sendynl · adriaanzon · Mar 30, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026
diff --git a/.distignore b/.distignore
@@ -2,7 +2,9 @@
 /.git
 /.github
 /node_modules
+/.idea
 
+.DS_Store
 .distignore
 .gitignore
 README.md
@@ -16,3 +18,4 @@ webpack.config.js
 .php-cs-fixer.dist.php
 .php-cs-fixer.cache
 .prettierignore
+build_release.sh
diff --git a/.gitignore b/.gitignore
@@ -2,3 +2,4 @@ vendor
 node_modules
 build
 .php-cs-fixer.cache
+/*.zip
diff --git a/build_release.sh b/build_release.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# Bundle the project into a zip file for a pre-release.
+# Mirrors what .github/workflows/publish_release.yml does, but locally.
+
+set -euo pipefail
+
+SLUG="sendy"
+
+composer install --no-dev --no-interaction --optimize-autoloader
+npm ci
+npm run build
+
+rm -f "$SLUG.zip"
+TMPDIR=$(mktemp -d)
+
+rsync -rc --exclude-from=".distignore" . "$TMPDIR/trunk/"
+
+ln -s "$TMPDIR/trunk" "$TMPDIR/$SLUG"
+cd "$TMPDIR"
+zip -r "$OLDPWD/$SLUG.zip" "$SLUG"
+cd "$OLDPWD"
+
+rm -rf "$TMPDIR"
+
+echo "Release package created: $SLUG.zip"
diff --git a/lib/Modules/Admin/Settings.php b/lib/Modules/Admin/Settings.php
@@ -249,11 +249,19 @@ public function render_default_shop_dropdown(): void
 
     public function logout_action(): void
     {
-        // phpcs:ignore WordPress.Security.NonceVerification.Recommended
         if (isset($_GET['sendy_logout'])) {
+            if (! current_user_can('manage_woocommerce')) {
+                wp_die(esc_html__('You do not have sufficient permissions to access this page.', 'sendy'), 403);
+            }
+
+            if (! wp_verify_nonce($_GET['_wpnonce'] ?? '', 'sendy_logout')) {
+                wp_die(esc_html__('Nonce verification failed.', 'sendy'), 401);
+            }
+
             update_option('sendy_access_token', null, false);
 
             wp_safe_redirect(admin_url('admin.php?page=sendy'));
+            exit;
         }
     }
 

diff --git a/lib/Modules/Orders/BulkActions.php b/lib/Modules/Orders/BulkActions.php
@@ -89,6 +89,10 @@ public function handle_bulk_action_print_labels(string $redirect, string $action
             return $redirect;
         }
 
+        if (! current_user_can('manage_woocommerce')) {
+            wp_die(esc_html__('You do not have sufficient permissions to access this page.', 'sendy'), 403);
+        }
+
         $shipmentIds = [];
 
         foreach ($objectIds as $objectId) {

diff --git a/lib/Modules/Orders/Single.php b/lib/Modules/Orders/Single.php
@@ -109,6 +109,10 @@ public function enqueue_assets(): void
     public function handle_create_shipment_from_form(): void
     {
         try {
+            if (! current_user_can('manage_woocommerce')) {
+                throw new \Exception(esc_html__('You do not have sufficient permissions to access this page.', 'sendy'));
+            }
+
             if (! isset($_REQUEST['nonce']) || ! check_ajax_referer('sendy_create_shipment', 'nonce')) {
                 throw new \Exception(esc_html__('Nonce verification failed', 'sendy'));
             }

diff --git a/lib/Plugin.php b/lib/Plugin.php
@@ -18,7 +18,7 @@
 
 class Plugin
 {
-    public const VERSION = '3.4.2';
+    public const VERSION = '3.4.3';
 
     public const SETTINGS_ID = 'sendy';
 

diff --git a/readme.txt b/readme.txt
@@ -2,8 +2,8 @@
 Plugin Name: Sendy
 Plugin URI: https://app.sendy.nl/
 Description: A WooCommerce plugin that connects your site to the Sendy platform
-Version: 3.4.2
-Stable tag: 3.4.2
+Version: 3.4.3
+Stable tag: 3.4.3
 License: MIT
 Author: Sendy
 Author URI: https://sendy.nl/
@@ -52,9 +52,12 @@ Hierop zijn onze [algemene voorwaarden](https://sendy.nl/algemene-voorwaarden/)
 
 == Changelog ==
 
+= 3.4.3 =
+* Fix CVE-2025-68564 - Protect the logout endpoint
+
 = 3.4.2 =
 * Improve error handling on order pages
-* Fix CVE-2025-68564 - Verify webhook requests using the signature
+* Verify webhook requests using the signature
 
 = 3.4.1 =
 * Fix an error handling issue when creating shipments

diff --git a/resources/views/admin/settings.php b/resources/views/admin/settings.php
@@ -34,7 +34,7 @@
         ?></p>
 
                     <p>
-                        <a class="button" href="<?php echo esc_url(admin_url('?sendy_logout')); ?>">
+                        <a class="button" href="<?php echo esc_url(wp_nonce_url(admin_url('?sendy_logout'), 'sendy_logout')); ?>">
                             <?php esc_html_e('Log out', 'sendy'); ?>
                         </a>
                     </p>

diff --git a/sendy.php b/sendy.php
@@ -4,7 +4,7 @@
  * Plugin Name: Sendy
  * Plugin URI: https://app.sendy.nl/
  * Description: A WooCommerce plugin that connects your site to the Sendy platform
- * Version: 3.4.2
+ * Version: 3.4.3
  * Author: Sendy
  * Author URI: https://sendy.nl/
  * License: MIT
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,3 +2,4 @@ vendor @@
     node_modules
     build
     .php-cs-fixer.cache
+    /*.zip