From f663aef43cb21c404b93f4a58f2e161f9afe51e3 Mon Sep 17 00:00:00 2001
From: Adriaan Zonnenberg
Date: Thu, 12 Mar 2026 16:41:26 +0100
Subject: [PATCH 1/4] Add auth check to the logout action
---
 lib/Modules/Admin/Settings.php | 10 +++++++++-
 readme.txt | 5 ++++-
 resources/views/admin/settings.php | 2 +-
 3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/lib/Modules/Admin/Settings.php b/lib/Modules/Admin/Settings.php
index ce22e72..c9be3fe 100644
--- a/lib/Modules/Admin/Settings.php
+++ b/lib/Modules/Admin/Settings.php
@@ -249,11 +249,19 @@ public function render_default_shop_dropdown(): void
 public function logout_action(): void
 {
- // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 if (isset($_GET['sendy_logout'])) {
+ if (! current_user_can('manage_woocommerce')) {
+ wp_die(esc_html__('You do not have sufficient permissions to access this page.', 'sendy'), 403);
+ }
+
+ if (! wp_verify_nonce($_GET['_wpnonce'] ?? '', 'sendy_logout')) {
+ wp_die(esc_html__('Nonce verification failed.', 'sendy'), 401);
+ }
+
 update_option('sendy_access_token', null, false);
 wp_safe_redirect(admin_url('admin.php?page=sendy'));
+ exit;
 }
 }
diff --git a/readme.txt b/readme.txt
index 553675c..41f8593 100644
--- a/readme.txt
+++ b/readme.txt
@@ -52,9 +52,12 @@ Hierop zijn onze [algemene voorwaarden](https://sendy.nl/algemene-voorwaarden/)
 == Changelog ==
+= Unreleased =
+* Fix CVE-2025-68564 - Protect the logout endpoint
+
 = 3.4.2 =
 * Improve error handling on order pages
-* Fix CVE-2025-68564 - Verify webhook requests using the signature
+* Verify webhook requests using the signature
 = 3.4.1 =
 * Fix an error handling issue when creating shipments
diff --git a/resources/views/admin/settings.php b/resources/views/admin/settings.php
index df74075..ff108c5 100644
--- a/resources/views/admin/settings.php
+++ b/resources/views/admin/settings.php
@@ -34,7 +34,7 @@ ?>
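Review bot: The nonce branch in logout_action passes `$_GET['_wpnonce']` to wp_verify_nonce without unslashing or sanitizing it and dies with 401, whereas WordPress's own failed-referer path (wp_nonce_ays, as used by check_admin_referer) answers 403; 401 denotes a missing credential challenge, which is not the situation for a logged-in user following a stale link. The simplest fix is to replace the hand-rolled branch with `check_admin_referer('sendy_logout');`, which reads and validates `_wpnonce` itself and renders the standard 403 page. If the custom message is wanted, keep the branch but use `if (! wp_verify_nonce(sanitize_text_field(wp_unslash($_GET['_wpnonce'] ?? '')), 'sendy_logout')) {` and `wp_die(esc_html__('Nonce verification failed.', 'sendy'), 403);`. A one-line comment would also help the next reader see why both checks are needed, e.g. `// Nonce: the request must originate from our settings page; capability: only shop managers may disconnect.`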

- +

From 0959309775fcf6aa6b122ccaacc75d3994b32db8 Mon Sep 17 00:00:00 2001
From: Adriaan Zonnenberg
Date: Thu, 12 Mar 2026 17:37:19 +0100
Subject: [PATCH 2/4] Add script for pre-releases
---
 .distignore | 3 +++
 .gitignore | 1 +
 build_release.sh | 25 +++++++++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100755 build_release.sh
diff --git a/.distignore b/.distignore
index 7767bf0..f304960 100644
--- a/.distignore
+++ b/.distignore
@@ -2,7 +2,9 @@
 /.git
 /.github
 /node_modules
+/.idea
+.DS_Store
 .distignore
 .gitignore
 README.md
@@ -16,3 +18,4 @@ webpack.config.js
 .php-cs-fixer.dist.php
 .php-cs-fixer.cache
 .prettierignore
+build_release.sh
diff --git a/.gitignore b/.gitignore
index 02e6e55..bfe73fb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ vendor
 node_modules
 build
 .php-cs-fixer.cache
+/*.zip
diff --git a/build_release.sh b/build_release.sh
new file mode 100755
index 0000000..82a5b7a
--- /dev/null
+++ b/build_release.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# Bundle the project into a zip file for a pre-release.
+# Mirrors what .github/workflows/publish_release.yml does, but locally.
+
+set -euo pipefail
+
+SLUG="sendy"
+
+composer install --no-dev --no-interaction --optimize-autoloader
+npm ci
+npm run build
+
+rm -f "$SLUG.zip"
+TMPDIR=$(mktemp -d)
+
+rsync -rc --exclude-from=".distignore" . "$TMPDIR/trunk/"
+
+ln -s "$TMPDIR/trunk" "$TMPDIR/$SLUG"
+cd "$TMPDIR"
+zip -r "$OLDPWD/$SLUG.zip" "$SLUG"
+cd "$OLDPWD"
+
+rm -rf "$TMPDIR"
+
+echo "Release package created: $SLUG.zip"
From 69a94fe9d07149c98afd3e90fec8721157cd0283 Mon Sep 17 00:00:00 2001
From: Adriaan Zonnenberg
Date: Thu, 12 Mar 2026 17:38:21 +0100
Subject: [PATCH 3/4] Add authorization guards where missing
---
 lib/Modules/Orders/BulkActions.php | 4 ++++
 lib/Modules/Orders/Single.php | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/lib/Modules/Orders/BulkActions.php b/lib/Modules/Orders/BulkActions.php
index 2675a24..54b4eab 100644
--- a/lib/Modules/Orders/BulkActions.php
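Review bot: build_release.sh stores its scratch directory in `TMPDIR`, which is the environment variable that mktemp, zip and other tools consult for their own temporary files, so reassigning it mid-script redirects any later temp-file use into the scratch tree and misleads the reader. Under `set -e` a failing `rsync` or `zip` also exits before the trailing `rm -rf`, leaving the directory behind. Rename the variable and clean up with a trap: `WORKDIR=$(mktemp -d)` followed by `trap 'rm -rf "$WORKDIR"' EXIT`, then use `$WORKDIR` wherever `$TMPDIR` appears and drop the explicit `rm -rf`. Since the `--exclude-from=".distignore"` rsync is the only thing keeping development files out of the published zip, listing the archive (`unzip -l "$SLUG.zip"`) at the end gives the person cutting the release a chance to spot a pattern that rsync interpreted differently than the deploy workflow does.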
+++ b/lib/Modules/Orders/BulkActions.php
@@ -89,6 +89,10 @@ public function handle_bulk_action_print_labels(string $redirect, string $action
 return $redirect;
 }
+ if (! current_user_can('manage_woocommerce')) {
+ wp_die(esc_html__('You do not have sufficient permissions to access this page.', 'sendy'), 403);
+ }
+
 $shipmentIds = [];
 foreach ($objectIds as $objectId) {
diff --git a/lib/Modules/Orders/Single.php b/lib/Modules/Orders/Single.php
index 7c4b24c..6859b43 100644
--- a/lib/Modules/Orders/Single.php
+++ b/lib/Modules/Orders/Single.php
@@ -109,6 +109,10 @@ public function enqueue_assets(): void
 public function handle_create_shipment_from_form(): void
 {
 try {
+ if (! current_user_can('manage_woocommerce')) {
+ throw new \Exception(esc_html__('You do not have sufficient permissions to access this page.', 'sendy'));
+ }
+
 if (! isset($_REQUEST['nonce']) || ! check_ajax_referer('sendy_create_shipment', 'nonce')) {
 throw new \Exception(esc_html__('Nonce verification failed', 'sendy'));
 }
From ffdfa1de4dae15eb0e2c7e263b98a8b09611c3d7 Mon Sep 17 00:00:00 2001
From: Adriaan Zonnenberg
Date: Mon, 30 Mar 2026 11:18:51 +0200
Subject: [PATCH 4/4] 3.4.3
---
 lib/Plugin.php | 2 +-
 readme.txt | 6 +++---
 sendy.php | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/Plugin.php b/lib/Plugin.php
index 7ef863e..4cbb179 100644
--- a/lib/Plugin.php
+++ b/lib/Plugin.php
@@ -18,7 +18,7 @@ class Plugin
 {
- public const VERSION = '3.4.2';
+ public const VERSION = '3.4.3';
 public const SETTINGS_ID = 'sendy';
diff --git a/readme.txt b/readme.txt
index 41f8593..f1a8db1 100644
--- a/readme.txt
+++ b/readme.txt
@@ -2,8 +2,8 @@
 Plugin Name: Sendy
 Plugin URI: https://app.sendy.nl/
 Description: A WooCommerce plugin that connects your site to the Sendy platform
-Version: 3.4.2
-Stable tag: 3.4.2
+Version: 3.4.3
+Stable tag: 3.4.3
 License: MIT
 Author: Sendy
 Author URI: https://sendy.nl/
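Review bot: The new capability check in handle_create_shipment_from_form throws a plain `\Exception` with no code, so the catch block (outside this hunk) presumably cannot distinguish an authorization failure from the nonce failure below it or a later runtime error when it chooses an HTTP status for the AJAX response; if it reports everything as 400 or 200, the 403 that BulkActions.php sends directly for the same `manage_woocommerce` guard is lost here. Carrying the status in the exception code, `throw new \Exception(esc_html__('You do not have sufficient permissions to access this page.', 'sendy'), 403);`, lets the catch forward it (for instance `wp_send_json_error($message, $e->getCode() ?: 400)`) without altering control flow, and brings the two handlers into agreement. The enclosing try/catch continues past the end of the hunk, so the catch side would need the matching change.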
@@ -52,7 +52,7 @@ Hierop zijn onze [algemene voorwaarden](https://sendy.nl/algemene-voorwaarden/)
 == Changelog ==
-= Unreleased =
+= 3.4.3 =
 * Fix CVE-2025-68564 - Protect the logout endpoint
 = 3.4.2 =
diff --git a/sendy.php b/sendy.php
index 3b8b31c..8ec0fce 100644
--- a/sendy.php
+++ b/sendy.php
@@ -4,7 +4,7 @@
 * Plugin Name: Sendy
 * Plugin URI: https://app.sendy.nl/
 * Description: A WooCommerce plugin that connects your site to the Sendy platform
- * Version: 3.4.2
+ * Version: 3.4.3
 * Author: Sendy
 * Author URI: https://sendy.nl/
 * License: MIT