
Release Notes

1.13.0

Feature, Security & Compatibility Update

✨ New Features

  • Added WebP image format support for local and remote banners
  • WebP banners can now be uploaded from the media library or linked via external URLs
  • Updated remote image validation to accept image/webp content type

🔒 Security

  • Hardened analytics queries: campaign and banner ID filters now use $wpdb->prepare() placeholders
  • Fixed invalid SQL placeholder in analytics cleanup LIMIT clause
  • Hardened meta key JOINs in banner query builder with $wpdb->prepare()
  • Fixed SQL export using unescaped table name in INSERT statements
  • Added capability check to admin error notice display

🐛 Bug Fixes

  • Fixed PHP 8.0+ str_starts_with() usage that broke compatibility with PHP 7.4
  • Fixed Gutenberg block missing type field for orderby attribute causing REST API warnings
  • Fixed fatal error in getBannerClasses() when banner post is null
  • Fixed uninitialized variables when image size detection fails
  • Fixed incorrect escaping and sanitization in admin column output

🚀 Improvements

  • Redesigned horizontal layout with modern flexbox and responsive 2-column grid
  • Vertical layout updated with flexbox and consistent gap spacing
  • Banner images are fully responsive with max-width: 100%
  • Refactored banner query meta key JOINs to loop-based construction
  • Removed dead code and refreshed documentation

1.12.0

Security, Bug Fixes & Improvements

🔒 Security

  • Fixed SQL injection vulnerabilities in analytics queries (impressions, clicks, CTR trends)
  • Fixed SQL injection in the legacy importer controller
  • Fixed XSS in banner rendering: added proper escaping for image src, alt, title, link href, and target attributes
  • Fixed XSS in text banner rendering: added escaping for width/height style attributes
  • Fixed stored XSS risk: sanitized IP address and User-Agent before saving to the database
  • Fixed SSRF in image size detection: replaced raw cURL and getimagesize() with wp_remote_get()
  • Fixed SSRF in remote image validation: replaced raw cURL with wp_remote_head()
  • Hardened options update endpoint with schema validation, key whitelist, and sanitize_file_name() for template paths
  • Hardened wp_loaded banner endpoint: added post type check, ID validation, null safety, and wp_kses_post() output filtering
  • Removed full plugin options exposure from public frontend: only impressions/clicks enabled and nonce are now output
  • Removed unnecessary options dump from analytics admin page script localization
  • Used wp_json_encode() for all inline script output to prevent script injection

🐛 Bug Fixes

  • Fixed Gutenberg block not filtering by campaign: campaigns attribute was not passed to the render function
  • Fixed banner layout always forced to vertical regardless of the layout parameter
  • Fixed banner preview meta box not appearing in the editor due to deprecated registerMetaBoxCallback
  • Fixed analytics data (impressions and clicks) not deleted when a banner is permanently removed
  • Fixed cron cleanup events not cleared when tracking is disabled or plugin is deactivated
  • Fixed N+1 query issue: banner click/impression counts with value 0 no longer trigger unnecessary COUNT queries
  • Fixed undefined variable warning in wp_bannerize_pro_sanitize_mysql_datetime()
  • Fixed resetOptions calling a non-existent AJAX action
  • Fixed DataTable crash when a banner has no campaigns assigned (null campaigns field)
  • Fixed manage_analytics permission check using .length on a boolean value
  • Fixed CSV export using incorrect escape sequence instead of RFC 4180 standard

🚀 Improvements

  • Replaced remove_all_filters('parse_query') with explicit suppress_filters in banner query methods
  • Replaced deprecated get_terms() positional arguments with array syntax
  • Replaced date() with gmdate() throughout analytics trait for WordPress coding standards
  • Aligned all SQL queries in analytics trait to use %i placeholder for table identifiers
  • Removed redundant esc_attr() wrapping on values already cast with absint()
  • Removed duplicate wp_set_script_translations registration
  • Removed all debug error_log() calls and console.log() statements from production code
  • Migrated CPT meta box registration from deprecated registerMetaBoxCallback to registerMetaBoxes()
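The prepared-statement pattern behind the analytics query hardening in 1.13.0 and the %i identifier placeholders in 1.12.0, as an added illustration rather than the plugin's own code. It assumes a WordPress context (`$wpdb`, `%d`, `%i` are core; `%i` needs WordPress 6.2 or newer) and a constructed table name and columns.

```php
<?php
// Added example, not plugin code. Assumes WordPress is loaded ($wpdb available)
// and a hypothetical table {prefix}banner_impressions(banner_id, campaign_id, created_at).

// Weak shape: IDs and the table name are interpolated straight into the SQL.
// A non-numeric $campaign_id such as "1 OR 1=1" rewrites the WHERE clause.
function example_impressions_unsafe( $wpdb, $table, $campaign_id, $banner_id ) {
    $sql = "SELECT COUNT(*) FROM {$table}
            WHERE campaign_id = {$campaign_id} AND banner_id = {$banner_id}";
    return $wpdb->get_var( $sql );
}

// Hardened shape: %d forces each ID to an integer (non-numeric input becomes 0),
// and %i backtick-quotes the table identifier, which %s cannot do safely.
function example_impressions_safe( $wpdb, $table, $campaign_id, $banner_id ) {
    $sql = $wpdb->prepare(
        'SELECT COUNT(*) FROM %i WHERE campaign_id = %d AND banner_id = %d',
        $table,
        $campaign_id,
        $banner_id
    );
    return (int) $wpdb->get_var( $sql );
}

// Cleanup with a LIMIT placeholder: LIMIT must be %d. prepare() wraps %s in
// quotes, so a %s here would emit LIMIT '500', which MySQL rejects.
function example_cleanup_old_rows( $wpdb, $table, $days, $batch ) {
    return $wpdb->query( $wpdb->prepare(
        'DELETE FROM %i WHERE created_at < DATE_SUB( NOW(), INTERVAL %d DAY ) LIMIT %d',
        $table,
        $days,
        $batch
    ) );
}

// Usage inside WordPress (constructed values):
// global $wpdb;
// $table = $wpdb->prefix . 'banner_impressions';
// $count = example_impressions_safe( $wpdb, $table, $_GET['campaign'] ?? 0, $_GET['banner'] ?? 0 );
// example_cleanup_old_rows( $wpdb, $table, 90, 500 );
```

The same `%i` placeholder is what makes an `INSERT INTO %i (...)` export statement safe when the table name is not a literal in the source.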

1.11.0

Security & Enhancement Updates

🔒 Security

  • SSRF Protection: Added Server-Side Request Forgery (SSRF) protection for external banner image URLs
  • Added wp_bannerize_is_remote_image() method to validate remote image URLs
  • Only allows JPEG, PNG, and GIF image formats from external sources
  • Requires an HTTP 200 response when validating remote images
  • Prevents malicious URL exploitation through banner uploads
  • Added admin error notice when invalid image URLs are submitted
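The remote image check described here, together with the 1.12.0 move from raw cURL to the WordPress HTTP API and the 1.13.0 acceptance of image/webp, as an added example. It is not the plugin's wp_bannerize_is_remote_image(); the function name below is a hypothetical stand-in, and the option values are assumptions.

```php
<?php
// Added example, not plugin code. Assumes the WordPress HTTP API is loaded.
// example_is_remote_image() is a hypothetical stand-in for the plugin's check.
function example_is_remote_image( $url ) {
    // JPEG, PNG and GIF per 1.11.0, WebP added in 1.13.0.
    $allowed = array( 'image/jpeg', 'image/png', 'image/gif', 'image/webp' );

    // Refuse anything that is not http(s) before touching the network
    // (file://, gopher:// and friends never reach the HTTP client).
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return false;
    }

    // HEAD request through the WordPress HTTP API instead of raw cURL.
    // The *_safe_* variant sets reject_unsafe_urls, so wp_http_validate_url()
    // rejects loopback and private-range hosts, which is the SSRF concern.
    // Redirects are disabled so a 302 cannot re-point the request elsewhere.
    $response = wp_safe_remote_head( $url, array(
        'timeout'     => 5,
        'redirection' => 0,
    ) );
    if ( is_wp_error( $response ) ) {
        return false;
    }

    // Only a plain 200 counts as a valid image (no 3xx, 4xx, 5xx).
    if ( 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }

    // Content-Type may carry parameters ("image/png; charset=binary") and may
    // be returned as an array when the header repeats; compare the media type only.
    $header = wp_remote_retrieve_header( $response, 'content-type' );
    if ( is_array( $header ) ) {
        $header = (string) reset( $header );
    }
    $type = strtolower( trim( strtok( (string) $header, ';' ) ) );

    return in_array( $type, $allowed, true );
}

// Usage (constructed URL): reject the submission and queue the admin notice on false.
// if ( ! example_is_remote_image( 'https://cdn.example.test/banner.webp' ) ) { /* show error notice */ }
```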

🎨 Code Quality

  • Standardized code indentation and formatting
  • Improved readability and consistency across the codebase

🚨 User Experience

  • Added user-friendly error messages for invalid banner image URLs
  • Clear feedback for users when external image URLs fail validation