Changelog

2026

3.4.3 (May 19, 2026)

  • Security: REST API optimizer now stores only a validated plugin directory slug instead of a full filesystem path, preventing an attacker with burst_* option write access from pivoting to loading code outside the plugins directory.
  • Security: Removed the generic options/set REST endpoint; settings changes now go through the typed fields/set endpoint, which validates each option against its registered schema.
  • Security: Application Password authentication checks are now scoped to Burst REST endpoints, so Burst auth probing no longer affects unrelated REST routes (e.g. WooCommerce).
  • Improvement: AI ability function names preserve hyphens, ensuring function names roundtrip back to the original ability IDs.
  • Improvement: Data-sharing payload now reports active plugin versions, share-link and report-link counts, Team Updraft install sources per plugin, MainWP/Abilities API toggles, and report enabled state.
  • Improvement: "Enable AI chat" and "MainWP integration disabled" tasks can now be dismissed permanently.
  • Improvement: MainWP integration task link points to the correct advanced settings route.
  • Fix: MainWP proxy and admin helper now listen for the correct application_password_did_authenticate action, restoring Application Password authentication for MainWP and other Basic Auth flows.

3.4.2.1 (May 14, 2026)

  • New: "Persistent object cache recommended" task warns when very slow analytics queries are detected without a persistent object cache.
  • New: "MainWP integration disabled" task prompts you to enable the integration when MainWP Child is active but the Burst integration is off.
  • New: BURST_TRACK_ONLY constant disables the admin and registers only the tracking endpoints for headless or tracking-only installs.
  • Security: MainWP Application Password authentication now validates credentials atomically via wp_validate_application_password, returning the authenticated user ID instead of relying on a separate username comparison.
  • Improvement: Bounce metrics now read from the burst_sessions table directly, removing the session_bounces derived join from every dashboard query.
  • Improvement: Statistics derived-table subqueries project only the columns the outer query references, shrinking the materialized intermediate set on long date ranges.
  • Improvement: Added composite indexes (time, uid) and (time, session_id) on burst_statistics.
  • Improvement: Dashboard query results are cached per request with a single-flight lock when a persistent object cache is active, preventing duplicate heavy queries during request bursts.
  • Improvement: Statistics, goal, and subscription SELECT queries carry a MAX_EXECUTION_TIME hint with a cooldown marker after a timeout, preventing repeated runaway queries from blocking the dashboard.
  • Improvement: burst_query_stats writes retry on deadlock and suppress noisy db_error output.
  • Improvement: Subscription providers (EDD Recurring, Subscriben, WooCommerce Subscriptions) walk results with keyset pagination on the primary key and share per-request row caches across MRR, churn, distribution, retention, and product metrics.
  • Improvement: Pre-aggregated order-item totals are used when a query does not break down by product, avoiding row multiplication from joining burst_order_items.
  • Improvement: Ecommerce foreign keys converted from varchar(255) to INT UNSIGNED with additional indexes on the orders, order-items, cart, and cart-items tables.
  • Improvement: MainWP integration setting is hidden when the MainWP Child plugin is not installed.
  • Fix: Shared sales access correctly updates user_can_view_sales instead of user_can_view when no share token is present.

3.4.2 (May 12, 2026)

  • New: Burst AI Chat assistant in the dashboard, powered by the WordPress AI Client; requires the Abilities API setting and a configured AI provider.
  • New: "Enable MainWP Dashboard Integration" advanced setting. Existing MainWP users must enable this setting after upgrade to continue using the integration.
  • New: Granular REST datatable endpoints data/datatable/{id} and data/ecommerce/datatable/{id} with per-endpoint metric allow-lists.
  • Breaking: Generic data/datatable and data/ecommerce/datatable REST endpoints have been removed; use the new per-datatable endpoints instead.
  • Breaking: Story report share URLs now use path-based routing (/burst-dashboard/story/) instead of the legacy hash route; existing share links auto-upgrade in the browser.
  • Breaking: The subscriptions tab is no longer shareable via share links.
  • Security: MainWP signed requests embed a single-use nonce with a 5-minute TTL, preventing signature replay attacks.
  • Security: MainWP authentication endpoint accepts only requests with the dashboard header, a valid Application Password, or an explicit burst_nonce, blocking CSRF against logged-in admins.
  • Security: Shared-link viewer role can no longer create Application Passwords; existing viewer Application Passwords are removed on upgrade.
  • Security: Shared dashboard sessions are restricted per REST endpoint based on the tabs allowed by the share token, with deny-by-default for unmapped endpoints.
  • Security: Datatable endpoints enforce per-table metric allow-lists; metrics outside a table's schema are rejected.
  • Security: Abilities API endpoints require the manage capability (previously view), and chat requests are rate-limited per user.
  • Security: Story report endpoint now validates the share token format before returning report data.
  • Security: Auto-installer requires the install_plugins capability, validates the download URL against an allow-list of Burst hosts, validates the license before installing, and verifies the authenticated Basic Auth user matches the header.
  • Security: Translation language pack downloads sanitize the remote filename with basename() to prevent path traversal outside the languages directory.
  • Security: REST API optimizer matches the Burst namespace against the URL path only and anchors at the namespace boundary, preventing query-string spoofing and lookalike namespace bypasses.
  • Improvement: Sales and subscriptions abilities accept filters and limit parameters; the data ability accepts an interval override and a datatable_id when requesting datatable rows.
  • Improvement: Plugin activation time is normalized to the oldest statistics timestamp on upgrade when older data is detected.
  • Fix: Dark-mode pre-render flash for users who explicitly choose the light theme on a dark OS.

3.4.1 (April 29, 2026)

  • New: Abilities API integration exposes nine read-only Burst abilities (live visitors, live traffic, today summary, tasks, tracking status, license notices, data, sales, subscriptions) for AI agents and automation, gated by a new "Enable Abilities API" advanced setting and per-user rate limiting.
  • Security: REST API AJAX fallback now splits read and write actions into separate handlers (burst_rest_api_fallback_get_action / burst_rest_api_fallback_do_action), each enforcing the appropriate view or manage capability before dispatch.
  • Security: MainWP auth endpoint now rejects unauthenticated unsigned callers and subscribers in its permission callback, requiring either a valid MainWP signature with a capable user or an already-logged-in admin holding manage_burst_statistics.
  • Security: MainWP CORS no longer sends Access-Control-Allow-Credentials during the unpaired bootstrap, so the first signed handshake cannot rely on a logged-in cookie.
  • Security: MainWP signed-request handler now verifies the resolved user holds manage_burst_statistics before switching context.
  • Security: Posts REST endpoint now requires the manage capability instead of the view capability.
  • Improvement: Share links list moved to a unified list_share_links action and share-link filters now return reindexed arrays for predictable JSON output.
  • Fix: Datatable column rendering no longer errors when a metric label is missing from the lookup table; the metric key is humanized as a fallback.

3.4.0 (April 20, 2026)

  • New: Application Password support.
  • New: Headless setup support with client plugin downloader, signed REST endpoints (burst/v1/client/*), and BURST_HEADLESS_DOMAIN constant for tracking remote frontends.
  • New: MainWP support.
  • New: Subscription analytics dashboard with MRR, active/canceled/trialling counts, churn percentage, lifetime value, new vs renewal revenue charts, gateway/currency/country distribution, and monthly cohort retention.
  • New: Subscription integrations for WooCommerce Subscriptions, EDD Recurring, and Subscriben with daily aggregation, backfill cron, and per-product breakdowns.
  • New: "All time" date range option in dashboards, anchored to the plugin activation date.
  • New: Adblocker detection modal shown when Burst Statistics fails to load in the admin.
  • New: Dark mode pre-render script prevents white flash when opening the dashboard.
  • New: BURST_ALLOWED_ORIGINS and BURST_HEADLESS_DOMAIN now accept hostnames with or without protocol for the tracking endpoint.
  • Security: Reports REST endpoint now enforces a manage_burst_statistics capability check before returning report data.
  • Security: Daily cron destroys all sessions for the burst_statistics_viewer shared user, ensuring viewer sessions never exceed 24 hours.
  • Security: Database metrics collector now validates table names against the whitelist instead of relying on esc_sql().
  • Improvement: Query fingerprinting replaces raw SQL hashing in burst_query_stats, producing deterministic stats per query family with date-range bucketing and a 100-row cap on slowest queries.
  • Improvement: Insights chart returns raw timestamps and interval metadata so the frontend formats dates with Intl.DateTimeFormat, fixing locale and timezone edge cases.
  • Improvement: Monthly and weekly report scheduling now uses wp_date() for site timezone matching instead of UTC.
  • Improvement: Report sending uses a per-report transient lock to prevent duplicate emails when parallel cron runs overlap.
  • Improvement: Subscription event listeners debounce real-time "today" aggregation updates with a 60-second window.
  • Improvement: GeoIP database update writes to a temporary file and atomically swaps it in, preventing corrupted databases when extraction fails.
  • Improvement: Integrations now load split admin/frontend script files, reducing frontend overhead.
  • Improvement: Activation redirect moved to the frontend bootstrap and gated by capability and request-context checks.
  • Improvement: Datatable colors use CSS custom properties for consistent theming across light and dark modes.
  • Improvement: Bounce threshold (default 5000ms) is now filterable via burst_bounce_time.
  • Improvement: Reset routine refuses to drop tables that don't start with the burst_ prefix, protecting third-party tables registered via filters.
  • Improvement: Malicious data detection runs on a delayed single-event cron to avoid missing-table errors after reset.
  • Improvement: Menu and goal type configuration adds icons and hides hook-type goals when cookieless tracking is enabled in headless mode.
  • Improvement: Subscription summary tables are skipped during cached data lookups when not yet populated, avoiding query errors.
  • Fix: Truncating the referrers table now checks the table exists first to prevent errors after a data reset.
  • Fix: Referrer filter exclusion no longer matches NULL values, restoring expected exclusion behavior.
  • Fix: Goal statistics return a safe empty payload during database upgrades instead of querying tables that may not exist yet.
  • Fix: Tracking script no longer enqueues on the frontend when BURST_HEADLESS_DOMAIN is defined.

3.3.0 (March 25, 2026)

  • Breaking: Browser, device, platform, bounce, and first-time-visit columns moved from burst_statistics to burst_sessions table; a background migration runs automatically on upgrade.
  • New: Time-per-session filter for advanced statistics segmentation.
  • New: Dark mode logo support in email reports.
  • Security: Share links no longer grant access to sales/ecommerce data by default; the sales tab must be explicitly included when sharing.
  • Security: Test hit detection now validates a nonce to prevent bypassing IP blocking.
  • Security: Ecommerce data endpoints now enforce the view_sales capability check.
  • Improvement: Monthly chart intervals are calendar-aware, ensuring every month in a long date range is represented correctly.
  • Improvement: Bounce and first-time-visit recalculation now updates the sessions table directly, eliminating subquery joins.
  • Improvement: Archive exports include session-level fields; restore correctly splits columns between the statistics and sessions tables.
  • Improvement: Archiving automatically deletes orphaned sessions after statistics rows are removed.
  • Improvement: Share link and story URL schemes are normalized to match BURST_URL, fixing http/https mismatches during cron.
  • Improvement: Menu capability checks now use the plugin's wrapper functions, respecting any capability overrides.
  • Fix: Auto-installer PHP notice when license or item_id request params are absent.
  • Fix: Report status shows "Ready to share" instead of "Ready to send" for non-scheduled reports.
  • Fix: Double nonce verification call in verify_nonce() removed; now uses the pre-computed result.
  • Fix: Frontend statistics browser and platform filters now correctly resolve names to lookup table IDs.

3.2.3.3 (March 18, 2026)

  • New: Exclude option for filters.
  • Improvement: Added automated tests ("tested up to", story reporting).
  • Fix: Classic email report custom logo and archive table recreation after wipe/reset.

3.2.3.2 (March 12, 2026)

  • Fix: Story report logo fix build completion.

3.2.3.1 (March 11, 2026)

  • Fix: Story report logo customization.

3.2.3 (March 10, 2026)

  • Fix: Share link loading for non-logged-in users.

3.2.2 (March 9, 2026)

  • Security: Missing authorization check for report management fixed.
  • Fix: Sanitizer handling of table prefixes.

3.2.1 (March 5, 2026)

  • Improvement: Turbo default enabled + recommendation notice when cookieless mode is enabled.
  • Improvement: Added PharData class check to avoid fatal errors.
  • Fix: Cron scheme handling, reporting settings duplication, and classic premium report URL warning.

3.2.0 (February 23, 2026)

  • New: Anonymous data-sharing option for product improvements.
  • New: Redesigned reporting and shareable customer story reports.
  • New: Discord invite notice.
  • Fix: REST API tracking non-JSON handling, bounce calculations, and merge setting default logic.

3.1.6.1 (January 21, 2026)

  • New: Custom block option.
  • Fix: Cross-year week number edge case.
  • Fix: React error on some clean installs.

3.1.6 (January 19, 2026)

  • Fix: Archive old-data deletion SQL issue.
  • Fix: Browser/OS device filtering in insights.
  • Improvement: Added automated test coverage and persistent sorting.
  • Improvement: Continent filtering.

3.1.5 (January 6, 2026)

  • New: Share-link for current view/filters/date range.
  • Improvement: UX and mobile responsiveness improvements.
  • Improvement: Revenue formatting, URL wrapping, and broader PHPCS/test coverage.
  • Fix: Local storage filter errors, HTTPS mixed-content issues, RTL onboarding CSS loading, and license expiration calculation.

2025

3.1.4.1 (December 23, 2025)

  • Fix: Trailing slash consistency in stored referrers.

3.1.4 (December 20, 2025)

  • New: Low/high traffic anomaly notification.
  • Improvement: Datatable/loading styling and query performance (referrers/parameters).
  • Improvement: Added optimizer exclusions and fallback logic for scripts/variables generation.
  • Improvement: Added more metrics and parameter filtering.
  • Fix: Device filtering and region/state loading in world map.

3.1.3 (December 11)

  • Improvement: Expanded ghost mode obfuscation.
  • Fix: Insight chart date labels and placeholder formatting.

3.1.2 (December 9)

  • New: Ghost option and URL-synced current filter.
  • Improvement: Query/data refactors and upgrade UX.
  • Fix: CSV-related sales tab React error and activation-time filtering issue.

3.1.1 (December 1)

  • New: CSV exports from data tables.
  • Improvement: New archive months filter and reporting optimizer exclusions.
  • Fix: WooCommerce permalink manager conflict and PHP warning.

3.1.0.4 (November 25)

  • Fix: Escaped values during archive restore.
  • Improvement: Added automated tests for hook goals and archive restore.

3.1.0.3 (November 21)

  • Fix: Hook goals parameter issue causing PHP error and failed tracking.
  • Improvement: Known UID column-size compatibility and updater edge-case handling.

3.1.0.2 (November 20)

  • Fix: Archived months not shown in archiving UI.

3.1.0.1 (November 18)

  • Improvement: Added predefined goals test.
  • Fix: Settings save flow requiring reload.

3.1.0

  • Performance: Tracking workload offloaded to batched cron processing.
  • Improvement: User Agent parser improvements and API request controller.
  • Fix: Filters, capability gating, sales tab cleanup, and page-count cache staleness.

3.0.2 (November 7)

  • Fix: False positive database table notice without WooCommerce.
  • Improvement: EDD Stripe trial counting logic.

3.0.1 (November 6)

  • Fix: Ecommerce + cookieless UID handling.
  • Fix: Ecommerce table recreation after reset.

3.0.0 (November 4)

  • New: Dedicated WooCommerce + EDD sales dashboard.
  • New: Raised minimum requirements (PHP 8.0, WordPress 6.4).
  • Fix: Multiple compatibility/licensing/tracking/task issues.

Older entries

The year is not explicitly shown in the readme for these entries. Since November 2025, we have been adding release dates to the changelogs.

2.2.9.3

  • Improvement: Time range logic parity and advanced-filter performance limits.
  • Fix: Domain filtering external link behavior, Fluent CRM warning, milestone/licensing fixes.

2.2.9.2

  • Improvement: UI alignment and cleanup of obsolete upgrade/log files/hooks.

2.2.9.1

  • Improvement: Date range options for page/post overviews.
  • Fix: Onboarding wizard data storage issue.

2.2.9

  • New: Page/post count time-range limiting for performance.
  • Fix: Code directory move for translations and queried object ID handling.
  • Improvement: Goal selector and Geo-IP null-edge handling.

2.2.8.1

  • New: Entry and exit pages filter.
  • Improvement: PHP notice dismissal.

2.2.8

  • New: Improved cookieless tracking library.
  • Improvement: Fallback database upgrade mechanism.

2.2.7

  • New: Detailed live visitors tab.
  • Improvement: Mobile responsiveness and fallback licensing domain.
  • Fix: Multisite network activation endpoint detection issue.

2.2.6.2

  • Improvement: Upgrade fallback mechanism.

2.2.6.1

  • Fix: Hook goal cookieless tracking method.

2.2.6

  • Improvement: More accurate page-specific pageviews and cookieless hook goals.
  • Improvement: Remaining CSS migration to Tailwind.
  • Fix: Parameter/value grouping on parameters overview.

2.2.5

  • Fix: Bounce and bounce-rate calculation.
  • Fix: Archiving upgrade link.

2.2.4

  • New: Site Health debug info and wildcard page URL filtering.
  • Improvement: Task revalidation, endpoint safety checks, and broader performance improvements.
  • Fix: Empty-table summary upgrade edge case and the_content null-value edge case.