Fixes the archive top bar wiping active search filters when the sort dropdown changes. Strongly recommended for anyone using [uclwp_search_results top_bar="enable"].<\/p>","1.16.0":"
Adds two new single-listing styles, admin-editable price chips, a top bar option on [uclwp_search_results], per-listing map zoom persistence, a columns attribute on search style 2, and a fix for the card image aspect-ratio setting that wasn't applying.<\/p>","1.15.0":"
Adds two new search-form styles (Bar + Hero) with a modern price-range control. Fixes equal-height grid cards, the empty category icon, and overflowing seller emails in the sidebar.<\/p>","1.14.2":"
Fixes the "Invalid LatLng object" Leaflet error when creating a new listing in wp-admin, introduced by the 1.14.1 metabox-assets fix. Strongly recommended for anyone on 1.14.1.<\/p>","1.14.1":"
Bug fix: restores Bootstrap CSS, icons, media uploader and map on the wp-admin Listing Information metabox. No behaviour change anywhere else.<\/p>","1.14.0":"
Release-candidate compliance pass \u2014 clears all Plugin Check errors for WordPress.org submission (escape on dynamic CSS, paginate_links output, translator comments, Tested up to 7.0, plugin name rules). No behaviour change.<\/p>","1.13.0":"
Second WordPress.org Plugin Check compliance pass. Adds ABSPATH guards everywhere, wp_send_json\/wp_json_encode adoption, wp_remote timeout, rel="noopener noreferrer" on target=_blank links, removes deprecated load_plugin_textdomain, prefixes orphan filters. No behaviour change.<\/p>","1.12.0":"
Full sanitization and escaping audit for WordPress.org plugin review compliance. Fixes one display bug in the compare-listings table; removes a second hardcoded reCAPTCHA fallback key; no breaking changes.<\/p>","1.11.0":"
Field display redesigned on single pages and cards (icon + label + value cards, definition lists, or inline pills). Adds Favorites and Dark Mode. Visually backward-compatible \u2014 the new "cards" display becomes the default on single-listing pages.<\/p>","1.10.0":"
Adds three new listing card styles (Minimal, Bold Overlay, Compact), a 14-colour palette wired through CSS variables, card radius and image aspect-ratio settings. Visually backward-compatible.<\/p>","1.9.0":"
Adds a setup wizard, auto-page creation, and a polite review prompt. Builds on the 1.8.0 security hardening.<\/p>","1.8.0":"
Major security hardening release. Adds CSRF protection to every AJAX endpoint, removes plaintext password storage, fixes email header injection, and rate-limits authentication. All sites should update.<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":2},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3571494,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3571494,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.jpg":{"filename":"banner-1544x500.jpg","revision":3571494,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.jpg":{"filename":"banner-772x250.jpg","revision":3571494,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.1","1.2","1.3","1.4","1.5","1.6","1.7","2.0"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":2764251,"resolution":"1","location":"assets","locale":"","width":1592,"height":2538},"screenshot-2.png":{"filename":"screenshot-2.png","revision":2764251,"resolution":"2","location":"assets","locale":"","width":1686,"height":687},"screenshot-3.png":{"filename":"screenshot-3.png","revision":2764251,"resolution":"3","location":"assets","locale":"","width":1692,"height":1132},"screenshot-4.png":{"filename":"screenshot-4.png","revision":2764251,"resolution":"4","location":"assets","locale":"","width":1565,"height":3260}},"screenshots":{"1":"Listings archive","2":"Sections Manager","3":"Fields Builder","4":"Frontend Management"}},"plugin_section":[],"plugin_tags":[4531,4527,2466,4528,8379],"plugin_category":[35,39],"plugin_contributors":[187022],"plugin_business_model":[],"class_list":["post-160100","plugin","type-plugin","status-publish","hentry","plugin_tags-classified-ads","plugin_tags-classifieds","plugin_tags-directory","plugin_tags-listings","plugin_tags-marketplace","plugin_category-advertising","plugin_category-business","plugin_contributors-webcodingplace","plugin_committers-webcodingplace"],"banners":{"banner":"https:\/\/ps.w.org\/ultimate-classified-listings\/assets\/banner-772x250.jpg?rev=3571494","banner_2x":"https:\/\/ps.w.org\/ultimate-classified-listings\/assets\/banner-1544x500.jpg?rev=3571494","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/ultimate-classified-listings\/assets\/icon-128x128.png?rev=3571494","icon_2x":"https:\/\/ps.w.org\/ultimate-classified-listings\/assets\/icon-256x256.png?rev=3571494","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/ultimate-classified-listings\/assets\/screenshot-1.png?rev=2764251","caption":"Listings archive"},{"src":"https:\/\/ps.w.org\/ultimate-classified-listings\/assets\/screenshot-2.png?rev=2764251","caption":"Sections Manager"},{"src":"https:\/\/ps.w.org\/ultimate-classified-listings\/assets\/screenshot-3.png?rev=2764251","caption":"Fields Builder"},{"src":"https:\/\/ps.w.org\/ultimate-classified-listings\/assets\/screenshot-4.png?rev=2764251","caption":"Frontend Management"}],"raw_content":"\n
Ultimate Classified Listings is a responsive classifieds and directory plugin for WordPress. It ships nice, clean templates and built-in features like unlimited custom fields, gallery sliders + grids, advanced AJAX search and Google Maps or OpenStreetMap support out of the box.<\/p>\n\n
It's also a full listing management system: register sellers, approve submissions, manage seller profiles, and run your own classifieds, jobs, real-estate, services or community marketplace.<\/p>\n\n
\/your-theme\/ucl\/...<\/code><\/li>\n<\/ul>\n\nQuick Links<\/h4>\n\n\n- Live Demo<\/a><\/strong><\/li>\n
- Documentation<\/a><\/strong><\/li>\n
- AJAX Search<\/a><\/strong><\/li>\n<\/ul>\n\n\n
\n- Navigate to the WordPress Dashboard -> Plugins -> Add New<\/li>\n
- Search for the Ultimate Classified Listings<\/li>\n
- Install and Activate<\/li>\n
- Now configure the settings from the Ultimate Classified Listings -> Settings<\/li>\n<\/ol>\n\n\n
\nIs this plugin free?<\/h3><\/dt>\nYes. The core plugin is free, including maps, AJAX search, frontend submission, and custom fields.<\/p><\/dd>\n
Does it work with Elementor, Gutenberg or Divi?<\/h3><\/dt>\nThe plugin uses shortcodes that work in any builder. Native Gutenberg blocks are on the v3.0 roadmap.<\/p><\/dd>\n
Do I need a Google Maps API key?<\/h3><\/dt>\nNo. The plugin ships OpenStreetMap via Leaflet by default. If you prefer Google Maps, you can add your API key in Settings.<\/p><\/dd>\n
Can I let users pay to post listings?<\/h3><\/dt>\nBuilt-in payment gateways are on the v3.0 roadmap. In v2.x you can use Settings \u2192 Submission Mode to require admin approval before listings are published.<\/p><\/dd>\n
How are seller passwords stored?<\/h3><\/dt>\nAs of 2.0, passwords are no longer stored in plain text in wp_options<\/code>. Newly registered users that require manual approval have their password hashed before storage. Legacy entries from prior versions will receive a one-time password reset email when approved.<\/p><\/dd>\nHow does the plugin protect against CSRF?<\/h3><\/dt>\nEvery AJAX endpoint requires a nonce verified by check_ajax_referer()<\/code>. Public requests use a dedicated public nonce and admin requests use a separate admin nonce, both rotated by WordPress.<\/p><\/dd>\nI'm migrating from another plugin. Is there a migration tool?<\/h3><\/dt>\nMigration tools from Directorist, WP Adverts and Classified Listing are on the v3.x roadmap. For now you can use WP All Import\/Export\/<\/p><\/dd>\n\n<\/dl>\n\n\n
2.0 - 14 June 2026<\/h4>\n\n\n- Bug fix: When the archive\/search-results top bar was rendered (via
[uclwp_search_results top_bar=\"enable\"]<\/code> or anywhere the uclwp_archive_topbar<\/code> action fires) and a visitor changed the sort dropdown, the resulting URL kept only sort_by<\/code> and layout<\/code> and dropped every other active query arg \u2014 keywords, price range, custom-field filters, etc. The top bar now re-emits every other $_GET<\/code> value as a hidden input inside the form (using PHP bracket notation for nested sub-arrays like regular_price[min]<\/code>), so the sort round-trip preserves the active filter set. The grid\/list switcher anchors already used add_query_arg()<\/code> and were unaffected.<\/li>\n- Added: New helper
uclwp_flatten_query_args()<\/code> that flattens nested arrays into name[sub][sub]<\/code> \/ value pairs suitable for hidden form inputs. Reusable from any template that needs to pass current GET state through a <form method=\"GET\"><\/code>.<\/li>\n<\/ul>\n\n1.16.0<\/h4>\n\n\n- Feature: Two new single-listing styles. Pick one in Settings \u2192 Templates Settings \u2192 Single Listing Style. Style 1 (Classic, default) is the existing look. Style 2 (Card Stack) renders each section as a raised card with a coloured left rail and a chip-style heading \u2014 e-commerce \/ property-listing feel. Style 3 (Minimal) drops the card chrome entirely and separates sections with thin top dividers. Implemented as a body class (
ucl-listing-style-1\/2\/3<\/code>) added on single-listing pages; templates are unchanged so all theme overrides keep working.<\/li>\n- Feature: Price quick-pick chips are now editable from the admin. New \"Price Quick-Pick Presets\" textarea in Settings \u2192 Search Settings (right after Total Listings) \u2014 one numeric preset per line; each becomes a \"Up to {price}\" chip under the price range control in search styles 2 and 3. Leave blank to hide the chips entirely. Still filterable in code via
uclwp_search_price_chips<\/code>.<\/li>\n- Feature:
[uclwp_search_results]<\/code> now supports a top_bar=\"enable\"<\/code> attribute (default disable<\/code>) that adds the same sort + grid\/list switcher the [uclwp_listings]<\/code> shortcode renders.<\/li>\n- Feature: Per-listing map zoom level is now saved. The admin metabox map writes the user-chosen zoom into a hidden
ucl_listing_zoom<\/code> input (Leaflet zoomend<\/code> and Google zoom_changed<\/code> events both wired up); both the admin metabox save path and the frontend create\/edit handler persist it; the single-listing template reads it back and the map opens at exactly that zoom on the frontend.<\/li>\n- Improvement: Search style 2 polish \u2014 reduced cell min-height from 46px to 38px, button is now a properly sized pill (not a tall circle), inputs no longer have huge top\/bottom padding. New
columns<\/code> shortcode attribute (1\u20136, default 4) controls how many secondary-field cells appear per row via CSS grid. Mobile collapses to 2 columns at \u2264768px and 1 column at \u2264480px.<\/li>\n- Bug fix: Card image aspect ratio (Settings \u2192 Listings \u2192 Card Image Aspect Ratio) was not being applied. The CSS selector keyed off
[style*=\"--ucl-card-image-ratio\"]<\/code>, which never matched because the variable is emitted via an inline <style><\/code> tag, not the element's style<\/code> attribute. The aspect-ratio rule now applies directly to .uclwp-grid-box-wrap .uclwp-image<\/code> and .uclwp-list-box-wrap .uclwp-image<\/code>, so all four card styles honour the chosen ratio.<\/li>\n<\/ul>\n\n1.15.0<\/h4>\n\n\n- Feature: Two new search-form styles, selectable via
[uclwp_search_form style=\"2\"]<\/code> and [uclwp_search_form style=\"3\"]<\/code>.\n\n\n- Style 2 \u2014 Bar<\/strong>: Compact horizontal pill bar with rounded inputs, designed to sit above an archive grid. Trulia\/Zillow feel.<\/li>\n
- Style 3 \u2014 Hero<\/strong>: Tall hero panel with a prominent keyword box, neat secondary-field grid below, and a final CTA row with a \"Clear filters\" link. Designed to anchor landing or category-archive pages. Configurable heading + sub-heading via the new
search_form_heading<\/code> \/ search_form_subheading<\/code> settings.<\/li>\n<\/ul><\/li>\n- Feature: New
uclwp_render_price_range_search()<\/code> helper renders a modern two-input price control with the currency symbol affixed inside each input, plus optional quick-pick chips (\"Up to $100\", \"Up to $500\", etc.). Used by styles 2 and 3. Preset chip values are filterable via uclwp_search_price_chips<\/code>.<\/li>\n- Improvement: Equal-height listing cards. Cards within the same row now stretch to match the tallest neighbour and push price\/CTA footer rows to the bottom, so grids look tidy even when titles\/excerpts vary in length. Scoped to
.ucl-display-listings<\/code> so single-listing sidebars and the compare box are unaffected.<\/li>\n- Bug fix:
[uclwp_categories]<\/code> (and the underlying render_category_image()<\/code>) no longer renders the saved Bootstrap-icon class. The previous wrapper produced class=\"bi bi-{bi bi-house}\"<\/code>, an invalid class that resolved to nothing. Output is now class=\"bi bi-house\"<\/code> (or the admin-set value). Categories with a saved icon will start rendering it immediately on update.<\/li>\n- Bug fix: Long seller email addresses were overflowing the contact box in the single-listing sidebar. The
<li><\/code> rows now apply overflow: hidden; text-overflow: ellipsis; white-space: nowrap;<\/code> and pick up the missing right padding so the email truncates inside the bordered chip.<\/li>\n<\/ul>\n\n1.14.2<\/h4>\n\n\n- Bug fix: When creating a new listing in wp-admin, Leaflet threw
Invalid LatLng object: (undefined, undefined)<\/code> and the map widget failed to render. Root cause was the v1.14.1 admin-enqueue fix, which preloaded the frontend single-listing map script (assets\/js\/location.js<\/code>) on the post-edit screen. That script expects a different localize payload (ucl_location_settings.latitude\/longitude<\/code>) than the metabox renderer provides (ucl_map_settings.def_lat\/def_long<\/code>), so its values came up undefined. The redundant enqueue has been removed \u2014 the location field renderer enqueues the correct script (assets\/fields\/location.js<\/code>) on its own when the section actually renders.<\/li>\n- Bug fix: Belt-and-braces hardening of the location renderer so that even if a stored listing has empty latitude\/longitude meta the JS still receives a numeric default (US geographic centre, 37.0902 \/ -95.7129). The previous longitude default lost its negative sign so the placeholder pin showed up in central Asia instead of Kansas.<\/li>\n
- Bug fix:
Control.Geocoder.js<\/code> now declares ucl-leaflet-js<\/code> as a dependency so the geocoder loads after Leaflet on the post-edit screen.<\/li>\n<\/ul>\n\n1.14.1<\/h4>\n\n\n- Bug fix: The Listing Information metabox on the wp-admin post-edit screen (
post.php<\/code> \/ post-new.php<\/code> for the uclwp_listing<\/code> CPT) was rendering without Bootstrap CSS, the icon font, the iconpicker JS, the media uploader, or the map widget. The load_admin_scripts()<\/code> enqueue gate previously matched only the plugin's own subpages (slug contained \"uclwp\"); it now also enqueues all required assets when the current admin screen's post_type<\/code> is uclwp_listing<\/code>. Bootstrap stays scoped to .uclwp-bs-wrapper<\/code> so it does not affect the surrounding wp-admin UI.<\/li>\n<\/ul>\n\n1.14.0<\/h4>\n\n
Final WordPress.org Plugin Check pass \u2014 clears all reported errors for plugin-directory submission.<\/p>\n\n
\n- Plugin name: Renamed to \"Ultimate Classified Listings \u2013 Classifieds, Directory & Marketplace\" so the readme title matches the plugin header and the word \"Plugin\" (a restricted term) is no longer part of the displayed name.<\/li>\n
- Tested up to: bumped to 7.0 to match the current WordPress release as required by .org.<\/li>\n
- Escaping: Wrapped the dynamic CSS variable block emitted by
assets\/css\/styles.php<\/code> through wp_strip_all_tags()<\/code> after each value is individually escaped via esc_attr()<\/code>, with phpcs:ignore annotations explaining why the final concatenation is safe.<\/li>\n- Escaping:
paginate_links()<\/code> output in render_pagination()<\/code> now passes through wp_kses_post()<\/code> before echoing.<\/li>\n- i18n: Added
\/* translators: %s ... *\/<\/code> comments above two printf( esc_html__( ... ), ... )<\/code> calls in the setup-wizard \"next steps\" panel that were missing them.<\/li>\n- Sanitization: Added
sanitize_text_field( wp_unslash( ... ) )<\/code> wrappers around $_REQUEST['listing_id']<\/code> reads in class-shortcodes.php delete_listing<\/code>, class-email.php contact_seller<\/code>, class-favorites.php ajax_toggle<\/code>, and shortcodes\/dashboard\/edit.php<\/code>. The values are still validated through uclwp_validate_listing_id()<\/code>.<\/li>\n- Sanitization:
$_SERVER['REQUEST_URI']<\/code> used to build the favorites login-redirect URL now passes through esc_url_raw( wp_unslash( ... ) )<\/code> before home_url()<\/code>.<\/li>\n- Sanitization: Recursive array inputs (
$_POST['uclwp_data']<\/code>, $_REQUEST['sections']<\/code>, $_REQUEST['fields']<\/code>) now have phpcs:ignore annotations documenting that each leaf is sanitized further down. The actual per-leaf sanitization was already in place.<\/li>\n- Sanitization: Login\/register password reads carry phpcs:ignore annotations explaining why passwords must not be passed through
sanitize_text_field()<\/code> (would strip control characters needed for hash comparison).<\/li>\n- File uploads in seller registration carry phpcs:ignore annotations pointing to the nonce check at the top of the handler.<\/li>\n<\/ul>\n\n
1.13.0<\/h4>\n\n
Second WordPress.org Plugin Check pass \u2014 addresses the warnings flagged by the official PCP tool that the manual sanitization audit missed.<\/p>\n\n
\n- Plugin Check: Added
defined( 'ABSPATH' ) || exit;<\/code> guard to 32 files that didn't have one, including all template files, shortcode partials, admin subviews, the inc\/arrays\/ data files and assets\/css\/styles.php.<\/li>\n- Plugin Check: Replaced all
json_encode( $resp )<\/code> AJAX response calls with wp_send_json( $resp )<\/code> so character encoding follows WP's UTF-8 conventions and the response is properly closed via wp_die()<\/code>.<\/li>\n- Plugin Check: Replaced remaining non-AJAX
json_encode()<\/code> calls (Slick \/ image-grid data-attributes) with wp_json_encode()<\/code>.<\/li>\n- Plugin Check: Added explicit
timeout<\/code> argument (10 s) to every wp_remote_post()<\/code> call.<\/li>\n- Plugin Check: Added
rel=\"noopener noreferrer\"<\/code> to every target=\"_blank\"<\/code> link in the admin settings help text, the post-update messages, and the setup-wizard \"next steps\" panel.<\/li>\n- Plugin Check: Removed
load_plugin_textdomain()<\/code> \u2014 WordPress 4.6+ loads translations automatically for plugins hosted on .org and the call is now flagged as discouraged.<\/li>\n- Plugin Check: Replaced bare
die();<\/code> \/ die(0);<\/code> with wp_die();<\/code> in AJAX handlers.<\/li>\n- Plugin Check: Added missing version arguments to every
wp_enqueue_style<\/code> \/ wp_enqueue_script<\/code> call (used UCLWP_VERSION<\/code> for bundled assets and null<\/code> for third-party CDN scripts whose URL already carries a version key).<\/li>\n- Plugin Check: Renamed three filters that were missing the plugin prefix:
no_results_message<\/code> \u2192 uclwp_no_results_message<\/code>, seller_contact_email_message<\/code> \u2192 uclwp_seller_contact_email_message<\/code>, raw_uclwp_price<\/code> \u2192 uclwp_raw_price<\/code>, formatted_uclwp_price<\/code> \u2192 uclwp_formatted_price<\/code>.<\/li>\n- Plugin Check: Removed nested
esc_attr( sanitize_text_field( \u2026 ) )<\/code> double-escape pattern in the search-form field renderer; the value is now sanitized once on input and the existing esc_attr()<\/code> at output point handles HTML-attribute escaping.<\/li>\n- Plugin Check: Google-Maps script URL now built via
add_query_arg()<\/code> instead of string concatenation, and routed through HTTPS unconditionally.<\/li>\n- Plugin Check: Direct
$wpdb->update()<\/code> call in seller-approve flow now has type-specifier arrays for $where and $data and a justification comment explaining why the WP user-API helpers can't be used (the password is already hashed).<\/li>\n<\/ul>\n\n1.12.0<\/h4>\n\n
This release is a full sanitization + escaping pass for WordPress.org plugin review compliance. No behaviour changes; every output path is now explicitly escaped and every input path is unslash + sanitized.<\/p>\n\n
\n- Sanitization: All
$_GET<\/code> \/ $_POST<\/code> \/ $_REQUEST<\/code> access across the plugin now runs through wp_unslash()<\/code> before sanitization, matching WordPress core conventions and WPCS<\/code> requirements.<\/li>\n- Escaping: Replaced
esc_attr_e()<\/code> \/ esc_attr__()<\/code> with the correct esc_html_e()<\/code> \/ esc_html__()<\/code> everywhere the output is HTML body content (labels, table cells, headings, paragraph text). Attribute-context calls (placeholder=\"\"<\/code>, title=\"\"<\/code>, value=\"\"<\/code>, data-*=\"\"<\/code>) remain esc_attr_e()<\/code>.<\/li>\n- Escaping: Replaced
esc_attr()<\/code> with esc_html()<\/code> on user-controlled body text \u2014 listing titles, seller names, emails, phone numbers, category names, etc.<\/li>\n- Escaping: Textarea content now uses
esc_textarea()<\/code> instead of esc_attr()<\/code>.<\/li>\n- Bugfix:
compare-box.php<\/code> printed nothing for compare table column headers due to esc_attr( $label )<\/code> (which returns instead of echoing). Now properly echo esc_html( $label )<\/code>.<\/li>\n- Hardening: Removed the second hardcoded reCAPTCHA fallback key in
templates\/sidebar\/default.php<\/code>. CAPTCHA now fails closed when not configured.<\/li>\n- Hardening:
gdpr_message<\/code> setting in the contact-seller form is now output via wp_kses_post()<\/code> so admins can include safe HTML formatting (was esc_attr()<\/code> which broke the HTML).<\/li>\n- Hardening: Search query builder (
uclwp_get_search_query<\/code>) sanitizes all dynamic orderby<\/code>, meta_key<\/code>, tag<\/code>, and range<\/code> inputs and validates against an allow-list before passing to WP_Query<\/code>.<\/li>\n- Hardening: HTML emails (contact-seller) now
esc_html()<\/code> user-controlled fields (client name, email, phone, message, listing title) before HTML interpolation.<\/li>\n- Hardening: Compare AJAX listing IDs cast through
absint()<\/code>; meta_key segments through