WooCommerce – Servired/RedSys Spain Gateway – Version – 26.2.3

2025.07.10 – version 26.2.3
* UPDATE: Corrected automatic user login flow after account creation by replacing wp_set_current_user() and wp_set_auth_cookie() with wp_signon().
* UPDATE: Added username existence check to avoid conflicts when generating usernames from email addresses.
* UPDATE: Sanitized $_POST['apple-token-redsys'] input variable.
* UPDATE: Secured wp_remote_*() calls with host validation to prevent SSRF vulnerabilities.
* UPDATE: Added permission_callback checks for REST endpoints using referer validation to avoid public access.
* UPDATE: Enabled CURLOPT_SSL_VERIFYHOST = 2 and CURLOPT_SSL_VERIFYPEER = 1 in Redsys API library to enforce proper SSL certificate validation and prevent MITM attacks.
* UPDATE: Justified use of wp_redirect() for external OAuth flow with proper comment.
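
The host-validation and certificate-verification items above, sketched as an added example that is not the plugin's own code: it uses plain PHP rather than wp_remote_*() so it runs outside WordPress, and the function names and hostnames are hypothetical placeholders.

```php
<?php
// Constructed placeholder hosts, not the plugin's real endpoints.
const EXAMPLE_ALLOWED_HOSTS = array( 'gateway.example.test', 'sandbox.gateway.example.test' );

// Return true only for https URLs whose host exactly matches the allowlist.
function example_is_allowed_url( string $url ): bool {
    $parts = parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) || empty( $parts['scheme'] ) ) {
        return false;
    }
    if ( 'https' !== strtolower( $parts['scheme'] ) ) {
        return false;
    }
    // Refuse embedded credentials and non-default ports outright.
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) || ( isset( $parts['port'] ) && 443 !== $parts['port'] ) ) {
        return false;
    }
    // Exact, case-insensitive match: no suffix or substring comparison.
    return in_array( strtolower( $parts['host'] ), EXAMPLE_ALLOWED_HOSTS, true );
}

// Build a cURL handle with certificate checks on, or return null if the URL is refused.
function example_open_request( string $url ) {
    if ( ! example_is_allowed_url( $url ) ) {
        return null;
    }
    $ch = curl_init( $url );
    curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, 1 );     // verify the certificate chain
    curl_setopt( $ch, CURLOPT_SSL_VERIFYHOST, 2 );     // verify the name in the certificate
    curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, false ); // a followed redirect would skip the host check
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
    return $ch;
}

// Constructed sample URLs covering the cases a host check has to get right.
$samples = array(
    'https://gateway.example.test/api',
    'http://gateway.example.test/api',
    'https://gateway.example.test.other.example/api',
    'https://gateway.example.test@127.0.0.1/api',
    'https://GATEWAY.example.test:443/api',
);
foreach ( $samples as $url ) {
    printf( "%-50s %s\n", $url, example_is_allowed_url( $url ) ? 'allowed' : 'refused' );
}
```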