The update (v3.0.3) includes a full review and fix to ensure everything is handled safely.
- Virtually all output is now safely escaped using esc_html(), esc_attr(), and esc_url() – so anything dynamic or user-defined is protected before output.
- Every bit of user input is sanitized, including form submissions, shortcode attributes, REST API responses, and widget data.
- Dynamic variables like ${} are now properly escaped before output, just to be extra safe.
- The shortcode handler was improved, as it now validates selected_widget_id.
- REST API responses were reviewed, and all data returned is sanitized or escaped.
Fingers crossed this fixed the issue, but please let us know if the problem still exists.
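
For readers who want to see the pattern the list above describes, here is an added example (not the plugin's own code) of a WordPress shortcode handler that validates selected_widget_id and escapes each value for its output context. The shortcode tag, post type, function name and markup are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. The shortcode tag "example_widget",
// the post type "example_widget" and the CSS class are assumptions.

function example_widget_shortcode( $atts ) {
    // Keep only known attributes; anything else in the shortcode is dropped.
    $atts = shortcode_atts(
        array( 'selected_widget_id' => 0 ),
        $atts,
        'example_widget'
    );

    // Validate: the ID must reduce to a positive integer ...
    $widget_id = absint( $atts['selected_widget_id'] );
    if ( 0 === $widget_id ) {
        return '';
    }

    // ... and must point at a published post of the expected type,
    // so the shortcode cannot be used to render arbitrary content.
    $widget = get_post( $widget_id );
    if ( ! $widget
        || 'example_widget' !== $widget->post_type
        || 'publish' !== $widget->post_status ) {
        return '';
    }

    // Escape late, with the function that matches each output context:
    // attribute value, URL, and text node.
    return sprintf(
        '<div class="example-widget" data-widget-id="%1$s"><a href="%2$s">%3$s</a></div>',
        esc_attr( $widget_id ),
        esc_url( get_permalink( $widget ) ),
        esc_html( get_the_title( $widget ) )
    );
}
add_shortcode( 'example_widget', 'example_widget_shortcode' );
```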