Improved: the public consent REST endpoint (POST /tccl/v1/consent) is now rate-limited per IP, so a logged-out visitor can no longer script it to flood the consent log with bogus records. It returns HTTP 429 once the limit is reached; tunable with the new tccl_consent_rate_max and tccl_consent_rate_window filters.
Fix: the CSV export now neutralises spreadsheet formula/CSV injection. Any cell whose value begins with =, +, -, @, a tab or a carriage return is prefixed with a single quote, so Excel, LibreOffice and Google Sheets render it as literal text instead of executing it. This matters because the accepted text and the user agent can be supplied by anonymous visitors through the public consent endpoint, and the export is the GDPR evidence an admin is expected to open.
1.4.0
New: native WordPress login integration. Captures successful logins through wp-login.php as consent_type = wp_login whenever the submission carries a ticked consent checkbox. The “Remember me” checkbox is excluded by design — it is an ePrivacy / persistent-cookie preference, not a GDPR Article 7.1 consent. Opt-in toggle in Settings → Integrations, off by default in fresh installs (a normal login form has no consent checkbox, so logging every login would only add noise).
New: native WordPress registration integration. Captures registrations through wp-login.php?action=register as consent_type = wp_register whenever the registration form carries a ticked consent checkbox. Opt-in toggle, on by default in fresh installs.
New: native WooCommerce login integration. Captures the My Account login as consent_type = wc_login. Routed by inspecting the submission for WC-specific markers and the HTTP referer, so it is reliably distinguished from the WP-admin login that shares the same underlying hook.
New: native WooCommerce registration integration. Captures customer creations through the My Account register form as consent_type = wc_register, with email + source URL.
New: optional “Inject a required consent checkbox” toggle for both the WP and the WC registration forms. WooCommerce does not ship a consent checkbox out of the box (only a privacy-policy paragraph), so this option fills that gap for sites without a separate GDPR plugin. The injected checkbox blocks the registration on the server side if it is left unticked.
New: configurable “Consent text for login / registration” (used as the stored consent_text on every login/registration record, and also as the label of the injected checkbox).
New: configurable “Custom consent field names” — a comma-separated list that overrides the built-in name heuristic for sites whose GDPR plugin uses unusual field names.
New: heuristic detector for consent checkboxes. Names containing consent, gdpr, privacy, terms, acceptance, agreement, accept, rgpd, politica, privacidad or terminos are treated as the consent checkbox (case-insensitive). rememberme and standard nonce / referer keys are always excluded.
For older changelog entries, please check the changelog.txt file.
