classic editor: restyle the “Insert Piwigo image” media button with a frame, icon and label so it matches the other media buttons
Gutenberg: widen the picker modal so the option panels fit without horizontal scrolling
Gutenberg: fix drag-and-drop inside the modal — thumbnails now follow the cursor and dropping into the drop zone works
Gutenberg: let the drop zone grow as more thumbnails are added (no longer pinned to a fixed height)
compatibility metadata: bump “Tested up to” to 7.0
2.34
security: fix authenticated (Contributor+) stored XSS in the [PiwigoPress] shortcode by escaping the class, style, size, opntype, URL and title attributes (Wordfence advisory)
security: switch all Piwigo web-service calls from format=php + unserialize() to format=json + json_decode() to remove a PHP object-injection / RCE primitive on responses from the (potentially untrusted or MITM’d) remote Piwigo gallery
security: tighten AJAX endpoints — pwgp-categories and pwgp-thumbnails now require edit_others_posts and a verified nonce; URLs go through an SSRF guard that rejects non-http(s) schemes and private/loopback/link-local hosts
security: Save_options (post-save handler) now verifies a nonce and capability, skips autosaves/revisions, and sanitises every field before writing the global picker defaults
security: stop leaking remote API responses and outbound URLs as HTML comments on rendered pages
security: stop trusting $_SERVER['HTTP_HOST'] — use home_url() for default URL construction
security: escape every value rendered by the widget (esc_attr/esc_url/esc_html), including data coming back from the remote Piwigo gallery
fix: array_change_key_case($parm) would TypeError on PHP 8 when the shortcode had no attributes (cast to array first)
fix: drop dead get_magic_quotes_gpc() branch in PWGP_secure (removed in PHP 8.0 — was a fatal error)
fix: compute the “since X months” cutoff in PHP instead of via raw SQL on wpdb
fix: PiwigoPress::update() no longer triggers PHP 8 warnings for missing widget-form keys; every field is now read through an isset() helper
drop dead TinyMCE 3 fallback (tinyMCE.execInstanceCommand); WordPress has shipped TinyMCE 4+ since 3.9
harden direct-access guards: add if (!defined('ABSPATH')) exit; to every PHP file
replace @include 'piwigopress_admin.php' with require_once so real errors aren’t silently swallowed
move the widgets-screen helper script enqueue from inside the widget form() method to admin_enqueue_scripts filtered on widgets.php
only persist PiwigoPress_previous_url when the writer has edit_others_posts, removing a per-render DB write and preventing low-privileged users from rewriting the site-wide default
drop the stale shipped js/piwigopress_adm.min.js (was diverging from the source); load the unminified file instead
compatibility metadata: bump “Requires at least” to 5.0 and “Tested up to” to 6.9.4, declare “Requires PHP: 7.4”
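Why the move from format=php + unserialize() to format=json + json_decode() matters, shown as an added example that is not PiwigoPress code: the class, function names and response bodies are hypothetical and constructed for the demonstration. It also shows the allowed_classes => false option this changelog applies to the legacy stored option.

```php
<?php
// Added example, not PiwigoPress code; class, function and payload names are hypothetical.

// Stand-in for any class already loaded on a site whose magic method has a side effect.
class ExampleTempFile {
    public $path = '';
    public static $events = [];
    public function __destruct() {
        // A real gadget might unlink() or write $this->path; this one only records it.
        self::$events[] = "__destruct ran with path={$this->path}";
    }
}

// Old path per the changelog: format=php, then unserialize() on the response body.
function decode_legacy(string $body) {
    return unserialize($body);
}

// New path: format=json, then json_decode(); yields only arrays and scalars.
function decode_json(string $body): ?array {
    $data = json_decode($body, true);
    return (is_array($data) && ($data['stat'] ?? '') === 'ok') ? $data : null;
}

// Where unserialize() has to stay (a legacy stored option): refuse to build objects.
function decode_restricted(string $body) {
    return unserialize($body, ['allowed_classes' => false]);
}

// Constructed response bodies, as a hostile or intercepted gallery could return them.
$php_body  = 'a:2:{s:4:"stat";s:2:"ok";s:6:"result";'
           . 'O:15:"ExampleTempFile":1:{s:4:"path";s:11:"example.tmp";}}';
$json_body = '{"stat":"ok","result":{"path":"example.tmp"}}';

$r = decode_legacy($php_body);
unset($r); // the injected object is destroyed here and its destructor fires
$after_legacy = count(ExampleTempFile::$events);

$r = decode_restricted($php_body);
$is_stub = $r['result'] instanceof __PHP_Incomplete_Class; // inert placeholder object
unset($r);
$after_restricted = count(ExampleTempFile::$events);

var_dump($after_legacy, $is_stub, $after_restricted);
var_dump(decode_json($php_body), decode_json($json_body)['result']);
```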
security: fix reflected XSS in the [PiwigoPress] shortcode error message when the id attribute is malformed (the raw value was concatenated into a translation string and returned as HTML)
security: whitelist enum-style shortcode attributes (size, lnktype, opntype, ordertype, name) and run class through sanitize_html_class / style through safecss_filter_attr to block CSS-based payloads
security: switch outbound HTTP from wp_remote_get to wp_safe_remote_get with redirection => 0 and timeout => 5 — blocks SSRF via 30x redirects to internal hosts and bounds the request window
security: unserialize() of the legacy PiwigoPress_previous_options option now uses allowed_classes => false
security: escape previous_url and photo_class when rendering the picker form (defensive against legacy unsanitised option values)
fix: detect HTTPS via is_ssl() so reverse-proxy X-Forwarded-Proto is honoured
security: tighten pwgp-categories / pwgp-thumbnails to edit_others_posts (Editor+) — these endpoints perform server-side HTTP fetches, so we want them above Contributor scope even though the URL guard is in place
security: escape every URL/text in the widget’s category-menu output via esc_url / esc_attr / esc_html; store external widget URL with esc_url_raw on save
security: wrap every translated string used in the admin picker heredoc with esc_html__ / esc_attr__ so a malicious translation can’t inject HTML
fix: guard $PWG_Adm with isset() to suppress the PHP 8 undefined-variable warning when piwigopress_admin.php is reloaded
fix: stop hard-coding the plugin directory name in asset URLs — use plugins_url( …, __FILE__ ) so the plugin keeps working if the directory is renamed
fix: move CSS/JS enqueueing from in_admin_header / in_admin_footer to admin_enqueue_scripts / wp_enqueue_scripts. The previous hooks fire after admin_print_*_scripts, so wp_enqueue_script was a no-op and the classic-editor picker (#PWGP_button) never appeared on modern WordPress — replace the hand-rolled <link> echo with wp_enqueue_style while we’re at it
fix media-button shortcode generator broken on PHP 8+ (replace PHP4-style PiwigoPress_Admin() constructor with __construct() and drop deprecated by-reference &$this)
add Gutenberg (block editor) support: new “PiwigoPress” entry in the editor’s more-menu opens a modal with the existing photo picker and inserts the generated shortcode as a core/shortcode block
harden classic JS: guard window.tinyMCE.majorVersion access and route shortcode insertion through a piwigopress:insert custom event so other editors can intercept
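A sketch of the kind of URL guard the SSRF entries above describe (http(s) only, no private, loopback or link-local hosts), as an added example that is not PiwigoPress code: the function names, host names and addresses are hypothetical. It assumes an injectable resolver so the check runs offline.

```php
<?php
// Added example, not PiwigoPress code; all function names are hypothetical.

// Default resolver: IPv4 A records only (gethostbynamel does not return AAAA).
function example_resolve(string $host): array {
    return gethostbynamel($host) ?: [];
}

// True only for http(s) URLs whose host maps exclusively to public addresses.
// $resolver is injectable so the check can be exercised offline.
function example_url_is_public(string $url, ?callable $resolver = null): bool {
    $parts = parse_url($url);
    if (!is_array($parts) || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // rejects non-http(s) schemes
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps brackets on IPv6 literals
    $ips = filter_var($host, FILTER_VALIDATE_IP)
        ? [$host]
        : ($resolver ?? 'example_resolve')($host);
    if (!$ips) {
        return false; // unresolvable host: fail closed
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
        // NO_RES_RANGE: 0/8, 127/8, 169.254/16, 240/4, ::1, fe80::/10
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false; // one internal address is enough to block
        }
    }
    return true;
}

// Constructed samples; the stub stands in for DNS (names and addresses are made up).
$stub = function (string $host): array {
    $zone = ['gallery.example' => ['203.0.113.10'], 'intranet.example' => ['10.0.0.5']];
    return $zone[$host] ?? [];
};
$samples = ['https://gallery.example/ws.php', 'http://intranet.example/ws.php',
            'http://127.0.0.1/ws.php', 'http://[::1]/ws.php',
            'http://169.254.0.1/ws.php', 'ftp://gallery.example/ws.php'];
foreach ($samples as $url) {
    echo str_pad($url, 34), example_url_is_public($url, $stub) ? 'allow' : 'block', "\n";
}
```

A check like this only validates the URL it is given, which is why the changelog pairs the guard with redirection => 0: a 30x response would otherwise move the fetch to a host that was never checked.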
2.33
fix widget initialization for newer PHP versions
2.32
2.31
relax the requirement on which image sizes galleries have to provide (Issue 21)
allow selecting the order of photos for the widget (Issue 20)
2.30
multiple image ids can be used in the shortcode (by Anton Lavrov)
support for displaying the photo name (title) (by Anton Lavrov)
shortcode generator – support name setting
fix ‘albumpicture’ setting not being preserved
2.29
security related improvements by Rüdiger Schulz, big thanks!
2.28
use “album” instead of “category” in the user interface, as this is what Piwigo calls it (Issue 14)
allow loading of albums from remote installations (Issue 13, 5)
2.27
widget configuration now allows adding html code just before and after the included photos, but before the divs. This requires the ‘unfiltered_html’ permission for the user editing the widget.
2.26
new parameter for widget and shortcode: opntype: ‘_blank’ (open in new window/tab) or ‘_self’ (open in same) (Issue 10)
set alt parameter of images to ‘name’ (plus ‘comment’, if available) of the Piwigo image (Issue 8)
make widget configuration background white instead of transparent for readability
2.25
fix some peculiarities with the album list download
update compatibility to 4.1
2.24
new maintainership
fix compatibility with piwigo 1.6 and wordpress 4.0
allow url to be “/foo/bar” like on local server, preserving http(s)
fix compatibility with tinyMCE v4 (WordPress 1.9)
support //host/path and use either http or https
link targets to photo are now within the first album of the photo
permalinks are used for albums as far as possible
support pulling from a specific album instead of only from all photos
Support of Piwigo 2.4.x and 2.5.x (and probably above)
2.22
New shortcode parameter lnktype = ‘picture’, ‘none’, or ‘album’ (most recent album id): indicates the link type of the shortcoded picture
Small bugs (functional defects) within Shortcode generator have been corrected
Shortcode generator generates lnktype parameter
New widget parameter Link type (differs from lnktype above): “album” links the first picture to the selected album id
New Caption widget parameter to have the caption directly with the displayed and selected pictures.
Sidebar widget has been totally rewritten
2.21
Minor issues solved in drag & drop.
jQuery code reviewed
WordPress 3.4.2 support
If you don’t have your own up-to-date Piwigo gallery, just try it with Piwigo demo URL: http://piwigo.org/demo/
2.20
Edit post/page shortcode generator using Drag-n-drop (a useful tool for your photoblog).
If you don’t have your own up-to-date Piwigo gallery, just try it with Piwigo demo URL: http://piwigo.org/demo/
2.10
I18n version (Hungarian)
Widget: Largest sizes added (from user request)
WordPress shortcode for post/page: e.g. [PiwigoPress id=72 url='http://piwigo.org/demo/']
2.00
Support of WordPress from 2.8.0 to 3.4.1 (and probably above)
Support of Piwigo 2.4.x (and probably above)
Support of Piwigo 2.0.x – 2.3.x assumed
cURL access support (3rd way to solve webservice call issues)
CSS DIV class: img-shadow and/or img-show-desc are now provided