Updated brand URLs from unstoppablewp.com to unstoppablesolutions.app throughout the plugin (Plugin URI, Author URI, and Options Studio dashboard footer links)
Updated footer link text from “Visit Unstoppable WP” to “Visit Unstoppable Solutions” to match the new destination
1.1.3
SECURITY: Closed a TOCTOU race condition that allowed a customer to redeem the same points across two concurrent checkouts and receive a duplicate discount
SECURITY: deduct_points() is now atomic per user — a MySQL advisory lock serializes concurrent redemptions so the balance check and decrement cannot race
SECURITY: If point deduction fails at order placement (e.g. balance was consumed by a concurrent checkout), the order is now put on-hold with an explanatory note instead of silently keeping the discount
SECURITY: The apply_points AJAX endpoint now enforces the cart-total cap server-side; previously the cap was only enforced via the form’s HTML max attribute, so customers could submit more points than the cart was worth and lose the excess
1.1.2
SECURITY: Escape all values returned by shortcode callbacks [uprf_points_balance] and [uprf_points_history] (per WordPress.org plugin review)
Wrapped number_format_i18n() return values in esc_html() before output
Wrapped class attribute and sign output in esc_attr() / esc_html() for consistency
1.1.1
Maintenance release for directory resubmission under the new name and slug
Verified compliance: no external service calls, upgrade prompts limited to the plugin’s own settings page
1.1.0
Renamed plugin to “Unstoppable Points & Loyalty for WooCommerce” (slug: unstoppable-points-loyalty)
Updated text domain to match new slug
No functional changes — settings, points balances, and customer data are preserved
