Content Mask

Changelog

1.8.5.4

  • Security: require edit-post capability before returning a post’s role/condition permissions over AJAX, fixing an Insecure Direct Object Reference (IDOR). Reported by Nabil Irawan (CVE-2025-58012).
  • Hardening: the “Content Mask enabled” admin notice now reads the current post from the trusted global rather than the raw request parameter.

1.8.5.3

  • Revive abandoned notice, address SSRF

1.8.5.2

  • Fix titles on iframe pages with some themes

1.8.5.1

  • Fix null-coalescing operator for PHP 7.3 in admin panel

1.8.5

  • Minor CSS Fixes for Columns
  • Allow custom “Go Back

1.8.4.15

  • fix for non-slashed relative urls in Download method

1.8.4.14

  • adjust kses for SVGs and output

1.8.4.13

  • Fix count in unique views

1.8.4.11

  • allow more in kses

1.8.4.9

  • Allow ‘id’ attribute in style and script tags for kses

1.8.4.9

  • More pragmatic approach to wp_kses for scripts, styles, and HTML elements in single script areas and universal script areas
  • Fixed Universal CSS in iframe and download

1.8.4.7

  • Adjust wp_kses to allow script src

1.8.4.6

  • Fixed individual footer scripts not being parsed and displayed

1.8.4.5

  • Fixed missed/broken escapes and entity decoding for some header/footer sections

1.8.4.4

  • Fixed missed SE/EL/AV mantra
  • Added kses to some outputs

1.8.4.3

  • Additional early sanitization
  • additional late escaping in iframe output

1.8.4.2

  • Additional Sanitization and Escaping
  • Fixed accidental var_dump
  • Adjusted script field display

1.8.4.1

  • Added much more escaping and sanitization where required. Attributes, URLs, and bare HTML are escaped.
  • Added individual function nonces for additional security, no longer reliant on a single nonce.
  • Changed most concatenation to formatted strings for clarity and ease of escaping.

1.8.4

  • Added WP Nonce Validation to all AJAX requests
  • Checked user permissions/caps where necessary
  • Patched security vulnerability where authenticated users could modify non-content mask options

1.8.3.2

  • Add “Footer Scripts” section for Download and Iframe method
  • Fix minor script access issue

1.8.3

  • Fix PHP notice from smoke test for post_type_XYZ_checked dynamic variable

1.8.3

  • Adjust single post type metabox to better illustrate Mask state
  • Additional CSS to handle screen sizes better

1.8.2.9

  • Prevent Content Mask save_meta function from running on post types that aren’t considered “public”, also hid meta box

1.8.2.7

  • Fixed an issue with headers being sent and an error showing in the customizer

1.8.2.6

  • Fixed an issue where Content Mask admin styles were being applied to other elements on the edit.php admin base screen.

1.8.2.4

  • Modified IFL check
  • Added Post Types to “Hide Content Mask From” list. Removes meta box and all active page processing for specified post type(s).

1.8.2.3

  • In some instances, roles aren’t set when checked. Forced to array or skip in all cases.

1.8.2.2

  • Replace deprecated functions

1.8.2

  • Added “Content Mask Role” permissions. All roles enabled by default. Users with “manage_options” capability can disable Content Masking admin page/metabox for each role.
  • Require “manage_options” capability to modify content mask options or scripts/styles settings

1.8.1.10

  • Minor updates to IFL Request check, fix two further undefined index warnings on iframe specific requests

1.8.1.9

  • Check infractions list, fix PHP string/array comparison warning in metabox.

1.8.1.8

  • Fix in_array errors in metabox

1.8.1.7

  • Fixed two inconsequential PHP notices

1.8.1.6

  • Updated jQuery.load call to jQuery.on(‘load’)

1.8.1.5

  • Added an option “Return Link” to allow users to go back to their previous page.

1.8.1.4

  • Removed diagnostic code that was accidentally left in “condition permissions”.

1.8.1.3

  • Fixed scripts and styles saving in the admin
  • Added condition permissions

1.8.1.2

  • Allow use of standard wp_head() in iframes

1.8.1.1

  • Minor fixes from 1.8.1

1.8.1

  • Patched some minor security vulnerabilities exposed by PHP Grinder
  • Allow Role-Based Content Mask Permission Locking.
  • Added Support-based Iframe Query-Parameter Overrides

1.8.0.6

  • Allow variants of ‘localhost’ in the Content Mask URL

1.8.0.5

  • Allow passing of URL parameters to iframe
  • update baked in version

1.8.0.4

  • Updated Chrome User Agent String for HTTP Headers option

1.8.0.3

  • Fixed displaying visitor tracking columns in admin panel

1.8.0.2

  • Compatibility for WordPress 5.4 confirmed
  • Fixed an issue where the Refresh Transient option wasn’t working properly
  • Made find/replace functions in the download method more reliable.
  • Added content generator meta tag in the tag on the download method.

1.8.0.1

  • Fixed an issue where Error Reporting was turned on for the entire site after updating

1.8.0

  • Introduced a method to easily create new content masks from the Content Mask admin panel.
  • Content Mask has partnered with WhirLocal to embed Landing Pages and other content. A link to sign up for a FREE account has been added to the admin panel.


Author
Alex
Version:
1.8.5.4
Last Updated
June 1, 2026
Active Installs
1000
Requires
WordPress 4.7
Tested Up To
WordPress 6.9.4
Requires PHP
5.4
