Claude/test plugin bugs k f aww#1
Merged
- Fix authorization bypass in webhook manager (missing return after permission check)
- Fix array access without bounds checking in membership/product handling
- Add table name sanitization to prevent SQL injection in site duplication
- Improve deserialization security by removing @ error suppression
- Add Stripe API array validation before accessing charge data
- Replace die() with wp_die() for proper WordPress AJAX handling
- Add nonce verification to unprotected AJAX handlers
- Sanitize user meta before saving in checkout
- Add missing text domains for i18n compliance
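The first, third and seventh items in the commit above describe three classic WordPress plugin defects. The following is an added example, not code from the plugin or from this PR: an admin-ajax handler whose permission check does not stop execution (the authorization bypass), the same handler with nonce verification and a terminating failure path, and an allow-list check for table names used in site duplication. Every `wu_demo_*` name, the nonce action and the capability are assumptions; the WordPress functions called are real.

```php
<?php
/**
 * Added example, not code from the plugin or from this PR. It writes out two
 * of the fixes listed above for a WordPress admin-ajax handler: a permission
 * check whose failure branch does not stop execution (authorization bypass),
 * and a handler with no nonce check (CSRF). It also shows allow-listing a
 * table name for site duplication. Every wu_demo_* name, the nonce action and
 * the capability are assumptions; the WordPress functions are real.
 */

// BEFORE (vulnerable): the capability check runs, but nothing stops the
// function, so the privileged delete is reached by any logged-in user.
function wu_demo_delete_webhook_insecure() {
    if ( ! current_user_can( 'manage_network' ) ) {
        error_log( 'wu_demo: permission denied' ); // no return, no exit
    }
    wu_demo_delete_webhook_row( (int) ( $_POST['webhook_id'] ?? 0 ) );
    wp_send_json_success();
}

// AFTER (hardened): nonce, then capability, then input validation; every
// failure path leaves the function before the privileged operation.
function wu_demo_delete_webhook_secure() {
    // Dies with "-1" if the nonce is missing or stale. The nonce is bound to
    // the logged-in user's session, which is what defeats cross-site requests.
    check_ajax_referer( 'wu_demo_webhook_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_network' ) ) {
        // wp_send_json_error() ends the request through wp_die(). The explicit
        // return keeps the control flow correct even if this helper is later
        // swapped for one that only echoes.
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
        return;
    }

    $id = absint( $_POST['webhook_id'] ?? 0 );
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'invalid webhook id' ), 400 );
        return;
    }

    wu_demo_delete_webhook_row( $id );
    wp_send_json_success( array( 'deleted' => $id ) );
}
add_action( 'wp_ajax_wu_demo_delete_webhook', 'wu_demo_delete_webhook_secure' );

function wu_demo_delete_webhook_row( $id ) {
    global $wpdb;
    // Table name comes from $wpdb, never from the request; the id is bound as %d.
    $wpdb->delete( $wpdb->base_prefix . 'wu_webhooks', array( 'id' => $id ), array( '%d' ) );
}

/**
 * Site duplication runs statements like "CREATE TABLE new LIKE old". Identifiers
 * cannot be passed through %s in $wpdb->prepare(), so a table name has to be
 * validated rather than escaped: strict character class, the source site's own
 * prefix, and it must actually exist. Returns the name, or false.
 */
function wu_demo_validate_source_table( $table, $source_blog_id ) {
    global $wpdb;
    $prefix = $wpdb->get_blog_prefix( $source_blog_id );

    if ( ! preg_match( '/^[A-Za-z0-9_]{1,64}$/', $table ) || 0 !== strpos( $table, $prefix ) ) {
        return false;
    }
    // esc_like() so the underscores in the name are literal, not LIKE wildcards.
    $found = $wpdb->get_var( $wpdb->prepare( 'SHOW TABLES LIKE %s', $wpdb->esc_like( $table ) ) );
    return ( $found === $table ) ? $table : false;
}

function wu_demo_clone_table( $table, $source_blog_id, $target_blog_id ) {
    global $wpdb;
    $source = wu_demo_validate_source_table( $table, $source_blog_id );
    if ( false === $source ) {
        return false;
    }
    // Target name is derived from the validated source name, so it stays inside
    // the same character class.
    $target = $wpdb->get_blog_prefix( $target_blog_id )
            . substr( $source, strlen( $wpdb->get_blog_prefix( $source_blog_id ) ) );

    $wpdb->query( "CREATE TABLE `{$target}` LIKE `{$source}`" );
    return $wpdb->query( "INSERT INTO `{$target}` SELECT * FROM `{$source}`" );
}
```

On WordPress 6.2 and later `$wpdb->prepare()` also accepts the `%i` identifier placeholder, which quotes a table or column name for you; the existence check above is still worth keeping, because `%i` quotes a name but does not tell you whether it belongs to the site being cloned.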
…2.5.0)

Security improvements:
- Add Rate_Limiter class for protecting checkout and sensitive endpoints
- Add Audit_Logger for tracking sensitive operations (payments, memberships, logins)
- Add Security_Headers class with CSP and other protective headers
- Integrate rate limiting into checkout process

Performance improvements:
- Add Query_Cache helper for caching expensive database queries
- Add Lazy_Loader for host provider integrations (load on demand)
- Implement automatic cache invalidation on data changes

New features:
- Add GraphQL API alongside REST API for flexible data querying
- Add Multi_Currency support for international pricing
- Add Analytics dashboard with revenue, signups, MRR, and churn charts
- Support 40+ currencies with automatic exchange rate updates

Version bump to 2.5.0
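The commit above adds a Rate_Limiter and wires it into checkout. As an added example, not the plugin's own class, here is a fixed-window limiter keyed on client IP and action and stored in WordPress transients; when run outside WordPress (plain `php` on the command line) it falls back to an in-memory array so the logic can be exercised. The `Wu_Demo_*` names, the `wu_demo_before_checkout` hook and the 10-per-minute policy are assumptions.

```php
<?php
/**
 * Added example, not the plugin's Rate_Limiter. A fixed-window limiter for the
 * checkout endpoint keyed on (action, client IP), stored in WordPress
 * transients. Outside WordPress it uses an in-memory array so the file runs
 * under plain `php` for demonstration. Names and limits are assumptions.
 */
class Wu_Demo_Rate_Limiter {
    private $limit;
    private $window;
    private static $memory = array(); // stand-alone fallback store

    public function __construct( $limit = 10, $window = 60 ) {
        $this->limit  = (int) $limit;
        $this->window = (int) $window;
    }

    public function key( $action, $ip ) {
        // Bucket by window so the counter resets; hash so the key stays short
        // and does not embed raw client data in the options table.
        $bucket = (int) floor( time() / $this->window );
        return 'wu_rl_' . md5( $action . '|' . $ip . '|' . $bucket );
    }

    /** True when the request may proceed, false when the window is exhausted. */
    public function allow( $action, $ip ) {
        $key   = $this->key( $action, $ip );
        $count = (int) $this->get( $key );
        if ( $count >= $this->limit ) {
            return false;
        }
        $this->set( $key, $count + 1, $this->window );
        return true;
    }

    private function get( $key ) {
        if ( function_exists( 'get_transient' ) ) {
            return get_transient( $key );
        }
        return self::$memory[ $key ] ?? 0;
    }

    private function set( $key, $value, $ttl ) {
        if ( function_exists( 'set_transient' ) ) {
            set_transient( $key, $value, $ttl );
            return;
        }
        self::$memory[ $key ] = $value;
    }
}

// Trust REMOTE_ADDR only. X-Forwarded-For is attacker-controlled unless a
// trusted proxy in front of PHP strips and re-sets it.
function wu_demo_client_ip() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

// Checkout guard: 10 attempts per minute per IP, 429 on the eleventh.
function wu_demo_guard_checkout() {
    $limiter = new Wu_Demo_Rate_Limiter( 10, 60 );
    if ( ! $limiter->allow( 'checkout', wu_demo_client_ip() ) ) {
        status_header( 429 );
        header( 'Retry-After: 60' );
        wp_die( 'Too many checkout attempts. Try again in a minute.', '', array( 'response' => 429 ) );
    }
}

if ( function_exists( 'add_action' ) ) {
    add_action( 'wu_demo_before_checkout', 'wu_demo_guard_checkout' ); // hypothetical hook
} else {
    // Stand-alone demonstration with a constructed client IP: calls 1-10 are
    // allowed, calls 11 and 12 are blocked.
    $limiter = new Wu_Demo_Rate_Limiter( 10, 60 );
    for ( $i = 1; $i <= 12; $i++ ) {
        printf( "%2d %s\n", $i, $limiter->allow( 'checkout', '203.0.113.5' ) ? 'allowed' : 'blocked' );
    }
}
```

Two caveats a reviewer would raise against this shape: the read-then-write on the transient is not atomic, so concurrent requests can exceed the limit by a few; with a persistent object cache, `wp_cache_incr()` gives an atomic counter. And a fixed window lets a client spend one full limit just before the boundary and another just after, so the real ceiling is twice the configured value over a short burst; a sliding window or token bucket fixes that at the cost of more state.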
…and tests

New features:
- Audit logging system with database table for security/payment/system events
- Real-time notifications using Server-Sent Events with polling fallback
- TypeScript configuration with strict type checking
- TypeScript versions of analytics.js and notifications.js

Admin improvements:
- Security settings section (rate limiting, audit logging, CSP headers)
- Multi-currency settings section with 40+ currencies

Testing:
- PHPUnit tests for Rate_Limiter, Query_Cache, Audit_Logger
- PHPUnit tests for Multi_Currency, Security_Headers, Lazy_Loader
- PHPUnit tests for GraphQL_API

Database:
- New audit_logs table with schema, query, and model classes
Performance optimizations to reduce per-request overhead:

Context-aware component loading:
- New Context_Loader helper determines request type (admin, frontend, cron, CLI, AJAX, REST) and only loads components needed for that context. Cron/CLI skip UI, compat layers, and admin-only managers.
- Split load_extra_components() into focused methods: core, UI, admin, compatibility, and background components.
- Deferred 21 function files to init hook (session, documentation, geolocation, invoice, color, generator, etc.)

Lazy initialization:
- New Lazy_Proxy class for deferred object creation until first use

Sunrise optimization:
- Added guard flag to prevent load_dependencies() from parsing 45+ files twice (was called from both load_domain_mapping and load)
- Removed duplicate debug.php require
- Removed duplicate class-site-query.php require

Dashboard query optimization:
- MRR growth now processes memberships in batches of 100 instead of loading all into memory at once
- Added 15-minute transient cache for computed MRR statistics
- Cache invalidated automatically on membership save/delete

Database composite indexes:
- Memberships: status+date_created, status+date_expiration, customer_id+status, recurring+status
- Payments: status+date_created, membership_id+status, customer_id+status
- Added via versioned migrations with existence checks
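The Context_Loader and Lazy_Proxy described above are worth seeing together, because the security question with context-aware loading is what happens when the context is misclassified. The following is an added example, not the plugin's code: a request classifier, a group policy in which anything that enforces policy is unconditional so a wrong guess fails closed, and a proxy that constructs the wrapped object on first use. The `Wu_Demo_*` names, the group policy and the host-provider class are assumptions.

```php
<?php
/**
 * Added example, not the plugin's Context_Loader or Lazy_Proxy. Classify the
 * request once, pick component groups for it, and defer an expensive
 * integration behind a proxy. Wu_Demo_* names and the policy are assumptions.
 */
final class Wu_Demo_Context {
    const CLI = 'cli';
    const CRON = 'cron';
    const AJAX = 'ajax';
    const REST = 'rest';
    const ADMIN = 'admin';
    const FRONTEND = 'frontend';

    public static function detect() {
        if ( defined( 'WP_CLI' ) && WP_CLI ) {
            return self::CLI;
        }
        if ( wp_doing_cron() ) {
            return self::CRON;
        }
        // AJAX before admin: is_admin() is also true for admin-ajax.php.
        if ( wp_doing_ajax() ) {
            return self::AJAX;
        }
        // REST_REQUEST is defined at parse_request, long after plugins_loaded,
        // so at plugin load time the request URI is the only available signal.
        if ( ( defined( 'REST_REQUEST' ) && REST_REQUEST ) || self::uri_looks_like_rest() ) {
            return self::REST;
        }
        return is_admin() ? self::ADMIN : self::FRONTEND;
    }

    private static function uri_looks_like_rest() {
        $uri    = (string) ( $_SERVER['REQUEST_URI'] ?? '' );
        $prefix = '/' . trim( rest_get_url_prefix(), '/' ) . '/';
        return false !== strpos( $uri, $prefix ) || false !== strpos( $uri, 'rest_route=' );
    }

    // 'core' is unconditional: nonce/capability checks, rate limits and audit
    // logging live there, so a misclassified request still runs them.
    public static function groups_for( $context ) {
        switch ( $context ) {
            case self::CRON:
            case self::CLI:
                return array( 'core', 'background' );
            case self::FRONTEND:
                return array( 'core', 'ui', 'compat' );
            default: // admin, ajax, rest
                return array( 'core', 'ui', 'admin', 'compat' );
        }
    }
}

/** Builds the wrapped object on the first method call, never before. */
final class Wu_Demo_Lazy_Proxy {
    private $factory;
    private $instance = null;

    public function __construct( callable $factory ) {
        $this->factory = $factory;
    }

    public function resolve() {
        if ( null === $this->instance ) {
            $this->instance = call_user_func( $this->factory );
            $this->factory  = null; // release the closure and what it captured
        }
        return $this->instance;
    }

    public function __call( $method, $args ) {
        return $this->resolve()->$method( ...$args );
    }
}

// Costly to construct (reads credentials, would set up an HTTP client), so
// only contexts that use it should pay for it.
class Wu_Demo_Host_Provider {
    private $api_key;

    public function __construct() {
        $this->api_key = (string) get_site_option( 'wu_demo_host_api_key', '' );
    }

    public function is_configured() {
        return '' !== $this->api_key;
    }
}

function wu_demo_boot() {
    $groups = Wu_Demo_Context::groups_for( Wu_Demo_Context::detect() );

    // Created in every context; Wu_Demo_Host_Provider::__construct runs only
    // when something calls a method on the proxy.
    $GLOBALS['wu_demo_host'] = new Wu_Demo_Lazy_Proxy( function () {
        return new Wu_Demo_Host_Provider();
    } );

    if ( in_array( 'background', $groups, true ) ) {
        add_action( 'wu_demo_daily_check', function () {
            if ( $GLOBALS['wu_demo_host']->is_configured() ) { // first use: constructed here
                do_action( 'wu_demo_provider_ready' );
            }
        } );
    }
    return $groups;
}
add_action( 'plugins_loaded', 'wu_demo_boot' );
```

The URI check for REST is a heuristic and should be treated as one; the safe direction for any doubt is to load more, not less. A proxy also changes `instanceof` and type-hint behaviour, since callers receive a `Wu_Demo_Lazy_Proxy`, so it belongs in front of services that are only ever called through methods, as here.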
…ents

WooCommerce limitation modules:
- Product count limits per plan (class-limit-wc-products.php)
- Monthly order volume limits per plan (class-limit-wc-orders.php)
- Payment gateway restrictions per plan (class-limit-wc-gateways.php)
- Enforcement hooks for WooCommerce checkout and product publishing

WooCommerce site duplication cleanup:
- Clear orders, sessions, transients, analytics after cloning
- Reset payment gateway API credentials (Stripe, PayPal)
- Remove WooCommerce REST API keys and webhooks
- Support for both legacy and HPOS order tables

Store owner analytics widget:
- Dashboard widget showing orders, revenue, products, low stock
- Month-over-month comparison with percentage changes
- 5-minute transient caching for performance

Scalability improvements:
- Paginated AJAX search (100 results) instead of unbounded (-1)
- Paginated Jumper search (200 results) instead of 10,000
- Paginated customer list table user search (200 max)
- Paginated pending site list in site list table
- Paginated dashboard activity event count query
- Batched cron membership checks (renewal, trial, expiration)

Dedicated visits table:
- New wu_visits table with (site_id, date) composite index
- Atomic upsert via INSERT ON DUPLICATE KEY UPDATE
- Transparent fallback to legacy blogmeta storage
- All query methods support both storage backends

Domain mapping cache:
- Replaced wp_cache_flush() with targeted invalidation
- Added persistent transient cache for domain lookups
- Cache invalidates both www and non-www variants
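Cloning a WooCommerce site copies the source store's payment secrets, REST API keys and webhook targets into the new site, which is the security reason for the cleanup listed above. As an added example, not the plugin's duplication code, here is a post-clone scrub for the Stripe settings and the order, session, key and webhook tables (legacy and HPOS), followed by the race-free visit counter from the same commit. The `wu_demo_*` names are assumptions; the WooCommerce option and table names are the ones current WooCommerce and its Stripe gateway use, but they change between versions, so verify them against the installed plugins. PayPal is left out because its option layout differs per PayPal plugin.

```php
<?php
/**
 * Added example, not the plugin's code. Scrubs credentials and store data from
 * a freshly cloned WooCommerce site, then shows the atomic visit upsert.
 * wu_demo_* names are assumptions; WooCommerce table/option names should be
 * checked against the installed WooCommerce version.
 */
function wu_demo_scrub_cloned_woocommerce( $new_blog_id ) {
    global $wpdb;
    switch_to_blog( $new_blog_id );
    $prefix = $wpdb->prefix; // the clone's own prefix after switch_to_blog()

    // 1. Stripe: blank every key and disable the gateway, so the clone cannot
    //    take payments into the source store's Stripe account.
    $stripe = get_option( 'woocommerce_stripe_settings', array() );
    if ( is_array( $stripe ) ) {
        foreach ( array( 'secret_key', 'publishable_key', 'test_secret_key',
                         'test_publishable_key', 'webhook_secret', 'test_webhook_secret' ) as $k ) {
            if ( isset( $stripe[ $k ] ) ) {
                $stripe[ $k ] = '';
            }
        }
        $stripe['enabled'] = 'no';
        update_option( 'woocommerce_stripe_settings', $stripe );
    }

    // 2. Per-store tables that must start empty: REST API keys, webhooks,
    //    sessions, legacy order items, HPOS order tables, analytics stats.
    //    Names are fixed here, never taken from input; each is checked first.
    $tables = array(
        'woocommerce_api_keys', 'wc_webhooks', 'woocommerce_sessions',
        'woocommerce_order_items', 'woocommerce_order_itemmeta',
        'wc_orders', 'wc_orders_meta', 'wc_order_addresses', 'wc_order_operational_data',
        'wc_order_stats',
    );
    foreach ( $tables as $table ) {
        $full  = $prefix . $table;
        $found = $wpdb->get_var( $wpdb->prepare( 'SHOW TABLES LIKE %s', $wpdb->esc_like( $full ) ) );
        if ( $found === $full ) {
            $wpdb->query( "TRUNCATE TABLE `{$full}`" );
        }
    }

    // 3. Legacy (post-based) orders and their meta in one multi-table delete.
    $wpdb->query(
        "DELETE p, m FROM {$prefix}posts p
         LEFT JOIN {$prefix}postmeta m ON m.post_id = p.ID
         WHERE p.post_type IN ('shop_order', 'shop_order_refund')"
    );

    // 4. Transients (covers _transient_timeout_* too, same prefix).
    $like = $wpdb->esc_like( '_transient_' ) . '%';
    $wpdb->query( $wpdb->prepare( "DELETE FROM {$prefix}options WHERE option_name LIKE %s", $like ) );

    restore_current_blog();
}

/**
 * Visit counter: one statement, no read-then-write race. Assumes the table
 * has UNIQUE KEY (site_id, date). Returns the affected-row count MySQL
 * reports: 1 for a new row, 2 when an existing row was incremented.
 */
function wu_demo_record_visit( $site_id ) {
    global $wpdb;
    $table = $wpdb->base_prefix . 'wu_visits';
    return $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$table} (site_id, date, hits) VALUES (%d, %s, 1)
         ON DUPLICATE KEY UPDATE hits = hits + 1",
        $site_id,
        current_time( 'Y-m-d' )
    ) );
}
```

Run the scrub inside the same operation that finishes the clone, before the new site is reachable; a clone that serves even one request with the source's webhook secret has already leaked it to whoever can trigger that webhook.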
onabhani pushed a commit that referenced this pull request on Feb 17, 2026
Bug fixes (7 fatal errors + 2 hidden errors):
- Fix #1: Move form.php and element.php from deferred to essential loading group to prevent wu_register_form() undefined fatal error
- Fix #2: Remove early wp_create_nonce() call in Security_Headers that crashed before pluggable.php was loaded
- Fix #3: Defer wp_using_ext_object_cache() call in Query_Cache to init hook when the function is available
- Fix #4: Defer wp_next_scheduled()/wp_schedule_event() calls in Multi_Currency to init hook when cron API is available
- Fix #5: Restructure supports_sse() in Realtime_Notifications to check function_exists('apache_get_modules') before calling it, fixing fatal error on Nginx/LiteSpeed servers
- Fix #6: Handle both array and string option formats in field-multiselect.php template to prevent type error
- Fix #8: Memory_Trap now checks if error is actually a memory error before showing "memory too low" message
- Fix #9: mPDF temp directory falls back to wp-content/uploads when system /tmp is not writable on shared hosting

New payment gateways:
- Tamara: Buy Now Pay Later (installments) for Middle East
- Tabby: Pay in 4 interest-free installments for GCC region
- Tap Payments: Credit/debit card processor with recurring support for MENA region

All gateways follow the Base_Gateway pattern with full support for: checkout, confirmation, webhooks, refunds, cancellation, and admin settings with sandbox/live mode toggle.

CSP headers updated to allow Tamara, Tabby, and Tap CDN/API domains.
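Fixes #2 to #4 above are all the same ordering bug: plugin files are included before `pluggable.php` and the cron API exist, so anything that calls those functions has to wait for `init`. The last line of the commit is the CSP allow-list for gateway domains. The following is an added example, not the plugin's Security_Headers class: a header emitter that does all of its work from `init` and `send_headers`, generates a per-response script nonce, and assembles the Content-Security-Policy from a directive map that includes the gateway hosts. The gateway host names are placeholders, not the real Tamara, Tabby or Tap endpoints; take those from each gateway's integration documentation. `Wu_Demo_*` names are assumptions.

```php
<?php
/**
 * Added example, not the plugin's Security_Headers. Nothing that needs
 * pluggable.php or the cron API runs at include time; the nonce and the
 * headers are produced from init/send_headers. Gateway hosts are placeholders.
 */
final class Wu_Demo_Security_Headers {
    private $nonce = '';

    // Exact origins only: no wildcards, no scheme-less entries. Placeholders.
    private $gateway_hosts = array(
        'script'  => array( 'https://checkout.gateway-a.example', 'https://js.gateway-b.example' ),
        'connect' => array( 'https://api.gateway-a.example', 'https://api.gateway-b.example' ),
        'frame'   => array( 'https://checkout.gateway-a.example' ),
    );

    public function __construct() {
        // Safe at include time: add_action() exists before pluggable.php does.
        add_action( 'init', array( $this, 'init' ) );
    }

    public function init() {
        // A CSP nonce must be unpredictable and unique per response.
        // wp_create_nonce() is neither (derived from the user session and a
        // 12-hour tick), so it is the wrong primitive here; use a CSPRNG.
        $this->nonce = rtrim( strtr( base64_encode( random_bytes( 18 ) ), '+/', '-_' ), '=' );

        add_action( 'send_headers', array( $this, 'send' ) );
        add_filter( 'script_loader_tag', array( $this, 'add_nonce_attribute' ), 10, 2 );
    }

    public function nonce() {
        return $this->nonce;
    }

    /** Assembles the Content-Security-Policy value from a directive map. */
    public function csp() {
        $directives = array(
            'default-src'     => array( "'self'" ),
            'script-src'      => array_merge( array( "'self'", "'nonce-{$this->nonce}'" ), $this->gateway_hosts['script'] ),
            'connect-src'     => array_merge( array( "'self'" ), $this->gateway_hosts['connect'] ),
            'frame-src'       => $this->gateway_hosts['frame'],
            'img-src'         => array( "'self'", 'data:', 'https:' ),
            'style-src'       => array( "'self'", "'unsafe-inline'" ), // core emits inline styles
            'object-src'      => array( "'none'" ),
            'base-uri'        => array( "'self'" ),
            'frame-ancestors' => array( "'self'" ),
        );
        $parts = array();
        foreach ( $directives as $name => $sources ) {
            $parts[] = $name . ' ' . implode( ' ', $sources );
        }
        return implode( '; ', $parts );
    }

    public function send() {
        if ( headers_sent() ) {
            return;
        }
        header( 'Content-Security-Policy: ' . $this->csp() );
        header( 'X-Content-Type-Options: nosniff' );
        header( 'Referrer-Policy: strict-origin-when-cross-origin' );
        header( 'X-Frame-Options: SAMEORIGIN' );
    }

    /** Puts the per-response nonce on every enqueued <script> tag. */
    public function add_nonce_attribute( $tag, $handle ) {
        if ( '' === $this->nonce || false !== strpos( $tag, ' nonce=' ) ) {
            return $tag;
        }
        return str_replace( '<script ', '<script nonce="' . esc_attr( $this->nonce ) . '" ', $tag );
    }
}
new Wu_Demo_Security_Headers();
```

Two things to check before enabling this on a live checkout: `send_headers` fires only for front-end requests handled by `WP::main()`, so admin screens need the same headers from a separate hook such as `admin_init`; and WordPress core and other plugins print inline scripts that `script_loader_tag` never sees, which a nonce-only `script-src` will block. Ship it first as `Content-Security-Policy-Report-Only` with a `report-uri`/`report-to` target and read the reports before switching to the enforcing header.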
No description provided.