Fixes

PDowney · web-flow · commit dd9c09de2645 · 2026-02-23T21:07:24.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Security
+
+- Hardened singleton pattern with private constructor and clone/wakeup prevention
+- Fixed missing input sanitization in settings update notification check
+- Added `function_exists()` guard for `wc_get_customer_order_count()` to prevent fatal errors if WooCommerce is deactivated
+
+### Fixed
+
+- Replaced incorrect `sanitize_text_field()` with proper `esc_html()` for store category term output context
+- Removed broken order count column sorting (no query handler existed to support it)
+- Removed redundant `is_admin()` and `current_user_can()` checks in column render callbacks already guarded at hook registration
+- Scoped admin CSS classes to prevent collisions with WordPress core `.card` styles and other plugins
+- Fixed FAQ to accurately state that all features are disabled by default
+
 ## [1.0.7] - 2025-09-15
 
 ### Added
diff --git a/class-optimizations-ace-mc.php b/class-optimizations-ace-mc.php
@@ -55,10 +55,22 @@ public static function instance() {
 		return self::$instance;
 	}
 
+	/**
+	 * Prevent cloning.
+	 */
+	private function __clone() {}
+
+	/**
+	 * Prevent unserializing.
+	 */
+	public function __wakeup() {
+		_doing_it_wrong( __METHOD__, __( 'Unserializing is not allowed.', 'optimizations-ace-mc' ), '1.0.7' );
+	}
+
 	/**
 	 * Constructor.
 	 */
-	public function __construct() {
+	private function __construct() {
 		// Load settings.
 		$this->load_settings();
 
@@ -120,7 +132,6 @@ private function init_woocommerce_optimizations() {
 		if ( $this->get_setting( 'woocommerce_user_order_count_column' ) && is_admin() && current_user_can( 'list_users' ) ) {
 			add_filter( 'manage_users_columns', array( $this, 'add_user_order_count_column' ) );
 			add_filter( 'manage_users_custom_column', array( $this, 'display_user_order_count_column' ), 10, 3 );
-			add_filter( 'manage_users_sortable_columns', array( $this, 'make_user_order_count_sortable' ) );
 		}
 	}
 
@@ -176,29 +187,13 @@ public function add_user_order_count_column( $columns ) {
 	 * @return string
 	 */
 	public function display_user_order_count_column( $output, $column_name, $user_id ) {
-		// Security check - only for admins with list_users capability.
-		if ( ! is_admin() || ! current_user_can( 'list_users' ) ) {
-			return $output;
-		}
-
-		if ( 'user_order_count' === $column_name ) {
+		if ( 'user_order_count' === $column_name && function_exists( 'wc_get_customer_order_count' ) ) {
 			$order_count = wc_get_customer_order_count( absint( $user_id ) );
 			return esc_html( number_format_i18n( $order_count ) );
 		}
 		return $output;
 	}
 
-	/**
-	 * Make order count column sortable.
-	 *
-	 * @param array $columns Sortable columns.
-	 * @return array
-	 */
-	public function make_user_order_count_sortable( $columns ) {
-		$columns['user_order_count'] = 'user_order_count';
-		return $columns;
-	}
-
 	/**
 	 * Add store categories to store meta.
 	 *
@@ -215,12 +210,12 @@ public function add_store_categories_to_meta( $store_meta, $store_id ) {
 				$location_terms = array();
 				foreach ( $terms as $term ) {
 					if ( ! empty( $term->name ) ) {
-						$location_terms[] = sanitize_text_field( $term->name );
+						$location_terms[] = esc_html( $term->name );
 					}
 				}
 				$store_meta['terms'] = implode( ', ', $location_terms );
 			} elseif ( ! empty( $terms[0]->name ) ) {
-				$store_meta['terms'] = sanitize_text_field( $terms[0]->name );
+				$store_meta['terms'] = esc_html( $terms[0]->name );
 			}
 		}
 
@@ -285,11 +280,6 @@ public function add_user_registration_date_column( $columns ) {
 	 * @return string
 	 */
 	public function display_user_registration_date_column( $output, $column_name, $user_id ) {
-		// Security check - only for admins with list_users capability.
-		if ( ! is_admin() || ! current_user_can( 'list_users' ) ) {
-			return $output;
-		}
-
 		if ( 'registration_date' === $column_name ) {
 			$registration_date = get_the_author_meta( 'registered', absint( $user_id ) );
 			if ( $registration_date ) {
@@ -524,7 +514,7 @@ public function settings_page() {
 		// Display success message if settings were updated.
 		$this->display_admin_notices();
 		?>
-		<div class="wrap">
+		<div class="wrap optimizations-ace-mc-wrap">
 			<h1><?php echo esc_html( get_admin_page_title() ); ?></h1>
 			
 			<?php $this->display_plugin_info(); ?>
@@ -552,8 +542,8 @@ public function settings_page() {
 	private function display_admin_notices() {
 		// Note: Form submission is handled automatically by WordPress Settings API.
 		// The settings_fields() function handles CSRF protection via nonces.
-		// phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
-		if ( isset( $_GET['settings-updated'] ) && wp_unslash( $_GET['settings-updated'] ) ) {
+		// phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		if ( isset( $_GET['settings-updated'] ) && sanitize_text_field( wp_unslash( $_GET['settings-updated'] ) ) ) {
 			echo '<div class="notice notice-success is-dismissible"><p>' . esc_html__( 'Settings saved successfully!', 'optimizations-ace-mc' ) . '</p></div>';
 		}
 	}
@@ -582,7 +572,7 @@ private function display_plugin_info() {
 	 */
 	private function display_dependencies_info() {
 		?>
-		<div class="card">
+		<div class="optimizations-ace-mc-card">
 			<h2><?php esc_html_e( 'Plugin Dependencies', 'optimizations-ace-mc' ); ?></h2>
 			<p><?php esc_html_e( 'This plugin is designed to work with the following plugins:', 'optimizations-ace-mc' ); ?></p>
 			<ul>
@@ -617,7 +607,7 @@ private function display_dependencies_info() {
 	 */
 	private function display_support_info() {
 		?>
-		<div class="card">
+		<div class="optimizations-ace-mc-card">
 			<h2><?php esc_html_e( 'Support & Documentation', 'optimizations-ace-mc' ); ?></h2>
 			<p>
 				<?php esc_html_e( 'For support, bug reports, or feature requests:', 'optimizations-ace-mc' ); ?>
@@ -635,26 +625,26 @@ private function display_support_info() {
 	private function output_admin_styles() {
 		?>
 		<style>
-			.card {
+			.optimizations-ace-mc-card {
 				background: #fff;
 				border: 1px solid #ccd0d4;
 				border-radius: 4px;
 				padding: 15px;
 				margin: 20px 0;
 				max-width: 100%;
 			}
-			.card h2 {
+			.optimizations-ace-mc-card h2 {
 				margin-top: 0;
 			}
-			.form-table th {
+			.optimizations-ace-mc-wrap .form-table th {
 				width: 200px;
 			}
-			.form-table td label {
+			.optimizations-ace-mc-wrap .form-table td label {
 				display: flex;
 				align-items: flex-start;
 				gap: 10px;
 			}
-			.form-table td label input[type="checkbox"] {
+			.optimizations-ace-mc-wrap .form-table td label input[type="checkbox"] {
 				margin-top: 2px;
 				flex-shrink: 0;
 			}
diff --git a/languages/optimizations-ace-mc.pot b/languages/optimizations-ace-mc.pot
@@ -14,6 +14,10 @@ msgstr ""
 "X-Generator: WP-CLI 2.8.1\n"
 "X-Domain: optimizations-ace-mc\n"
 
+#: class-optimizations-ace-mc.php
+msgid "Unserializing is not allowed."
+msgstr ""
+
 #: class-optimizations-ace-mc.php:170
 msgid "Order Count"
 msgstr ""
diff --git a/readme.txt b/readme.txt
@@ -52,7 +52,7 @@ Optimizations ACE MC is a comprehensive WordPress optimization plugin that provi
 
 = Do I need to configure anything? =
 
-The plugin comes with default settings enabled, but you can customize which optimizations to use via the **Settings > Optimizations ACE MC** admin page. Each feature can be individually enabled or disabled.
+All features are disabled by default. Navigate to **Settings > Optimizations ACE MC** to enable the optimizations you need. Each feature can be individually enabled or disabled.
 
 = What happens if I don't have WooCommerce or WP Store Locator installed? =
 
@@ -68,6 +68,16 @@ Yes, this plugin focuses on specific admin and functionality enhancements rather
 
 == Changelog ==
 
+= Unreleased =
+* Security: Hardened singleton pattern with private constructor and clone/wakeup prevention
+* Security: Fixed missing input sanitization in settings update notification check
+* Security: Added function_exists() guard for wc_get_customer_order_count() to prevent fatal errors
+* Fixed: Replaced incorrect sanitize_text_field() with proper esc_html() for store category output
+* Fixed: Removed broken order count column sorting that had no query handler
+* Fixed: Removed redundant capability checks in column render callbacks
+* Fixed: Scoped admin CSS classes to prevent collisions with WordPress core and other plugins
+* Fixed: FAQ now accurately states all features are disabled by default
+
 = 1.0.7 - 2025-09-15 =
 * Added: AI-powered code analysis workflow using Google Gemini for automated security scanning
 * Added: Comprehensive WordPress coding standards compliance checking in CI/CD
