Recently Published Versions

Security

  • Improved Data Protection - Tightened filtering of sensitive account fields from merchant panel responses (#16105)

Improvements

REST API v3

  • Assign Coupon to Affiliate - The coupon update endpoint (PATCH /banners/{id}/coupons/{coupon_id}) now accepts an affiliate_id field to assign an existing coupon code to an affiliate (#16131)

Login

  • Password Policy - The default password policy no longer requires a special character; passwords still need at least 8 characters including a letter and a digit (#16175)

New Features

AI Assistant

  • FlowHunt AI Assistant - The merchant panel now offers an AI assistant powered by FlowHunt — the "AI assistant" button in the screen header opens a chat side panel that helps you navigate and work with Post Affiliate Pro. Activated automatically (#15414)

Security

  • Improved Output Escaping - Improved escaping of content displayed in the merchant panel (#16089)
  • Strengthened Access Control - Tightened permission checks on several merchant panel endpoints (#15999)
  • Improved URL Validation - Stricter validation of URLs processed by tracking scripts (#16041)
  • Login Protection - Fraud Protection IP rules are now evaluated earlier during login (#16095)

Improvements

REST API v3

  • Grid Request Limit Documented - The 1-request-per-second limit on list endpoints is now described in the Rate Limiting docs, and exceeding it returns a proper "Too Many Requests" response with a retry hint instead of a generic error (#16133)
  • Tracking vs. API Access Clarified - The Tools → Integration screen now separates tracking methods from programmatic API access, and the POST /transactions docs clarify that the endpoint creates commission records directly and is not the sale tracking mechanism (#16028)

Integrations

  • Shopify write_orders Notification - The missing-scope warning now appears only when updating order attributes actually fails, instead of proactively polling the Shopify API on every notification load (#16103)
  • Shopify Notification Length - The "Stores requiring update" list in the Shopify notification is capped at 10 stores, with an "and X more stores" summary for the rest (#16099)

Plugins

  • AWeber OAuth 2.0 - The AWeber plugin now uses AWeber's OAuth 2.0 authorization, replacing the discontinued OAuth 1.0 flow; merchants using the plugin need to re-authorize the connection (#16003)
  • HubSpot Field Mapping - Removed the redundant "unused" option from affiliate-field listboxes in both HubSpot plugins; leaving the field empty is now the single way to express "no mapping" (#16082)

Banners

  • Open Link Banner in New Tab - Link banners in the affiliate panel now show an "open in new window" icon, so the link can be opened without copy-pasting it (#15445)

Webhooks and Outbound Requests

  • Default User-Agent - Outbound HTTP requests (webhooks, plugin downloads, license checks) now send a User-Agent header identifying the application, preventing rejections by firewalls and bot filters; white-labeled installations use their configured branding name (#15829)
  • API Client User-Agent - Applications integrating via the PAP API client library (PapApi.class.php) can now set a default User-Agent for their outgoing calls without affecting the visitor browser data sent to tracking (#15764)

Bug Fixes

REST API v3

  • PATCH /transactions/{id} Field Names - The endpoint now accepts the documented snake_case total_cost and merchant_note fields instead of their legacy camelCase names (#16132)
  • Campaign Detail Account Status - GET /campaigns/{id} now returns the actual account approval status (approved, pending, declined, suspended) in account_status instead of an unrelated internal value (#15816)
  • Deterministic Pagination - Cursor-based pagination on /reports/top-affiliates no longer repeats a row across pages when affiliates share the same name (#15902)
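
The repeated-row behaviour from the Deterministic Pagination fix above, reproduced as an added example (not Post Affiliate Pro's code). The row layout, the affiliate ID tie-breaker, the function names and the mechanism shown (ties coming back in a different order on each query) are assumptions.

```python
# Constructed sample rows: (affiliate_id, name). Two affiliates share a name.
ROWS = [(1, "Alex"), (2, "Sam"), (3, "Sam"), (4, "Zoe")]


def fetch_by_name_only(storage_order, cursor, limit):
    """Weak: order by name only; cursor is the count of rows already served.
    The sort is stable, so ties keep storage order, which a database is
    free to change from one query to the next."""
    ordered = sorted(storage_order, key=lambda r: r[1])
    page = ordered[cursor:cursor + limit]
    return page, cursor + len(page)


def fetch_keyset(storage_order, cursor, limit):
    """Fixed: order by (name, id); cursor is the last (name, id) served."""
    ordered = sorted(storage_order, key=lambda r: (r[1], r[0]))
    if cursor is not None:
        ordered = [r for r in ordered if (r[1], r[0]) > cursor]
    page = ordered[:limit]
    next_cursor = (page[-1][1], page[-1][0]) if page else cursor
    return page, next_cursor


def walk(fetch, first_cursor, limit=2):
    """Page through all rows; every other query sees reversed storage order."""
    seen, cursor, flip = [], first_cursor, False
    while True:
        storage = list(reversed(ROWS)) if flip else list(ROWS)
        page, cursor = fetch(storage, cursor, limit)
        if not page:
            return seen
        seen.extend(r[0] for r in page)
        flip = not flip


if __name__ == "__main__":
    print("name only :", walk(fetch_by_name_only, 0))   # id 2 twice, id 3 lost
    print("name + id :", walk(fetch_keyset, None))      # each id exactly once
```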

Integrations

  • Shopify Webhook Processing - Fixed visit processing failing on queued Shopify webhook tasks such as refunds and order status changes (#16059)

Plugins

  • HubSpot Optional Custom Fields - The "HubSpot - create affiliates" plugin no longer requires all custom field values to be filled in to save the settings (#16047)

Commissions

  • Sale Filter on Manual Commissions - The Sale filter plugin is now applied when a sale commission with multi-tier support is created manually (#16046)

Affiliates

  • Number Field Range Filters - Range filters (greater/less than, between) on number-type custom fields now compare values numerically instead of alphabetically, in both the merchant affiliate grid and the API v3 q filter (#16007)

User Interface

  • Integration Method Instructions - Step-by-step screenshots in Tools → Integration now render correctly, and the marketing banner was removed from the instructions (#16051)
  • Notification Dismissal - "Don't show this message again" now persists for notifications without an expiry date, such as the "Default campaign is stopped/paused" warning; the dismissal resets once the campaign is active again (#15969)

Themes

  • Dark Mode Fixes - Fixed unreadable selected items in the top-right user menu in the August theme and the unstyled popup for editing available signup field values (#16068) (#16031)

New Features

REST API v3

  • Coupon Endpoints - Added coupon management under /banners/{id}/coupons — list, get, update, delete, generate, and import coupons (#15358)
  • Click Details in GET /transactions - The fields parameter on GET /transactions now accepts first/last click details (time, referer, IP, data1, data2) and click count, so click context can be fetched alongside the commission in a single call (#15994)

Integrations

  • Per-Locale and Per-Domain Campaign Routing in Shopify - Multi-country Shopify stores under one Shopify account can now map each storefront domain, market handle, or locale to a different campaign within a single integration, instead of routing everything to one shared campaign (#15674)
  • Shopify Billing Address Fields - Billing address fields (name, phone, company, address, city, ZIP, province, country) and a compound full-address option are now available in the Shopify Extra data dropdowns (#15996)

Tracking

  • Time-Limited UserAgent + IP Association - Added a validity period setting for "Track referrals by UserAgent and IP address", mirroring the existing IP-only setting and defaulting to 2 days. Useful where many users share the same IP and UA (VPNs, iOS user-agent freeze) (#15417)

Plugins

  • Plugin Capability Tags - The merchant Plugins list now shows capability tags on each plugin (refunds, partial refunds, recurring commissions, coupons, lifetime commissions, customer details) so it's clear at a glance which features each plugin supports (#15102) (#16004)

Improvements

Security

  • Raw SQL Removed from Event Log - Replaced raw SQL strings in customer event log entries with structured, non-SQL messages (#15955)
  • Cleaner Event Log During Install - Routine outbox debug entries no longer flood the customer event log during account install (#15956) (#16018)
  • Maximum Password Length - Removed the admin-configurable "Maximum password length" setting and capped passwords at 72 characters across all accounts (#15975)

User Interface

  • Password Rules Up-Front - The set-password screen, in-panel password change, and signup forms now show the active password policy as a live hint list with red/green checkmarks, replacing the strength bar that could disagree with what the validator actually accepts (#15944)

Integrations

  • Shopify write_orders Notification - The write_orders scope warning now appears only when at least one configured store actually lacks the scope, and multi-store setups list which specific stores still need updating (#15958)

Tracking and Callbacks

  • Block Google Read Aloud Bot - The Google Read Aloud user agent is now treated as a crawler, so its affiliate-link prefetches no longer create duplicate clicks (#15901)
  • Affiliate Name in Sale Tracking Callbacks - Application Callback URLs fired on commission events can now use {$name}, {$firstname}, {$lastname}, and {$username} (email) merge variables (#15404)

Performance

  • Faster Campaign Save - Saving a campaign no longer re-stamps every banner's account when the campaign's account hasn't changed — a significant improvement for accounts with thousands of banners and frequent campaign edits (#15961)
  • Coupon Grids - Coupon grid queries no longer add user-table joins when affiliate columns are not requested (#15859)

Bug Fixes

Integrations

  • Stripe Subscription Tracking on Additional Config Tabs - Fixed Stripe subscription tracking silently failing on any config tab other than the first, affecting merchants with multiple Stripe configurations (#15964)
  • Stripe Plan-Based Product ID - Fixed an empty product ID and PHP warning when the Stripe Product ID setting was "Plan's product" or "Plan's ID" and the purchase had no plan attached (#15752)

Plugins

  • Affiliate Profile Change Webhook with Membership Subscriptions - The webhook now also fires when the Membership Subscriptions Manager changes an affiliate's status (subscription activation, decline/refund, or expiry); previously these automated transitions silently skipped the webhook (#15928)

Themes

  • Theme Import with Disabled Built-in Parent - Fixed theme import failing with original_theme="..." does not exist when the parent built-in theme had been disabled in Configuration → Design → Themes (#15916)
  • Theme Import on Built-in Templates with Runtime Variables - Fixed theme import failing with a PHP fatal error and leaving an orphan theme row when the imported zip contained built-in templates referencing runtime variables; invalid templates are now rejected cleanly instead (#15946)
  • Dark Theme - Country Commissions - Fixed the unreadable light-grey "Custom per Sale commissions for country" section on the Commission settings screen in dark mode (#16000)

Transactions

  • Original Currency in Commission Import - The "Original currency ID" column (relabelled to "Original currency (ID / code)") now accepts both internal currency IDs and codes (e.g. EUR), and no longer writes a spurious critical event log entry on successful imports (#15980)

Login

  • Merchant Session Termination on Status Change - When a network owner changes a merchant account's status to pending or declined, the merchant's active session is now closed immediately instead of remaining usable until manual logout (#15777)

New Features

Network

  • Suspend Credit Limit Notifications - Network owners can now be notified — via callback and/or email — when a network account's balance falls below the configured Suspend credit limit value (#15734)

Banners and Campaigns

  • Search in Category Filter - The banner and campaign category filters now include a search box in both the merchant and affiliate panels — making it easy to find a category when many are configured (#15632)

Improvements

Security

  • Improved Output Escaping - Hardened content rendering in built-in widgets and the report builder (#15806) (#15745)
  • Reduced Information Disclosure - Removed unnecessary data from API responses and improved internal error handling (#15617) (#15772)
  • Strengthened Rate Limiting - Improved rate limiting on multi-operation API requests (#15600)
  • Hardened IP-Based Controls - Improved IP detection and validation for tracking endpoints and the REST API (#15498) (#15505)
  • PagSeguro Plugin Hardening - Tightened input validation in the PagSeguro plugin (#15541)
  • Background Task Hardening - Improved internal data handling in scheduled tasks (#15712)
  • Stripe Webhook Authentication - Strengthened security for incoming Stripe webhooks (#15746)
  • Two-Factor Authentication - Improved two-factor enrollment flow (#15863)

User Interface

  • Login Screens Facelift - Refreshed the login, forgot-password, and set-new-password screens in the signup themes with clearer affiliate vs. merchant role identification and an improved form layout (#15149) (#15741)
  • Logout Confirmation - After an explicit logout, the login screen now shows a "You have been signed out" confirmation banner (#15684)

Affiliate Panel

  • Default Affiliate Logout URL - The default affiliate logout URL now points directly to the affiliate login page, matching the merchant side. Existing customized URLs are unaffected (#15695)

Integrations

  • Shopify Checkout Extensibility - The Shopify integration now supports Checkout Extensibility when "Check missing order on order created" is enabled — except for stores using "Buy Now" buttons that bypass the cart (#14220)
  • SamCart Partial Refunds - Partial refunds received from SamCart webhooks are now tracked with the correct refund amount (#14614)
  • SamCart Recurring Refunds - Refunds of recurring SamCart payments now correctly refund the recurring commission, even when no matching recurring rule is configured (previously the initial payment was refunded instead) (#14730)

Plugins

  • Variables in Default Signup Values - The Default signup values plugin now supports field variables such as {$data1}, {$data2}, allowing hidden fields to be auto-populated from values entered in other signup form fields (#15703)

Performance

  • Home Screen Stats - Refund and chargeback statistics on the home screen, trends report, and quick report are significantly faster on accounts with large transaction history, and now load in a separate request so a slow stats query no longer holds up the rest of the home screen (#15818) (#15820)

Bug Fixes

REST API v3

  • fields Parameter on Grid Endpoints - Fixed the fields parameter being silently ignored on several GET endpoints (transactions, affiliates, banners, campaigns, direct-links, and their affiliate-side variants), so the API now correctly returns only the requested fields (#15761)

Integrations

  • Stripe One-Time Product ID - Fixed Stripe one-time product purchases not having the product ID stored on the transaction, which also caused subsequent refunds for those purchases to fail (#15720)
  • Shopify Remaining Commission on Refund - Fixed declined or refunded Shopify orders sometimes creating an extra "remaining" commission when nothing should have remained after the refund (#13945)

Affiliate Accounts

  • Affiliate Status Change Notifications - Fixed the "On affiliate status changed" email being sent to affiliates even when the merchant checked the "Don't send notification" option while changing their status (#15665)

Login

  • IP Whitelist with Anonymized IPs - Fixed the affiliate and merchant login IP whitelist comparing the anonymized IP against configured entries when "Anonymize IP addresses" was enabled, which blocked valid logins. The "access denied" message now shows the real IP so administrators can correctly whitelist it (#15722)
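
Why comparing the anonymized address blocks valid logins, shown as an added example (not Post Affiliate Pro's code). The anonymization scheme (zeroing the last IPv4 octet or the low 80 IPv6 bits), the function names and the sample addresses are assumptions.

```python
import ipaddress


def anonymize(ip):
    """Assumed anonymization: keep the first 24 IPv4 bits / 48 IPv6 bits."""
    addr = ipaddress.ip_address(ip)
    keep = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(net.network_address)


def in_whitelist(ip, entries):
    """Entries may be single addresses or CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False


def login_check_buggy(real_ip, entries):
    """Pre-fix behaviour described above: the anonymized IP is compared
    and is also what the 'access denied' message would show."""
    shown = anonymize(real_ip)
    return in_whitelist(shown, entries), shown


def login_check_fixed(real_ip, entries):
    """Post-fix behaviour: compare and report the real IP; anonymization
    applies only to what is stored afterwards."""
    return in_whitelist(real_ip, entries), real_ip


# Constructed sample whitelist using documentation address ranges.
WHITELIST = ["203.0.113.57", "198.51.100.0/24"]

if __name__ == "__main__":
    for ip in ("203.0.113.57", "198.51.100.9", "192.0.2.10"):
        print(ip, login_check_buggy(ip, WHITELIST), login_check_fixed(ip, WHITELIST))
```

Under this assumed scheme, whitelisting the anonymized value from the old message would admit every host that anonymizes to it, which is why the message showing the real IP matters.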

Improvements

Banners

  • Extension-less URLs for Banner Images - Banner images now work without a file extension in the URL, so existing banner links remain functional even after image format changes (#14884)
  • Improved Banner Image Quality - Banners already in WebP format are no longer re-encoded on upload, preventing quality loss and blurry text. WebP conversion quality for other formats was increased from 60% to 80% (#15586)

Commissions

  • Approval Setting Help Text - Added a tooltip to the commission type Approval setting clarifying that it is overridden when the transaction status is set directly in the tracking request (#15572)

Email Templates

  • General Affiliate Link Variable - A new variable for the general affiliate link is now available in email templates, making it easier to include affiliate links in welcome and notification emails (#15422)

REST API v3

  • Additional Transaction Search Fields - The q search parameter on GET /transactions now supports filtering by action code, merchant note, and system note (#15418)
  • Documented Fields Parameter - The fields parameter for /transactions and /banners endpoints is now included in the API documentation (#15418)

Bug Fixes

User Interface

  • Dark Theme Read-only Fields - Fixed read-only fields not being properly styled in dark theme (#15424)