URL Image Importer

1.2 – 05/27/2026

• Added support for importing public Google Drive image file links from the URL importer and CSV importer.
• Added content-based validation for Google Drive downloads so non-images, private/login pages, folders, videos, and Google Workspace document links are skipped instead of imported.
• Improved CSV handling so Google Drive share links without image file extensions are accepted for import preview and validated during import.
• Fixed CSV preview behavior for already-imported URLs so duplicates can be handled by the batch importer and URL mapping export.

1.1 – 05/15/2026

• Cleaner image titles: imported images now use the filename without the “.jpg” or “.png” extension as the image’s title and URL handle in your Media Library, matching what WordPress does for a manual upload. Applies to URL, WordPress XML, and CSV imports.
• New URL mapping spreadsheet: after a batch import, you can download a CSV that pairs each original web URL with its new location in your Media Library — handy for find-and-replacing old image links across your posts. Only users with media upload permission can download the file.
• Fixed: the “Download URL Mapping CSV” button could fail in some browsers and show an error page instead of saving the file. The download now works reliably and the saved filename keeps non-English characters intact.
• Improved compatibility for sites running on Windows servers when verifying the mapping download.
• Cleanup: partial mapping files are removed when an import is canceled, and older mapping files are tidied up automatically after a day.
• Removed: a leftover developer test script that was accidentally included in earlier builds. It had no legitimate purpose after install and should not have shipped.
• Removed: an unused developer setup helper script that did not belong in a release.

1.0.8 – 12/05/2025

SECURITY FIX – SVG XSS VULNERABILITY
– Fixed: Stored Cross-Site Scripting (XSS) vulnerability via SVG file uploads reported by Wordfence
– Security: Implemented whitelist-based SVG sanitization using the enshrined/svg-sanitize library
– Security: Extended fallback blacklist to include SVG animation events (onbegin, onend, onrepeat, onactivate)
– Security: Added comprehensive coverage for all known SVG XSS vectors including SMIL animation events
– Security: Added protection against javascript:, data:, and vbscript: URL schemes in SVG attributes
– Security: Added validation to prevent malicious animate/set elements targeting event handlers

1.0.7 – 11/14/2025

• Added CSV import functionality for batch image imports from spreadsheets.
• Added XML import functionality to support images from WordPress export files.
• Added import option controls (re-import, preserve date, image-only filter).
• Added new UI tabs for URL Import, CSV Import, and WordPress XML Import.
• Added “Download Sample CSV” helper link for quick template setup.
• Improved batch import performance and error handling.
• General performance improvements and UI refinements.
  SECURITY FIX – CRITICAL UPDATE
• Fixed: Arbitrary file upload vulnerability reported by Wordfence Threat Intelligence
• Security: Removed reliance on user-controlled Content-Type HTTP headers for file validation
• Security: Implemented proper file validation BEFORE writing to disk using wp_check_filetype_and_ext()
• Security: Added actual image content validation using getimagesize()
• Security: Enforced strict mime type checking against WordPress allowed mime types
• Security: Files are now validated in temporary location before moving to uploads directory
• Security: Added unique filename generation to prevent file overwrites
• Hardened: Multiple layers of validation ensure only legitimate image files can be imported

1.0.6 – 10/17/2025

• Added PSR-4 autoloading with Composer for improved code organization
• Added namespace support: UrlImageImporterCore, Admin, FileScan, Importer, Ajax, Utils
• Code quality improvements and bug fixes

1.0 – 1/23/2025

• Initial release