Changelog

Security release — version 7.4.0. All users are strongly advised to update immediately.

• Fixed an unauthenticated blind SQL injection vulnerability (CWE-89). The internal temporary-storage lookup interpolated a request-derived key directly into a database query; sanitize_text_field() does not escape SQL quotes, so several unauthenticated entry points (including the media download handler via __mediakey) could be abused for time-based blind injection.
• The query is now fully parameterized with $wpdb->prepare(), closing the injection for every caller of the storage layer.

Credit: responsibly disclosed by mrinolife.

• Redesigned the wpdm_user_profile page with a modern cover/avatar layout, stat pills (packages, favourites, member since), and pill-style tabs that highlight in the user’s brand color.
• Added async re-rendering for the wpdm_packages shortcode toolbar so filter / sort / paginate updates the results in place without a full page reload.
• Per-file download flow now respects the terms-and-conditions lock and correctly carries the file index through the unlock cycle.
• Added a per-file Size override field in the file-info metabox for granular control over displayed file sizes.
• Gated the wpdmpro custom-post-type capability and parent admin menu behind WPDM_MENU_ACCESS_CAP when set to manage_options.
• Pre-fill the File Size input from Media Library attachments (uses filesizeHumanReadable).
• Escaped reset URLs on the download-history filter chips.
• Switched the .__wpdm_submit_async submit handler to delegated binding so AJAX-injected forms keep working after replacement.
• Proper output escaping on the public profile partials and dark-mode support (manual + prefers-color-scheme).

• Resolved an issue affecting the file list on the admin site.

• Redesigned the DropZone file-request page as an enterprise-grade upload UI — two-column layout with a sticky sidebar (request meta + best-practices tips), a table-style file queue with per-row progress, sticky action bar with summary and Submit / Clear, dedicated success state, mobile responsive
• Synced the DropZone main page with WPDM Color Scheme settings
• Both DropZone views now pull the primary color from WPDM UI Settings
• Fixed WPDM\__\__::sanitize_var() emitting a PHP warning — “Delimiter must not be alphanumeric or backslash” — when an unknown sanitize value (e.g. 'array') reached the regex fallback. Added an isRegexPattern() guard so non-pattern values are returned unchanged

• Added dark mode support for User Dashboard (manual dark mode and system preference)
• Added tag filter dropdown for [ wpdm_all_packages] shortcode (tag_filter="true")
• Made category and tag names clickable in DataTables to filter by that term
• Added Last Login column to WordPress admin Users list
• Fixed DropZone comment form not resetting after submission
• Fixed DropZone storage calculation crash when file path is missing
• Added DropZone admin page to WPDM admin styles whitelist
• Internationalized hardcoded “File Details” string in DropZone sidebar

• Guard $_SERVER["SERVER_NAME"] with isset() check in login redirect validation to prevent undefined index warnings in CLI and cron contexts where server variables are not populated.

• Fixed: [ wpdm_category] shortcode toolbar — renamed the orderby / order select fields to orderby_ / order_ so they no longer collide with WordPress reserved query vars. Front-end sorting from the category toolbar now works reliably. (The same fix was applied to [ wpdm_packages] in 7.3.3; this release extends it to [ wpdm_category] and covers a couple of remaining spots in the packages toolbar that were missed.)
• Fixed: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes ( Reported by Patchstack )

• Fixed: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode attributes (Reported by Wordfence)
• Fixed: Missing authorization check in Media Access Control
• Fixed: Email lock “Mail Download Link” checkbox not saving unchecked state
• Fixed: Email lock download link condition was inverted
• Fixed: CSV import BOM character handling for UTF-8 files
• Fixed: CSV import post_title overriding title column
• Fixed: is_email() check without verifying user exists
• Improved: Video CDN detection now uses filterable array
• Improved: Toolbar sort/order params renamed to avoid WordPress reserved query var conflicts
• Improved: Added wpdm_all_packages_tags filter for DataTable row customization
• Improved: File type icons now use SVG image files instead of inline SVGs
• Improved: Admin modal and UI refinements

• Redesigned modal login form with modern split-panel UI, gradient branding panel, SVG icons, animated entrance, backdrop blur, and dark mode support
• Replaced legacy notify/floatify with new WPDM.toast() notification system
• Updated alert colors to use CSS custom properties
• Added AI agent callAgent() method and redesigned AI settings UI ( Beta )
• Fixed nonce security in UserController for user status review
• Fixed FileSystem type cast for pathinfo compatibility

• Redesigned 12 page templates with modern layouts: Folio, Shelf, Panel, Showcase, Exhibit, Studio, Slate, Compact, Canvas, Bare, Mosaic, Screen
• Renamed all template labels to use descriptive style names
• Redesigned Metro page template with modern flat tile layout
• Redesigned Premium Package templates with sticky sidebar CTA, metadata grid, and single-scroll content
• Fixed CSS variable cascade – color variables moved from .w3eden to :root so admin color settings (uiColors) properly override defaults
• Dynamic light color variants – computed via rgba(var(–color-*-rgb), 0.1) to adapt to user color settings
• Modernized Author Dashboard UI with unified card component system
• Dashboard UI improvements and CSS optimization
• Added pagination to DropZone file list
• Improved wpdm_verify_email function
• Moved renderFileIcon/getFileTypeClass helpers to FileSystem class
• Dark mode support added to all page templates

• Security Fix: Addressed reflected XSS vulnerability in login form redirect parameter
• UI Improvements: Enhanced front-end user dashboard and overall interface

• Maintenance release with minor bug fixes and stability improvements

• Activity Reports: New weekly/monthly email summaries for administrators
• Report Sections: Download summaries, trending packages, user activity, category breakdown, revenue, and storage usage
• Flexible Scheduling: Weekly (any day) or monthly (1st-28th) options
• Multiple Recipients: Support for admin and additional email addresses
• Preview Feature: Test reports before scheduling

• Media Protection: Secure WordPress Media Library files with 5 protection methods
• Private Storage: Move files outside web root for enhanced security
• Performance: Access decision caching and batched .htaccess regeneration
• Fixes: HTML encoding in password error messages, path depth calculation

• Redesigned email templates with light/dark mode support

• Directory Explorer completely redesigned with enterprise UI
• File Info modal modernized
• Dark mode synced with color scheme settings

• reCAPTCHA Enterprise test widget in admin settings
• Human-readable error messages for reCAPTCHA failures
• FileList component redesigned with grid/list toggle
• Enhanced dark mode and ad blocker detection

• reCAPTCHA Migration: Upgraded to reCAPTCHA Enterprise API
• Welcome Page: Fixed activation trigger
• Performance: Optimized meta cache priming
• Settings: Added search functionality with real-time filtering

• Security: Fixed CBC bit-flipping attack vector in Crypt.php
• Color Scheme: System/Light/Dark mode options
• Changelog Component: Timeline UI for file uploads
• Modernization: Front-end CSS with dark mode support

• Fixed Gemini API connectivity issues
• Professional AI generation modal in template editor
• Modernized admin UI and link templates

• Fixed terms lock option
• Fixed CSV import issues
• Admin and front-end UI improvements

• Fixed nonce check in media protection
• Resolved directory browser issue in build import

• Fixed package description rendering issue

Check old changelog here: