# WP Bannerize Pro
Contributors: gfazioli
Donate link: https://www.paypal.com/donate/?hosted_button_id=L77YYA8AVH2UW
Tags: banner, advertising, ads, campaign, analytics
Requires at least: 6.2
Tested up to: 6.9
Stable tag: 1.13.0
Requires PHP: 7.4
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html

Bannerize simplifies banner creation and management. Track views and clicks to gauge campaign success.

## Description

Bannerize is a WordPress plugin for creating and managing advertising banners with built-in analytics. Create image, HTML, or text banners, organize them into campaigns, and track impressions, clicks, and click-through rates to measure the effectiveness of your advertising.

For full documentation, visit the [Bannerize website](https://bannerize.vercel.app).

### Banner Types

* **Image Banners** — Upload from your WordPress media library or link to external image URLs
* **HTML Banners** — Use the rich text editor to create custom HTML, embed third-party ad code, iframes, or video players
* **Text Banners** — Simple text-based banners with full formatting support

### Display Methods

* **Gutenberg Block** — Native block editor integration with campaign and banner selection
* **Shortcode** — `[wp_bannerize_pro]` with filtering by campaign, order, layout, device, and geolocation
* **Widget** — Dedicated sidebar widget with all configuration options
* **PHP Function** — `wp_bannerize_pro()` and `get_wp_bannerize_pro()` for theme templates

### Analytics

* **Impressions Tracking** — Records every banner view with timestamp, referrer, IP, and user agent
* **Clicks Tracking** — Records every banner click with the same contextual data
* **CTR Calculation** — Automatic click-through rate computation
* **Trend Charts** — Visualize performance over time (hourly, daily, weekly, monthly)
* **Top Performers** — Rankings of best-performing banners and campaigns
* **Export** — Download analytics data in CSV or SQL format
* **Auto Cleanup** — Configurable data retention policies

### Advanced Features

* **Campaigns** — Organize banners into campaigns for grouped display and filtering
* **Scheduling** — Set start and end dates for time-limited promotions
* **Performance Limits** — Set maximum impressions and clicks per banner
* **Drag & Drop Sorting** — Reorder banners with ease
* **Device Targeting** — Show banners only on mobile or desktop
* **Geolocation** — Target banners by visitor country (via IPStack)
* **User Roles** — Three built-in roles: Banners Manager, Campaigns Manager, Campaigns Viewer
* **Custom Templates** — Override banner and campaign archive templates

### Dashboard Widget

A compact dashboard widget showing key banner performance metrics at a glance.

## Installation

1. Upload the entire content of plugin archive to your `/wp-content/plugins/` directory.
2. Activate the plugin through the 'Plugins' menu in WordPress (deactivate and reactivate if you're upgrading).
3. Done. Enjoy.

For detailed instructions, see the [installation guide](https://bannerize.vercel.app/docs/getting-started/installation).

## Screenshots

1. Add new banner by local media library
2. Add new banner text
3. Real time preview
4. Date range rules
5. Enable impressions and click for single banner
6. Banner campaigns
7. Analytics overview
8. Single report with filters
9. Settings
10. Widget

## FAQ

= 1. What is Bannerize? =
Bannerize is a WordPress banner management plugin with built-in analytics. It helps you create, organize, and track the performance of advertising banners on your site.

= 2. Where can I find the documentation? =
Full documentation, guides, and release notes are available at [bannerize.vercel.app](https://bannerize.vercel.app).

= 3. What banner formats are supported? =
Bannerize supports three types: local images (from your media library), remote images (external URLs), and HTML/text banners (custom HTML, ad code, iframes).

= 4. How do I display banners? =
You can display banners using a Gutenberg block, shortcode (`[wp_bannerize_pro]`), sidebar widget, or PHP function (`wp_bannerize_pro()`).

= 5. Can I track banner performance? =
Yes. Bannerize tracks impressions, clicks, and click-through rate (CTR) for every banner. View analytics in the Bannerize dashboard and export data in CSV or SQL format.

= 6. Can I customize the HTML output? =
Yes. Use the `wp_bannerize_classes` filter to add custom CSS classes, or configure custom templates in Settings. See [Customize Output](https://bannerize.vercel.app/docs/display-banners/customize-output).

= 7. Does Bannerize support geolocation? =
Yes. With an IPStack API key, you can target banners by visitor country using the `[wp_bannerize_pro_geo]` shortcode or the widget geo field.

= 8. Can I request a new feature? =
Yes! Please submit feature requests at [the support forum](https://wordpress.org/support/plugin/wp-bannerize-pro/).

= 9. Can I report a bug? =
Yes! Please report bugs at [the support forum](https://wordpress.org/support/plugin/wp-bannerize-pro/).

## Changelog

### 1.13.0

Feature, Security & Compatibility Update

#### New Features

* Added WebP image format support for local and remote banners
* WebP banners can now be uploaded from the media library or linked via external URLs
* Updated remote image validation to accept image/webp content type

#### Security

* Hardened analytics queries: campaign and banner ID filters now use $wpdb->prepare() placeholders instead of string interpolation
* Fixed invalid SQL placeholder (%1s) in analytics cleanup LIMIT clause, replaced with %d
* Hardened meta key JOINs in banner query builder with $wpdb->prepare() for all meta_key values
* Fixed SQL export using unescaped table name in INSERT statements
* Added capability check (manage_banners) to admin error notice display
* Used esc_html__() for translatable admin notice output

#### Bug Fixes

* Fixed PHP 8.0+ function str_starts_with() usage that broke compatibility with PHP 7.4
* Fixed duplicate entries in image MIME types array
* Fixed uninitialized $width and $height variables when image size detection fails
* Fixed potential fatal error when mime type is not detected during banner save
* Fixed string-to-integer comparison in banner list column for max impressions/clicks
* Fixed Gutenberg block missing "type" field for orderby attribute in block.json causing REST API warnings
* Fixed fatal error "read property ID on null" in getBannerClasses() when banner post is null
* Fixed esc_attr() used instead of esc_html() for impressions/clicks column output
* Fixed incorrect sanitization order (absint on esc_attr result) in pagination input

#### Improvements

* Redesigned horizontal layout with modern flexbox and responsive 2-column grid on wide screens, single column on mobile
* Vertical layout now uses flexbox with consistent gap spacing
* Banner images are fully responsive with max-width: 100% and auto height
* Refactored banner query meta key JOINs from repetitive code to loop-based construction
* Removed dead code: commented-out create_function() reference
* Refreshed readme.txt with structured description, expanded FAQ, and documentation links
* Rewrote README.md with badges, features, tech stack, and project structure

### 1.12.0

Security, Bug Fixes & Improvements

#### Security

* Fixed SQL injection vulnerabilities in analytics queries (impressions, clicks, CTR trends)
* Fixed SQL injection in the legacy importer controller
* Fixed XSS in banner rendering: added proper escaping for image src, alt, title, link href, and target attributes
* Fixed XSS in text banner rendering: added escaping for width/height style attributes
* Fixed stored XSS risk: sanitized IP address and User-Agent before saving to the database
* Fixed SSRF in image size detection: replaced raw cURL and getimagesize() with wp_remote_get()
* Fixed SSRF in remote image validation: replaced raw cURL with wp_remote_head()
* Hardened options update endpoint with schema validation, key whitelist, and sanitize_file_name() for template paths
* Hardened wp_loaded banner endpoint: added post type check, ID validation, null safety, and wp_kses_post() output filtering
* Removed full plugin options exposure from public frontend
* Used wp_json_encode() for all inline script output to prevent script injection

#### Bug Fixes

* Fixed Gutenberg block not filtering by campaign
* Fixed banner layout always forced to vertical regardless of the layout parameter
* Fixed banner preview meta box not appearing in the editor
* Fixed analytics data not deleted when a banner is permanently removed
* Fixed cron cleanup events not cleared when tracking is disabled or plugin is deactivated
* Fixed N+1 query issue: banner click/impression counts with value 0 no longer trigger unnecessary COUNT queries
* Fixed resetOptions calling a non-existent AJAX action
* Fixed DataTable crash when a banner has no campaigns assigned
* Fixed CSV export using incorrect escape sequence instead of RFC 4180 standard

#### Improvements

* Replaced remove_all_filters('parse_query') with explicit suppress_filters
* Replaced deprecated get_terms() positional arguments with array syntax
* Replaced date() with gmdate() for WordPress coding standards
* Aligned all SQL queries to use %i placeholder for table identifiers
* Removed all debug error_log() calls and console.log() from production code
* Migrated CPT meta box registration to registerMetaBoxes()

### 1.11.0

Security & Enhancement Updates

#### Security

* Added SSRF protection for external banner image URLs
* Added wp_bannerize_is_remote_image() validation method
* Only allows JPEG, PNG, and GIF formats from external sources
* Added admin error notice when invalid image URLs are submitted

#### Improvements

* Standardized code formatting and indentation
* Added user-friendly error messages for invalid banner image URLs

## Upgrade Notice

### 1.13.0
Adds WebP image support and fixes PHP 7.4 compatibility. Recommended update for all users.

### 1.12.0
Major security update with SQL injection, XSS, and SSRF fixes. Bug fixes for Gutenberg block, layout, analytics, and CSV export. Recommended update for all users.

### 1.11.0
Security update with SSRF protection for external banner images. Recommended update.
