WP Bannerize Pro

Changelog

1.13.0

Feature, Security & Compatibility Update

New Features

• Added WebP image format support for local and remote banners
• WebP banners can now be uploaded from the media library or linked via external URLs
• Updated remote image validation to accept image/webp content type

Security

• Hardened analytics queries: campaign and banner ID filters now use $wpdb->prepare() placeholders instead of string interpolation
• Fixed invalid SQL placeholder (%1s) in analytics cleanup LIMIT clause, replaced with %d
• Hardened meta key JOINs in banner query builder with $wpdb->prepare() for all meta_key values
• Fixed SQL export using unescaped table name in INSERT statements
• Added capability check (manage_banners) to admin error notice display
• Used esc_html__() for translatable admin notice output

Bug Fixes

• Fixed PHP 8.0+ function str_starts_with() usage that broke compatibility with PHP 7.4
• Fixed duplicate entries in image MIME types array
• Fixed uninitialized $width and $height variables when image size detection fails
• Fixed potential fatal error when mime type is not detected during banner save
• Fixed string-to-integer comparison in banner list column for max impressions/clicks
• Fixed Gutenberg block missing “type” field for orderby attribute in block.json causing REST API warnings
• Fixed fatal error “read property ID on null” in getBannerClasses() when banner post is null
• Fixed esc_attr() used instead of esc_html() for impressions/clicks column output
• Fixed incorrect sanitization order (absint on esc_attr result) in pagination input

Improvements

• Redesigned horizontal layout with modern flexbox and responsive 2-column grid on wide screens, single column on mobile
• Vertical layout now uses flexbox with consistent gap spacing
• Banner images are fully responsive with max-width: 100% and auto height
• Refactored banner query meta key JOINs from repetitive code to loop-based construction
• Removed dead code: commented-out create_function() reference
• Refreshed readme.txt with structured description, expanded FAQ, and documentation links
• Rewrote README.md with badges, features, tech stack, and project structure

1.12.0

Security, Bug Fixes & Improvements

Security

• Fixed SQL injection vulnerabilities in analytics queries (impressions, clicks, CTR trends)
• Fixed SQL injection in the legacy importer controller
• Fixed XSS in banner rendering: added proper escaping for image src, alt, title, link href, and target attributes
• Fixed XSS in text banner rendering: added escaping for width/height style attributes
• Fixed stored XSS risk: sanitized IP address and User-Agent before saving to the database
• Fixed SSRF in image size detection: replaced raw cURL and getimagesize() with wp_remote_get()
• Fixed SSRF in remote image validation: replaced raw cURL with wp_remote_head()
• Hardened options update endpoint with schema validation, key whitelist, and sanitize_file_name() for template paths
• Hardened wp_loaded banner endpoint: added post type check, ID validation, null safety, and wp_kses_post() output filtering
• Removed full plugin options exposure from public frontend
• Used wp_json_encode() for all inline script output to prevent script injection

Bug Fixes

• Fixed Gutenberg block not filtering by campaign
• Fixed banner layout always forced to vertical regardless of the layout parameter
• Fixed banner preview meta box not appearing in the editor
• Fixed analytics data not deleted when a banner is permanently removed
• Fixed cron cleanup events not cleared when tracking is disabled or plugin is deactivated
• Fixed N+1 query issue: banner click/impression counts with value 0 no longer trigger unnecessary COUNT queries
• Fixed resetOptions calling a non-existent AJAX action
• Fixed DataTable crash when a banner has no campaigns assigned
• Fixed CSV export using incorrect escape sequence instead of RFC 4180 standard

Improvements

• Replaced remove_all_filters(‘parse_query’) with explicit suppress_filters
• Replaced deprecated get_terms() positional arguments with array syntax
• Replaced date() with gmdate() for WordPress coding standards
• Aligned all SQL queries to use %i placeholder for table identifiers
• Removed all debug error_log() calls and console.log() from production code
• Migrated CPT meta box registration to registerMetaBoxes()

1.11.0

Security & Enhancement Updates

Security

• Added SSRF protection for external banner image URLs
• Added wp_bannerize_is_remote_image() validation method
• Only allows JPEG, PNG, and GIF formats from external sources
• Added admin error notice when invalid image URLs are submitted

Improvements

• Standardized code formatting and indentation
• Added user-friendly error messages for invalid banner image URLs