout field re-rendering (wc-checkout handling)
• Improved checkout field diff-based saving (no translation overwrite)
• Added reset option for checkout fields
• Enhanced badge system (heavy SVG handling, template injection, mutation observer)
• Optimized best-seller query with transient caching
• Improved security sanitization (wp_unslash handling, SVG hardening)
• Added advanced cleanup options (WooCommerce blocks, cart fragments, brands)
• Performance improvements and codebase stabilization
• Multiple security and Plugin Check compliance fixes

1.0.0

• Initial public release
• Google Drive Importer module
• Discount Engine module
• Transliteration module
• Modular system and cron support