Security
- Order customization display β Customer-entered design text (element text, font, SKU) shown on order pages, in order emails, and in the WooCommerce order screen is now fully escaped, so it can no longer inject scripts into the store admin's browser.
- Saving a customized order β Editing a customized order from the account area now requires the customer to be signed in and to own that order; it can no longer be triggered anonymously or against someone else's order.
- Admin product/pricing/interface/print-profile lists β Added strict server-side validation of sort, column, and filter parameters on these admin list endpoints to close a data-exposure vector.
- Printful admin actions β Fetching the Printful catalog and importing products now require the proper Chamevo permission and a valid security token.
- Remote image fetching β Strengthened trusted-host validation to prevent lookalike-domain bypasses.
Bug Fixes
- Translations β Corrected the German, Spanish, and French catalogs and repaired the admin-label pipeline so admin interface strings translate reliably.
- Gravity Forms order emails β Order emails no longer show legacy internal field names.