• kiyotakakiritoooo

    (@kiyotakakiritoooo)


    Hello sir,

    Installed this plugin just to take a look, and the core workflow works fine: creator, approver, assignments all function as expected. The approved snapshot idea is actually very nice, sir. But I found some real problems while going through the code.

    The plugin comes with a hardcoded password “W***f***1*3” for sample users (I am hiding it here because I don’t want to disclose the password). Anyone who reads the source code will know it. Not safe at all for a real website.

    The entire workflow can be bypassed by calling the WordPress REST API directly. Send a POST request to wp-json with status publish and it goes live without any approval. The plugin doesn’t cover this at all.

    When an approver rejects a post, the approved snapshot gets overwritten with the rejected content, so visitors end up seeing the version that was literally just rejected. Seems like a bug.

    Every single page load in wp-admin triggers a full database schema check. This makes the admin panel noticeably slow, especially on shared hosting.

    When you uninstall the plugin it only removes the user roles. The database tables and all the post meta it created are left behind; I had to clean them up manually with phpMyAdmin.

    The audit log is supposed to track every edit, but it keeps overwriting the same row instead of adding new entries, so you lose the history of intermediate changes completely.

    I just found these using the normal analysis I do when I install new plugins and that sort of thing. I hope this review and feedback find you well, sir.

Viewing 1 replies (of 1 total)
  • Plugin Author aswinikumar

    (@aswinikumar)

    Subject: Re: Cutmap Editorial Workflow Feedback Response

    Hello,

    Thank you so much for taking the time to review the plugin so thoroughly. Your feedback was very accurate and genuinely helpful. I have gone through each point carefully and addressed all of them in version 1.4.6.

    Here is what was fixed:

    1. Hardcoded password — Completely removed. Sample users are now created with wp_generate_password(16, true), generating a unique random password per user. The password is shown once in the admin panel at creation time and never stored in code.
    2. REST API bypass — Added a rest_pre_insert_{post_type} filter that blocks any publish attempt via the REST API if the post is under active workflow and has not been approved. It returns a proper 403 error response.
    3. Approved snapshot overwritten on rejection — This was a real bug, thank you for catching it. The set_approved_snapshot() call has been removed from the reject() function entirely. The approved snapshot now only updates when an approver explicitly approves — so visitors always see the last correctly approved version.
    4. DB schema check on every page load — Fixed. The schema check is now version-guarded using a wp_options flag and only runs on plugin activation or version upgrade, not on every request.
    5. Uninstall leaving data behind — The uninstall handler now drops all custom database tables, removes all plugin post meta, and deletes all plugin options. No manual cleanup needed after deletion.
    6. Audit log overwriting rows — Fixed. The log_event() function now always inserts a new row (append-only). The full history of intermediate changes is preserved.

    Your analysis was spot-on across all six points. I really appreciate the depth of review — it made the plugin significantly more solid. Please do let me know if you notice anything else.

    Best regards,
    M. Aswini kumar
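The reply above describes three fixes in terms of WordPress APIs: a rest_pre_insert_{post_type} filter that refuses unapproved publishes with a 403 (point 2), a schema check guarded by a version flag in wp_options (point 4), and an append-only log_event() (point 6). The block below is an added illustration of those three patterns, not code from the Cutmap plugin or its author; every function name, option name, meta key and table name prefixed cutmap_example is an assumption made here. One design choice goes slightly beyond the reply: the gate fails closed, so a post that has never been approved (including a brand-new one) cannot be set to publish through the REST API.

```php
<?php
/**
 * Added example, not the plugin's own code. Names with the
 * cutmap_example prefix, the meta keys and the table name are assumed.
 */
defined( 'ABSPATH' ) || exit;

define( 'CUTMAP_EXAMPLE_DB_VERSION', '1.4.6' ); // assumed schema version

/*
 * Point 2: REST publish gate.
 * WP_REST_Posts_Controller::prepare_item_for_database() ends with
 * apply_filters( "rest_pre_insert_{$post_type}", $prepared_post, $request ).
 * Returning a WP_Error from that filter makes the controller send the
 * error (with the status in its data) instead of inserting or updating.
 */
function cutmap_example_rest_gate( $prepared_post, $request ) {
    // Only a request that tries to set status=publish is of interest.
    if ( empty( $prepared_post->post_status ) || 'publish' !== $prepared_post->post_status ) {
        return $prepared_post;
    }

    // A new post has no ID yet; it has therefore never been approved.
    $post_id  = isset( $prepared_post->ID ) ? (int) $prepared_post->ID : 0;
    $approved = $post_id && '1' === get_post_meta( $post_id, '_cutmap_example_approved', true ); // assumed meta key

    if ( ! $approved ) {
        // Fail closed: unapproved content is not allowed to go live via REST.
        return new WP_Error(
            'cutmap_example_not_approved',
            __( 'This post is under editorial workflow and has not been approved.', 'cutmap-example' ),
            array( 'status' => 403 )
        );
    }
    return $prepared_post;
}
foreach ( array( 'post', 'page' ) as $cutmap_example_type ) {
    add_filter( "rest_pre_insert_{$cutmap_example_type}", 'cutmap_example_rest_gate', 10, 2 );
}

/*
 * Point 4: version-guarded schema check.
 * The option is autoloaded, so ordinary requests cost one in-memory
 * comparison; dbDelta() only runs on activation or after an upgrade.
 */
function cutmap_example_maybe_upgrade_schema() {
    $installed = get_option( 'cutmap_example_db_version', '0' );
    if ( version_compare( $installed, CUTMAP_EXAMPLE_DB_VERSION, '>=' ) ) {
        return;
    }
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';

    $table = $wpdb->prefix . 'cutmap_example_audit_log';
    // dbDelta() needs exactly two spaces between PRIMARY KEY and the column list.
    $sql = "CREATE TABLE {$table} (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        post_id bigint(20) unsigned NOT NULL,
        user_id bigint(20) unsigned NOT NULL,
        event varchar(64) NOT NULL,
        created_at datetime NOT NULL,
        PRIMARY KEY  (id),
        KEY post_id (post_id)
    ) " . $wpdb->get_charset_collate() . ';';
    dbDelta( $sql );

    update_option( 'cutmap_example_db_version', CUTMAP_EXAMPLE_DB_VERSION );
}
register_activation_hook( __FILE__, 'cutmap_example_maybe_upgrade_schema' );
add_action( 'plugins_loaded', 'cutmap_example_maybe_upgrade_schema' );

/*
 * Point 6: append-only audit log.
 * $wpdb->insert() always creates a new row; an UPDATE keyed on post_id
 * is what silently discarded intermediate history in the reviewed version.
 */
function cutmap_example_log_event( $post_id, $event ) {
    global $wpdb;
    return $wpdb->insert(
        $wpdb->prefix . 'cutmap_example_audit_log',
        array(
            'post_id'    => (int) $post_id,
            'user_id'    => get_current_user_id(),
            'event'      => sanitize_key( $event ),
            'created_at' => current_time( 'mysql', true ),
        ),
        array( '%d', '%d', '%s', '%s' )
    );
}
```

Two caveats for anyone reproducing this. The rest_pre_insert filter only sees the REST path; the classic editor form, XML-RPC and direct wp_insert_post() calls never pass through it, so a complete gate also needs the same approval check on wp_insert_post_data, which every insert path runs. And the 403 here applies to users who already passed the REST permission callbacks; unauthenticated requests are rejected earlier by WordPress itself, so the filter's job is limited to stopping authorized editors from skipping the approval step.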
