Changeset 3476940

advanced-ip-blocker/trunk/advaipbl-loader.php

-                      r3464093
+                      r3476940
 // Explicit check for direct access to satisfy Plugin Check while allowing auto_prepend_file.
 if ( ! defined( 'ABSPATH' ) ) {
+    if ( basename( $_SERVER['SCRIPT_FILENAME'] ) === basename( __FILE__ ) ) {
+    $script_filename = isset($_SERVER['SCRIPT_FILENAME']) ? sanitize_text_field(wp_unslash($_SERVER['SCRIPT_FILENAME'])) : '';
+    if ( basename( $script_filename ) === basename( __FILE__ ) ) {
         exit( 'Restricted access.' );
+    }

advanced-ip-blocker/trunk/advanced-ip-blocker.php

-                      r3472969
+                      r3476940
 Plugin URI: https://advaipbl.com/
 Description: Your complete WordPress security firewall. Blocks IPs, bots & countries. Includes an intelligent WAF, Threat Scoring, and Two-Factor Authentication.
 Version: 8.8.8
+Version: 8.8.9
 Author: IniLerm
 Author URI: https://advaipbl.com/
 …
+}
 define( 'ADVAIPBL_VERSION', '8.8.8' );
+define( 'ADVAIPBL_VERSION', '8.8.9' );
 define( 'ADVAIPBL_PLUGIN_FILE', __FILE__ );

advanced-ip-blocker/trunk/css/advaipbl-styles.css

r3472969	r3476940
1	1	/**
2	2	* Advanced IP Blocker - Admin Panel Styles
3		* Version: 8.8.8
	3	* Version: 8.8.9
4	4	*/
5	5

advanced-ip-blocker/trunk/includes/class-advaipbl-2fa-users-list-table.php

-                      r3419894
+                      r3476940
         $tfa_status_filter = isset($_REQUEST['tfa_status']) ? sanitize_text_field(wp_unslash($_REQUEST['tfa_status'])) : 'all';
         if ( in_array( $tfa_status_filter, ['active', 'inactive'] ) ) {
+            // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key
             $args['meta_key'] = ADVAIPBL_2fa_Manager::META_ENABLED_AT;
             if ( 'active' === $tfa_status_filter ) {
 …
         // Contar usuarios con 2FA activo
+        // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key
         $active_users_count = count( get_users([
             'meta_key' => ADVAIPBL_2fa_Manager::META_ENABLED_AT,

advanced-ip-blocker/trunk/includes/class-advaipbl-action-handler.php

-                      r3442728
+                      r3476940
                 global $wpdb;
                 $lockdowns_table = $wpdb->prefix . 'advaipbl_endpoint_lockdowns';
+                // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
                 $wpdb->delete($lockdowns_table, ['id' => $lockdown_id], ['%d']);
 …
                 global $wpdb;
                 $table_name = $wpdb->prefix . 'advaipbl_ip_scores';
                 // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+                // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
                 $wpdb->query("TRUNCATE TABLE `{$table_name}`");
                 /* translators: %s: Username. */
 …
                 global $wpdb;
                 $table_name = $wpdb->prefix . 'advaipbl_malicious_signatures';
                 // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+                // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
                 $wpdb->query("TRUNCATE TABLE `{$table_name}`");
                 /* translators: %s: Username. */
 …
                         $placeholders = implode(', ', array_fill(0, count($log_types_to_clear), '%s'));
                         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare
+                        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
                         $wpdb->query($wpdb->prepare("DELETE FROM {$wpdb->prefix}advaipbl_logs WHERE log_type IN ({$placeholders})", $log_types_to_clear));
 …
                 case 'clear_all_logs':
                     global $wpdb;
                     // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+                    // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
                     $wpdb->query("TRUNCATE TABLE `{$wpdb->prefix}advaipbl_logs`");
                     // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+                    // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
                     $wpdb->query("TRUNCATE TABLE `{$wpdb->prefix}advaipbl_notifications_queue`");
                     /* translators: %s: Username. */
 …
                                 global $wpdb;
                                 $table_name = $wpdb->prefix . 'advaipbl_blocked_ips';
                                 // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+                                // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
                                 $exists = $wpdb->get_var($wpdb->prepare("SELECT id FROM {$table_name} WHERE ip_range = %s", $ip_or_range));

advanced-ip-blocker/trunk/includes/class-advaipbl-admin-pages.php

-                      r3471934
+                      r3476940
         $where_sql = implode(' AND ', $where_clauses);
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $total_items = $wpdb->get_var("SELECT COUNT(log_id) FROM $table_name WHERE $where_sql");
         $total_pages = ceil($total_items / $per_page);
         $offset = ($current_page - 1) * $per_page;
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $logs = $wpdb->get_results($wpdb->prepare("SELECT * FROM $table_name WHERE $where_sql ORDER BY " . esc_sql($orderby) . " " . esc_sql($order) . " LIMIT %d OFFSET %d", $per_page, $offset), ARRAY_A);
         ?>
 …
         // phpcs:enable
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $total_items = $wpdb->get_var("SELECT COUNT(id) FROM {$table_name}");
         $total_pages = ceil($total_items / $per_page);
         $offset = ($current_page - 1) * $per_page;
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $items = $wpdb->get_results($wpdb->prepare(
             "SELECT * FROM {$table_name} ORDER BY " . esc_sql($orderby) . " " . esc_sql($order) . " LIMIT %d OFFSET %d",
 …
         <?php
         // Primero, limpiamos los lockdowns expirados.
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $wpdb->query($wpdb->prepare("DELETE FROM {$table_name} WHERE expires_at <= %d", time()));
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $items = $wpdb->get_results("SELECT * FROM {$table_name} ORDER BY created_at DESC", ARRAY_A);
         ?>
 …
     $where_sql = !empty($where_clauses) ? 'WHERE ' . implode(' AND ', $where_clauses) : '';
     // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+    // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
     $total_items = $wpdb->get_var("SELECT COUNT(id) FROM {$table_name} {$where_sql}");
     $total_pages = ceil($total_items / $per_page);
     // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared, WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+    // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
     $items_for_page = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$table_name} {$where_sql} ORDER BY " . esc_sql($orderby) . " " . esc_sql($order) . " LIMIT %d OFFSET %d", $per_page, $offset), ARRAY_A);
 …
     $where_sql = implode(' AND ', $where_clauses);
     // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+    // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
     $total_items = $wpdb->get_var("SELECT COUNT(log_id) FROM $table_name WHERE $where_sql");
     $total_pages = ceil($total_items / $per_page);
     $offset = ($current_page - 1) * $per_page;
     // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+    // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
     $logs = $wpdb->get_results($wpdb->prepare("SELECT * FROM $table_name WHERE $where_sql ORDER BY " . esc_sql($orderby) . " " . esc_sql($order) . " LIMIT %d OFFSET %d", $per_page, $offset), ARRAY_A);
 …
         $where_sql = implode(' AND ', $where_clauses);
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $total_items = $wpdb->get_var("SELECT COUNT(id) FROM {$table_name} WHERE {$where_sql}");
         $total_pages = ceil($total_items / $per_page);
         $offset = ($current_page - 1) * $per_page;
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $items = $wpdb->get_results($wpdb->prepare(
             // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
 …
         $where_sql = implode(' AND ', $where_clauses);
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $total_items = $wpdb->get_var("SELECT COUNT(log_id) FROM $table_name WHERE $where_sql");
         $total_pages = ceil($total_items / $per_page);
         $offset = ($current_page - 1) * $per_page;
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $logs = $wpdb->get_results($wpdb->prepare("SELECT * FROM $table_name WHERE $where_sql ORDER BY " . esc_sql($orderby) . " " . esc_sql($order) . " LIMIT %d OFFSET %d", $per_page, $offset), ARRAY_A);
     ?>
 …
         $table_name = $wpdb->prefix . 'advaipbl_activity_log';
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         if ($wpdb->get_var("SHOW TABLES LIKE '$table_name'") != $table_name) {
              $logs = [];
 …
              // Count total for pagination (Simple implementation)
              // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+             // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
              $total_items = $wpdb->get_var("SELECT COUNT(id) FROM $table_name");
              $total_pages = ceil($total_items / $per_page);

advanced-ip-blocker/trunk/includes/class-advaipbl-ajax-handler.php

-                      r3472969
+                      r3476940
         global $wpdb;
         $table_name = $wpdb->prefix . 'advaipbl_endpoint_lockdowns';
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $lockdown = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$table_name} WHERE id = %d", $lockdown_id), ARRAY_A);
 …
             // Check if actively blocked (expires_at is 0 OR expires_at > current_time)
+            // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
             $exists = $wpdb->get_var($wpdb->prepare(
                 "SELECT COUNT(*) FROM {$table_name} WHERE ip_range = %s AND (expires_at = 0 OR expires_at > %d)",
 …
         // Fetch ALL actively blocked IPs (permanent or not expired)
         // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $results = $wpdb->get_results($wpdb->prepare("SELECT ip_range, reason, expires_at, block_type FROM {$table_name} WHERE expires_at = 0 OR expires_at > %d", $current_time), ARRAY_A);

advanced-ip-blocker/trunk/includes/class-advaipbl-asn-manager.php

-                      r3455663
+                      r3476940
         global $wpdb;
         // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         $log_json = $wpdb->get_var($wpdb->prepare(
             "SELECT log_details FROM {$this->table_name} WHERE ip = %s",
             $ip
         ));
         // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         if ($log_json === null) {

advanced-ip-blocker/trunk/includes/class-advaipbl-audit-logger.php

-                      r3455663
+                      r3476940
         $ip = $this->main_instance->get_client_ip();
         // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+        // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         $wpdb->insert(
             $this->table_name,
 …
     public function get_logs($limit = 20, $offset = 0) {
         global $wpdb;
         // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
+        // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         return $wpdb->get_results($wpdb->prepare(
             "SELECT * FROM {$this->table_name} ORDER BY timestamp DESC LIMIT %d OFFSET %d",
             $limit, $offset
         ), ARRAY_A);
         // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
+        // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
+    }
 …
         $cutoff_date = gmdate('Y-m-d H:i:s', current_time('timestamp') - ($retention_days * DAY_IN_SECONDS));
         // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
+        // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $wpdb->query($wpdb->prepare("DELETE FROM {$this->table_name} WHERE timestamp < %s", $cutoff_date));
         // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
+        // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
+    }
 …
     public function clear_all_logs() {
         global $wpdb;
         // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery
+        // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         return $wpdb->query("TRUNCATE TABLE {$this->table_name}");
         // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery
+        // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
+    }
+}

advanced-ip-blocker/trunk/includes/class-advaipbl-cli.php

-                      r3455663
+                      r3476940
         global $wpdb;
         $table_name = $wpdb->prefix . 'advaipbl_logs';
+        // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
         @$wpdb->insert( $table_name, [ 'timestamp' => current_time( 'mysql', 1 ), 'ip' => is_array($ip) ? wp_json_encode($ip) : $ip, 'log_type' => 'general', 'level' => $level, 'message' => $message, 'details' => wp_json_encode( [ 'source' => 'WP-CLI' ] ) ] );
+    }
 …
         global $wpdb;
         $table_name = $wpdb->prefix . 'advaipbl_blocked_ips';
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $exists = $wpdb->get_var($wpdb->prepare("SELECT id FROM {$table_name} WHERE ip_range = %s", $ip_or_range));
 …
         global $wpdb; $table_name = $wpdb->prefix . 'advaipbl_logs'; $type = $assoc_args['type'] ?? 'general'; $count = $assoc_args['count'] ?? 20;
         $where_clause = '1=1'; if ( 'all' !== $type ) { $where_clause = $wpdb->prepare( 'log_type = %s', $type ); }
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $logs = $wpdb->get_results( $wpdb->prepare( "SELECT timestamp, level, ip, message, details FROM $table_name WHERE $where_clause ORDER BY timestamp DESC LIMIT %d", $count ), ARRAY_A );
         if ( empty( $logs ) ) { WP_CLI::line( 'No log entries found for the specified type.' ); return; }
 …
         if ( ! isset( $assoc_args['force'] ) ) { $confirm_message = ( 'all' === $type ) ? 'Are you sure you want to clear ALL logs? This action cannot be undone.' : "Are you sure you want to clear all '{$type}' logs?"; WP_CLI::confirm( $confirm_message ); }
         global $wpdb; $table_name = $wpdb->prefix . 'advaipbl_logs'; $this->log_event_autonomo( "WP-CLI: Clearing logs of type '{$type}'.", 'warning' );
+        if ( 'all' !== $type ) { $deleted = $wpdb->delete( $table_name, [ 'log_type' => $type ], [ '%s' ] ); WP_CLI::success( "{$deleted} logs of type '{$type}' have been cleared." ); } else {
+            // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        if ( 'all' !== $type ) {
+            // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
+            $deleted = $wpdb->delete( $table_name, [ 'log_type' => $type ], [ '%s' ] );
+            WP_CLI::success( "{$deleted} logs of type '{$type}' have been cleared." );
+        } else {
+            // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
             $wpdb->query( "TRUNCATE TABLE $table_name" ); WP_CLI::success( 'All logs have been cleared.' ); }
+    }

advanced-ip-blocker/trunk/includes/class-advaipbl-community-manager.php

r3464093	r3476940
36	36
37	37	// 1. Vaciar la tabla (Truncate es más rápido que Delete)
38		// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
	38	// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
39	39	$wpdb->query("TRUNCATE TABLE {$table_name}");
40	40

advanced-ip-blocker/trunk/includes/class-advaipbl-dashboard-manager.php

-                      r3455663
+                      r3476940
         $results = $wpdb->get_results(
     $wpdb->prepare(
         // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         "SELECT log_type, COUNT(*) as count
          FROM {$table_name}
 …
          GROUP BY log_type
          ORDER BY count DESC",
          // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+         // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         $date_after
     ),
 …
         $results = $wpdb->get_results(
     $wpdb->prepare(
         // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         "SELECT DATE(timestamp) as day, COUNT(*) as count
          FROM {$table_name}
 …
          GROUP BY day
          ORDER BY day ASC",
          // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+         // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         $date_after
     ),
 …
         return $wpdb->get_results(
     $wpdb->prepare(
         // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         "SELECT ip, COUNT(*) as count
          FROM {$table_name}
 …
          ORDER BY count DESC
          LIMIT 8",
          // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+         // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         $date_after
     ),
 …
         return $wpdb->get_results(
     $wpdb->prepare(
         // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         "SELECT JSON_UNQUOTE(JSON_EXTRACT(details, '$.country')) as country,
                 JSON_UNQUOTE(JSON_EXTRACT(details, '$.country_code')) as country_code,
 …
          ORDER BY count DESC
          LIMIT 8",
          // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+         // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         $date_after
     ),
 …
         $blocked_count = $wpdb->get_var(
     $wpdb->prepare(
         // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         "SELECT COUNT(DISTINCT ip)
          FROM {$table_name}
 …
            AND details LIKE %s
            AND timestamp >= %s",
            // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+           // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         '%"source":"Spamhaus"%',
         $date_after

advanced-ip-blocker/trunk/includes/class-advaipbl-fingerprint-manager.php

-                      r3464093
+                      r3476940
     // Borramos las firmas que ya han expirado
     // phpcs:disable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+    // phpcs:disable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
     $wpdb->query($wpdb->prepare("DELETE FROM {$signatures_table} WHERE expires_at <= %d", time()));
     // phpcs:enable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+    // phpcs:enable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
     $start_time = time() - $analysis_window_seconds;
     // 1. Encontrar firmas sospechosas (usadas por múltiples IPs)
     // phpcs:disable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+    // phpcs:disable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
     $suspicious_signatures = $wpdb->get_results(
         $wpdb->prepare(
 …
+        )
     );
     // phpcs:enable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+    // phpcs:enable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
     if (empty($suspicious_signatures)) {
 …
     foreach ($suspicious_signatures as $sig) {
         // Comprobamos si esta firma ya está marcada como maliciosa (y no ha expirado)
         // phpcs:disable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:disable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         $is_already_flagged = $wpdb->get_var($wpdb->prepare("SELECT id FROM {$signatures_table} WHERE signature_hash = %s", $sig->signature_hash));
         // phpcs:enable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:enable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         if ($is_already_flagged) {
             continue;
 …
         // 2. Obtener un ejemplo de la petición más común para esta firma
         // phpcs:disable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:disable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         $sample = $wpdb->get_row(
             $wpdb->prepare(
 …
+            )
         );
         // phpcs:enable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:enable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         // Añadimos un log si la consulta de ejemplo falla, para depuración futura.
 …
         // 1. Obtenemos una petición de ejemplo para desglosar la firma (cabeceras, etc.)
         // phpcs:disable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:disable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         $sample_request = $wpdb->get_row($wpdb->prepare(
             "SELECT user_agent, request_headers FROM {$log_table} WHERE signature_hash = %s LIMIT 1",
             $signature_hash
         ));
         // phpcs:enable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:enable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         if (!$sample_request) {
 …
         // 2. Obtenemos la evidencia: las últimas 15 IPs distintas que usaron esta firma.
         // phpcs:disable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:disable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         $evidence = $wpdb->get_results($wpdb->prepare(
             "SELECT DISTINCT ip_hash, user_agent, request_uri, timestamp, is_fake_bot as is_impersonator
 …
             $signature_hash
         ));
         // phpcs:enable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:enable PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         $details = [

advanced-ip-blocker/trunk/includes/class-advaipbl-live-feed-manager.php

-                      r3455663
+                      r3476940
         $table_name = $wpdb->prefix . 'advaipbl_activity_log';
+        // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $table_name)) != $table_name) {
              return new WP_REST_Response(['attacks' => [], 'last_id' => 0], 200);
 …
+        }
         // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
+        // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         $results = $wpdb->get_results($query, ARRAY_A);
 …
                         break;
                     case 'advanced_rule':
+                        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
                         $block_entry = $wpdb->get_row($wpdb->prepare("SELECT reason FROM {$wpdb->prefix}advaipbl_blocked_ips WHERE ip_range = %s", $row['ip']), ARRAY_A);
                         if ($block_entry && !empty($block_entry['reason'])) {
 …
+                }
+                $obfuscated_ip = $this->obfuscate_ip($row['ip']);
                 $attacks[] = [
                     'id'          => (int) $row['log_id'],
                     'time'        => human_time_diff(strtotime($row['timestamp'])) . ' ago',
                     'ip'          => esc_html($row['ip']),
+                    'ip'          => esc_html($obfuscated_ip),
                     'type'        => esc_html(ucwords(str_replace('_', ' ', $log_type))),
                     'location'    => esc_html($location),
                     'method'      => esc_html($details_data['method'] ?? 'N/A'),
+                    'details'     => esc_html($details_message),
+                    'user_agent'  => esc_html($details_data['user_agent'] ?? 'N/A'),
+                    'uri'         => esc_html($details_data['uri'] ?? ($details_data['url'] ?? '')),
+                    'details'     => esc_html($details_message)
                 ];
+            }
 …
     /**
+     * Obfuscates an IP address for public display (GDPR compliance).
+     * IPv4: 192.168.1.55 -> 192.168.1.*
+     * IPv6: 2001:0db8:85a3:0000:0000:8a2e:0370:7334 -> 2001:0db8:85a3:****:****:****:****:****
+     *
+     * @param string $ip
+     * @return string
+     */
+    private function obfuscate_ip($ip) {
+        if (empty($ip)) {
+            return '';
+        }
+        // IPv4 Obfuscation
+        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+            $parts = explode('.', $ip);
+            if (count($parts) === 4) {
+                // Return 192.168.1.*
+                return $parts[0] . '.' . $parts[1] . '.' . $parts[2] . '.*';
+            }
+        }
+        // IPv6 Obfuscation
+        elseif (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+            // Expand IPv6 to full length to parse correctly
+            $expanded = inet_ntop(inet_pton($ip));
+            if ($expanded !== false) {
+                $parts = explode(':', $expanded);
+                if (count($parts) === 8) {
+                    // Return first 3 blocks, obfuscate the rest
+                    return $parts[0] . ':' . $parts[1] . ':' . $parts[2] . ':**::**';
+                }
+            }
+        }
+        // Fallback: simply mask the last half of the string if validation fails
+        $len = strlen($ip);
+        return substr($ip, 0, (int)($len / 2)) . '***';
+    }
+    /**
      * API Callback for Nonce.
      */
 …
      */
     public function render_shortcode($atts) {
-        // Use the proper paths relative to this file's location in includes/
-        // Original: plugin_dir_url(dirname(__FILE__)) . 'js/...'
-        // If this file is in includes/, dirname is includes.
-        // plugin_dir_url(includes) -> yields URL to includes.
-        // But 'js/' is usually at the root of the plugin or assets/.
-        // Original main was in includes/ too? checking...
-        // Main path: .../includes/class-advaipbl-main.php
-        // The original code used: plugin_dir_url(dirname(__FILE__)) . 'js/advaipbl-live-feed.js'
-        // dirname(__FILE__) = .../includes
-        // plugin_dir_url via dirname would point to the includes folder URL.
-        // BUT 'js' folder is likely parallel to 'includes', not inside it.
-        // Original code logic: plugin_dir_url(...) returns URL with trailing slash.
-        // If dirname is .../includes, url is https://.../includes/
-        // Then . 'js/...' -> https://.../includes/js/...
-        // This implies /includes/js/ exists?
-        // Re-checking list_dir: js is at logical root, includes is at logical root.
-        // Wait, list_dir of includes showed 'lib' inside.
-        // list_dir of root (implicit from previous context) showed 'js' folder.
-        // So 'js' is a sibling of 'includes'.
-        // So the original code `plugin_dir_url(dirname(__FILE__))` pointing to includes/ seems wrong if it appends 'js/' directly, unless 'js' IS inside includes.
-        // Let's use `plugin_dir_url( dirname( __DIR__ ) )` to go up one level safely.
-        // dirname(__DIR__) from includes/class... -> .../plugin-root
-        $root_url = plugin_dir_url( dirname( __FILE__ ) ); // Points to .../includes/ OR plugin root?
-        // plugin_dir_url accepts a FILE path.
-        // plugin_dir_url( __FILE__ ) ->  .../includes/
-        // plugin_dir_url( dirname( __FILE__ ) . '/../advanced-ip-blocker.php' ) -> Root.
-        // Safer approach used in many plugins:
         $root_url = plugins_url( '/', dirname( __FILE__ ) );

advanced-ip-blocker/trunk/includes/class-advaipbl-main.php

-                      r3471934
+                      r3476940
         add_action('wp_ajax_advaipbl_run_fim_scan', [$this->ajax_handler, 'ajax_run_fim_scan']);
+        if (is_admin() || (isset($_GET['action']) && strpos($_GET['action'], 'advaipbl_') === 0)) {
+        // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+        $action = isset($_GET['action']) ? sanitize_text_field(wp_unslash($_GET['action'])) : '';
+        if (is_admin() || (strpos($action, 'advaipbl_') === 0)) {
             add_action('admin_init', [$this, 'initialize_backend_managers'], 0);
 …
     public function log_request_signature() {
         if (empty($this->options['enable_signature_engine'])) { return; }
+        $request_uri = isset($_SERVER['REQUEST_URI']) ? sanitize_text_field(wp_unslash($_SERVER['REQUEST_URI'])) : '';
         // No loguear las peticiones del Live Feed interno
         if (strpos($_SERVER['REQUEST_URI'], '/advaipbl/v1/live-attacks') !== false) {
+        if (strpos($request_uri, '/advaipbl/v1/live-attacks') !== false) {
             return;
+        }
 …
+        }
-        $request_uri = $_SERVER['REQUEST_URI'] ?? '';
         if (wp_is_json_request() && strpos($request_uri, '/telemetry/') === false && strpos($request_uri, '/aib-network/') === false && strpos($request_uri, '/aib-scanner/') === false) {
             return;
 …
         ];
+        // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $wpdb->insert($table_name, $data_to_log);
+    }
 …
+        }
+        // phpcs:ignore WordPress.Security.NonceVerification.Missing
         if (isset($_POST['_advaipbl_js_token'])) {
     // Parámetros para el desafío de firmas: cookie 'advaipbl_js_verified', duración 4 horas.
 …
         // Fix: Check if table exists to avoid fatal error on fresh install
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         if ($wpdb->get_var("SHOW TABLES LIKE '$signatures_table'") != $signatures_table) {
             return;
+        }
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $is_malicious = $wpdb->get_var($wpdb->prepare(
             "SELECT id FROM {$signatures_table} WHERE signature_hash = %s AND expires_at > %d",
 …
             return;
+        }
+        // phpcs:ignore WordPress.Security.NonceVerification.Missing
         if (isset($_POST['_advaipbl_challenge_type']) && $_POST['_advaipbl_challenge_type'] === 'geo_challenge') {
             $duration_hours = (int)($this->options['geo_challenge_cookie_duration'] ?? 24);
 …
+    }
+    // phpcs:ignore WordPress.WP.EnqueuedResourceParameters.MissingVersion
     wp_enqueue_script(
         'google-recaptcha',
 …
+    }
+    if (!isset($_POST['g-recaptcha-response']) || empty($_POST['g-recaptcha-response'])) {
+    // phpcs:ignore WordPress.Security.NonceVerification.Missing
+    $recaptcha_response = isset($_POST['g-recaptcha-response']) ? sanitize_text_field(wp_unslash($_POST['g-recaptcha-response'])) : '';
+    if (empty($recaptcha_response)) {
         return new WP_Error('recaptcha_empty', __('<strong>ERROR</strong>: Please complete the reCAPTCHA verification.', 'advanced-ip-blocker'));
+    }
     $token = sanitize_text_field($_POST['g-recaptcha-response']);
+    $token = $recaptcha_response;
     $visitor_ip = $this->get_client_ip();
 …
         global $wpdb;
         $table_name = $wpdb->prefix . 'advaipbl_blocked_ips';
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $count = (int) $wpdb->get_var("SELECT COUNT(id) FROM {$table_name}");
         wp_cache_set('blocked_ips_count', $count, 'advaipbl', 300); // Cache por 5 minutos
 …
     $count = wp_cache_get('blocked_signatures_count', 'advaipbl');
     if (false === $count) {
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $count = (int) $wpdb->get_var($wpdb->prepare("SELECT COUNT(id) FROM {$table_name} WHERE expires_at > %d", time()));
         wp_cache_set('blocked_signatures_count', $count, 'advaipbl', 300); // Cache por 5 minutos
 …
     if (false === $count) {
         // Primero, limpiamos los expirados para un conteo preciso
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $wpdb->query($wpdb->prepare("DELETE FROM {$table_name} WHERE expires_at <= %d", time()));
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $count = (int) $wpdb->get_var("SELECT COUNT(id) FROM {$table_name}");
         wp_cache_set('blocked_endpoints_count', $count, 'advaipbl', 300); // Cache por 5 minutos
 …
         global $wpdb;
         $table_name = $wpdb->prefix . 'advaipbl_cache';
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $wpdb->query("TRUNCATE TABLE `{$table_name}`");
 …
         // --- 1. Determinar la pestaña y sub-pestaña activas ---
+        // phpcs:ignore WordPress.Security.NonceVerification.Recommended
         $current_page_slug = isset($_GET['page']) ? sanitize_key($_GET['page']) : '';
+        // phpcs:ignore WordPress.Security.NonceVerification.Recommended
         if (isset($_GET['tab'])) {
+            // phpcs:ignore WordPress.Security.NonceVerification.Recommended
             $active_main_tab = sanitize_key($_GET['tab']);
         } else {
 …
+        }
+        // phpcs:ignore WordPress.Security.NonceVerification.Recommended
         $active_sub_tab = isset($_GET['sub-tab']) ? sanitize_key($_GET['sub-tab']) : null;
 …
             if ( 'main_dashboard' === $active_sub_tab ) {
                 wp_enqueue_script('chartjs', plugin_dir_url( dirname( __FILE__ ) ) . 'assets/js/chart.min.js', [], '3.9.1', true);
+                // phpcs:ignore WordPress.WP.EnqueuedResourceParameters.MissingVersion
                 wp_enqueue_style('leaflet-css', plugin_dir_url( dirname( __FILE__ ) ) . 'assets/css/leaflet.css');
                 wp_enqueue_script('leaflet-js', plugin_dir_url( dirname( __FILE__ ) ) . 'assets/js/leaflet.js', [], '1.9.4', true);
+                // phpcs:ignore WordPress.WP.EnqueuedResourceParameters.MissingVersion
                 wp_enqueue_style('leaflet-markercluster-css', plugin_dir_url( dirname( __FILE__ ) ) . 'assets/css/MarkerCluster.css');
+                // phpcs:ignore WordPress.WP.EnqueuedResourceParameters.MissingVersion
                 wp_enqueue_style('leaflet-markercluster-default-css', plugin_dir_url( dirname( __FILE__ ) ) . 'assets/css/MarkerCluster.Default.css');
                 wp_enqueue_script('leaflet-markercluster-js', plugin_dir_url( dirname( __FILE__ ) ) . 'assets/js/leaflet.markercluster.js', ['leaflet-js'], '1.5.3', true);
 …
             // Cargar assets de la página "About"
             // STRICT CHECK: Ensure we are explicitly on the about tab to avoid loading Stripe/Sift on other pages (CSP issues)
+            // phpcs:ignore WordPress.Security.NonceVerification.Recommended
             if (isset($_GET['tab']) && $_GET['tab'] === 'about') {
+                // phpcs:ignore WordPress.WP.EnqueuedResourceParameters.MissingVersion
                 wp_enqueue_script('stripe-buy-button', 'https://js.stripe.com/v3/buy-button.js', [], null, true);
+            }
 …
     if ( ! empty( $this->options['prevent_author_scanning'] ) && ! is_admin() ) {
         // Comprobamos directamente el parámetro GET 'author'. Es mucho más fiable.
+        // phpcs:ignore WordPress.Security.NonceVerification.Recommended
         if ( isset( $_GET['author'] ) && is_numeric( $_GET['author'] ) ) {
             wp_safe_redirect( home_url(), 301 );
 …
         // If a deadlock occurs, it just means another process is handling this IP, which is fine.
         $wpdb->suppress_errors();
+        // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         $lock_acquired = $wpdb->query($wpdb->prepare("INSERT IGNORE INTO {$wpdb->prefix}advaipbl_cache (cache_key, cache_value, expires_at) VALUES (%s, '1', %d)", $lock_key, time() + 15));
         $wpdb->show_errors();
 …
         $table_name = $wpdb->prefix . 'advaipbl_blocked_ips';
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         if ($wpdb->get_var($wpdb->prepare("SELECT id FROM {$table_name} WHERE ip_range = %s", $ip))) {
             $wpdb->delete("{$wpdb->prefix}advaipbl_cache", ['cache_key' => $lock_key]);
 …
 $expires_at = ($duration_in_seconds > 0) ? $timestamp + $duration_in_seconds : 0;
+        // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $wpdb->insert($table_name, [ 'ip_range' => $ip, 'block_type' => $type, 'timestamp' => $timestamp, 'expires_at' => $expires_at, 'reason' => $reason_message ]);
 …
+    }
+    // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
     $wpdb->delete("{$wpdb->prefix}advaipbl_cache", ['cache_key' => $lock_key]);
 …
         $table_name = $wpdb->prefix . 'advaipbl_logs';
         // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.InterpolatedNotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $wpdb->query($wpdb->prepare("DELETE FROM $table_name WHERE timestamp < DATE_SUB(NOW(), INTERVAL %d DAY)", $retention_days));
+    }
 …
         $table_blocked = $wpdb->prefix . 'advaipbl_blocked_ips';
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $table_missing = ($wpdb->get_var("SHOW TABLES LIKE '$table_audit'") != $table_audit)
                       || ($wpdb->get_var("SHOW TABLES LIKE '$table_blocked'") != $table_blocked);
 …
                 // Insertamos la fila en la nueva tabla.
+                // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
                 $wpdb->insert(
                     $table_name,
 …
+    }
+    // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
     @$wpdb->insert(
         $table_name,
 …
         $wpdb->suppress_errors(); // Avoid deadlock noise
+        // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $lock_acquired = $wpdb->query($wpdb->prepare(
             "INSERT IGNORE INTO {$wpdb->prefix}advaipbl_cache (cache_key, cache_value, expires_at) VALUES (%s, %s, %d)",
 …
+        }
         $table_name_blocked = $wpdb->prefix . 'advaipbl_blocked_ips';
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $existing_block = $wpdb->get_var($wpdb->prepare("SELECT id FROM {$table_name_blocked} WHERE ip_range = %s", $ip));
         if ($existing_block) {
+            // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
             $wpdb->delete("{$wpdb->prefix}advaipbl_cache", ['cache_key' => $lock_key]);
             return;
 …
         $option_key = $option_key_map[$type] ?? null;
         if ( ! $option_key ) {
+            // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
             $wpdb->delete("{$wpdb->prefix}advaipbl_cache", ['cache_key' => $lock_key]); // Liberar cerrojo antes de salir
             return;
 …
         } elseif ($notification_enabled && in_array($frequency, ['daily', 'weekly'])) {
             $table_name_queue = $wpdb->prefix . 'advaipbl_notifications_queue';
+            // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
             @$wpdb->insert($table_name_queue, ['timestamp' => current_time('mysql', 1), 'ip' => $ip, 'block_type' => $type, 'reason' => $reason]);
+        }
 …
+        }
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $wpdb->delete("{$wpdb->prefix}advaipbl_cache", ['cache_key' => $lock_key]);
+    }
 …
     $this->block_response_initiated = true;
+    $is_xmlrpc_request = (isset($_SERVER['REQUEST_URI']) && strpos($_SERVER['REQUEST_URI'], 'xmlrpc.php') !== false);
+    $request_uri = isset($_SERVER['REQUEST_URI']) ? sanitize_text_field(wp_unslash($_SERVER['REQUEST_URI'])) : '';
+    $is_xmlrpc_request = (strpos($request_uri, 'xmlrpc.php') !== false);
     $custom_message = $this->options['custom_block_message'] ?? '';
 …
         $is_single_ip = filter_var($entry_to_unblock, FILTER_VALIDATE_IP);
         // Borrar de la nueva tabla
+        // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         $wpdb->delete($table_name, ['ip_range' => $entry_to_unblock]);
         // También borrar de la tabla de reportes pendientes para evitar falsos positivos
         $table_reports = $wpdb->prefix . 'advaipbl_pending_reports';
+        // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         $wpdb->delete($table_reports, ['ip' => $entry_to_unblock]);
 …
         // 1. Vaciar la tabla de IPs bloqueadas.
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $wpdb->query("TRUNCATE TABLE `{$table_name_blocked}`");
         // También vaciar la tabla de reportes pendientes
         $table_reports = $wpdb->prefix . 'advaipbl_pending_reports';
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $wpdb->query("TRUNCATE TABLE `{$table_reports}`");
 …
         // 1. Obtener todas las IPs que van a expirar
         // Aumentamos el límite a 100 para procesar en lotes razonables y evitar timeouts masivos
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $expiring_ips = $wpdb->get_results($wpdb->prepare(
             "SELECT ip_range, block_type FROM {$table_name} WHERE expires_at < %d AND expires_at > 0 LIMIT 100",
 …
 */
 public function conditionally_remove_admin_notices() {
+    // phpcs:ignore WordPress.Security.NonceVerification.Recommended
     $current_page_slug = isset($_GET['page']) ? sanitize_key($_GET['page']) : '';
     $plugin_pages = [
 …
     // Obtenemos los parámetros de la URL actual para mantenerlos al ordenar
+    // phpcs:ignore WordPress.Security.NonceVerification.Recommended
     $current_params = $_GET;
     $url_params = array_merge($current_params, [
 …
         $definitions = $this->get_all_block_type_definitions();
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $results = $wpdb->get_results("SELECT * FROM {$table_name}", ARRAY_A);
 …
     public function display_telemetry_notice() {
         // Condición 1: Solo mostrar en las páginas de nuestro plugin.
+        if (!isset($_GET['page']) || strpos($_GET['page'], 'advaipbl_settings_page') === false) {
+        // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+        $page = isset($_GET['page']) ? sanitize_text_field(wp_unslash($_GET['page'])) : '';
+        if (strpos($page, 'advaipbl_settings_page') === false) {
             return;
+        }
 …
         $seven_days_ago = gmdate('Y-m-d H:i:s', strtotime('-7 days'));
+        // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         $blocks_by_type_results = $wpdb->get_results( $wpdb->prepare(
             "SELECT log_type, COUNT(log_id) as count FROM {$wpdb->prefix}advaipbl_logs WHERE level = 'critical' AND timestamp >= %s GROUP BY log_type",
 …
             'blocked_user_agents_count' => count(get_option(self::OPTION_BLOCKED_UAS, [])),
             'manual_asn_count'        => count(get_option(self::OPTION_BLOCKED_ASNS, [])),
+            // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
             'total_blocks_7d'         => (int) $wpdb->get_var($wpdb->prepare("SELECT COUNT(log_id) FROM {$wpdb->prefix}advaipbl_logs WHERE level = 'critical' AND timestamp >= %s", $seven_days_ago)),
             'blocks_by_type_7d'       => $blocks_by_type_7d,
             'geoblock_country_count'  => count($this->options['geoblock_countries'] ?? []),
             'active_blocks_count'     => $this->get_blocked_count(),
+            // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
             'ips_with_active_score'   => (int) $wpdb->get_var("SELECT COUNT(id) FROM {$wpdb->prefix}advaipbl_ip_scores"),
+            // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
             'active_malicious_signatures' => (int) $wpdb->get_var($wpdb->prepare("SELECT COUNT(id) FROM {$wpdb->prefix}advaipbl_malicious_signatures WHERE expires_at > %d", time())),
             'geo_challenge_country_count' => count($this->options['geo_challenge_countries'] ?? []),
 …
         check_ajax_referer( 'advaipbl_export_nonce', 'nonce' );
+        $export_type = isset( $_POST['export_type'] ) && in_array( $_POST['export_type'], ['template', 'full_backup'] ) ? $_POST['export_type'] : 'template';
+        $export_type_raw = isset( $_POST['export_type'] ) ? sanitize_text_field(wp_unslash($_POST['export_type'])) : 'template';
+        $export_type = in_array( $export_type_raw, ['template', 'full_backup'] ) ? $export_type_raw : 'template';
         global $wpdb;
 …
         // 2. Exportar la tabla de IPs bloqueadas
         $table_name = $wpdb->prefix . 'advaipbl_blocked_ips';
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $blocked_ips_data = $wpdb->get_results("SELECT ip_range, block_type, timestamp, expires_at, reason FROM {$table_name}", ARRAY_A);
         if (!empty($blocked_ips_data)) {
 …
                 'recaptcha_site_key', 'recaptcha_secret_key',
                 'api_key_ipapicom', 'api_key_ipstackcom', 'api_key_ipinfocom',
+                'api_key_ip_apicom', 'maxmind_license_key', 'push_webhook_urls'
+                'api_key_ip_apicom', 'maxmind_license_key', 'push_webhook_urls',
+                'cf_api_token', 'cf_zone_id', 'abuseipdb_api_key'
             ];
             foreach ($sensitive_keys as $sensitive_key) {
 …
     $type = 'error';
+    if ( isset( $_FILES['advaipbl_import_file'] ) && UPLOAD_ERR_OK === $_FILES['advaipbl_import_file']['error'] ) {
+        $file_name = $_FILES['advaipbl_import_file']['name'];
+    $file_error = isset($_FILES['advaipbl_import_file']['error']) ? (int) $_FILES['advaipbl_import_file']['error'] : UPLOAD_ERR_NO_FILE;
+    if ( isset( $_FILES['advaipbl_import_file'] ) && UPLOAD_ERR_OK === $file_error ) {
+        $file_name = isset( $_FILES['advaipbl_import_file']['name'] ) ? sanitize_file_name(wp_unslash($_FILES['advaipbl_import_file']['name'])) : '';
         if ( 'json' !== pathinfo( $file_name, PATHINFO_EXTENSION ) ) {
             $message = __( 'Error: The uploaded file is not a .json file.', 'advanced-ip-blocker' );
             $this->log_event( sprintf( 'A failed settings import was attempted by %s (invalid file type).', $this->get_current_admin_username() ), 'error' );
         } else {
+            $file_content = file_get_contents( $_FILES['advaipbl_import_file']['tmp_name'] );
+            $tmp_name = isset( $_FILES['advaipbl_import_file']['tmp_name'] ) ? sanitize_text_field(wp_unslash($_FILES['advaipbl_import_file']['tmp_name'])) : '';
+            if (empty($tmp_name)) {
+                return;
+            }
+            $file_content = file_get_contents( $tmp_name );
             $settings_to_import = json_decode( $file_content, true );
 …
                         global $wpdb;
                         $table_name = $wpdb->prefix . 'advaipbl_blocked_ips';
                         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+                        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
                         $wpdb->query("TRUNCATE TABLE `{$table_name}`");
 …
     public function handle_login_action() {
         if ( ! isset( $_POST['advaipbl_2fa_login_step'] ) ) { return; }
         $step = $_POST['advaipbl_2fa_login_step'];
+        $step = sanitize_text_field(wp_unslash($_POST['advaipbl_2fa_login_step']));
         $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
         $code = isset( $_POST['advaipbl_2fa_code'] ) ? trim( sanitize_text_field( $_POST['advaipbl_2fa_code'] ) ) : '';
         $nonce = $_POST['_wpnonce'] ?? '';
+        $code = isset( $_POST['advaipbl_2fa_code'] ) ? trim( sanitize_text_field( wp_unslash($_POST['advaipbl_2fa_code']) ) ) : '';
+        $nonce = isset($_POST['_wpnonce']) ? sanitize_text_field(wp_unslash($_POST['_wpnonce'])) : '';
         $user = get_user_by( 'id', $user_id );
         if ( ! $user ) { wp_die( 'Authentication error: Invalid user.' ); }
 …
         if ( $is_valid ) {
             wp_set_auth_cookie( $user->ID, isset( $_POST['rememberme'] ) );
             $redirect_to = isset( $_REQUEST['redirect_to'] ) && !empty($_REQUEST['redirect_to']) ? wp_unslash( $_REQUEST['redirect_to'] ) : admin_url();
+            $redirect_to = (isset( $_REQUEST['redirect_to'] ) && !empty($_REQUEST['redirect_to'])) ? sanitize_text_field(wp_unslash( $_REQUEST['redirect_to'] )) : admin_url();
             wp_safe_redirect( $redirect_to );
             exit;
 …
                 'user_id' => $user->ID,
                 'wp_auth_nonce' => wp_create_nonce( 'advaipbl-2fa-interim-' . $user->ID ),
                 'redirect_to' => $_REQUEST['redirect_to'] ?? '',
+                'redirect_to' => isset($_REQUEST['redirect_to']) ? sanitize_text_field(wp_unslash($_REQUEST['redirect_to'])) : '',
             ], site_url( 'wp-login.php', 'login' ) );
             wp_safe_redirect( $redirect_url );
 …
                 'user_id' => $user->ID,
                 'wp_auth_nonce' => wp_create_nonce( 'advaipbl-2fa-interim-' . $user->ID ),
+                'redirect_to' => $_REQUEST['redirect_to'] ?? '',
+                'rememberme' => $_REQUEST['rememberme'] ?? '',
+                // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                'redirect_to' => isset($_REQUEST['redirect_to']) ? sanitize_text_field(wp_unslash($_REQUEST['redirect_to'])) : '',
+                // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                'rememberme' => isset($_REQUEST['rememberme']) ? sanitize_text_field(wp_unslash($_REQUEST['rememberme'])) : '',
             ], site_url( 'wp-login.php', 'login' ) );
             wp_safe_redirect( $redirect_url );
 …
         public function display_2fa_login_form_step_2() {
         $user_id = isset( $_GET['user_id'] ) ? absint( $_GET['user_id'] ) : 0;
         $nonce = $_GET['wp_auth_nonce'] ?? '';
+        $nonce = isset($_GET['wp_auth_nonce']) ? sanitize_text_field(wp_unslash($_GET['wp_auth_nonce'])) : '';
         if ( ! $user_id || ! wp_verify_nonce( $nonce, 'advaipbl-2fa-interim-' . $user_id ) ) {
 …
         $message = '';
         if ( isset( $_COOKIE['advaipbl_login_error'] ) ) {
             $message = '<div id="login_error" class="notice notice-error">' . wp_kses_post( $_COOKIE['advaipbl_login_error'] ) . '</div>';
+            $message = '<div id="login_error" class="notice notice-error">' . wp_kses_post( wp_unslash($_COOKIE['advaipbl_login_error']) ) . '</div>';
             // Borramos la cookie para que no se muestre de nuevo
             unset( $_COOKIE['advaipbl_login_error'] );
 …
             </p>
             <input type="hidden" name="user_id" value="<?php echo esc_attr( $user_id ); ?>" />
             <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $_REQUEST['redirect_to'] ?? '' ); ?>" />
             <input type="hidden" name="rememberme" value="<?php echo esc_attr( $_REQUEST['rememberme'] ?? '' ); ?>" />
+            <input type="hidden" name="redirect_to" value="<?php echo esc_attr( isset($_REQUEST['redirect_to']) ? sanitize_text_field(wp_unslash($_REQUEST['redirect_to'])) : '' ); ?>" />
+            <input type="hidden" name="rememberme" value="<?php echo esc_attr( isset($_REQUEST['rememberme']) ? sanitize_text_field(wp_unslash($_REQUEST['rememberme'])) : '' ); ?>" />
             <input type="hidden" name="advaipbl_2fa_login_step" value="2" />
             <?php wp_nonce_field( 'advaipbl-2fa-verify-' . $user_id ); ?>
 …
                         'user_id' => $user_id,
                         'wp_auth_nonce' => $nonce,
                         'redirect_to' => $_REQUEST['redirect_to'] ?? '',
+                        'redirect_to' => isset($_REQUEST['redirect_to']) ? sanitize_text_field(wp_unslash($_REQUEST['redirect_to'])) : '',
                     ], site_url( 'wp-login.php', 'login' ) ) );
                 ?>">
 …
         public function display_2fa_backup_code_form() {
         $user_id = isset( $_GET['user_id'] ) ? absint( $_GET['user_id'] ) : 0;
         $nonce = $_GET['wp_auth_nonce'] ?? '';
+        $nonce = isset($_GET['wp_auth_nonce']) ? sanitize_text_field(wp_unslash($_GET['wp_auth_nonce'])) : '';
         if ( ! $user_id || ! wp_verify_nonce( $nonce, 'advaipbl-2fa-interim-' . $user_id ) ) {
 …
         $message = '';
         if ( isset( $_COOKIE['advaipbl_login_error'] ) ) {
             $message = '<div id="login_error" class="notice notice-error">' . wp_kses_post( $_COOKIE['advaipbl_login_error'] ) . '</div>';
+            $message = '<div id="login_error" class="notice notice-error">' . wp_kses_post( wp_unslash($_COOKIE['advaipbl_login_error']) ) . '</div>';
             unset( $_COOKIE['advaipbl_login_error'] );
             setcookie( 'advaipbl_login_error', '', time() - 3600, COOKIEPATH, COOKIE_DOMAIN );
 …
             </p>
             <input type="hidden" name="user_id" value="<?php echo esc_attr( $user_id ); ?>" />
             <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $_REQUEST['redirect_to'] ?? '' ); ?>" />
             <input type="hidden" name="rememberme" value="<?php echo esc_attr( $_REQUEST['rememberme'] ?? '' ); ?>" />
+            <input type="hidden" name="redirect_to" value="<?php echo esc_attr( isset($_REQUEST['redirect_to']) ? sanitize_text_field(wp_unslash($_REQUEST['redirect_to'])) : '' ); ?>" />
+            <input type="hidden" name="rememberme" value="<?php echo esc_attr( isset($_REQUEST['rememberme']) ? sanitize_text_field(wp_unslash($_REQUEST['rememberme'])) : '' ); ?>" />
             <input type="hidden" name="advaipbl_2fa_login_step" value="backup" />
             <?php wp_nonce_field( 'advaipbl-2fa-verify-backup-' . $user_id ); ?>
 …
                         'user_id' => $user_id,
                         'wp_auth_nonce' => $nonce,
                         'redirect_to' => $_REQUEST['redirect_to'] ?? '',
+                        'redirect_to' => isset($_REQUEST['redirect_to']) ? sanitize_text_field(wp_unslash($_REQUEST['redirect_to'])) : '',
                     ], site_url( 'wp-login.php', 'login' ) ) );
                 ?>">
 …
      ) {
          // Increase limits for large file download/extraction
+         // phpcs:ignore Squiz.PHP.DiscouragedFunctions.Discouraged
          if (function_exists('set_time_limit')) { @set_time_limit(300); }
+         // phpcs:ignore Squiz.PHP.DiscouragedFunctions.Discouraged
          @ini_set('memory_limit', '256M');
 …
         $table_name = $wpdb->prefix . 'advaipbl_blocked_ips';
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $is_blocked_in_db = $wpdb->get_var( $wpdb->prepare(
             "SELECT id FROM {$table_name} WHERE ip_range = %s AND (expires_at = 0 OR expires_at > %d)",
 …
         foreach ($options_to_optimize as $option_name) {
+            // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
             $wpdb->query( $wpdb->prepare(
                 "UPDATE {$wpdb->options} SET `autoload` = 'no' WHERE `option_name` = %s",
 …
         static $request_method = null;
         if (is_null($request_method)) {
+            $request_method = sanitize_text_field($_SERVER['REQUEST_METHOD'] ?? 'GET');
+            $request_method_raw = isset($_SERVER['REQUEST_METHOD']) ? wp_unslash($_SERVER['REQUEST_METHOD']) : 'GET';
+            $request_method = sanitize_text_field($request_method_raw);
+        }
         return $request_method;
 …
         static $remote_addr = null;
         if (is_null($remote_addr)) {
+            $remote_addr = filter_var($_SERVER['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP) ?: '';
+            $remote_addr_raw = isset($_SERVER['REMOTE_ADDR']) ? sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR'])) : '';
+            $remote_addr = filter_var($remote_addr_raw, FILTER_VALIDATE_IP) ?: '';
+        }
         return $remote_addr;
 …
             // Insertamos el lockdown en nuestra nueva tabla.
+            // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
             $wpdb->insert(
                 $lockdowns_table,
 …
             // Limpiamos el contador de la caché, ya que el lockdown está activo.
+            // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
             $wpdb->delete($wpdb->prefix . 'advaipbl_cache', ['cache_key' => $cache_key]);
 …
             // Verificamos que no haya ya un lockdown activo para este endpoint para evitar duplicados.
             // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+            // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
             $is_already_active = $wpdb->get_var($wpdb->prepare(
                 "SELECT id FROM {$lockdowns_table} WHERE endpoint_key = %s AND expires_at > %d",
 …
                 $details = wp_json_encode(['triggering_ip_hashes' => $trigger_data['ip_hashes']]);
+                // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
                 $wpdb->insert(
                     $lockdowns_table,
 …
             // Limpiamos el contador de la caché, ya que el lockdown está activo.
+            // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
             $wpdb->delete($wpdb->prefix . 'advaipbl_cache', ['cache_key' => $cache_key]);
+        }
 …
         // Procesa la respuesta del desafío si es para este tipo.
+        // phpcs:ignore WordPress.Security.NonceVerification.Missing
         if (isset($_POST['_advaipbl_challenge_type']) && $_POST['_advaipbl_challenge_type'] === 'endpoint') {
             // Un pase de 1 hora es suficiente para un endpoint crítico.
 …
         global $wpdb;
         $lockdowns_table = $wpdb->prefix . 'advaipbl_endpoint_lockdowns';
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $is_lockdown_active = $wpdb->get_var($wpdb->prepare(
             "SELECT id FROM {$lockdowns_table} WHERE endpoint_key = %s AND expires_at > %d",
 …
 public function display_setup_wizard_notice() {
     // Solo mostrar el aviso si la bandera existe, el usuario puede gestionar opciones, y no estamos ya en el asistente.
+    // phpcs:ignore WordPress.Security.NonceVerification.Recommended
     if ( get_option( 'advaipbl_run_setup_wizard' ) && current_user_can( 'manage_options' ) && ( ! isset( $_GET['page'] ) || $_GET['page'] !== 'advaipbl-setup-wizard' ) ) {
         $wizard_url = admin_url( 'admin.php?page=advaipbl-setup-wizard' );
 …
              // Check if already active
              // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+             // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
              $is_active = $wpdb->get_var($wpdb->prepare(
                  "SELECT id FROM {$lockdowns_table} WHERE endpoint_key = %s AND expires_at > %d",
 …
                  $details = wp_json_encode($details_array);
+                 // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
                  $wpdb->insert(
                      $lockdowns_table,
 …
              // Clear cache as lockdown is now active
+             // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
              $wpdb->delete($wpdb->prefix . 'advaipbl_cache', ['cache_key' => $cache_key]);
+        }
 …
          global $wpdb;
          $lockdowns_table = $wpdb->prefix . 'advaipbl_endpoint_lockdowns';
          // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
          return $wpdb->get_var($wpdb->prepare(
              "SELECT id FROM {$lockdowns_table} WHERE endpoint_key = %s AND expires_at > %d",
 …
 public function scanner_ping_endpoint() {
+    // phpcs:ignore WordPress.Security.NonceVerification.Recommended
     if (isset($_GET['advaipbl-ping']) && $_GET['advaipbl-ping'] === '1') {
 …
         $expected_user_agent = base64_decode($encoded_user_agent);
         $visitor_ip = $_SERVER['REMOTE_ADDR'] ?? '';
         $request_user_agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
+        $visitor_ip = isset($_SERVER['REMOTE_ADDR']) ? sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR'])) : '';
+        $request_user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? sanitize_text_field(wp_unslash($_SERVER['HTTP_USER_AGENT'])) : '';
         if (in_array($visitor_ip, $allowed_ips, true) && hash_equals($expected_user_agent, $request_user_agent)) {

advanced-ip-blocker/trunk/includes/class-advaipbl-notification-manager.php

-                      r3464093
+                      r3476940
         if (!empty($ids)) {
             $ids_placeholder = implode(',', $ids);
             // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery
+            // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
             $wpdb->query("DELETE FROM $table_name WHERE id IN ($ids_placeholder)");
+        }
 …
         if (!empty($ids)) {
             $ids_placeholder = implode(',', $ids);
             // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery
+            // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
             $wpdb->query("DELETE FROM $table_name WHERE id IN ($ids_placeholder)");
+        }

advanced-ip-blocker/trunk/includes/class-advaipbl-threat-score-manager.php

-                      r3419894
+                      r3476940
         global $wpdb;
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $score = $wpdb->get_var($wpdb->prepare(
             "SELECT score FROM {$this->table_name} WHERE ip = %s",
 …
         // Obtenemos el log existente para poder añadir la nueva entrada.
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $existing_log_json = $wpdb->get_var($wpdb->prepare(
             "SELECT log_details FROM {$this->table_name} WHERE ip = %s",
 …
         // Usamos una única consulta eficiente para insertar o actualizar.
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $wpdb->query($wpdb->prepare(
             "INSERT INTO {$this->table_name} (ip, score, last_event_timestamp, log_details)
 …
         // 1. Reducimos la puntuación de las IPs inactivas.
         // Usamos una consulta SQL para restar los puntos, asegurándonos de que nunca baje de 0.
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $updated = $wpdb->query($wpdb->prepare(
             "UPDATE {$this->table_name}
              SET score = GREATEST(0, score - %d)
+            SET score = GREATEST(0, score - %d)
              WHERE last_event_timestamp < %d",
             $decay_points,
 …
         // 2. Eliminamos las filas cuya puntuación ha llegado a 0.
         // Esto mantiene la tabla limpia y eficiente.
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $deleted = $wpdb->query(
             "DELETE FROM {$this->table_name} WHERE score <= 0"
 …
         global $wpdb;
+        // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
         $result = $wpdb->delete(
             $this->table_name,
 …
         global $wpdb;
         // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter
         $log_json = $wpdb->get_var($wpdb->prepare(
             "SELECT log_details FROM {$this->table_name} WHERE ip = %s",

advanced-ip-blocker/trunk/js/advaipbl-live-feed.js

-                      r3353165
+                      r3476940
 jQuery(document).ready(function($) {
+jQuery(document).ready(function ($) {
     const feedContainer = $('#advaipbl-live-feed-container');
 …
     const nonceUrl = window.advaipbl_feed_data.nonce_url || '';
     const texts = window.advaipbl_feed_data.text || {};
     let lastId = 0;
     let isFetching = false;
 …
         detailsHtml += `<div class="feed-label">${texts.method || 'Method'}</div><div class="feed-value"><code>${attack.method}</code></div>`;
         detailsHtml += `<div class="feed-label">${texts.details || 'Details'}</div><div class="feed-value">${attack.details}</div>`;
-        if (attack.uri) {
-            detailsHtml += `<div class="feed-label">${texts.uri || 'URI'}</div><div class="feed-value"><code>${attack.uri}</code></div>`;
+        }
-        if (attack.user_agent && attack.user_agent !== 'N/A') {
-            detailsHtml += `<div class="feed-label">${texts.user_agent || 'User Agent'}</div><div class="feed-value"><code>${attack.user_agent}</code></div>`;
+        }
         detailsHtml += '</div>';
         return `
 …
         const url = `${apiUrl}?${params.toString()}`;
         $.get(url, function(response) {
+        $.get(url, function (response) {
             if (response && response.attacks && response.attacks.length > 0) {
                 feedList.find('.placeholder').remove();
 …
+                }
+            }
         }).always(function() {
+        }).always(function () {
             isFetching = false;
         });
+    }
     function initializeFeed() {
         if (!nonceUrl) {
 …
+        }
         // 1. Primero, obtenemos un nonce fresco que no esté cacheado.
         $.get(nonceUrl, function(response) {
+        $.get(nonceUrl, function (response) {
             if (response && response.nonce) {
                 freshNonce = response.nonce;
 …
                 console.error('Live Feed: Failed to fetch a valid nonce.');
+            }
         }).fail(function() {
+        }).fail(function () {
             console.error('Live Feed: AJAX error while fetching nonce.');
         });

advanced-ip-blocker/trunk/languages/advanced-ip-blocker.pot

r3472969	r3476940
4	4	msgid ""
5	5	msgstr ""
6		"Project-Id-Version: Advanced IP Blocker 8.8.8\n"
	6	"Project-Id-Version: Advanced IP Blocker 8.8.9\n"
7	7	"Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/advanced-ip-blocker\n"
8	8	"POT-Creation-Date: 2025-07-22 14:47+0200\n"

advanced-ip-blocker/trunk/readme.txt

-                      r3472969
+                      r3476940
 Requires at least: 6.7
 Tested up to: 6.9
 Stable tag: 8.8.8
+Stable tag: 8.8.9
 Requires PHP: 8.1
 License: GPLv2 or later
 …
 == Changelog ==
+= 8.8.9 =
+*   **SECURITY UPDATE:** Fixed an issue where the "Export Template" feature was inadvertently including sensitive API keys (`cf_api_token`, `cf_zone_id`, `abuseipdb_api_key`) in the generated JSON. Templates are now completely clean of private tokens.
+*   **MAINTENANCE:** Cleaned up excessive developer comments in the frontend JS inclusion logic for better code readability.
+*   **MAINTENANCE:** Analyzed and ensured that the background Cloudflare Sync task (`advaipbl_cloudflare_sync_event`) schedules properly.
 = 8.8.8 =
 *   **CRITICAL FIX:** Resolved an issue where IPs imported via the Bulk Import tool were not immediately synchronized with the Server-Level Firewall (`.htaccess`). Synchronization is now instantaneous and safely batched.
+*   **CRITICAL FIX:** Addressed a regression introduced in the `.htaccess` fix where Cloudflare Edge Firewalls stopped synchronizing imported IPs. Bulk Imports will now immediately trigger a background Cloudflare Sync Event to safely upload large IP batches without dropping connections.
 = 8.8.7 =
 …
 == Upgrade Notice ==
+= 8.8.9 =
+**SECURITY UPDATE:** Patches a vulnerability in the Settings exporter where the "Template (No API Keys)" file was accidentally leaking Cloudflare and AbuseIPDB API keys. Update immediately if you plan to export your configuration templates to share with others.
 = 8.8.8 =
 **CRITICAL UPDATE:** Fixes a `.htaccess` synchronization bug with the Bulk Import tool. Update immediately to ensure imported IPs are actively blocking threats at the server level.
+**CRITICAL UPDATE:** Fixes a `.htaccess` synchronization bug with the Bulk Import tool. Resolves a regression where Bulk Imports stopped pushing new blocks to Cloudflare. Update immediately to ensure imported IPs are actively blocking threats at both the server level and the cloud edge.
 = 8.8.7 =

advanced-ip-blocker/trunk/uninstall.php

r3464093	r3476940
39	39	// phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
40	40	foreach ( $tables_to_drop as $table_name ) {
41		// phpcs:ignore WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared
	41	// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.SchemaChange, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared
42	42	$wpdb->query( 'DROP TABLE IF EXISTS ' . $wpdb->prefix . $table_name );
43	43	}

Plugin Directory

Context Navigation

Legend:

advanced-ip-blocker/trunk/advaipbl-loader.php

advanced-ip-blocker/trunk/advanced-ip-blocker.php

advanced-ip-blocker/trunk/css/advaipbl-styles.css

advanced-ip-blocker/trunk/includes/class-advaipbl-2fa-users-list-table.php

advanced-ip-blocker/trunk/includes/class-advaipbl-action-handler.php

advanced-ip-blocker/trunk/includes/class-advaipbl-admin-pages.php

advanced-ip-blocker/trunk/includes/class-advaipbl-ajax-handler.php

advanced-ip-blocker/trunk/includes/class-advaipbl-asn-manager.php

advanced-ip-blocker/trunk/includes/class-advaipbl-audit-logger.php

advanced-ip-blocker/trunk/includes/class-advaipbl-cli.php

advanced-ip-blocker/trunk/includes/class-advaipbl-community-manager.php

advanced-ip-blocker/trunk/includes/class-advaipbl-dashboard-manager.php

advanced-ip-blocker/trunk/includes/class-advaipbl-fingerprint-manager.php

advanced-ip-blocker/trunk/includes/class-advaipbl-live-feed-manager.php

advanced-ip-blocker/trunk/includes/class-advaipbl-main.php

advanced-ip-blocker/trunk/includes/class-advaipbl-notification-manager.php

advanced-ip-blocker/trunk/includes/class-advaipbl-threat-score-manager.php

advanced-ip-blocker/trunk/js/advaipbl-live-feed.js

advanced-ip-blocker/trunk/languages/advanced-ip-blocker.pot

advanced-ip-blocker/trunk/readme.txt

advanced-ip-blocker/trunk/uninstall.php

Download in other formats: