SMT Toolkit for WooCommerce

SMT Toolkit for WooCommerce is a modular automation and management toolkit designed for WooCommerce-based stores. The plugin provides a collection of independent modules that can be enabled or disabled as needed, allowing store owners to build flexible workflows without unnecessary features or performance overhead. SMT Toolkit focuses on automation, data consistency, and repeatable processes - especially for stores that rely on bulk imports, scheduled updates, and advanced pricing logic. Available Modules Google Drive Importer Import products, images, and updates directly from Google Drive using CSV files. Features:

• Import products and images from Google Drive folders
• Batch processing with progress tracking
• Detailed logs and safety checks
• Update rules for existing products
• Optional cron-based automation Setup note: To use this module, you must create a Google API project and obtain OAuth credentials.

Official documentation: https://developers.google.com/drive/api/guides/enable-drive-api Automation: For scheduled or unattended imports, a WordPress cron task is required. CSV File Structure The importer uses CSV files to create or update products. Required fields:

• id or sku (at least one is required) Optional fields:
• type
• barcode
• short_description
• description
• sale_start
• sale_end
• in_stock
• price
• sale_price
• categories
• tags
• custom meta fields (any column name will be treated as a meta key)
• image
• alt_text Custom meta fields are stored as product meta keys without overwriting protected WooCommerce core fields. The CSV structure is flexible. Only the required identifier field must be present. All other fields are optional and processed only if provided.

Discount Engine Create flexible discount profiles with conditions, priorities, schedules, and visual indicators. Features:

• Rule-based discount profiles
• Support for scheduled discounts
• Priority handling and conflict resolution
• Customizable discount badges
• Cron-based recalculation support Automation: A cron task is required to automatically apply, update, or expire scheduled discounts.

Theme compatibility note: To replace the default sale badge, the theme must include a span.onsale element (the wrapper does not matter, but the onsale class must be present). Transliteration Automatically transliterate non-Latin product URLs and filenames. Features:

• URL and filename transliteration
• Custom rule editor
• Testing and preview tools
• Bulk conversion and rollback support Language support: Predefined rules are included for:
• Ukrainian
• Russian
• Bulgarian For other languages, custom transliteration rules can be added manually.

This module does not require cron configuration. Store Settings The Store Settings module centralizes WooCommerce configuration in one place - no need to edit theme files or functions.php. It allows you to safely manage store behavior, performance tweaks, product badges, and Classic checkout fields through a clean admin interface. Key Features

• Disable unused frontend scripts and styles
• Add context-based inline CSS and JavaScript
• Clean up unnecessary WordPress and WooCommerce head output
• Configure product badges (Sale, New, Sold Out, Featured, Best Seller)
• Customize Classic WooCommerce checkout fields
• Define custom product fields with tab display support Checkout customization works with Classic WooCommerce checkout (shortcode). Blocks checkout is automatically detected.

Ajax Archive Engine AJAX-powered WooCommerce archive system with:

• AJAX pagination
• AJAX sorting
• Lazy-loaded filters sidebar
• Clean URL handling
• History (back/forward) state support
• Mobile-first optimized behavior

Centralized SVG Registry Secure SVG management module:

• Centralized SVG storage
• Sanitized SVG processing
• Automatic CSS generation
• Base64 background rendering
• Hash-based file versioning
• Automatic cleanup of old files
• Security-hardened SVG sanitizer

Role-Based Pricing Assign custom prices or percentage discounts based on the customer's WordPress user role. Features:

• Per-role price overrides (fixed price or percentage discount)
• Works with simple and variable products
• Role-specific prices visible only to the matching role
• Per-product manual price override via product edit screen
• Fully integrated with WooCommerce cart and checkout totals
• Compatible with WooCommerce price display hooks Setup note: Role configurations are managed globally from the plugin settings. Per-product price overrides are set directly on each product's edit screen.

AI Search Semantic product search powered by OpenAI embeddings. Customers find products by intent and natural-language queries, not just exact keywords. Features:

• OpenAI-backed embeddings index (built incrementally in the background)
• Live drop-down with brand, attribute and price chips
• Quick-view + add-to-cart directly from results
• Configurable result count, image size and ranking
• Rate limiting (burst, per-minute, per-hour, global hourly cap)
• Index status dashboard with manual rebuild and per-product diagnostics
• Works with simple and variable products Setup note: An OpenAI API key is required. Index build is throttled and can be paused.

Wishlist Personal wishlists with shareable links and multi-list support. Features:

• One default list plus user-created named lists
• Guest wishlists merge into the user account after login
• Shareable public link per list (read-only by default)
• AJAX add/remove without page reload
• Wishlist counter in header (theme-friendly via hooks and helper functions)
• Quick-view and add-to-cart from the wishlist modal
• Optional auto-cleanup of old guest sessions

Rewards / Loyalty Points Points-based rewards programme. Customers earn points on completed orders and redeem them for discount on future purchases. Features:

• Per-role or per-user-level earn rate (integrates with Discount user levels)
• Configurable redemption cap as a percentage of the cart total
• Auto-actions: registration bonus, review bonus, birthday gift, level-up bonus
• Popup + email notifications (rate-limited, branded via Newsletter settings)
• Refund-aware: points reverse on cancel/refund and re-credit on subsequent re-completion
• Points history with paginated load-more
• Opt-in/opt-out toggle on the customer's account page
• Optional self-hosted "do not load module CSS" switch for themed stores

Abandon Cart Recover sales from carts that customers leave behind. Features:

• Tracks logged-in and guest carts (via email capture on checkout)
• Configurable reminder schedule (multiple stages)
• Branded reminder emails (template shared with Newsletter / Rewards)
• Rate-limited send queue with admin dashboard and per-cart audit
• One-click cart restore link (token-protected)
• Auto-prune of recovered or aged-out carts

Newsletter Lightweight newsletter system: subscriber list, campaign composer and email branding. Features:

• Subscriber list with import / export and bulk actions
• Visual template with logo, From-name/address and footer (shared by all modules)
• Composer with token replacement ({first_name}, {site_name}, etc.)
• Per-hour send cap and queue worker (cron-based)
• Unsubscribe handling with one-click token link
• Bounce/error logging
• Integration hook so other modules (Rewards, Abandon Cart) re-use the same branding

Social Social touchpoints in a single module: share buttons, login providers and a floating contact CTA. Features:

• Share buttons (Facebook, X/Twitter, Telegram, Viber, copy-link)
• Social login (Google, Facebook, Apple) with token validation
• Floating CTA dock with Phone / Telegram / Viber / WhatsApp / Instagram / Messenger channels
• Per-channel labels (translatable)
• Hover-to-reveal label on desktop, full label on mobile
• Theme-friendly: every block is exposed via shortcode or hook

Modular Architecture Each module operates independently and can be enabled or disabled at any time. This allows you to use only the functionality you need while keeping the system lightweight and predictable.

1.3.7

• SECURITY: Rewards apply-points REST endpoint now uses the same per-user rate limit as the AJAX endpoint.
• STABILITY: Newsletter send queues now use a stale-safe processing lock and persist sent recipient IDs across batches.
• STABILITY: Google Drive Importer AJAX batches now use a per-profile lock to prevent overlapping manual imports.
• STABILITY: AI Search embedding batches now use a stale-safe lock to prevent duplicate indexing and duplicate API calls.
• STABILITY: Social token refresh lock now recovers automatically after interrupted cron runs.
• IMPROVED: Threads async publish step now writes success or failure back to the post share log.
• FIX: Module install/update failures are isolated so one module cannot break plugin boot for all enabled modules.

1.3.6

• FIX: Social Post Share (Facebook) sends the product URL as a dedicated link attachment again so Facebook can scrape the product OG image instead of publishing a plain text URL.

1.3.5

• CHANGED: Social Post Share (Facebook) now uses only the configured Page ID and Page Access Token; no runtime Page-token fallback or automatic refresh is attempted.
• CHANGED: Social token refresh keeps Instagram, Threads, X, LinkedIn and Tumblr refresh handling, but skips Facebook Post Share tokens.

1.3.4

• FIX: Social token refresh - is_due() no longer treats token_refresh_checked as a "last refreshed" timestamp; a failing endpoint can no longer lock retries out for 45 days.
• FIX: Store Settings - tracking-plugin disabler moved from wp priority 1 to template_redirect so is_cart()/is_checkout()/is_order_received_page()/is_account_page() are reliable; conversion tracking on checkout/thank-you pages is no longer accidentally stripped.
• FIX: Social Post Share (Facebook) - normalize Graph API payload and logging around Page publishing.
• IMPROVED: Social Post Share - failed or skipped provider results are now written to the PHP error log as well as the per-post share meta.
• FIX: Social Post Share (Threads) - 60-second async delay between /threads creation and /threads_publish via wp_schedule_single_event to match Meta's recommended media-processing window.
• FIX: Social Post Share (LinkedIn) - migrate from deprecated /v2/ugcPosts to current /rest/posts endpoint with LinkedIn-Version header.
• FIX: Social settings save - preserve_token_meta() keeps refresh_token, token_refreshed and token_expires_at when an admin rotates the access token; only the status meta is reset so the next cron re-checks freshness.
• FIX: Store Settings - WLW manifest 410 path check uses parse_url($uri, PHP_URL_PATH) before basename() so query strings can't trigger false positives.
• SECURITY: Token refresh cron - per-run add_option lock prevents an ad-hoc trigger from racing the daily cron and double-writing the options blob.
• SECURITY: Instagram widget - debug HTML comments are now opt-in via ?smt_ig_debug=1 so a passing admin (with WP_DEBUG enabled) never sees diagnostic strings in the page source.
• PERFORMANCE: Store Settings - tracking-disable branch now calls mark_uncacheable() (defines DONOTCACHEPAGE / sends nocache_headers()) so a logged-in admin's "no-tracking" render is never served by page caches to logged-out visitors.
• PERFORMANCE: Store Settings - added script_loader_tag last-resort filter that strips known Google / Meta tracking handles even when another plugin re-registers them after our dequeue pass.
• IMPROVED: Social - unified Facebook Graph API version to v25.0 across post-share, Instagram widget and token refresh.
• CLEANUP: Social module - removed dead smttool_social_instagram_refresh cron unschedule (the hook is no longer registered since Graph long-lived tokens are managed manually).

1.3.3

• IMPROVED: Social - add scheduled 45-day token refresh checks for Facebook/Instagram, Threads, X, LinkedIn and Tumblr OAuth2 credentials; Mastodon is checked but skipped because its tokens do not expire automatically.
• IMPROVED: Social - add X / Twitter post-sharing credentials and Tumblr OAuth2 token fields while keeping legacy Tumblr OAuth1 sharing as a fallback.

1.3.2

• FIX: AJAX Archive - pass the plugin add-to-cart nonce from single-product and Quick View forms so the CSRF guard added in 1.3.0 accepts valid customer add-to-cart requests.

1.3.1

• FIX: Include the Nova Poshta checkout helper class in the release package so Store Settings checkout helpers load without warnings.

1.3.0

• SECURITY: Google Drive Importer - strict whitelist on Drive folder IDs prevents query injection into the Drive API q parameter
• SECURITY: AJAX Archive - add-to-cart endpoint now requires a valid nonce (CSRF guard); accepts WC core, Store API or plugin-issued nonces
• SECURITY: Nova Poshta - HTTP_X_FORWARDED_FOR / CF-Connecting-IP headers are honoured only when REMOTE_ADDR is in the new TRUSTED_PROXIES whitelist; rate-limit is now atomic via wp_cache_incr
• SECURITY: Social AJAX - 64KB hard cap on POST payload before json_decode (memory-exhaustion DoS)
• SECURITY: Wishlist frontend JS - all user-controlled fields (thumbnail / url / added_at) now run through escHtml before HTML concatenation
• SECURITY: SVG Registry - explicit libxml_disable_entity_loader(true) on PHP < 8.0, plus a 50-level depth guard in clean_node (XXE + stack DoS hardening)
• SECURITY: Newsletter - created_by queue check is now default-deny (only the original author or an administrator can resume a queue)
• SECURITY: Discounts - reward add-to-cart AJAX now re-validates is_purchasable() and is_in_stock()
• SECURITY: Google Drive Importer - wp_delete_attachment() is now skipped when the same attachment is referenced by another product as a featured image or in a product gallery
• SECURITY: Discounts - discount percent is clamped to 0-100 in all reward calculation paths
• STABILITY: Rewards points - first-time add() uses atomic INSERT ... ON DUPLICATE KEY UPDATE to eliminate the lost-update race
• STABILITY: Rewards order reverse - when deduct() is capped by a low balance, the shortage is now persisted to order meta and subtracted from any re-completion credit (prevents double-credit on partial-refund edge sequences)
• STABILITY: Rewards daily cron - global lock + per-user lock around birthday bonus eliminates double-award between racing crons; soft 25s time budget per task
• STABILITY: Rewards review bonus - dedup key switched from order_id to per-comment marker so a real order_id == product_id cannot suppress a legitimate bonus
• STABILITY: Rewards popup queue - read-modify-write protected by per-user option lock; queue capped at 20 entries to prevent meta growth
• STABILITY: Discounts - cart mutations made inside cart_loaded_from_session now call cart->set_session() so they survive the next request
• STABILITY: Wishlist toggle - 3-second per-product transient lock serialises rapid double-clicks
• STABILITY: SVG Registry - recompile_now() serialised via option lock; old-CSS retention raised from 2 to 5 files to absorb CDN cache lag
• STABILITY: Store Settings save - admin saves serialised via option lock so concurrent tab saves don't race
• STABILITY: Store Settings AJAX - wp_enqueue_scripts trigger in admin context wrapped in try/catch so misbehaving 3rd-party plugins can't break the response
• PERFORMANCE: Discounts - profile / conditions / rewards reads are now request-scope-cached; eliminates N+1 SQL on every before_calculate_totals
• PERFORMANCE: AI Search - product term cache primed once per result set; eliminates per-product brand lookup queries
• PERFORMANCE: AI Search - attribute term cap raised from 500 to 5000 with truncation warning to surface silent omissions
• PERFORMANCE: Store Settings - variation REST handler primes post + post-meta caches in one batch instead of per-variation SQL
• PERFORMANCE: Store Settings - _smttool_discount_sort clause filter now idempotent; will not duplicate JOINs when the filter fires multiple times in a query
• PERFORMANCE: Store Settings - best-seller IDs cache invalidated on order completion
• PERFORMANCE: Google Drive Importer - 10k-file / 60-second cap inside list_drive_files, bounded static product caches, explicit 30s timeout on download_url, 50MB cap on CSV body
• PERFORMANCE: Rewards apply-points AJAX - per-user rate-limit (5/min) protects expensive calculate_totals() recalculation
• PERFORMANCE: Wishlist modal - product + brand caches primed before the per-item loop
• PERFORMANCE: Newsletter - server-side minimum query length on user / product / category search; transient TTL reduced from 7 to 3 days
• PERFORMANCE: Newsletter - send queue now tracks already-emailed user IDs across batches (cap 50k) to stop multi-role users receiving the same newsletter twice
• IMPROVED: Checkout phone mask - caret position math fixed (delta against pre-assignment length); now accepts 10-16 digit international numbers instead of forcing exactly 13
• IMPROVED: AJAX Archive - filter_stock_status query string is cast to string before explode, preventing silent failures when sent as an array
• IMPROVED: AJAX Archive - internal product taxonomies (product_visibility, product_shipping_class) refused as archive context to prevent hidden-product enumeration
• IMPROVED: Nova Poshta - transport-layer error messages no longer leaked to client (logged server-side)
• IMPROVED: AI Search frontend - price_html injection routed through DOMPurify when available

1.2.0

• NEW: AI Search module - OpenAI-powered semantic product search with live drop-down, rate limiting and incremental index builder
• NEW: Wishlist module - personal wishlists with multi-list support, shareable links and AJAX add/remove
• NEW: Rewards module - points-based loyalty programme with redemption, auto-actions (registration / review / birthday / level-up), refund-aware accrual and popup + email notifications
• NEW: Abandon Cart module - logged-in and guest cart recovery with token-protected restore links and branded reminder schedule
• NEW: Newsletter module - subscriber list, branded composer, queued sending with per-hour cap and shared email template re-used by Rewards and Abandon Cart
• NEW: Social module - share buttons, social login (Google / Facebook / Apple) and a floating contact-channels CTA dock
• NEW: SMT Router - unified REST response wrapper (success/data/message)
• NEW: SMT Mailer - shared email service with rate limiting and template branding
• IMPROVED: Rewards refund/re-completion flow - re-completing a previously refunded order now correctly re-credits points (was blocked by a stale flag)
• IMPROVED: AJAX archive sidebar refresh - filter chips and dynamic counts now update after every filter change
• IMPROVED: My Account AJAX tabs auto-scroll to content with theme-controlled offset (scroll-margin-top)
• IMPROVED: Recently viewed cookie parsed once per request (was re-parsed on every helper call)
• IMPROVED: Cart count in header cached per request (fragments handle live updates)
• IMPROVED: 404 fallback products query no longer uses orderby:rand on large catalogs (date + PHP shuffle)
• IMPROVED: Custom logo loaded eagerly with high fetch priority (LCP)
• IMPROVED: WC Brands sale-flash unhook now runs once per request (static guard)
• IMPROVED: Skeleton-loading state + soft fade-in for AJAX archive grid swaps
• IMPROVED: Reduced-motion preference respected globally (animation/transition durations collapse)
• IMPROVED: HPOS-ready - wc_get_orders() used throughout, no legacy posts queries
• IMPROVED: Plugin Check warnings cleaned up (line endings, prepared SQL placeholder helpers, file system operation comments)
• SECURITY: Filter-combination archive URLs emit noindex via wp_robots (prevents duplicate-content indexation, plays nice with Rank Math / Yoast)
• SECURITY: REST error paths now return immediately after wp_send_json_error() (defence in depth)
• SECURITY: All JSON input read with wp_unslash() before json_decode(), no double sanitisation that could corrupt UTF-8
• FIX: Rewards popup now shows the configured subject as a title (was dropped from the queue, only body was rendered)
• FIX: Rewards popup queue accepts both new {subject, body} entries and legacy strings for backward compatibility
• FIX: Variations table reset_variations link no longer reserves layout space when visibility-hidden
• FIX: Floating shop-toolbar clone no longer creates duplicate ids / for / aria-controls in the DOM
• FIX: search.php setup_postdata now assigns $GLOBALS['post'] so the_*() functions inside template parts work
• FIX: cart modal home_url(REQUEST_URI) build path corrected
• FIX: Yoast / Rank Math primary category honoured by the post card meta helper
• FIX: tag_escape() used for dynamic heading tags (was esc_attr)

1.1.0

• NEW: Role-Based Pricing module (per-role fixed price or percentage discount, per-product overrides)
• NEW: Unified data layer - SMT_Data_Provider centralizes all option reads and writes
• NEW: SMT_Cache - three-tier caching (in-memory, WP object cache, transients) with a unified API
• IMPROVED: Lazy module initialization - Admin/Frontend/Ajax classes load only in the context where they are needed
• IMPROVED: Active discount profiles query cached per request (reduces DB load during cron runs)
• IMPROVED: Inline context detection cached per request (was computed three times per page)
• FIX: Discount badge always fell back to woocommerce_sale_flash due to incorrect module status check
• FIX: get_profile() and get_rules_for_profile() now use the table name helpers consistently
• FIX: Admin page classes were not loaded when render_admin() was called after lazy init
• FIX: Transient cleanup in uninstall.php now uses wpdb::prepare()

1.0.4

• NEW: Ajax Archive Engine module
• NEW: Centralized SVG Registry module
• NEW: SVG background support for Discounts and Store Settings badges
• IMPROVED: Badge rendering performance
• IMPROVED: Centralized SVG CSS compilation system
• IMPROVED: 10% faster initial page load (SVG optimization)
• SECURITY: Improved JSON input sanitization
• FIX: Nonce verification improvements
• FIX: Plugin Check warnings resolved
• REMOVED: inline SVG

1.0.3

• Fixed missing store-settings module in release package
• Minor stability improvements

1.0.2

• Fixed undefined variable in Discounts cron handler

1.0.1

• Added Store Settings module (assets control, cleanup, inline CSS/JS, checkout fields)
• Checkout customization refactored (Classic checkout only, Block checkout detection added)
• Fixed WooCommerce checkout field re-rendering (wc-checkout handling)
• Improved checkout field diff-based saving (no translation overwrite)
• Added reset option for checkout fields
• Enhanced badge system (heavy SVG handling, template injection, mutation observer)
• Optimized best-seller query with transient caching
• Improved security sanitization (wp_unslash handling, SVG hardening)
• Added advanced cleanup options (WooCommerce blocks, cart fragments, brands)
• Performance improvements and codebase stabilization
• Multiple security and Plugin Check compliance fixes

1.0.0

• Initial public release
• Google Drive Importer module
• Discount Engine module
• Transliteration module
• Modular system and cron support