XYZ Age Verification

2.5.0

• Interstitial consent gate before session creation — no API call on page load, eliminating passive bot session consumption
• Biometric consent checkbox serves as explicit user consent capture (supports BIPA/CIPA compliance requirements)
• HMAC-signed timing gate rejects automated interactions faster than 1 second after page render
• Visitor IP address now passed to the API for per-IP rate limiting (CF-Connecting-IP with REMOTE_ADDR fallback)
• Verification UI dynamically rendered after consent via AJAX — same QR code, popup, and polling functionality
• Added FAQ about wp-content/uploads limitation
• Added planned features: media file protection and additional credit packs

2.4.2

• MU plugin: Replaced cookie array iteration with direct computed cookie name lookup
• MU plugin: Enhanced phpcs:ignore annotations with detailed technical justifications

2.4.1

• Plugin display name simplified to “XYZ Age Verification” (removed redundant “Free”)
• Migrated Free Plan Admin data operations from AJAX to WP REST API (regions, content, thresholds, verifications)
• Added HMAC verification to MU plugin redirect URLs for enhanced input validation
• Documented QRCode.js third-party library source and license in readme
• Added xyzageverify to plugin contributors

2.4.0

• Aligned text domain with WordPress.org assigned slug (xyz-age-verification-free)
• Renamed all plugin identifiers to use xyzav_ prefix for WordPress.org compliance
• Replaced inline scripts with properly enqueued JavaScript
• Removed WordPress.org directory asset files from plugin ZIP
• Added Domain Path header and languages directory

2.3.0

• Free plan registration directly from the plugin settings (100 credits/month, no credit card)
• Built-in Free Plan Admin page for managing regions, welcome content, and thresholds
• Detailed verification history with expandable attempt details
• Minimum age setting per region with automatic Tier 2 enforcement for non-18 thresholds
• Configurable fail-open/fail-closed behavior for API outages and credit exhaustion
• Credit usage tracking with monthly reset
• Site URL binding for free plan API keys
• Test mode now works for all visitors (incognito window testing support)
• Verification cookie HttpOnly flag disabled in test mode for easier testing
• Plugin renamed to XYZ Age Verification

2.2.0

• Test mode: simulate any region with ?reg=US-TX query string
• Cryptographically signed verification cookies with per-site HMAC-SHA256 keys
• Logged-in WordPress users automatically bypass the age gate redirect
• Setup checklist with status indicators on the settings page
• API connection health check on the settings page
• Admin notices for missing API key, MU plugin, age-gate page, and signing key
• Contextual help tabs with overview, setup guide, settings reference, and troubleshooting
• Restructured plugin with properly enqueued CSS and JS assets
• Replaced external QR code service with bundled local generation (privacy improvement)
• Added configurable bypass cookies for pre-verified users
• Added internationalization (i18n) support for all user-facing strings
• Added uninstall cleanup for all plugin options
• Added activation hook with PHP and WordPress version checks
• Added version constant for asset cache busting
• Fixed file extension for proper WordPress plugin loading
• Removed hardcoded client-specific default values
• Added Host header security documentation in MU plugin

2.1.0

• Removed region query parameter override vulnerability (critical security fix)
• Added nonce and capability checks to admin tool actions
• Added sanitization callbacks to all registered settings
• Added session ID format validation in AJAX poll handler
• Removed client-specific hardcoded bypass cookies from MU plugin

2.0.0

• Initial public release
• Two-tier verification (face liveness + government ID)
• Region-specific rules via Cloudflare geo headers
• QR code and popup verification options
• Server-side API key handling
• MU plugin architecture for early redirect (not compatible with WP Rocket page cache)