Fix: Removed backup file (withdrawal-form.js.bak) inadvertently included in the distribution archive.
Fix: Wizard step tracking (step_texts_touched, step_design_touched) moved from a $GET[settings-updated] check into pre_update_option filter hooks. The wizard steps are now marked as completed inside the verified settings save flow, removing all unverified $_GET access from the settings screen.
1.3.24
Improvement: All SQL SELECT queries in class-wbwiderruf-db.php rewritten with fully literal column names, ORDER BY direction and column hardcoded per branch — no variable interpolation in any SQL template. Eliminates remaining PluginCheck.Security.DirectDB.UnescapedDBParameter warnings for $cols/$col/$dir.
1.3.23
Fix: Confirmation page (success step) now correctly appears after form submission. Root cause: the REST API validate_callback for pending_token had a length limit of 128 characters, which is shorter than real-world tokens (which include a full SHA-256 HMAC). Requests were silently rejected before reaching the callback.
Fix: Database migration (v2) no longer converts freshly-created pending entries to submitted. Only entries with a confirmed_at timestamp are migrated. A v3 migration corrects any entries affected by the previous behaviour.
Fix: JavaScript confirmStep() now uses a locally scoped error element instead of referencing the out-of-scope alert variable from the parent closure.
Fix: Admin withdrawal list search now works correctly. The wbwiderruf_db_admin_list() call in the list table was passing positional arguments; updated to named array.
Fix: Spurious status filter tabs (In Prüfung, Fertig, Abgelehnt) removed from admin list. These statuses are not used by the Free version and always showed (0).
Fix: ORDER BY column is now correctly passed through from admin list table to the database query.
Improvement: All database queries in class-wbwiderruf-db.php rewritten to explicit per-branch $wpdb->prepare() calls, eliminating Plugin Check warnings about dynamically-constructed SQL strings.
Improvement: db-schema.php migration queries use $wpdb->prepare() with %i table-name placeholder instead of raw string interpolation.
Readme: Short description and main description section rewritten in English per wp.org requirements.
1.3.21
Review update: unique internal prefixes introduced for WordPress.org compliance.
