v1.1.0 — wp.org readiness + evidence-log hardening
WWU Withdrawal Button 1.1.0 — the wordpress.org-submission release: Plugin Check fixes + the full security-audit follow-up (evidence-log hardening).
Stable for the EU withdrawal-button mandate (in force since 19 June 2026), for WooCommerce, FluentCart & Easy Digital Downloads — free, GPLv3. No change to the withdrawal flow; existing logs keep verifying.
Evidence-log hardening (security-audit follow-up)
- Keyed hash chain — each row hash is HMAC-SHA256 keyed with the site secret (LogChain v2), so a DB-write attacker without the secret can't forge the chain. Per-row chain version; legacy rows still verify (schema 2→3, automatic migration).
- GDPR IP horizon — the hash commits to the anonymised IP; the full IP is kept in a separate column and erased after the retention window (with the customer e-mail).
- Timestamp verification + retry — RFC 3161 timestamping requires HTTPS and binds the token to the exact submitted digest + nonce; failed OpenTimestamps / initial stamps are retried automatically, and the admin surfaces any records not yet externally anchored.
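
The keyed hash chain and the GDPR IP horizon items above, shown together as an added example (not the plugin's code): a per-row versioned chain that still verifies after the full IP is erased and flags a row re-hashed without the secret. The row fields, the JSON canonical form, unkeyed SHA-256 for legacy rows, the `$lastLegacy` migration boundary and last-octet anonymisation are all assumptions.

```php
<?php
// Added illustration, not the plugin's code. Field names, the JSON canonical form,
// the unkeyed SHA-256 shape of version 1 and $lastLegacy are all assumptions.
const GENESIS = 'genesis';

function canonical(array $r, string $prev): string {
    // Only fields that outlive retention are hashed: ip_anon, never ip_full.
    return json_encode([$r['v'], $prev, $r['order_id'], $r['ts'], $r['ip_anon']]);
}

function row_hash(array $r, string $prev, string $secret): string {
    return $r['v'] >= 2
        ? hash_hmac('sha256', canonical($r, $prev), $secret) // keyed row
        : hash('sha256', canonical($r, $prev));              // legacy row (assumed form)
}

function append_row(array &$log, array $r, string $secret): void {
    $prev = $log ? $log[count($log) - 1]['hash'] : GENESIS;
    $r['hash'] = row_hash($r, $prev, $secret);
    $log[] = $r;
}

// Index of the first failing row, or -1 when the whole chain verifies.
// $lastLegacy pins where unkeyed rows may appear, so a forged row cannot
// simply declare itself version 1 to avoid the key.
function first_bad_row(array $log, string $secret, int $lastLegacy): int {
    $prev = GENESIS;
    foreach ($log as $i => $r) {
        if ($r['v'] < 2 && $i > $lastLegacy) return $i;
        if (!hash_equals(row_hash($r, $prev, $secret), $r['hash'])) return $i;
        $prev = $r['hash'];
    }
    return -1;
}

// Constructed sample data: one legacy row followed by two keyed rows.
$secret = 'constructed-site-secret';
$log = [];
foreach ([[1, 101, '203.0.113.57'], [2, 102, '198.51.100.23'], [2, 103, '192.0.2.200']] as [$v, $id, $ip]) {
    $anon = preg_replace('/\.\d+$/', '.0', $ip); // assumed anonymisation: zero last octet
    append_row($log, ['v' => $v, 'order_id' => $id, 'ts' => 1700000000 + $id, 'ip_anon' => $anon, 'ip_full' => $ip], $secret);
}
echo first_bad_row($log, $secret, 0), "\n";          // intact chain
foreach ($log as &$r) { $r['ip_full'] = null; } unset($r);
echo first_bad_row($log, $secret, 0), "\n";          // after retention erasure of ip_full
$log[2]['ts'] = 1;                                    // row edited without the secret
$log[2]['hash'] = hash('sha256', canonical($log[2], $log[1]['hash']));
echo first_bad_row($log, $secret, 0), "\n";          // index of the tampered row
```

Legacy rows are protected only by an unkeyed hash, so the boundary passed as `$lastLegacy` has to be recorded somewhere a database-write attacker cannot change.
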
wordpress.org readiness (1.0.1 + 1.1.0)
Plugin Check fixes (unused UI-kit asset excluded, composer.json shipped with the bundled library, Tested up to 7.0, translators-comment + direct-access-guard tidy-ups) + low-risk audit fixes (OpenTimestamps SSRF-guard parity, input wp_unslash, defensive returns).
Install
Download wwu-withdrawal-button.zip below → WordPress admin → Plugins → Add New → Upload Plugin.
This plugin is a technical aid to compliance and is not legal advice.