Strengthened Access Control - Tightened permission checks on several merchant panel endpoints (#16203) (#16177)
Improvements
REST API v3
Network Fee in Traffic Overview - GET /traffic-overview now includes a network_fee breakdown in its transactions and sales sections for accounts with an active affiliate network (#15383)
Visitor ID in Transaction Detail - GET /transactions/{id} now returns the transaction's visitor_id (#15337)
Reports
Profit Column in Top Affiliates - The Top Affiliates report and the GET /reports/top-affiliates endpoint now show a total profit value (total cost minus commissions) that can be sorted and filtered (#12489)
Home Page Statistics
Referral Commissions on the Home Page - New template variables expose referral commission totals for all time periods on the affiliate and merchant home pages, and the per-campaign filter now works for sales, commissions, and referral commissions (#16033) (#16036)
Plugins
Affiliate Commission Filter by Campaign - The plugin that hides commissions in the affiliate panel commissions list can now limit its filter to specific campaigns; leaving the new field empty keeps the previous behavior (#16221)
REST Commissions Plugin Description - Corrected the plugin help text describing which affiliate receives a missing tier commission (#13529)
User Interface
Edit View Popup Scrolling - In the column-selection popup, the title and Save buttons now stay in place while only the column list scrolls, so the buttons no longer scroll out of reach (#12677)
Performance
Coupon Generation Limit - Coupon generation and import are now limited to 1000 coupons per operation to avoid database performance problems (#15369)
Bug Fixes
Tracking
IP Anonymization - Fixed a case where enabling "Anonymize IP addresses" could drop Shopify sales for visitors with IPv6 addresses (#16300)
Integrations
Shopify ReCharge Subscription Tracking - Restored tracking of ReCharge subscription orders after Shopify changed the identifier it sends for them (#16311)
Shopify ReCharge with Tiered Commissions - Fixed ReCharge recurring orders producing an incorrect order ID and crediting the wrong affiliate when multi-tier commissions are used (#16324)
Stripe Checkout Affiliate Creation - The "Create Affiliate" setting now works for Stripe Checkout payments, and the plugin now supports Stripe's newer API version when detecting recurring commissions (#15966)
AI Assistant
FlowHunt AI Assistant Visibility - The AI assistant is now shown only to the account owner; in Post Affiliate Network accounts it also appeared for the network's own merchants (#16254)
Affiliate Panel
Welcome Message - Fixed the affiliate panel home page welcome message reverting to its previous text instead of saving (#16230)
Themes
Design Panel with Invalid Themes - The Design configuration screen no longer fails to load when a custom theme has a missing or invalid thumbnail; the broken theme now shows a placeholder, and theme import rejects invalid files (#16251)
User Interface
Faster Grid Loading - Fixed grid screens requesting their data twice right after a panel refresh, which could delay loading by a few seconds; a single request is now sent (#16231) (#16271)
Improved Data Protection - Tightened filtering of sensitive account fields from merchant panel responses (#16105)
Improvements
REST API v3
Assign Coupon to Affiliate - The coupon update endpoint (PATCH /banners/{id}/coupons/{coupon_id}) now accepts an affiliate_id field to assign an existing coupon code to an affiliate (#16131)
Login
Password Policy - The default password policy no longer requires a special character; passwords still need at least 8 characters including a letter and a digit (#16175)
FlowHunt AI Assistant - The merchant panel now offers an AI assistant powered by FlowHunt — the "AI assistant" button in the screen header opens a chat side panel that helps you navigate and work with Post Affiliate Pro. Activated automatically (#15414)
Security
Improved Output Escaping - Improved escaping of content displayed in the merchant panel (#16089)
Strengthened Access Control - Tightened permission checks on several merchant panel endpoints (#15999)
Improved URL Validation - Stricter validation of URLs processed by tracking scripts (#16041)
Login Protection - Fraud Protection IP rules are now evaluated earlier during login (#16095)
Improvements
REST API v3
Grid Request Limit Documented - The 1-request-per-second limit on list endpoints is now described in the Rate Limiting docs, and exceeding it returns a proper "Too Many Requests" response with a retry hint instead of a generic error (#16133)
Tracking vs. API Access Clarified - The Tools → Integration screen now separates tracking methods from programmatic API access, and the POST /transactions docs clarify that the endpoint creates commission records directly and is not the sale tracking mechanism (#16028)
Integrations
Shopify write_orders Notification - The missing-scope warning now appears only when updating order attributes actually fails, instead of proactively polling the Shopify API on every notification load (#16103)
Shopify Notification Length - The "Stores requiring update" list in the Shopify notification is capped at 10 stores, with an "and X more stores" summary for the rest (#16099)
Plugins
AWeber OAuth 2.0 - The AWeber plugin now uses AWeber's OAuth 2.0 authorization, replacing the discontinued OAuth 1.0 flow; merchants using the plugin need to re-authorize the connection (#16003)
HubSpot Field Mapping - Removed the redundant "unused" option from affiliate-field listboxes in both HubSpot plugins; leaving the field empty is now the single way to express "no mapping" (#16082)
Banners
Open Link Banner in New Tab - Link banners in the affiliate panel now show an "open in new window" icon, so the link can be opened without copy-pasting it (#15445)
Webhooks and Outbound Requests
Default User-Agent - Outbound HTTP requests (webhooks, plugin downloads, license checks) now send a User-Agent header identifying the application, preventing rejections by firewalls and bot filters; white-labeled installations use their configured branding name (#15829)
API Client User-Agent - Applications integrating via the PAP API client library (PapApi.class.php) can now set a default User-Agent for their outgoing calls without affecting the visitor browser data sent to tracking (#15764)
Bug Fixes
REST API v3
PATCH /transactions/{id} Field Names - The endpoint now accepts the documented snake_case total_cost and merchant_note fields instead of their legacy camelCase names (#16132)
Campaign Detail Account Status - GET /campaigns/{id} now returns the actual account approval status (approved, pending, declined, suspended) in account_status instead of an unrelated internal value (#15816)
Deterministic Pagination - Cursor-based pagination on /reports/top-affiliates no longer repeats a row across pages when affiliates share the same name (#15902)
Integrations
Shopify Webhook Processing - Fixed visit processing failing on queued Shopify webhook tasks such as refunds and order status changes (#16059)
Plugins
HubSpot Optional Custom Fields - The "HubSpot - create affiliates" plugin no longer requires all custom field values to be filled in to save the settings (#16047)
Commissions
Sale Filter on Manual Commissions - The Sale filter plugin is now applied when a sale commission with multi-tier support is created manually (#16046)
Affiliates
Number Field Range Filters - Range filters (greater/less than, between) on number-type custom fields now compare values numerically instead of alphabetically, in both the merchant affiliate grid and the API v3 q filter (#16007)
User Interface
Integration Method Instructions - Step-by-step screenshots in Tools → Integration now render correctly, and the marketing banner was removed from the instructions (#16051)
Notification Dismissal - "Don't show this message again" now persists for notifications without an expiry date, such as the "Default campaign is stopped/paused" warning; the dismissal resets once the campaign is active again (#15969)
Themes
Dark Mode Fixes - Fixed unreadable selected items in the top-right user menu in the August theme and the unstyled popup for editing available signup field values (#16068) (#16031)
Coupon Endpoints - Added coupon management under /banners/{id}/coupons — list, get, update, delete, generate, and import coupons (#15358)
Click Details in GET /transactions - The fields parameter on GET /transactions now accepts first/last click details (time, referer, IP, data1, data2) and click count, so click context can be fetched alongside the commission in a single call (#15994)
Integrations
Per-Locale and Per-Domain Campaign Routing in Shopify - Multi-country Shopify stores under one Shopify account can now map each storefront domain, market handle, or locale to a different campaign within a single integration, instead of routing everything to one shared campaign (#15674)
Shopify Billing Address Fields - Billing address fields (name, phone, company, address, city, ZIP, province, country) and a compound full-address option are now available in the Shopify Extra data dropdowns (#15996)
Tracking
Time-Limited UserAgent + IP Association - Added a validity period setting for "Track referrals by UserAgent and IP address", mirroring the existing IP-only setting and defaulting to 2 days. Useful where many users share the same IP and UA (VPNs, iOS user-agent freeze) (#15417)
Plugins
Plugin Capability Tags - The merchant Plugins list now shows capability tags on each plugin (refunds, partial refunds, recurring commissions, coupons, lifetime commissions, customer details) so it's clear at a glance which features each plugin supports (#15102) (#16004)
Improvements
Security
Raw SQL Removed from Event Log - Replaced raw SQL strings in customer event log entries with structured, non-SQL messages (#15955)
Cleaner Event Log During Install - Routine outbox debug entries no longer flood the customer event log during account install (#15956) (#16018)
Maximum Password Length - Removed the admin-configurable "Maximum password length" setting and capped passwords at 72 characters across all accounts (#15975)
User Interface
Password Rules Up-Front - The set-password screen, in-panel password change, and signup forms now show the active password policy as a live hint list with red/green checkmarks, replacing the strength bar that could disagree with what the validator actually accepts (#15944)
Integrations
Shopify write_orders Notification - The write_orders scope warning now appears only when at least one configured store actually lacks the scope, and multi-store setups list which specific stores still need updating (#15958)
Tracking and Callbacks
Block Google Read Aloud Bot - The Google Read Aloud user agent is now treated as a crawler, so its affiliate-link prefetches no longer create duplicate clicks (#15901)
Affiliate Name in Sale Tracking Callbacks - Application Callback URLs fired on commission events can now use {$name}, {$firstname}, {$lastname}, and {$username} (email) merge variables (#15404)
Performance
Faster Campaign Save - Saving a campaign no longer re-stamps every banner's account when the campaign's account hasn't changed — a significant improvement for accounts with thousands of banners and frequent campaign edits (#15961)
Coupon Grids - Coupon grid queries no longer add user-table joins when affiliate columns are not requested (#15859)
Bug Fixes
Integrations
Stripe Subscription Tracking on Additional Config Tabs - Fixed Stripe subscription tracking silently failing on any config tab other than the first, affecting merchants with multiple Stripe configurations (#15964)
Stripe Plan-Based Product ID - Fixed an empty product ID and PHP warning when the Stripe Product ID setting was "Plan's product" or "Plan's ID" and the purchase had no plan attached (#15752)
Plugins
Affiliate Profile Change Webhook with Membership Subscriptions - The webhook now also fires when the Membership Subscriptions Manager changes an affiliate's status (subscription activation, decline/refund, or expiry); previously these automated transitions silently skipped the webhook (#15928)
Themes
Theme Import with Disabled Built-in Parent - Fixed theme import failing with original_theme="..." does not exist when the parent built-in theme had been disabled in Configuration → Design → Themes (#15916)
Theme Import on Built-in Templates with Runtime Variables - Fixed theme import failing with a PHP fatal error and leaving an orphan theme row when the imported zip contained built-in templates referencing runtime variables; invalid templates are now rejected cleanly instead (#15946)
Dark Theme - Country Commissions - Fixed the unreadable light-grey "Custom per Sale commissions for country" section on the Commission settings screen in dark mode (#16000)
Transactions
Original Currency in Commission Import - The "Original currency ID" column (relabelled to "Original currency (ID / code)") now accepts both internal currency IDs and codes (e.g. EUR), and no longer writes a spurious critical event log entry on successful imports (#15980)
Login
Merchant Session Termination on Status Change - When a network owner changes a merchant account's status to pending or declined, the merchant's active session is now closed immediately instead of remaining usable until manual logout (#15777)
Suspend Credit Limit Notifications - Network owners can now be notified — via callback and/or email — when a network account's balance falls below the configured Suspend credit limit value (#15734)
Banners and Campaigns
Search in Category Filter - The banner and campaign category filters now include a search box in both the merchant and affiliate panels — making it easy to find a category when many are configured (#15632)
Improvements
Security
Improved Output Escaping - Hardened content rendering in built-in widgets and the report builder (#15806) (#15745)
Reduced Information Disclosure - Removed unnecessary data from API responses and improved internal error handling (#15617) (#15772)
Strengthened Rate Limiting - Improved rate limiting on multi-operation API requests (#15600)
Hardened IP-Based Controls - Improved IP detection and validation for tracking endpoints and the REST API (#15498) (#15505)
PagSeguro Plugin Hardening - Tightened input validation in the PagSeguro plugin (#15541)
Background Task Hardening - Improved internal data handling in scheduled tasks (#15712)
Login Screens Facelift - Refreshed the login, forgot-password, and set-new-password screens in the signup themes with clearer affiliate vs. merchant role identification and an improved form layout (#15149) (#15741)
Logout Confirmation - After an explicit logout, the login screen now shows a "You have been signed out" confirmation banner (#15684)
Affiliate Panel
Default Affiliate Logout URL - The default affiliate logout URL now points directly to the affiliate login page, matching the merchant side. Existing customized URLs are unaffected (#15695)
Integrations
Shopify Checkout Extensibility - The Shopify integration now supports Checkout Extensibility when "Check missing order on order created" is enabled — except for stores using "Buy Now" buttons that bypass the cart (#14220)
SamCart Partial Refunds - Partial refunds received from SamCart webhooks are now tracked with the correct refund amount (#14614)
SamCart Recurring Refunds - Refunds of recurring SamCart payments now correctly refund the recurring commission, even when no matching recurring rule is configured (previously the initial payment was refunded instead) (#14730)
Plugins
Variables in Default Signup Values - The Default signup values plugin now supports field variables such as {$data1}, {$data2}, allowing hidden fields to be auto-populated from values entered in other signup form fields (#15703)
Performance
Home Screen Stats - Refund and chargeback statistics on the home screen, trends report, and quick report are significantly faster on accounts with large transaction history, and now load in a separate request so a slow stats query no longer holds up the rest of the home screen (#15818) (#15820)
Bug Fixes
REST API v3
fields Parameter on Grid Endpoints - Fixed the fields parameter being silently ignored on several GET endpoints (transactions, affiliates, banners, campaigns, direct-links, and their affiliate-side variants), so the API now correctly returns only the requested fields (#15761)
Integrations
Stripe One-Time Product ID - Fixed Stripe one-time product purchases not having the product ID stored on the transaction, which also caused subsequent refunds for those purchases to fail (#15720)
Shopify Remaining Commission on Refund - Fixed declined or refunded Shopify orders sometimes creating an extra "remaining" commission when nothing should have remained after the refund (#13945)
Affiliate Accounts
Affiliate Status Change Notifications - Fixed the "On affiliate status changed" email being sent to affiliates even when the merchant checked the "Don't send notification" option while changing their status (#15665)
Login
IP Whitelist with Anonymized IPs - Fixed the affiliate and merchant login IP whitelist comparing the anonymized IP against configured entries when "Anonymize IP addresses" was enabled, which blocked valid logins. The "access denied" message now shows the real IP so administrators can correctly whitelist it (#15722)