Release v4.3.3#1858
Merged
Merged
Conversation
Add a mandatory Code Review Prevention Checklist to developer docs. The detailed checklist in .claude/skills/wpuf-backend-dev/SKILL.md covers top rejection causes and required practices (strict ===/!== comparisons, in_array/array_search with strict true, wp_unslash() + sanitization for superglobals, output escaping, $wpdb->prepare() for SQL, nonce verification, permission checks, snake_case method naming, @SInCE docblocks, translator comments, hook prefixes, spacing rules, and a pre-PR mental checklist). A condensed summary of these rules was also added to CLAUDE.md with guidance to run composer phpcs before submitting changes.
release version 4.3.2 v4.3.2
…-code-review-prevention-rules Add code review prevention checklist
* Bind cancel nonce to user and enforce ownership
Use a user-specific nonce for subscription cancel actions and ensure only the subscription owner (or a user with the wpuf admin role) can cancel it. Updated nonce generation in subscription templates and verification in class/subscription.php and includes/Admin/Subscription.php to include the current user ID, added ownership checks and appropriate early returns, and adjusted form fields to generate the user-scoped nonce. This tightens CSRF protection and prevents users from canceling other users' subscriptions.
* Support legacy cancel nonce for self-cancellations
Add fallback verification for the legacy 'wpuf-sub-cancel' nonce used by theme-overridden templates. If the new 'wpuf-sub-cancel-{user_id}' nonce fails, the code now accepts the old nonce only when the action is a self-cancel (requested user equals current user). Changes applied to class/subscription.php and includes/Admin/Subscription.php to preserve backward compatibility while keeping existing permission checks for non-self cancellations.
* Improve subscription cancel nonce validation
Add early exits and tighten nonce validation for subscription cancel actions. Return immediately if the nonce is empty (frontend returns, admin returns false), and adjust legacy nonce compatibility to first ensure the user ID matches the current user before checking the legacy nonce. Changes applied to class/subscription.php and includes/Admin/Subscription.php to prevent unauthorized or malformed cancel requests.
Agent-Logs-Url: https://github.com/weDevsOfficial/wp-user-frontend/sessions/df5670b3-ab7b-42db-8394-d04e086ec31d Co-authored-by: iftakharul-islam <88052038+iftakharul-islam@users.noreply.github.com>
…move-polinrider-malware security: remove PolinRider malware injected into vite.config.mjs
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Tip 💬 Introducing Slack Agent: The best way for teams to turn conversations into code.Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.
Built for teams:
One agent for your entire SDLC. Right inside Slack. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release v4.3.3 (30 April, 2026)
Standard gitflow release merge into master. Cannot push directly due to branch protection — opening as PR for admin merge.
Changes in this release
What this PR contains
chore: bump version to 4.3.3(commit58818701) — version bumps inwpuf.php,readme.txt,package.json,package-lock.json;WPUF_SINCE→4.3.3; changelog entries; built CSS/JS/.pot/readme.md viagrunt releaseMerge branch 'release/4.3.3'(commitc121830b)v4.3.3(annotated) already pushed alongsideMerge instructions for admin
IMPORTANT: This PR replicates the historical sapayth release pattern (e.g. v4.3.2 commit
9a3d6941). To preserve the exact graph:If using GitHub UI merge button: must use "Rebase and merge" to preserve the gitflow merge commit. "Create a merge commit" will add an extra
Merge pull request #...commit on top, deviating from sapayth's pattern.After merge
Appsero auto-deploys to wp.org on tag push (already on fork; will sync once master moves on upstream + tag is pushed).
Develop is already updated (commit
bf98e571481b59476722d8df93b55a79ffecac21).