# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [6.1.1] - 2026-05-13

### Fixed
- Checkout: `leanpay_payment_confirmation.php` could fail nonce validation on the first attempt in some setups. Added WooCommerce order key fallback for more reliable confirmation flow.
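As an added illustration of the fix above (example code written for this changelog, not the plugin's own confirmation handler), the pattern is: verify the nonce first, and only if that fails fall back to matching the order key that WooCommerce stores on the order. The fallback is still an authorization check, not a bypass, because the order key is a per-order secret. The function name `leanpay_example_confirm_order`, the nonce action string and the `$request` array are assumptions.

```php
<?php
// Added example, not plugin code. Assumed: the confirmation URL carries either
// a nonce (_wpnonce) for action 'leanpay_confirm_{order_id}' or the WooCommerce
// order key (key=wc_order_...). Both are checked against the stored order.

/**
 * Return true only when the request proves it came from this order's checkout:
 * a valid nonce bound to the order id, or a matching WooCommerce order key.
 */
function leanpay_example_confirm_order( int $order_id, array $request ): bool {
    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        return false;
    }

    // 1. Primary check: nonce tied to this specific order id.
    $nonce = isset( $request['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $request['_wpnonce'] ) )
        : '';
    if ( '' !== $nonce && wp_verify_nonce( $nonce, 'leanpay_confirm_' . $order_id ) ) {
        return true;
    }

    // 2. Fallback: the submitted order key must equal the one WooCommerce stored.
    //    hash_equals() compares in constant time; known value first, user value second.
    $submitted_key = isset( $request['key'] )
        ? wc_clean( wp_unslash( $request['key'] ) )
        : '';
    if ( '' !== $submitted_key && hash_equals( $order->get_order_key(), $submitted_key ) ) {
        return true;
    }

    // Neither proof present: refuse and leave a trace for the site operator.
    wc_get_logger()->warning(
        sprintf( 'Confirmation rejected for order %d: nonce and order key both invalid.', $order_id ),
        array( 'source' => 'leanpay-example' )
    );
    return false;
}
```

Call it from the confirmation endpoint before touching order status; a `false` return should end the request with a generic error rather than reveal which check failed.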

### Technical
- Tested with WooCommerce **10.7.0** (plugin header).

## [6.1.0] - 2026-04-02

### Added
- **Product pages:** setting **Position on product pages** to choose where the Leanpay block appears (e.g. before/after price via `woocommerce_get_price_html`, summary hooks, before/after add to cart, meta, after summary, or a dedicated product tab).
- **Catalog / shop loops:** setting **Position on catalog pages** to place Leanpay before or after the loop title, or before or after the add to cart link (`woocommerce_loop_add_to_cart_link`).
- **Admin:** clearer display of automatic installment price update scheduling (last successful update, next WP-Cron run, queued manual update) under manual price update.

### Changed
- **Major redesign** of front-end Leanpay widgets (catalog, product page, checkout).
- Renamed loop callback from `leanpay_before_cart_btn` to `leanpay_show_loop` for clarity.
- Admin: position select fields are toggled when **On catalog pages** / **On product pages** are disabled; user-facing labels for placement options.
- Updated translations.

### Removed
- Unused legacy gateway options no longer shown in settings (e.g. legacy color keys and installment font-size keys).

### Fixed
- Saving WooCommerce payment settings no longer risks wiping other gateway options when the custom tab link nonce is absent on POST (reliable `panel` / `lng` detection on save).

### Technical
- Tested with WooCommerce **10.6.2** (plugin header and README).

## [6.0.4] - 2026-03-30

### Changed
- Markets limited to Slovenia (SI) and Romania (RO); Croatia and Hungary removed from settings and logic.
- Removed the "Double price" feature (settings and front-end display).

### Added
- Added market-specific 0% interest price threshold (Romania does not support 0% interest rate); exposed to leanpay.js via localized params.

### Fixed
- Variable products: fixed AJAX HTML for Leanpay block (banner + modal), nonce security, and locale switching so translated strings load on variation change.
- Translations: AJAX requests send `determine_locale()` and use `switch_to_locale()` so strings match the current language.

### Technical
- Enqueued JS for reliable cache busting.

## [6.0.3] - 2026-03-27

### Changed
- WordPress.org release version.
- Updated readme/changelog packaging and release metadata for WordPress.org distribution.

## [6.0.2] - 2026-02-03

### Added
- Added new "Advanced" settings panel with custom CSS field for front-end styling customization
- Users can now add custom CSS code that will be automatically applied to Leanpay elements on the front-end

### Fixed
- Fixed duplicate CSS enqueue issue where `leanpay_cene_css` was being loaded multiple times on page load
- Fixed plugin textdomain loading issue that was preventing translations from being loaded correctly
- Minor CSS fixes and improvements for better front-end display
- Improved code comments and documentation
- Fixed an API vendor URL bug that occurred when upgrading

## [6.0.1] - 2025-01-21

### Fixed
- Fixed frontend checkout display issue where HTML content was being escaped incorrectly, preventing proper rendering of Leanpay information on checkout page

## [6.0.0] - 2025-12-18

### Changed - Preparation for WordPress.org Release
- **Security Improvements**:
  - Added comprehensive input sanitization for all user inputs (`GET`, `POST`, `REQUEST`, `SERVER` variables)
  - Implemented proper output escaping using WordPress escaping functions (`esc_html`, `esc_attr`, `esc_url`, etc.)
  - Replaced all SQL queries with prepared statements using `$wpdb->prepare()`
  - Added input validation for webhook data and API responses
  - Sanitized all URLs, colors, and text inputs before use
  - Escaped all output in HTML attributes, URLs, and inline content

### Security
- Fixed potential SQL injection vulnerabilities by using prepared statements
- Fixed potential XSS vulnerabilities by escaping all output
- Sanitized all user inputs before database operations
- Validated and sanitized JSON webhook data
- Added proper escaping for admin order meta data display
- Secured all API calls with proper input sanitization

### Code Quality
- Improved code standards compliance with WordPress Coding Standards
- Replaced `json_encode()` with `wp_json_encode()` for better compatibility
- Replaced `addslashes()` with proper `sanitize_text_field()` and validation
- Improved error handling with proper WordPress functions (`wp_die`, `wp_send_json_error`)
- Enhanced URL construction with proper escaping

### Technical
- All `$_GET`, `$_POST`, `$_REQUEST` variables now properly sanitized
- All `$_SERVER` variables sanitized before use
- All database queries use prepared statements
- All HTML output properly escaped
- All JavaScript output properly escaped
- All URL parameters properly escaped
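The 6.0.0 entries above (sanitization on input, `$wpdb->prepare()` for queries, escaping on output, `wp_json_encode()` instead of `json_encode()`) describe one hardening pattern. As an added example, not code from this plugin, here is that pattern for a single admin lookup, shown as the unsafe "before" beside the hardened "after". The table name `leanpay_log`, the `panel` parameter and the `leanpay_example_*` function names are assumptions.

```php
<?php
// Added example, not plugin code. Assumed: a custom table {prefix}leanpay_log
// with columns order_id and status, queried by a 'panel' GET parameter.

// BEFORE (unsafe): raw superglobals flow into SQL and HTML unchanged.
function leanpay_example_unsafe_lookup() {
    global $wpdb;
    $panel = addslashes( $_GET['panel'] );                 // addslashes() is not SQL escaping
    $rows  = $wpdb->get_results(                           // string-built query: SQL injection
        "SELECT order_id, status FROM {$wpdb->prefix}leanpay_log WHERE panel = '$panel'"
    );
    foreach ( $rows as $row ) {
        echo '<li>' . $row->order_id . ': ' . $row->status . '</li>'; // unescaped: stored XSS
    }
    echo '<script>var panel = ' . json_encode( $panel ) . ';</script>';
}

// AFTER (safe): sanitize on input, prepare the query, escape for each output context.
function leanpay_example_safe_lookup() {
    global $wpdb;

    // Input: wp_unslash() removes the slashes WordPress adds, then sanitize to plain text.
    $panel = isset( $_GET['panel'] ) ? sanitize_text_field( wp_unslash( $_GET['panel'] ) ) : '';
    if ( '' === $panel ) {
        wp_die( esc_html__( 'Missing panel parameter.', 'leanpay-example' ) );
    }

    // Query: %s placeholder; $wpdb->prepare() quotes and escapes the value.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT order_id, status FROM {$wpdb->prefix}leanpay_log WHERE panel = %s",
            $panel
        )
    );

    // Output: esc_html() for text nodes; cast the id so it can only be a number.
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( (int) $row->order_id ) . ': ' . esc_html( $row->status ) . '</li>';
    }

    // Inline JS: wp_json_encode() sanitizes invalid UTF-8 instead of returning false
    // as json_encode() does, so the script never ends up with a bare `var x = ;`.
    echo '<script>var leanpayPanel = ' . wp_json_encode( $panel ) . ';</script>';
}
```

The three layers are independent: sanitizing `$panel` does not make the raw query safe (prepare still does that), and a prepared query does not make `$row->status` safe to print (escaping still does that). Each check guards a different boundary, which is why the changelog lists them separately.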

### Documentation
- Added comprehensive README.md
- Added CHANGELOG.md file
- Improved inline code documentation

---

## Previous Versions

For changes in versions prior to 6.0.0, please refer to previous release notes or contact support.

