Security: back-in-stock subscribe nonce changed to a static action so product_id is never read before authentication.
Security: all nonce values now passed through sanitize_key() before wp_verify_nonce(), per WordPress security documentation.
Security: sanitize_url() replaced with esc_url_raw() (sanitize_url was deprecated in WP 6.1).
Security: absint() calls on POST user_id now include wp_unslash() per WPCS.
Security: GET page parameter compared using sanitize_key() in the log export handler.
Security: printf output in SMS history log now escapes at the point of output instead of pre-escaping the variable.
Feature: Clear Log button added to debug log tab; implements the clear_debug_log handler in handle_log_exports().
Removed: Elementor Pro Forms and Gravity Forms integrations removed (not ready for WordPress.org review).
3.3.3
Fix: Local phone numbers with a trunk prefix (e.g. Saudi 0559…, UAE 050…) are now correctly normalized by stripping the trunk digit and raising the local-number threshold to 9 digits.
3.3.2
New: Country-specific phone validation for 70+ countries: local digit length and mobile prefix are now checked inside normalize_phone(), giving callers meaningful error messages instead of generic rejections.
Fix: OTP codes are now stored as HMAC-SHA256 hashes in transients; a database read can no longer reveal active OTP values.
Fix: Cart abandonment operations are now protected by a MySQL advisory lock to prevent concurrent race conditions.
Fix: Debug log and CSV export downloads now include the X-Content-Type-Options: nosniff header.
Fix: Private IP detection in rate limiting now uses the correct 172.16.0.0/12 CIDR range.
Fix: API password special characters are now preserved correctly on save.
Fix: Checkout OTP send now enforces per-phone and per-IP rate limits.
Fix: Cart recovery coupon codes now use a cryptographically secure random source.
Fix: Added missing is_ip_in_cidr() method that was causing a fatal error on every OTP attempt.
3.3.1
New: Elementor Pro and Gravity Forms integrations are now fully active (removed “coming soon” status).
Fix: Admin phone fields (order status, instant order, stock alerts, admin alerts) no longer send duplicate SMS when the same number appears in both local and international format.
Fix: woo_admin_phone (order status admin notification) now accepts space-separated phone numbers, consistent with all other admin phone fields.
Fix: WooCommerce sub-tab settings (stock alerts, multivendor, cart abandonment) were reset to defaults whenever the parent WooCommerce tab was saved, because unrendered checkboxes produce no POST data. Each sub-section now only updates its own fields when its specific tab is saved.
Fix: Cart abandonment records with recovered=true were deleted when the cart was emptied after a successful purchase, losing recovery stats.
Fix: Checkout OTP first-submit notice type changed from notice to error so WooCommerce correctly halts order creation while the customer retrieves their OTP code.
Fix: Instant order and vendor SMS now also fire for WooCommerce block checkout orders via woocommerce_store_api_checkout_order_processed.
Fix: Default SMS templates are now applied when saved template values are empty strings, ensuring out-of-box SMS content without requiring manual template entry.
3.3.0
New: WooCommerce HPOS (High-Performance Order Storage) compatibility declaration
New: COD-only OTP gate option — require OTP only for Cash on Delivery orders
New: Stock alert SMS — low stock, out of stock, backorder notifications to admin
New: New product published SMS notification to admin
New: Back-in-stock subscriber notifications — customers opt-in, SMS sent on restock
New: Instant new order SMS (fires once per order regardless of status)
New: Multivendor support — vendor SMS for Dokan, WCFM, WC Vendors
New: Cart abandonment recovery SMS with coupon code generation
New: Cart abandonment dashboard card with recovery stats
3.2.0
Added: Admin Site Alerts: send SMS to admin phone(s) on new user registration, login, post publish, comment, and WordPress core update events.
Each alert is individually toggleable with configurable EN and AR message templates.
New “Admin Alerts” settings page under the kwtSMS admin menu.
3.1.7
Security: Trusted Devices. After completing 2FA, users can trust their device for 30 days. Trusted devices skip the OTP step on subsequent logins. Tokens stored as SHA-256 hashes in user meta, never raw. Profile page shows all trusted devices with individual and bulk revoke. All trusted devices are cleared on password reset.
3.1.6
Security: Registration OTP Gate. Verify phone number via OTP before the WordPress account is created. Supports disabled, optional, and required modes. Works for standard WordPress registration and WooCommerce My Account registration.
3.1.5
Security: IPHub Proxy/VPN Detection. OTP requests from known proxy or VPN IPs can be silently blocked or flagged based on admin-configured actions per block level. Result cached per IP with configurable TTL. Allowlisted IPs bypass the check entirely.
3.1.4
Security: IP Allowlist/Blocklist with CIDR support. Admin textareas for IPv4/IPv6 address and CIDR ranges. Allowlisted IPs bypass per-IP rate limiting; blocklisted IPs receive a silent refusal indistinguishable from a rate-limit error.
3.1.3
Security: Verify sliding-window rate limiting — per-phone, per-IP, and per-account limiters use timestamp arrays that self-prune, making fixed-window boundary exploits impossible.
3.1.2
Security: Verify duplicate OTP guard — generate() reuses existing valid OTP and resets expiry clock to prevent double-SMS on double-click or page refresh.
3.1.1
Enhancement: Dashboard widget now pinned to the right column for all users.
Enhancement: kwtSMS Dashboard link added to the dashboard widget for quick credit and log access.
Enhancement: “View full log” and “kwtSMS Dashboard” links placed on the same line in the widget.
Fix: Replace em-dash HTML entity separators with pipe/colon in admin balance bar and form integration settings.
Fix: Login page CSS improvements: button sizing, OTP code input focus style, back link alignment, form box-shadow removal.
Fix: Logs page tab parameter now validated against a whitelist to prevent unexpected tab values.
Security: Update security contact email to support@kwtsms.com.
CI: Remove PHPUnit job from GitHub Actions (tests run locally).
3.0.4
CI: Added GitHub Actions workflow for PHPCS, PHPStan, and PHPUnit across PHP 8.1, 8.2, and 8.3.
CI: Automated plugin zip release on version tag push via GitHub Actions.
Fix: Replace real API username placeholder with wp_username in tests for client identification.
