Skip to main content

Flavor Starter Theme - Changelog

[7.4.0] - 2026-06-23 — On-demand theme modules & safer AI image import

Added

  • Theme modules now install on demand. Activating your license no longer downloads all 36 modules up front — a fresh activation installs just the theme core, and you add each module you want with a single click from the Modules tab. Installed modules get an "Uninstall" action that removes the files but keeps your settings (re-installing restores them). Existing sites keep every module they already have.

Fixed

  • Hardened the AI stock-photo import. The import-to-Media-Library action now only downloads from the Unsplash and Pexels image services over HTTPS, and the Google Gemini API key is no longer placed in request URLs. No change to how you use the feature.

[7.3.2] - 2026-06-15 — Theme-only autonomy & smarter AI provider handling

Updated

  • The theme now runs fully standalone without the WP eCommerce Core plugin: storefront-only settings are clearly disabled with a single notice when the shop plugin isn't active, the page builder's Save as Template works on its own, and product URLs return a proper "not found" page on a content-only site.
  • AI content generation now automatically uses whichever provider key you've configured — with a clear pointer to Theme Options → AI if none is set.

Fixed

  • Restore points are now captured before component updates (enabling one-click rollback — see Flavor Core), and the Design System "Add Class" button icons are aligned.

[7.3.1] - 2026-06-08 — AI key security & admin reliability

Fixed

  • AI provider API keys are now encrypted at rest. The keys you enter for AI content/image providers (Gemini, OpenAI, Anthropic, Unsplash, Pexels) are now stored encrypted on the server — matching what the screen always promised. Existing keys upgrade automatically the next time you save.
  • Admin pages no longer break for non-administrator staff when "Minify JavaScript" is on. On managed sites a Shop Manager could see eCommerce admin tabs render empty; the front-end JavaScript optimizer no longer touches admin app bundles. (If you hit this before, you can safely re-enable "Minify JavaScript".)

[7.3.0] - 2026-06-01 — Flavor AI groundwork & smoother cart

Added

  • The theme now reports its AI content configuration to the new Flavor AI page in Flavor Core.

Fixed

  • The "Disable Application Passwords" security toggle (Optimize → Security & API) is now self-aware: when AI Access is active it shows as locked with an explanation instead of silently having no effect — and Application Passwords are no longer disabled unconditionally (they're required for AI-assistant connections).
  • Cleared a harmless but noisy repeated cart-sync log on the storefront.

[7.2.1] - 2026-05-22 — Patch: WP color-scheme checkbox safety net + theme-core sync hardening + flavor-builder defensive guard

Stable patch release promoted from v7.2.1-beta.1. Closes 5 small-surface findings discovered during smoke testing — most visible: the global admin checkbox visual safety net that fixes "invisible-fill" checkboxes on WP color schemes that don't expose the accent variable.

Updated

  • Tested up to WP 7.0. Header bump only — no code changes required against the 7.0 surface.

Fixed

  • Admin checkboxes now always show a visible fill — even on WP color schemes that don't expose the accent variable. WP 7.0's "Fresh" color scheme (and a couple of others) don't define --wp-admin-theme-color, which is what WP core's checkbox styling depends on. Result: every checked checkbox across Flavor admin pages rendered with no visible fill. Theme-global CSS now provides a fallback chain so the checkbox/radio always shows a colored fill — falling back to Flavor brand indigo on schemes that don't expose the variable, while respecting the user's chosen accent on schemes that do (Default, Coffee, Midnight, Ocean, etc.). Covers every admin page where .wrap is the outer wrapper — Flavor Options, all module settings pages, the WP eCommerce admin SPA, the Flavor Core Debug Viewer + License page, and even pure WP admin pages (Tools / Settings / etc.) as a bonus uniform brand treatment.

  • Theme Core component version display now reflects the actual deployed version after fat-bundle updates. Before this fix, the Flavor Core dashboard could show "Theme Core v1.0.4" right after you'd just updated to a theme version that bundled Theme Core v1.0.6 — the option holding the version got out of sync with the on-disk bytes. The theme now auto-resyncs the stored Theme Core version after every theme update, comparing against a FLAVOR_THEME_CORE_VERSION constant that gets auto-reconciled from the build pipeline.

  • "Check for Updates" button on the Flavor Core dashboard now properly checks the theme-core component too. Previously, the button silently skipped theme-core in the Hub round-trip (legacy guard from when theme-core had no independent version) — so even when a newer theme-core was available on the Hub, the operator would see "no updates available" and have no recovery path. Now every installed component, theme-core included, participates in the check.

  • Flavor Builder overview page no longer spams the debug log when ContactFormModule is disabled. A raw COUNT(*) query against the flavor_forms table (owned by the ContactFormModule) was crashing on every Flavor Builder admin page load when the module hadn't been enabled. Now guarded with a table-exists probe; defaults to 0 forms when absent.

Internal

  • Licensing surface — theme half now extends a shared base class living in Flavor Core. The theme's licensing gate is now a thin ~200 LOC subclass of Flavor_Core_License_Gate_Base (~53% reduction). Eliminates the parallel-implementation drift class between theme + plugin licensing surfaces. Public surface preserved exactly — every existing call site keeps working unchanged.

  • Theme — Flavor_Migrator static cache + flavor-starter/inc/licensing-core-adapter.php deletion. Reduces duplicate SHOW TABLES LIKE queries per request + removes a 250-LOC adapter file that was never loaded post the F77c migration.

Module Bumps

  • SMTP Mailer v1.0.1 → v1.0.4 — Defensive boolean coercion on the 5 checkbox-backed admin settings (belt-and-suspenders against WP's checked() helper quirk on non-canonical saved types) + cleanup of an earlier scope-local color-scheme override now superseded by the theme-global F238 safety net.

Promoted from the 7.2.0-beta cycle (May 8 → May 14) after a four-iteration validation pass. Three improvement areas land together — Header/Footer Builder feature completeness, cross-module breakpoint coordination, and Mega Menu architecture cleanup — plus reliability polish for the post-update module loading and theme integrity verification.

Added

  • Footer Builder feature completeness (3 long-standing gaps closed). Payment Icons block now has an admin-configurable list (12 supported methods including Visa, Mastercard, PayPal, Apple Pay, Google Pay, Stripe, Viva Wallet, IRIS) — previously the footer only showed 5 hardcoded icons regardless of what the operator had enabled. Social Media block now shares its network registry with the Header (was duplicated, drifted): both surfaces now show the same 11 networks (Facebook, Instagram, Twitter, LinkedIn, YouTube, TikTok, Pinterest, Threads, WhatsApp, Telegram, Viber). Newsletter block now has a working subscribe form (previously decorative-only) — supports any newsletter provider via configurable POST endpoint, with operator-side hooks for adding provider-specific fields (e.g. MailChimp merge tags). Empty endpoint = decorative fallback.

  • Mega-menu drawer affordance — chevron indicators on default-header sub-menus. Top-level navigation items with children now show a chevron ("▾") indicator on hover, and nested sub-menus show a right-chevron ("▸") signaling "opens to the side". CSS-only; uses currentColor so it inherits theming.

Fixed

  • Theme integrity verifier — install-date detection on fresh sites. New theme installs now always identify their activation date correctly. Older sites that previously ran the buggy detection code transparently fall back to the legacy timestamp — no admin action required. Eliminates a silent every-page-load grace-period reset.

  • No more "Module class does not exist" warning storm during updates. When the theme updates, you may have seen 20–40 diagnostic warnings appear in the Debug Viewer per page load. These were noise — the theme self-recovers within seconds. The detection now uses three tiers (WordPress transient + AJAX action + filesystem modification time) so the update window is reliably caught, and noise is suppressed when an update is in progress. Real "module missing" alarms still fire for genuine corruption.

  • Cross-module breakpoint coordination cleaner across viewports. Header-Footer-Builder and Mega-menu modules now agree on a single source-of-truth tablet breakpoint (the Design System token), instead of each emitting its own @media queries with !important overrides to fight cascade order. Visible improvement: cleaner mobile-vs-desktop transitions for the navigation drawer, no more "navigation looks slightly different at exactly 1024px width" edge cases.

  • Default header drawer now has a close (X) button. When the mega-menu module is inactive, the fallback mobile drawer was missing a close affordance — only the hamburger toggle could re-close it. Now both paths (mega-menu enabled and disabled) show a top-right close button.

  • Default header desktop sub-menus now render properly as dropdowns. Sub-menu items were rendering inline in the navigation bar instead of as a dropdown. Added proper dropdown styling: white background, soft shadow, rounded corners, subtle entrance animation, hover/focus reveal, nested sub-menus open to the right.

  • Mega-menu back-button styling fix at custom breakpoints. When admins customized the mobile breakpoint to non-default values (e.g. 1200px instead of 1024px), the drawer back button could render with default browser button styling at certain widths. Now styled consistently regardless of breakpoint config.

  • Footer Builder block settings panel now renders help text. Fields that define a help description (e.g. the Payment Icons CSV slug list) now display the help string below the input.

  • PayPal payment icon SVG fix — was rendering as "P PJ" due to malformed path data; now renders properly as "PayPal" in two-color blue.

  • Theme admin page assets now load reliably even on slug collisions. Hardcoded WordPress admin hook suffixes were replaced with runtime-captured values across 5 admin pages. Edge case fix: if another plugin already registered a conflicting slug, WordPress would append "-2" and our admin assets would silently fail to enqueue. Now environment-independent.

  • Mega-menu architecture cleanup. Drawer styling wins via selector specificity instead of stylesheet load order, so future CSS reorganization can't silently break it. Two defensive !important declarations removed (they guarded a hypothetical PHP renderer path that doesn't exist). Migration race window closed — concurrent first-page-load requests can no longer write conflicting settings.

  • Themable submenu colors. Mobile submenu background and text colors are now exposed as Design System CSS variables (--mobile-submenu-bg, --mobile-submenu-text) so designers can theme them without overriding stylesheets.


[7.1.0] - 2026-05-05 — Minor: Unified debug experience + Cart/Checkout regression fix

A focused minor release on the development/debugging tooling layer plus one regression fix that surfaced during the beta validation cycle. Both improvements are gated behind the FLAVOR_DEBUG constant — production sites without it are unaffected.

Added

  • Unified Debug Bar (single source). The Debug Bar is now a single React-based panel across the entire theme. The old PHP fallback bar (which occasionally rendered with mismatched styles when JavaScript was slow to mount) has been retired in favor of one consistent surface — cleaner UI, no chrome duplication, consistent behavior across all pages. Visible only when FLAVOR_DEBUG is enabled.
  • Logger writes now appear in the Debug Bar Errors tab live. Anything sent through the Flavor logger at warning level or higher (including WordPress internal-API misuse notices) now also surfaces in the per-request Errors tab during development — no more switching between log files and the bar to see what just fired. The full log history remains available at Flavor → Debug as before.

Fixed

  • Cart & Checkout regression caught during beta validation (with FLAVOR_DEBUG enabled). A latent bug in the cart panel data collector — four stale method names referring to an older cart API — became fatal when the React Debug Panel started invoking it directly on cart/checkout request paths in v7.1.0-beta.1. Cart and Checkout pages could blank-page during development. Fixed the data collector and added defensive error handling so any future similar issue downgrades to a silent panel error rather than a page crash. Production sites without FLAVOR_DEBUG were never affected.

[7.0.0] - 2026-05-04 — Major: Licensing consolidation + Design System refactor + Theme tab removal

Major release closing two architectural plans plus a key UX consolidation.

Breaking

  • Centralized licensing. Theme licensing is now fully managed by Flavor Core. The theme's internal license client + fingerprint files were retired — Flavor Core is the single source of truth. A one-shot migration runs automatically on first admin load: legacy theme license stores are copied into Flavor Core's encrypted store and the legacy files are removed. No customer action required — your active license stays active. Requires Flavor Core v2.4.0+.
  • Legacy "Theme" tab removed from Flavor Options. The 18 settings it owned (11 colors + 7 typography fields) are now exclusively managed by the Design System tab — which exposes a richer surface (per-heading h1–h6 weights instead of single, fluid clamp() text scales instead of static, 50+ Google Fonts catalog instead of 12). A one-shot migration carries customer-customized values across automatically — no manual re-entry required. Settings already customized on the Design System tab always win the conflict.

Added

  • Responsive Design System foundation (multi-phase refactor). Multi-phase responsive design system overhaul completed across the theme: 27 new chrome tokens (icon sizes, hit-targets, logo height clamps, row heights, fluid text scale, container widths, transitions, shadow elevations) using clamp() for fluid scaling. The previously-unused Mobile-First admin toggle in Design System is now operational. New opt-in component contract (.fds-el BEM family + .fds-row flex container family + .fds-text--* fluid text classes) for module authors.
  • Default header + default footer now use Design System tokens. All hardcoded spacing, transitions, and breakpoints replaced with flavor-ds-* tokens — your site's chrome now responds to Design System adjustments automatically.
  • Header-Footer-Builder migration. The custom header/footer builder now emits CSS custom properties for logo size, search width, and footer logo size — defeating specificity wars in mobile media queries. Net: cleaner mobile responsive behavior, no more !important clutter.
  • Mega Menu refactor + breakpoint coordination. Resolved the long-standing parallel-implementation drift between the theme's mobile breakpoint and the mega menu's mobile breakpoint. The mega menu now auto-syncs with the Design System Tablet Breakpoint by default, with an opt-in override checkbox for sites that need a different switch point. 94% reduction in !important usage on the affected surfaces (85 → 5 rules).
  • 5 modules tokenized. Advanced Wishlist, GDPR, Product Compare, Product FAQ, Gift Cards now consume Design System tokens for transitions and spacing.
  • Component delivery is channel-aware. Theme component downloads now declare your site's chosen update channel (Stable or Beta) on Hub calls. Pairs with the Flavor Core channel selector at Flavor → Settings.

Fixed

  • Faster theme option saves (~20-40ms per save) — every "Save" button on every Flavor Options tab is now half the database cost.
  • Mobile horizontal overflow fix at narrow viewports (≤470px). A long site title could push the header layout past the viewport edge, causing horizontal scroll. Closed via flex layout fixes plus a defensive overflow-x: clip baseline.
  • Add-to-cart button no longer wraps to 2 lines at viewports 410-440px. Tuned the button's minimum width so the flex layout wraps to its own row cleanly.
  • SEO module settings save completely repaired (was silently writing default values regardless of input — see SEO module v1.0.3).
  • Builder block render warnings on PHP 8+ eliminated (4 sibling render-side noise warnings closed).
  • Theme migrator admin-page hot path — heavy diagnostic query removed from every admin page load.
  • Data Sovereignty Analyzer correctly recognizes Flavor Core as a legitimate namespace (was flagging valid entries as suspicious).
  • Code Compliance Scanner no longer flags pre-bootstrap recovery primitives as violations (@bootstrap-primitive whitelist tag added).

[5.1.1] - 2026-04-28 — Patch: license auto-recovery + cleaner debug logs

A small but useful patch released alongside Plugin v9.1.1 and Flavor Core v2.2.1. Two related improvements that surfaced during real-world testing of the v5.1.0 security release:

Fixed

  • License recovery now self-heals. When the local license token and the Hub's record drift out of sync (for example, after a host migration or a config change), component downloads previously returned a 403 error and the only fix was to manually deactivate and reactivate the license, then force a component reinstall from the admin. Now the recovery happens transparently in a single round-trip on the first failure — no manual intervention required.
  • Debug log no longer floods during component install. During a theme upgrade with many active modules, the debug log could fill with hundreds of false "module class missing" notices that were not actual errors but timing artifacts from the install window. Two-layer fix eliminates the spam: the install window flag now stays alive through the whole component download phase, and a per-class hourly throttle keeps any residual notice from repeating more than once per hour. Requires Flavor Core v2.2.1+.

[5.1.0] - 2026-04-27 — Security hardening release

Significant security hardening across the storefront and admin surfaces. The Wishlist and Compare modules gain proper CSRF protection on every action, the licensing trust chain is reinforced (component verification fails closed when crypto isn't available, unsigned manifests now require an explicit dev-only constant), and the Flavor → Debug viewer becomes the single source of truth for debug settings (the legacy Debug tab in Theme Options has been retired). Module updates: Advanced Wishlist v2.1.2, Product Compare v1.0.1, Advanced Options v1.0.1.

Added

  • Centralized AJAX security gate. All AJAX-based module actions can now share a single CSRF protection layer. Future modules adopting it inherit the protection automatically.
  • Stronger license trust chain. Component installer now strictly validates the destination path against an allowlist and refuses unsigned packages outside dedicated developer environments. Requires Flavor Core v2.2+ and Hub v1.3+.

Updated

  • Advanced Wishlist v2.1.2 — security upgrade. All wishlist actions (add / remove / share / move / set default / etc.) now require a per-session security token. Cross-origin form-spamming attacks against logged-in customers are blocked. Action recommended: clear browser cache after update.
  • Product Compare v1.0.1 — security upgrade. Same per-session token requirement applied to all four compare actions (add, remove, get, clear). Anonymous and logged-in flows continue to work; only forged cross-origin requests are blocked.
  • Debug viewer is now the only debug surface. The previous "Debug" tab inside Theme Options has been removed — toggles, panel selection, system info, and diagnostics all live in Flavor → Debug. Bookmarked URLs still load gracefully (no fatal errors). The Diagnostic Tools (Data Sovereignty Analyzer, Code Compliance Scanner, WordPress Core Diagnostics) moved to Theme Options → Tools and are now hidden by default — set FLAVOR_ADMIN_TOOLS in wp-config.php to expose them on dev environments.

Fixed

  • Advanced Options v1.0.1 — security fix. Closed an unauthenticated file-upload endpoint that was registered but never used. Legitimate product-options file uploads continue to work via the standard cart flow with an extra layer of file-type validation (magic-byte check + dangerous-extension blocklist).
  • Debug Bar memory leak. A listener registered on every render of the Debug Bar wasn't being cleaned up — fixed.
  • Debug Bar hook timeline now captures custom hooks. Previously only 8 lifecycle hooks were tracked; you'll now see all module-specific hooks too (capped at 200 unique entries per request).
  • Quieter admin notices during Flavor Core updates. The brief window during which modules' class files are being replaced no longer triggers a flood of "module not found" warnings.

[5.0.1] - 2026-04-24 — Admin polish, responsive improvements & PHP 8.4 compatibility

Patch release focused on admin UI polish, mobile responsiveness, and a PHP 8.4 forward-compatibility fix. Also includes integration with the new Debug Viewer shipped in Flavor Core v2.1.0. Module updates: B2B / Wholesale (PHP 8.4 fix) and Mega Menu (admin cleanup).

Added

  • Debug Viewer integration. Theme log calls now flow into the new unified Flavor → Debug viewer introduced in Flavor Core v2.1.0 — browse, filter, and download logs from a single place. Requires Flavor Core v2.1+.

Fixed

  • Sidebar cart: Show Shipping Estimate toggle now works. When disabled, both the shipping row and the free-shipping progress bar are correctly hidden.
  • Mega Menu admin: 10 toggle switches are now visible again. They had become invisible after an earlier admin framework refactor; clicking the setting label now works as expected on Fullscreen Mode, Back Button, Close on Outside Click, Overlay, Close Button, and the four color fields.
  • Empty-state cards and modal dialogs now render correctly across the admin (B2B / Wholesale, Flash Sales, Gift Cards, Product Bundles, Product Labels, Promotions, Request-a-Quote, Stock Alerts) — they were previously appearing as plain unstyled text.
  • Top Bar / Info Bar (Theme Options → Core → Header / Footer): column content now correctly preserves HTML (anchor links, <strong>, images) on save and processes shortcodes on render (e.g. [flavor_icon name="phone"]). Checkbox toggles also correctly show/hide their dependent fields (heights, font-sizes, colors).
  • Default header mobile menu now opens as a full-screen drawer, matching the custom header behaviour and removing the duplicate close button on mobile.
  • Responsive header polish. Header / Footer Builder has unified mobile/tablet/desktop breakpoints (≤ 767 / 768–1023 / ≥ 1024px) with automatic mobile adjustments: fluid search bar, proportional logo sizing, wrapping button / phone / email text, reduced gaps. New ≤ 479px sub-tier for narrow phones (e.g. 375px iPhone portrait).
  • PHP 8.4 compatibility: fixed a deprecated implicit-nullable parameter in the B2B / Wholesale module — sites running PHP 8.4+ will no longer see the deprecation warning.

[5.0.0] - 2026-04-22 — Modern module system & full source-code protection

Major release combining two significant architectural changes. Modernised module system — a cleaner, more reliable way for modules to declare themselves and their versions, fixing long-standing cases where component updates didn't propagate to the admin UI. Full source-code encryption — every plugin file shipped through the theme is now ionCube-encoded (previously only licensing files were protected), including all theme components delivered through Flavor Hub.

Breaking

  • Full source-code encryption. Every theme PHP file is now ionCube-encoded in production builds, except the WordPress-required entry points (functions.php, index.php). Requires ionCube Loader 14+ on your server — already a requirement for the licensing system.
  • Legacy module-registration API removed. Third-party modules that used the old array-based registration will need to migrate to the new class-based API (see the Module Development Guide). All built-in modules were migrated automatically — no action needed for customers who only use shipped modules.
  • All Hub-delivered theme components are encrypted. The 36 theme components previously shipped as plain PHP are now encrypted like the rest of the theme.

Added

  • Modernised module base class. New AbstractModule foundation lets each module self-describe its ID, version, category, and metadata — eliminating the old hardcoded version list that could go out of sync.
  • Reliable component updates. When a component is updated through the Hub, the new version now correctly appears in the admin UI every time.
  • Module Development Guide (v2). Rewritten from scratch for the new module system — hello-world walkthrough, complete API reference, migration notes. See the developer documentation.

[4.5.3] - 2026-04-22 — Debug Logs integration

Patch release connecting the theme's logging to the new file-based debug logger shipped in Flavor Core v1.2.0. When Core is active, theme log entries are now collected in wp-content/flavor-logs/ for easier debugging.

Updated

  • Theme logs now flow into the Flavor Core debug logger when Core v1.2.0+ is active. Enable with define('FLAVOR_DEBUG', true); in wp-config.php.

[4.5.2] - 2026-04-21 — Source Cleanup & Cache Performance

Small patch release closing two findings discovered during debugging. Neither is user-visible but both were silent waste: junk directories polluting installs, and redundant DB queries from the theme cache for absent keys.

Fixed

  • Brace-literal junk directories removed from theme source tree — 19 empty directories with names like {assets,templates} across 15 modules (from initial project scaffolding, created by a cross-platform shell command that didn't expand braces properly). These empty dirs were packed into every build and replicated to every customer install. Zero functional impact but polluted file listings. Cleaned and added prevention in the build pipeline so this class of artefact can't recur.
  • Faster admin page loads — the theme's cache layer no longer re-queries the database for keys that are known to be absent within a single request. On fresh-install admin pages, this reduces duplicate queries by ~98%.

[4.5.1] - 2026-04-20 — Post-Update Stability: Rewrite Rule Race, Cache Invalidation & Wishlist Fix

Emergency patch release to fix a cascade of issues where the single product page (and other routes) broke after a Core-driven theme or plugin update. Root cause diagnosed as a non-deterministic rewrite-rule registration race between theme and plugin, combined with missing post-update cache/rewrite invalidation. Also fixes a long-standing fatal in the Advanced Wishlist module.

Fixed

  • Single product page broke after Core-driven plugin update — Duplicate rewrite rule registration race between theme + plugin for the same ^product/([^/]+)/?$ pattern, with non-deterministic winner after a plugin reactivation cycle. Fix: theme now registers rewrite rules on init with priority 20 so it always wins after plugin's priority 10, plus fallback that accepts the plugin's wpec_product query var defensively.
  • Advanced Wishlist dropdown fatal for logged-in users — Template called unimplemented isInAnyWishlist() method. Fix: implemented the method on AdvancedWishlistModule, joining wishlist_items × wishlists by user_id.
  • Theme caches + rewrite rules left stale after update — OpCache + custom cache tables + WP rewrite cache were not cleared post-update. Fix: theme bootstrap now picks up flavor_opcache_reset_needed + flavor_rewrite_flush_needed transients (set by Flavor Core's invalidate_caches_after_update()) and runs the corresponding resets on next request.

Full Version History

For the complete changelog including all previous versions, contact our support team.