Bump version to 0.3.9

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

CHANGELOG.md

@@ -7,6 +7,120 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.3.9] - 2026-01-24
+
+### Added
+
+- "Generate Licenses" button in order meta box for admin-created orders
+- "Generate Missing Licenses" button when some products in an order are missing licenses
+- AJAX handler `ajaxGenerateOrderLicenses()` for manual license generation from admin
+- Warning message when order domain is not set before generating licenses
+
+### Fixed
+
+- **Critical:** Licenses are now generated for orders created manually in admin area
+- Previously, licenses were only generated via checkout hooks, leaving admin-created orders without licenses
+
+### Technical Details
+
+- Added `wclp_generate_order_licenses` AJAX action to `OrderLicenseController`
+- Updated `order-licenses.js` with generate button handler and page reload on success
+- Added CSS styles for generate status messages
+- Updated translations (365 strings)
+
+## [0.3.8] - 2026-01-24
+
+### Fixed
+
+- Fixed duplicate German translation string causing `ArgumentCountError` in settings page
+- The notification settings description had duplicated text with two `%s` placeholders
+
+### Changed
+
+- Updated `magdev/wc-licensed-product-client` to latest version (64d215c)
+
+## [0.3.7] - 2026-01-24
+
+### Added
+
+- Download counter for licensed product versions (tracked per version)
+- Download Statistics admin dashboard widget showing total downloads, top products, and top versions
+- New `DownloadWidgetController` class for download statistics widget
+- New `incrementDownloadCount()`, `getTotalDownloadCount()`, and `getDownloadStatistics()` methods in `VersionManager`
+- New `download_count` column in product versions database table
+
+### Fixed
+
+- Dashboard widget "View All Licenses" link now uses correct page slug (`wc-licenses`)
+- Download links in customer account page no longer result in 404 errors (added query var registration)
+- Added `license-download` endpoint registration during plugin activation
+
+### Changed
+
+- Removed redundant "Status Breakdown" section from dashboard widget (info already shown in stat cards)
+- License Types section in dashboard widget now uses card style matching the stats row above
+- Improved dashboard widget visual consistency
+
+### Technical Details
+
+- Added `addDownloadQueryVar()` method to `DownloadController` for proper endpoint registration
+- Updated `Installer::activate()` to register `license-download` endpoint before flushing rewrite rules
+- Updated translations (356 strings)
+
+## [0.3.6] - 2026-01-23
+
+### Security
+
+- Added CSRF protection (nonce verification) to CSV export functionality
+- Fixed IP header spoofing vulnerability in rate limiting - now requires explicit trusted proxy configuration
+- Enabled explicit Twig autoescape for XSS protection
+- Fixed unescaped status values in CSS classes in Twig templates
+
+### Fixed
+
+- Fixed response signing to use recursive key sorting for client compatibility
+- ResponseSigner now recursively sorts nested array keys alphabetically as required by client implementation
+
+### Changed
+
+- Rate limiting now only trusts proxy headers when `WC_LICENSE_TRUSTED_PROXIES` constant is defined
+- Added Cloudflare IP range support via `WC_LICENSE_TRUSTED_PROXIES = 'CLOUDFLARE'` configuration
+- Improved IP detection with CIDR notation support for trusted proxy ranges
+
+### Technical Details
+
+- Added `recursiveKeySort()` method to `ResponseSigner` for proper response signing
+- Added `isTrustedProxy()`, `isCloudflareIp()`, and `ipMatchesCidr()` methods to `RestApiController`
+- Twig environment now explicitly sets `autoescape => 'html'`
+- Export CSV link now includes nonce via `wp_nonce_url()`
+- Added `export_csv_url()` Twig function for generating export URL with nonce
+
+## [0.3.5] - 2026-01-23
+
+### Added
+
+- Admin dashboard widget showing license statistics on WordPress dashboard
+- Automatic license expiration via daily wp-cron job
+- License expired email notification sent when license auto-expires
+- New `LicenseExpiredEmail` WooCommerce email class (configurable via WooCommerce > Settings > Emails)
+
+### Changed
+
+- Improved download list layout in customer account licenses page
+- Downloads now displayed in two-row format: file link on first row, metadata on second row
+- Better visual separation between download link and version/date/checksum information
+
+### Technical Details
+
+- New `DashboardWidgetController` class in `src/Admin/` for WordPress dashboard widget
+- Widget displays: total licenses, active, expiring soon, expired counts, status breakdown, license types
+- New `LicenseExpiredEmail` class in `src/Email/` for expired license notifications
+- Added `getExpiredActiveLicenses()` and `autoExpireLicense()` methods to `LicenseManager`
+- Daily cron now auto-expires licenses with past expiration date and sends notification emails
+- Updated `templates/frontend/licenses.html.twig` with new two-row structure
+- Added `.download-item`, `.download-row-file`, `.download-row-meta` CSS classes
+- Improved responsive behavior for download metadata
+
 ## [0.3.4] - 2026-01-23
 
 ### Added

CLAUDE.md

@@ -36,6 +36,14 @@ This project is proudly **"vibe-coded"** using Claude.AI - the entire codebase w
 
 No known bugs at the moment.
 
+### Version 0.3.9
+
+No changes at the moment.
+
+### Version 0.4.0
+
+No changes at the moment.
+
 ## Technical Stack
 
 - **Language:** PHP 8.3.x
@@ -932,3 +940,188 @@ Added current version display on single product pages for licensed products.
 - Only displays for licensed product type
 - Only displays if product has at least one version defined
 - Uses `LicensedProduct::get_current_version()` which queries `VersionManager::getLatestVersion()`
+
+### 2026-01-23 - Version 0.3.5 - Dashboard Widget & Auto-Expire
+
+**Overview:**
+
+Added admin dashboard widget for license statistics and automatic license expiration via daily cron job.
+
+**Implemented:**
+
+- Admin dashboard widget showing license statistics (total, active, expiring soon, expired)
+- Status breakdown display with color-coded badges
+- License type breakdown (time-limited vs lifetime)
+- Daily wp-cron job to auto-expire licenses past their expiration date
+- License expired email notification sent when license auto-expires
+- Downloads in customer account now displayed in two-row format
+
+**New files:**
+
+- `src/Admin/DashboardWidgetController.php` - WordPress dashboard widget controller
+- `src/Email/LicenseExpiredEmail.php` - WooCommerce email for expired license notifications
+
+**Modified files:**
+
+- `src/Plugin.php` - Added DashboardWidgetController instantiation
+- `src/License/LicenseManager.php` - Added `getExpiredActiveLicenses()` and `autoExpireLicense()` methods
+- `src/Email/LicenseEmailController.php` - Added auto-expire logic and LicenseExpiredEmail registration
+- `templates/frontend/licenses.html.twig` - Restructured download list with two-row layout
+- `assets/css/frontend.css` - Added dashboard widget and download list styles
+
+**Technical notes:**
+
+- Dashboard widget uses `wp_add_dashboard_widget()` hook, requires `manage_woocommerce` capability
+- Widget displays statistics from existing `LicenseManager::getStatistics()` method
+- Auto-expire runs during daily `wclp_check_expiring_licenses` cron event
+- `getExpiredActiveLicenses()` finds licenses with past expiration date but still active status
+- `autoExpireLicense()` updates status to expired and returns true if changed
+- LicenseExpiredEmail follows same pattern as LicenseExpirationEmail (warning vs expired)
+- Expired notification tracked via user meta to prevent duplicate emails
+
+### 2026-01-23 - Version 0.3.6 - Security Hardening
+
+**Overview:**
+
+Security audit and implementation alignment with client/server documentation. Fixed response signing compatibility, rate limiting security, and XSS prevention.
+
+**Security Fixes:**
+
+- Added CSRF protection (nonce verification) to CSV export functionality
+- Fixed IP header spoofing vulnerability in rate limiting - now requires explicit trusted proxy configuration
+- Enabled explicit Twig autoescape (`'html'`) for XSS protection
+- Fixed unescaped status values in CSS class names in Twig templates
+
+**Implementation Fixes:**
+
+- Fixed response signing to use recursive key sorting for client library compatibility
+- ResponseSigner now recursively sorts nested array keys alphabetically as required by `magdev/wc-licensed-product-client`
+
+**Modified files:**
+
+- `src/Api/ResponseSigner.php` - Added `recursiveKeySort()` method for proper signature generation
+- `src/Api/RestApiController.php` - Added trusted proxy support with `isTrustedProxy()`, `isCloudflareIp()`, `ipMatchesCidr()` methods
+- `src/Plugin.php` - Added explicit `autoescape => 'html'` to Twig environment
+- `src/Admin/AdminController.php` - Added nonce verification to `handleCsvExport()`, added `export_csv_url()` Twig function
+- `templates/frontend/licenses.html.twig` - Added `esc_attr()` for CSS class status
+- `templates/admin/licenses.html.twig` - Added `esc_attr()` for CSS class status, updated export link to use `export_csv_url()`
+
+**Configuration:**
+
+To enable trusted proxy support for rate limiting, add to `wp-config.php`:
+
+```php
+// For Cloudflare
+define('WC_LICENSE_TRUSTED_PROXIES', 'CLOUDFLARE');
+
+// Or for specific IPs/CIDR ranges
+define('WC_LICENSE_TRUSTED_PROXIES', '10.0.0.1,192.168.1.0/24');
+```
+
+**Technical notes:**
+
+- Rate limiting now only trusts proxy headers (`HTTP_CF_CONNECTING_IP`, `HTTP_X_FORWARDED_FOR`, `HTTP_X_REAL_IP`) when `WC_LICENSE_TRUSTED_PROXIES` constant is defined
+- Without trusted proxy configuration, rate limiting uses `REMOTE_ADDR` only (prevents IP spoofing)
+- Cloudflare IP ranges are hardcoded for convenience (as of 2024)
+- CIDR notation supported for custom proxy ranges
+- Recursive key sorting ensures signature compatibility with SecureLicenseClient
+- References: <https://src.bundespruefstelle.ch/magdev/wc-licensed-product-client/raw/branch/main/docs/server-implementation.md>
+
+**Release v0.3.6:**
+
+- Created release package: `releases/wc-licensed-product-0.3.6.zip` (818 KB)
+- SHA256: `b0063f0312759f090e12faba83de730baf4114139d763e46fad2b781d4b38270`
+- Tagged as `v0.3.6` and pushed to `main` branch
+
+### 2026-01-24 - Version 0.3.7 - Dashboard Improvements & Download Counter
+
+**Overview:**
+
+Fixed dashboard widget bugs, improved UI consistency, and added download tracking functionality with a new statistics widget.
+
+**Bug Fixes:**
+
+- Fixed: Dashboard widget "View All Licenses" link used wrong page slug (`wc-licensed-product-licenses` instead of `wc-licenses`)
+- Fixed: Download links in customer account resulted in 404 errors due to missing query var registration
+- Added `license-download` endpoint registration during plugin activation in `Installer::activate()`
+- Added `addDownloadQueryVar()` method to `DownloadController` for proper WordPress endpoint recognition
+
+**UI Improvements:**
+
+- Removed redundant "Status Breakdown" section from license statistics widget (info already shown in stat cards above)
+- Changed License Types section to use card-style layout matching the stats row above
+- Cleaned up unused CSS for status badges
+
+**New Features:**
+
+- Download counter for licensed product versions (tracked per version in database)
+- New Download Statistics admin dashboard widget showing:
+  - Total downloads count
+  - Top 5 products by downloads
+  - Top 5 versions by downloads
+
+**New files:**
+
+- `src/Admin/DownloadWidgetController.php` - Dashboard widget for download statistics
+
+**New methods in VersionManager:**
+
+- `incrementDownloadCount()` - Atomically increment download count for a version
+- `getTotalDownloadCount()` - Get total downloads across all versions
+- `getDownloadStatistics()` - Get download stats grouped by product and version
+
+**Modified files:**
+
+- `src/Installer.php` - Added `download_count` column to versions table, added `license-download` endpoint registration
+- `src/Product/ProductVersion.php` - Added `downloadCount` property and `getDownloadCount()` method
+- `src/Product/VersionManager.php` - Added download counting methods
+- `src/Frontend/DownloadController.php` - Added query var registration, increment download count on file serve
+- `src/Admin/DashboardWidgetController.php` - Fixed URL, removed Status Breakdown, changed License Types to cards
+- `src/Plugin.php` - Added DownloadWidgetController instantiation
+
+**Technical notes:**
+
+- Download count is incremented atomically using SQL `download_count = download_count + 1`
+- Statistics queries use SQL aggregation with product name enrichment via `wc_get_product()`
+- WordPress endpoints require both `add_rewrite_endpoint()` AND `query_vars` filter registration
+- Existing installations need to flush rewrite rules (Settings > Permalinks > Save) or reactivate plugin
+
+**Release v0.3.7:**
+
+- Created release package: `releases/wc-licensed-product-0.3.7.zip` (827 KB)
+- SHA256: `e93b2ab06f6d43c2179167090e07eda5db6809df6e391baece4ceba321cf33f6`
+- Tagged as `v0.3.7` and pushed to `main` branch
+
+### 2026-01-24 - Version 0.3.8 - Translation Bug Fix
+
+**Overview:**
+
+Fixed a critical translation bug that caused the settings page to crash with an `ArgumentCountError`.
+
+**Bug Fix:**
+
+- Fixed: Duplicate German translation string in `wc-licensed-product-de_CH.po` causing `ArgumentCountError` in settings page
+- Root cause: The notification settings description was duplicated in the translation, resulting in two `%s` placeholders when only one argument was passed to `sprintf()`
+- Location: [wc-licensed-product-de_CH.po:322-328](languages/wc-licensed-product-de_CH.po#L322-L328)
+
+**Modified files:**
+
+- `languages/wc-licensed-product-de_CH.po` - Removed duplicated translation string
+- `languages/wc-licensed-product-de_CH.mo` - Recompiled binary translation
+
+**Technical notes:**
+
+- Error was logged to `tmp/fatal-errors-2026-01-24.log`
+- The German `msgstr` contained the same text twice, each with a `%s` placeholder
+- `sprintf()` at `SettingsController.php:221` only provided one argument for the single `%s` in the English source
+- Translation strings with `%s` placeholders must have exactly matching placeholder counts between source and translation
+
+**Dependency Updates:**
+
+- Updated `magdev/wc-licensed-product-client` from `9f513a8` to `64d215c`
+
+**Release v0.3.8:**
+
+- Created release package: `releases/wc-licensed-product-0.3.8.zip` (829 KB)
+- SHA256: `50ad6966c5ab8db2257572084d2d8a820448df62615678e1576696f2c0cb383d`
+- Tagged as `v0.3.8` and pushed to `main` branch

README.md

@@ -14,10 +14,13 @@ WC Licensed Product adds a new product type "Licensed Product" to WooCommerce, e
 - **Automatic License Generation**: License keys generated on order completion (format: XXXX-XXXX-XXXX-XXXX)
 - **Domain Binding**: Licenses are bound to customer-specified domains
 - **REST API**: Public endpoints for license validation and management
+- **Response Signing**: Optional HMAC-SHA256 cryptographic signatures for API responses
 - **Version Binding**: Optional binding to major software versions
 - **Expiration Support**: Set license validity periods or lifetime licenses
 - **Rate Limiting**: API endpoints protected with rate limiting (30 requests/minute)
+- **Trusted Proxy Support**: Configurable trusted proxies for accurate rate limiting behind CDNs
 - **Checkout Blocks**: Full support for WooCommerce Checkout Blocks (default since WC 8.3+)
+- **Self-Licensing**: The plugin can validate its own license (for commercial distribution)
 
 ### Customer Features
 
@@ -30,6 +33,7 @@ WC Licensed Product adds a new product type "Licensed Product" to WooCommerce, e
 
 - **License Management**: Full CRUD interface for license management
 - **License Dashboard**: Statistics and analytics (WooCommerce > Reports > Licenses)
+- **Dashboard Widget**: License statistics on WordPress admin dashboard
 - **Search & Filtering**: Search by license key, domain, status, or product
 - **Live Search**: AJAX-powered instant search results
 - **Inline Editing**: Edit license status, expiry, and domain directly in the list
@@ -38,7 +42,10 @@ WC Licensed Product adds a new product type "Licensed Product" to WooCommerce, e
 - **CSV Export/Import**: Export and import licenses via CSV
 - **Order Integration**: View and manage licenses directly from order pages
 - **Expiration Warnings**: Automatic email notifications before license expiration
+- **Auto-Expire**: Daily cron job automatically expires licenses past their expiration date
+- **License Testing**: Test licenses against the API directly from admin interface
 - **Version Management**: Manage multiple versions per product with file attachments
+- **SHA256 Checksums**: File integrity verification with SHA256 hash display
 - **Global Settings**: Default license settings via WooCommerce settings tab
 - **WooCommerce HPOS**: Compatible with High-Performance Order Storage
 
@@ -103,6 +110,40 @@ When a customer purchases a licensed product, they must enter the domain where t
 3. Upload a CSV file (supports exported format or simplified format)
 4. Choose options: skip header row, update existing licenses
 
+## Security
+
+The plugin implements several security best practices:
+
+- **Input Sanitization**: All user inputs are sanitized using WordPress functions
+- **Output Escaping**: All output is escaped to prevent XSS attacks
+- **CSRF Protection**: Nonce verification on all forms and AJAX requests
+- **SQL Injection Prevention**: All database queries use prepared statements
+- **Capability Checks**: Admin functions require `manage_woocommerce` capability
+- **Secure Downloads**: File downloads use hash-verified URLs with user authentication
+- **Response Signing**: Optional HMAC-SHA256 signatures for API tamper protection
+
+### Trusted Proxy Configuration
+
+If your server is behind a load balancer, reverse proxy, or CDN (like Cloudflare), you need to configure trusted proxies for accurate rate limiting. Without this, the rate limiter uses the direct connection IP which may be your proxy's IP.
+
+**Configuration (wp-config.php):**
+
+```php
+// For Cloudflare (includes all Cloudflare IP ranges)
+define('WC_LICENSE_TRUSTED_PROXIES', 'CLOUDFLARE');
+
+// For specific proxy IPs
+define('WC_LICENSE_TRUSTED_PROXIES', '10.0.0.1,10.0.0.2');
+
+// For CIDR ranges
+define('WC_LICENSE_TRUSTED_PROXIES', '10.0.0.0/8,192.168.1.0/24');
+
+// Combine multiple methods
+define('WC_LICENSE_TRUSTED_PROXIES', 'CLOUDFLARE,10.0.0.1');
+```
+
+**Note**: Only configure trusted proxies if you actually use them. Without this configuration, rate limiting is more secure against IP spoofing attacks.
+
 ## REST API
 
 Full API documentation available in `openapi.json` (OpenAPI 3.1 specification).
@@ -117,6 +158,12 @@ When the server is configured with a shared secret, all API responses include cr
 define('WC_LICENSE_SERVER_SECRET', 'your-secure-random-string-min-32-chars');
 ```
 
+Generate a secure secret using:
+
+```bash
+openssl rand -hex 32
+```
+
 **Response Headers:**
 
 | Header | Description |
@@ -256,11 +303,12 @@ Content-Type: application/json
 
 ## Email Notifications
 
-The plugin sends automatic email notifications:
+The plugin sends automatic email notifications (configurable via WooCommerce > Settings > Emails):
 
 - **Order Completion**: License keys included in order confirmation emails
 - **Expiration Warning (7 days)**: Reminder sent 7 days before expiration
 - **Expiration Warning (1 day)**: Urgent reminder sent 1 day before expiration
+- **License Expired**: Notification when a license auto-expires
 
 ## Changelog
 

assets/css/frontend.css

@@ -202,18 +202,30 @@
     padding: 0;
 }
 
-.download-list li {
+.download-list li.download-item {
     display: flex;
-    align-items: center;
+    flex-direction: column;
-    gap: 1em;
+    gap: 0.35em;
-    padding: 0.5em 0;
+    padding: 0.75em 0;
     border-bottom: 1px solid #eee;
 }
 
-.download-list li:last-child {
+.download-list li.download-item:last-child {
     border-bottom: none;
 }
 
+.download-row-file {
+    display: flex;
+    align-items: center;
+}
+
+.download-row-meta {
+    display: flex;
+    align-items: center;
+    gap: 1em;
+    padding-left: 1.5em;
+}
+
 .download-link {
     display: inline-flex;
     align-items: center;
@@ -244,7 +256,6 @@
 .download-date {
     color: #999;
     font-size: 0.85em;
-    margin-left: auto;
 }
 
 .download-hash {
@@ -338,15 +349,11 @@
         gap: 0.5em;
     }
 
-    .download-list li {
+    .download-row-meta {
+        padding-left: 0;
         flex-wrap: wrap;
     }
 
-    .download-date {
-        margin-left: 0;
-        width: 100%;
-    }
-
     .woocommerce-licenses-table,
     .woocommerce-licenses-table thead,
     .woocommerce-licenses-table tbody,

assets/js/order-licenses.js

@@ -16,6 +16,9 @@
             // Order domain save
             $('#wclp-save-order-domain').on('click', this.saveOrderDomain.bind(this));
 
+            // Generate licenses button
+            $(document).on('click', '#wclp-generate-licenses', this.generateLicenses.bind(this));
+
             // License domain edit/save/cancel
             $(document).on('click', '.wclp-edit-domain-btn', this.startEditDomain);
             $(document).on('click', '.wclp-save-domain-btn', this.saveLicenseDomain.bind(this));
@@ -135,6 +138,54 @@
             $editBtn.show();
         },
 
+        /**
+         * Generate licenses for order
+         */
+        generateLicenses: function(e) {
+            e.preventDefault();
+
+            var $btn = $(e.currentTarget);
+            var $spinner = $btn.siblings('.spinner');
+            var $status = $btn.siblings('.wclp-generate-status');
+
+            var orderId = $btn.data('order-id');
+
+            $btn.prop('disabled', true);
+            $spinner.addClass('is-active');
+            $status.text('').removeClass('success error');
+
+            $.ajax({
+                url: wclpOrderLicenses.ajaxUrl,
+                type: 'POST',
+                data: {
+                    action: 'wclp_generate_order_licenses',
+                    nonce: wclpOrderLicenses.nonce,
+                    order_id: orderId
+                },
+                success: function(response) {
+                    if (response.success) {
+                        $status.text(response.data.message).addClass('success');
+                        if (response.data.reload) {
+                            // Reload the page after a short delay to show the new licenses
+                            setTimeout(function() {
+                                window.location.reload();
+                            }, 1500);
+                        }
+                    } else {
+                        $status.text(response.data.message || wclpOrderLicenses.strings.error).addClass('error');
+                        $btn.prop('disabled', false);
+                    }
+                },
+                error: function() {
+                    $status.text(wclpOrderLicenses.strings.error).addClass('error');
+                    $btn.prop('disabled', false);
+                },
+                complete: function() {
+                    $spinner.removeClass('is-active');
+                }
+            });
+        },
+
         /**
          * Save license domain
          */

composer.lock

@@ -12,7 +12,7 @@
             "source": {
                 "type": "git",
                 "url": "https://src.bundespruefstelle.ch/magdev/wc-licensed-product-client.git",
-                "reference": "a3a957914fd6ef74cb479e213d1d3bc0606f496b"
+                "reference": "64d215cb265a64ff318cfbb954dd128b0076dc1d"
             },
             "require": {
                 "php": "^8.3",
@@ -52,7 +52,7 @@
                 "issues": "https://src.bundespruefstelle.ch/magdev/wc-licensed-product-client/issues",
                 "source": "https://src.bundespruefstelle.ch/magdev/wc-licensed-product-client"
             },
-            "time": "2026-01-22T20:05:48+00:00"
+            "time": "2026-01-24T13:32:11+00:00"
         },
         {
             "name": "psr/cache",
@@ -894,16 +894,16 @@
         },
         {
             "name": "twig/twig",
-            "version": "v3.22.2",
+            "version": "v3.23.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/twigphp/Twig.git",
-                "reference": "946ddeafa3c9f4ce279d1f34051af041db0e16f2"
+                "reference": "a64dc5d2cc7d6cafb9347f6cd802d0d06d0351c9"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/twigphp/Twig/zipball/946ddeafa3c9f4ce279d1f34051af041db0e16f2",
+                "url": "https://api.github.com/repos/twigphp/Twig/zipball/a64dc5d2cc7d6cafb9347f6cd802d0d06d0351c9",
-                "reference": "946ddeafa3c9f4ce279d1f34051af041db0e16f2",
+                "reference": "a64dc5d2cc7d6cafb9347f6cd802d0d06d0351c9",
                 "shasum": ""
             },
             "require": {
@@ -957,7 +957,7 @@
             ],
             "support": {
                 "issues": "https://github.com/twigphp/Twig/issues",
-                "source": "https://github.com/twigphp/Twig/tree/v3.22.2"
+                "source": "https://github.com/twigphp/Twig/tree/v3.23.0"
             },
             "funding": [
                 {
@@ -969,7 +969,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-12-14T11:28:47+00:00"
+            "time": "2026-01-23T21:00:41+00:00"
         }
     ],
     "packages-dev": [],

releases/wc-licensed-product-0.3.4.sha256

@@ -0,0 +1 @@
+36a81c00eb03adf5dfa633891664d44b7e5225bf1ee594904f8acc9adec6bb47  releases/wc-licensed-product-0.3.4.zip

releases/wc-licensed-product-0.3.7.zip.sha256

@@ -0,0 +1 @@
+e93b2ab06f6d43c2179167090e07eda5db6809df6e391baece4ceba321cf33f6  wc-licensed-product-0.3.7.zip

src/Admin/AdminController.php

@@ -572,6 +572,11 @@ final class AdminController
      */
     private function handleCsvExport(): void
     {
+        // Verify nonce for CSRF protection
+        if (!wp_verify_nonce($_GET['_wpnonce'] ?? '', 'export_licenses_csv')) {
+            wp_die(__('Security check failed.', 'wc-licensed-product'));
+        }
+
         if (!current_user_can('manage_woocommerce')) {
             wp_die(__('You do not have permission to export licenses.', 'wc-licensed-product'));
         }
@@ -954,7 +959,7 @@ final class AdminController
                             <span class="dashicons dashicons-admin-network"></span>
                             <?php esc_html_e('Manage Licenses', 'wc-licensed-product'); ?>
                         </a>
-                        <a href="<?php echo esc_url(admin_url('admin.php?page=wc-licenses&action=export_csv')); ?>" class="button">
+                        <a href="<?php echo esc_url(wp_nonce_url(admin_url('admin.php?page=wc-licenses&action=export_csv'), 'export_licenses_csv')); ?>" class="button">
                             <span class="dashicons dashicons-download"></span>
                             <?php esc_html_e('Export to CSV', 'wc-licensed-product'); ?>
                         </a>
@@ -1048,6 +1053,12 @@ final class AdminController
         $this->twig->addFunction(new \Twig\TwigFunction('transfer_nonce', function (): string {
             return wp_create_nonce('transfer_license');
         }));
+        $this->twig->addFunction(new \Twig\TwigFunction('export_csv_url', function (): string {
+            return wp_nonce_url(
+                admin_url('admin.php?page=wc-licenses&action=export_csv'),
+                'export_licenses_csv'
+            );
+        }));
 
         try {
             echo $this->twig->render('admin/licenses.html.twig', [
@@ -1187,7 +1198,7 @@ final class AdminController
         ?>
         <div class="wrap">
             <h1 class="wp-heading-inline"><?php esc_html_e('Licenses', 'wc-licensed-product'); ?></h1>
-            <a href="<?php echo esc_url(admin_url('admin.php?page=wc-licenses&action=export_csv')); ?>" class="page-title-action">
+            <a href="<?php echo esc_url(wp_nonce_url(admin_url('admin.php?page=wc-licenses&action=export_csv'), 'export_licenses_csv')); ?>" class="page-title-action">
                 <span class="dashicons dashicons-download" style="vertical-align: middle;"></span>
                 <?php esc_html_e('Export CSV', 'wc-licensed-product'); ?>
             </a>

src/Admin/DashboardWidgetController.php

@@ -0,0 +1,147 @@
+<?php
+/**
+ * Dashboard Widget Controller
+ *
+ * @package Jeremias\WcLicensedProduct\Admin
+ */
+
+declare(strict_types=1);
+
+namespace Jeremias\WcLicensedProduct\Admin;
+
+use Jeremias\WcLicensedProduct\License\License;
+use Jeremias\WcLicensedProduct\License\LicenseManager;
+
+/**
+ * Handles the WordPress admin dashboard widget for license statistics
+ */
+final class DashboardWidgetController
+{
+    private LicenseManager $licenseManager;
+
+    public function __construct(LicenseManager $licenseManager)
+    {
+        $this->licenseManager = $licenseManager;
+        $this->registerHooks();
+    }
+
+    /**
+     * Register WordPress hooks
+     */
+    private function registerHooks(): void
+    {
+        add_action('wp_dashboard_setup', [$this, 'registerDashboardWidget']);
+    }
+
+    /**
+     * Register the dashboard widget
+     */
+    public function registerDashboardWidget(): void
+    {
+        if (!current_user_can('manage_woocommerce')) {
+            return;
+        }
+
+        wp_add_dashboard_widget(
+            'wclp_license_statistics',
+            __('License Statistics', 'wc-licensed-product'),
+            [$this, 'renderWidget']
+        );
+    }
+
+    /**
+     * Render the dashboard widget content
+     */
+    public function renderWidget(): void
+    {
+        $stats = $this->licenseManager->getStatistics();
+        $licensesUrl = admin_url('admin.php?page=wc-licenses');
+        ?>
+        <style>
+            .wclp-widget-stats {
+                display: grid;
+                grid-template-columns: repeat(2, 1fr);
+                gap: 12px;
+                margin-bottom: 16px;
+            }
+            .wclp-stat-card {
+                background: #f8f9fa;
+                border: 1px solid #e2e4e7;
+                border-radius: 4px;
+                padding: 12px;
+                text-align: center;
+            }
+            .wclp-stat-card.highlight {
+                border-left: 3px solid #7f54b3;
+            }
+            .wclp-stat-card.warning {
+                border-left: 3px solid #f0b849;
+            }
+            .wclp-stat-card.danger {
+                border-left: 3px solid #dc3232;
+            }
+            .wclp-stat-card.success {
+                border-left: 3px solid #46b450;
+            }
+            .wclp-stat-number {
+                font-size: 28px;
+                font-weight: 600;
+                color: #1d2327;
+                line-height: 1.2;
+            }
+            .wclp-stat-label {
+                font-size: 12px;
+                color: #646970;
+                text-transform: uppercase;
+                letter-spacing: 0.5px;
+                margin-top: 4px;
+            }
+            .wclp-widget-footer {
+                margin-top: 16px;
+                padding-top: 12px;
+                border-top: 1px solid #e2e4e7;
+                text-align: center;
+            }
+            .wclp-widget-footer a {
+                text-decoration: none;
+            }
+        </style>
+
+        <div class="wclp-widget-stats">
+            <div class="wclp-stat-card highlight">
+                <div class="wclp-stat-number"><?php echo esc_html(number_format_i18n($stats['total'])); ?></div>
+                <div class="wclp-stat-label"><?php esc_html_e('Total Licenses', 'wc-licensed-product'); ?></div>
+            </div>
+            <div class="wclp-stat-card success">
+                <div class="wclp-stat-number"><?php echo esc_html(number_format_i18n($stats['by_status'][License::STATUS_ACTIVE])); ?></div>
+                <div class="wclp-stat-label"><?php esc_html_e('Active', 'wc-licensed-product'); ?></div>
+            </div>
+            <div class="wclp-stat-card warning">
+                <div class="wclp-stat-number"><?php echo esc_html(number_format_i18n($stats['expiring_soon'])); ?></div>
+                <div class="wclp-stat-label"><?php esc_html_e('Expiring Soon', 'wc-licensed-product'); ?></div>
+            </div>
+            <div class="wclp-stat-card danger">
+                <div class="wclp-stat-number"><?php echo esc_html(number_format_i18n($stats['by_status'][License::STATUS_EXPIRED])); ?></div>
+                <div class="wclp-stat-label"><?php esc_html_e('Expired', 'wc-licensed-product'); ?></div>
+            </div>
+        </div>
+
+        <div class="wclp-widget-stats">
+            <div class="wclp-stat-card">
+                <div class="wclp-stat-number"><?php echo esc_html(number_format_i18n($stats['expiring'])); ?></div>
+                <div class="wclp-stat-label"><?php esc_html_e('Time-limited', 'wc-licensed-product'); ?></div>
+            </div>
+            <div class="wclp-stat-card">
+                <div class="wclp-stat-number"><?php echo esc_html(number_format_i18n($stats['lifetime'])); ?></div>
+                <div class="wclp-stat-label"><?php esc_html_e('Lifetime', 'wc-licensed-product'); ?></div>
+            </div>
+        </div>
+
+        <div class="wclp-widget-footer">
+            <a href="<?php echo esc_url($licensesUrl); ?>" class="button button-secondary">
+                <?php esc_html_e('View All Licenses', 'wc-licensed-product'); ?>
+            </a>
+        </div>
+        <?php
+    }
+}

src/Admin/DownloadWidgetController.php

@@ -0,0 +1,184 @@
+<?php
+/**
+ * Download Statistics Widget Controller
+ *
+ * @package Jeremias\WcLicensedProduct\Admin
+ */
+
+declare(strict_types=1);
+
+namespace Jeremias\WcLicensedProduct\Admin;
+
+use Jeremias\WcLicensedProduct\Product\VersionManager;
+
+/**
+ * Handles the WordPress admin dashboard widget for download statistics
+ */
+final class DownloadWidgetController
+{
+    private VersionManager $versionManager;
+
+    public function __construct(VersionManager $versionManager)
+    {
+        $this->versionManager = $versionManager;
+        $this->registerHooks();
+    }
+
+    /**
+     * Register WordPress hooks
+     */
+    private function registerHooks(): void
+    {
+        add_action('wp_dashboard_setup', [$this, 'registerDashboardWidget']);
+    }
+
+    /**
+     * Register the dashboard widget
+     */
+    public function registerDashboardWidget(): void
+    {
+        if (!current_user_can('manage_woocommerce')) {
+            return;
+        }
+
+        wp_add_dashboard_widget(
+            'wclp_download_statistics',
+            __('Download Statistics', 'wc-licensed-product'),
+            [$this, 'renderWidget']
+        );
+    }
+
+    /**
+     * Render the dashboard widget content
+     */
+    public function renderWidget(): void
+    {
+        $stats = $this->versionManager->getDownloadStatistics();
+        ?>
+        <style>
+            .wclp-download-widget-stats {
+                display: grid;
+                grid-template-columns: 1fr;
+                gap: 12px;
+                margin-bottom: 16px;
+            }
+            .wclp-download-stat-card {
+                background: #f8f9fa;
+                border: 1px solid #e2e4e7;
+                border-radius: 4px;
+                padding: 12px;
+                text-align: center;
+                border-left: 3px solid #2271b1;
+            }
+            .wclp-download-stat-number {
+                font-size: 32px;
+                font-weight: 600;
+                color: #1d2327;
+                line-height: 1.2;
+            }
+            .wclp-download-stat-label {
+                font-size: 12px;
+                color: #646970;
+                text-transform: uppercase;
+                letter-spacing: 0.5px;
+                margin-top: 4px;
+            }
+            .wclp-download-list {
+                margin: 0;
+                padding: 0;
+                list-style: none;
+            }
+            .wclp-download-list li {
+                display: flex;
+                justify-content: space-between;
+                align-items: center;
+                padding: 8px 0;
+                border-bottom: 1px solid #e2e4e7;
+            }
+            .wclp-download-list li:last-child {
+                border-bottom: none;
+            }
+            .wclp-download-list .product-name {
+                font-weight: 500;
+                color: #1d2327;
+                flex: 1;
+                overflow: hidden;
+                text-overflow: ellipsis;
+                white-space: nowrap;
+                margin-right: 12px;
+            }
+            .wclp-download-list .version-info {
+                font-size: 12px;
+                color: #646970;
+            }
+            .wclp-download-list .download-count {
+                background: #e7f5ff;
+                color: #0a4b78;
+                padding: 2px 8px;
+                border-radius: 10px;
+                font-size: 12px;
+                font-weight: 600;
+                white-space: nowrap;
+            }
+            .wclp-download-section-title {
+                margin: 16px 0 8px 0;
+                font-size: 13px;
+                color: #1d2327;
+                font-weight: 600;
+            }
+            .wclp-no-downloads {
+                color: #646970;
+                font-style: italic;
+                text-align: center;
+                padding: 12px 0;
+            }
+        </style>
+
+        <div class="wclp-download-widget-stats">
+            <div class="wclp-download-stat-card">
+                <div class="wclp-download-stat-number"><?php echo esc_html(number_format_i18n($stats['total'])); ?></div>
+                <div class="wclp-download-stat-label"><?php esc_html_e('Total Downloads', 'wc-licensed-product'); ?></div>
+            </div>
+        </div>
+
+        <h4 class="wclp-download-section-title">
+            <?php esc_html_e('Top Products', 'wc-licensed-product'); ?>
+        </h4>
+        <?php if (!empty($stats['by_product'])): ?>
+            <ul class="wclp-download-list">
+                <?php foreach (array_slice($stats['by_product'], 0, 5) as $product): ?>
+                    <li>
+                        <span class="product-name"><?php echo esc_html($product['product_name']); ?></span>
+                        <span class="download-count">
+                            <?php echo esc_html(number_format_i18n($product['downloads'])); ?>
+                        </span>
+                    </li>
+                <?php endforeach; ?>
+            </ul>
+        <?php else: ?>
+            <p class="wclp-no-downloads"><?php esc_html_e('No downloads yet', 'wc-licensed-product'); ?></p>
+        <?php endif; ?>
+
+        <h4 class="wclp-download-section-title">
+            <?php esc_html_e('Top Versions', 'wc-licensed-product'); ?>
+        </h4>
+        <?php if (!empty($stats['by_version'])): ?>
+            <ul class="wclp-download-list">
+                <?php foreach (array_slice($stats['by_version'], 0, 5) as $version): ?>
+                    <li>
+                        <span class="product-name">
+                            <?php echo esc_html($version['product_name']); ?>
+                            <span class="version-info">v<?php echo esc_html($version['version']); ?></span>
+                        </span>
+                        <span class="download-count">
+                            <?php echo esc_html(number_format_i18n($version['downloads'])); ?>
+                        </span>
+                    </li>
+                <?php endforeach; ?>
+            </ul>
+        <?php else: ?>
+            <p class="wclp-no-downloads"><?php esc_html_e('No downloads yet', 'wc-licensed-product'); ?></p>
+        <?php endif; ?>
+        <?php
+    }
+}

src/Admin/OrderLicenseController.php

@@ -36,6 +36,7 @@ final class OrderLicenseController
         // Handle AJAX actions
         add_action('wp_ajax_wclp_update_order_domain', [$this, 'ajaxUpdateOrderDomain']);
         add_action('wp_ajax_wclp_update_license_domain', [$this, 'ajaxUpdateLicenseDomain']);
+        add_action('wp_ajax_wclp_generate_order_licenses', [$this, 'ajaxGenerateOrderLicenses']);
 
         // Enqueue admin scripts
         add_action('admin_enqueue_scripts', [$this, 'enqueueScripts']);
@@ -126,6 +127,18 @@ final class OrderLicenseController
 
             <h4><?php esc_html_e('Licenses', 'wc-licensed-product'); ?></h4>
 
+            <?php
+            // Count licensed products to check if all have licenses
+            $licensedProductCount = 0;
+            foreach ($order->get_items() as $item) {
+                $product = $item->get_product();
+                if ($product && $product->is_type('licensed')) {
+                    $licensedProductCount++;
+                }
+            }
+            $missingLicenses = $licensedProductCount - count($licenses);
+            ?>
+
             <?php if (empty($licenses)): ?>
                 <p class="description">
                     <?php esc_html_e('No licenses have been generated for this order yet.', 'wc-licensed-product'); ?>
@@ -137,6 +150,20 @@ final class OrderLicenseController
                         <em><?php esc_html_e('Licenses will be generated when the order is marked as paid/completed.', 'wc-licensed-product'); ?></em>
                     <?php endif; ?>
                 </p>
+                <?php if ($orderDomain && $order->is_paid()): ?>
+                    <p style="margin-top: 10px;">
+                        <button type="button" class="button button-primary" id="wclp-generate-licenses" data-order-id="<?php echo esc_attr($order->get_id()); ?>">
+                            <?php esc_html_e('Generate Licenses', 'wc-licensed-product'); ?>
+                        </button>
+                        <span class="spinner" style="float: none; margin-top: 4px;"></span>
+                        <span class="wclp-generate-status"></span>
+                    </p>
+                <?php elseif (!$orderDomain): ?>
+                    <p class="description" style="margin-top: 10px; color: #d63638;">
+                        <span class="dashicons dashicons-warning"></span>
+                        <?php esc_html_e('Please set the order domain above before generating licenses.', 'wc-licensed-product'); ?>
+                    </p>
+                <?php endif; ?>
             <?php else: ?>
                 <table class="widefat striped wclp-licenses-table">
                     <thead>
@@ -223,6 +250,29 @@ final class OrderLicenseController
                     );
                     ?>
                 </p>
+
+                <?php if ($missingLicenses > 0 && $orderDomain && $order->is_paid()): ?>
+                    <p style="margin-top: 10px;">
+                        <span class="dashicons dashicons-warning" style="color: #dba617;"></span>
+                        <?php
+                        printf(
+                            /* translators: %d: Number of missing licenses */
+                            esc_html(_n(
+                                '%d licensed product is missing a license.',
+                                '%d licensed products are missing licenses.',
+                                $missingLicenses,
+                                'wc-licensed-product'
+                            )),
+                            $missingLicenses
+                        );
+                        ?>
+                        <button type="button" class="button" id="wclp-generate-licenses" data-order-id="<?php echo esc_attr($order->get_id()); ?>">
+                            <?php esc_html_e('Generate Missing Licenses', 'wc-licensed-product'); ?>
+                        </button>
+                        <span class="spinner" style="float: none; margin-top: 4px;"></span>
+                        <span class="wclp-generate-status"></span>
+                    </p>
+                <?php endif; ?>
             <?php endif; ?>
         </div>
 
@@ -248,6 +298,9 @@ final class OrderLicenseController
             .wclp-lifetime { color: #0073aa; font-weight: 500; }
             .wclp-edit-domain-btn { color: #0073aa; text-decoration: none; }
             .wclp-edit-domain-btn .dashicons { font-size: 16px; width: 16px; height: 16px; }
+            .wclp-generate-status { font-style: italic; margin-left: 8px; }
+            .wclp-generate-status.success { color: #46b450; }
+            .wclp-generate-status.error { color: #dc3232; }
         </style>
         <?php
     }
@@ -284,8 +337,9 @@ final class OrderLicenseController
             'strings' => [
                 'saving' => __('Saving...', 'wc-licensed-product'),
                 'saved' => __('Saved!', 'wc-licensed-product'),
-                'error' => __('Error saving. Please try again.', 'wc-licensed-product'),
+                'error' => __('Error. Please try again.', 'wc-licensed-product'),
                 'invalidDomain' => __('Please enter a valid domain.', 'wc-licensed-product'),
+                'generating' => __('Generating...', 'wc-licensed-product'),
             ],
         ]);
     }
@@ -392,4 +446,96 @@ final class OrderLicenseController
         $pattern = '/^([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$/';
         return (bool) preg_match($pattern, $domain);
     }
+
+    /**
+     * AJAX handler for generating order licenses
+     */
+    public function ajaxGenerateOrderLicenses(): void
+    {
+        check_ajax_referer('wclp_order_license_actions', 'nonce');
+
+        if (!current_user_can('manage_woocommerce')) {
+            wp_send_json_error(['message' => __('Permission denied.', 'wc-licensed-product')]);
+        }
+
+        $orderId = absint($_POST['order_id'] ?? 0);
+
+        if (!$orderId) {
+            wp_send_json_error(['message' => __('Invalid order ID.', 'wc-licensed-product')]);
+        }
+
+        $order = wc_get_order($orderId);
+        if (!$order) {
+            wp_send_json_error(['message' => __('Order not found.', 'wc-licensed-product')]);
+        }
+
+        // Check if order is paid
+        if (!$order->is_paid()) {
+            wp_send_json_error(['message' => __('Order must be paid before licenses can be generated.', 'wc-licensed-product')]);
+        }
+
+        // Get domain
+        $domain = $order->get_meta('_licensed_product_domain');
+        if (empty($domain)) {
+            wp_send_json_error(['message' => __('Please set the order domain before generating licenses.', 'wc-licensed-product')]);
+        }
+
+        // Generate licenses for each licensed product
+        $generated = 0;
+        $skipped = 0;
+
+        foreach ($order->get_items() as $item) {
+            $product = $item->get_product();
+            if ($product && $product->is_type('licensed')) {
+                $license = $this->licenseManager->generateLicense(
+                    $orderId,
+                    $product->get_id(),
+                    $order->get_customer_id(),
+                    $domain
+                );
+
+                if ($license) {
+                    // Check if this is a new license or existing
+                    $existingLicenses = $this->licenseManager->getLicensesByOrder($orderId);
+                    $isNew = true;
+                    foreach ($existingLicenses as $existing) {
+                        if ($existing->getProductId() === $product->get_id() && $existing->getId() !== $license->getId()) {
+                            $isNew = false;
+                            break;
+                        }
+                    }
+                    if ($isNew) {
+                        $generated++;
+                    } else {
+                        $skipped++;
+                    }
+                }
+            }
+        }
+
+        if ($generated > 0) {
+            wp_send_json_success([
+                'message' => sprintf(
+                    /* translators: %d: Number of licenses generated */
+                    _n(
+                        '%d license generated successfully.',
+                        '%d licenses generated successfully.',
+                        $generated,
+                        'wc-licensed-product'
+                    ),
+                    $generated
+                ),
+                'generated' => $generated,
+                'skipped' => $skipped,
+                'reload' => true,
+            ]);
+        } else {
+            wp_send_json_success([
+                'message' => __('All licenses already exist for this order.', 'wc-licensed-product'),
+                'generated' => 0,
+                'skipped' => $skipped,
+                'reload' => false,
+            ]);
+        }
+    }
 }

src/Api/ResponseSigner.php

@@ -94,8 +94,8 @@ final class ResponseSigner
         $timestamp = time();
         $signingKey = $this->deriveKey($licenseKey);
 
-        // Sort keys for consistent ordering
+        // Recursively sort keys for consistent ordering (required by client implementation)
-        ksort($data);
+        $data = $this->recursiveKeySort($data);
 
         // Build signature payload
         $payload = $timestamp . ':' . json_encode(
@@ -109,6 +109,33 @@ final class ResponseSigner
         ];
     }
 
+    /**
+     * Recursively sort array keys alphabetically
+     *
+     * @param mixed $data The data to sort
+     * @return mixed The sorted data
+     */
+    private function recursiveKeySort(mixed $data): mixed
+    {
+        if (!is_array($data)) {
+            return $data;
+        }
+
+        // Check if array is associative (has string keys)
+        $isAssociative = array_keys($data) !== range(0, count($data) - 1);
+
+        if ($isAssociative) {
+            ksort($data);
+        }
+
+        // Recursively sort nested arrays
+        foreach ($data as $key => $value) {
+            $data[$key] = $this->recursiveKeySort($value);
+        }
+
+        return $data;
+    }
+
     /**
      * Derive a unique signing key for a license
      *

src/Api/RestApiController.php

@@ -95,29 +95,152 @@ final class RestApiController
 
     /**
      * Get client IP address
+     *
+     * Security note: Only trust proxy headers when explicitly configured.
+     * Set WC_LICENSE_TRUSTED_PROXIES constant or configure trusted_proxies
+     * in wp-config.php to enable proxy header support.
+     *
+     * @return string Client IP address
      */
     private function getClientIp(): string
     {
+        // Get the direct connection IP first
+        $remoteAddr = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
+
+        // Only check proxy headers if we're behind a trusted proxy
+        if ($this->isTrustedProxy($remoteAddr)) {
+            // Check headers in order of trust preference
             $headers = [
                 'HTTP_CF_CONNECTING_IP', // Cloudflare
                 'HTTP_X_FORWARDED_FOR',
                 'HTTP_X_REAL_IP',
-            'REMOTE_ADDR',
             ];
 
             foreach ($headers as $header) {
                 if (!empty($_SERVER[$header])) {
                     $ips = explode(',', $_SERVER[$header]);
                     $ip = trim($ips[0]);
-                if (filter_var($ip, FILTER_VALIDATE_IP)) {
+                    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
                         return $ip;
                     }
                 }
             }
+        }
+
+        // Validate and return direct connection IP
+        if (filter_var($remoteAddr, FILTER_VALIDATE_IP)) {
+            return $remoteAddr;
+        }
 
         return '0.0.0.0';
     }
 
+    /**
+     * Check if the given IP is a trusted proxy
+     *
+     * @param string $ip The IP address to check
+     * @return bool Whether the IP is a trusted proxy
+     */
+    private function isTrustedProxy(string $ip): bool
+    {
+        // Check if trusted proxies are configured
+        if (!defined('WC_LICENSE_TRUSTED_PROXIES')) {
+            return false;
+        }
+
+        $trustedProxies = WC_LICENSE_TRUSTED_PROXIES;
+
+        // Handle string constant (comma-separated list)
+        if (is_string($trustedProxies)) {
+            $trustedProxies = array_map('trim', explode(',', $trustedProxies));
+        }
+
+        if (!is_array($trustedProxies)) {
+            return false;
+        }
+
+        // Check for special keywords
+        if (in_array('CLOUDFLARE', $trustedProxies, true)) {
+            // Cloudflare IP ranges (simplified - in production, fetch from Cloudflare API)
+            if ($this->isCloudflareIp($ip)) {
+                return true;
+            }
+        }
+
+        // Check direct IP match or CIDR notation
+        foreach ($trustedProxies as $proxy) {
+            if ($proxy === $ip) {
+                return true;
+            }
+
+            // Support CIDR notation
+            if (str_contains($proxy, '/') && $this->ipMatchesCidr($ip, $proxy)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Check if IP is in Cloudflare range
+     *
+     * @param string $ip The IP to check
+     * @return bool Whether IP belongs to Cloudflare
+     */
+    private function isCloudflareIp(string $ip): bool
+    {
+        // Cloudflare IPv4 ranges (as of 2024)
+        $cloudflareRanges = [
+            '173.245.48.0/20',
+            '103.21.244.0/22',
+            '103.22.200.0/22',
+            '103.31.4.0/22',
+            '141.101.64.0/18',
+            '108.162.192.0/18',
+            '190.93.240.0/20',
+            '188.114.96.0/20',
+            '197.234.240.0/22',
+            '198.41.128.0/17',
+            '162.158.0.0/15',
+            '104.16.0.0/13',
+            '104.24.0.0/14',
+            '172.64.0.0/13',
+            '131.0.72.0/22',
+        ];
+
+        foreach ($cloudflareRanges as $range) {
+            if ($this->ipMatchesCidr($ip, $range)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Check if an IP matches a CIDR range
+     *
+     * @param string $ip The IP to check
+     * @param string $cidr The CIDR range (e.g., "192.168.1.0/24")
+     * @return bool Whether the IP matches the CIDR range
+     */
+    private function ipMatchesCidr(string $ip, string $cidr): bool
+    {
+        [$subnet, $bits] = explode('/', $cidr);
+
+        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) ||
+            !filter_var($subnet, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+            return false;
+        }
+
+        $ipLong = ip2long($ip);
+        $subnetLong = ip2long($subnet);
+        $mask = -1 << (32 - (int) $bits);
+
+        return ($ipLong & $mask) === ($subnetLong & $mask);
+    }
+
     /**
      * Register REST API routes
      */

src/Email/LicenseEmailController.php

@@ -55,6 +55,7 @@ final class LicenseEmailController
     public function registerEmailClasses(array $email_classes): array
     {
         $email_classes['WCLP_License_Expiration'] = new LicenseExpirationEmail();
+        $email_classes['WCLP_License_Expired'] = new LicenseExpiredEmail();
         return $email_classes;
     }
 
@@ -69,10 +70,13 @@ final class LicenseEmailController
     }
 
     /**
-     * Send expiration warning emails
+     * Send expiration warning emails and auto-expire licenses
      */
     public function sendExpirationWarnings(): void
     {
+        // First, auto-expire licenses that have passed their expiration date
+        $this->autoExpireAndNotify();
+
         // Check if expiration emails are enabled in settings
         if (!SettingsController::isExpirationEmailsEnabled()) {
             return;
@@ -107,6 +111,41 @@ final class LicenseEmailController
         }
     }
 
+    /**
+     * Auto-expire licenses and send expired notifications
+     */
+    private function autoExpireAndNotify(): void
+    {
+        // Get licenses that should be auto-expired
+        $expiredActiveLicenses = $this->licenseManager->getExpiredActiveLicenses();
+
+        if (empty($expiredActiveLicenses)) {
+            return;
+        }
+
+        // Get the WooCommerce email instance for expired notifications
+        $mailer = WC()->mailer();
+        $emails = $mailer->get_emails();
+
+        /** @var LicenseExpiredEmail|null $expiredEmail */
+        $expiredEmail = $emails['WCLP_License_Expired'] ?? null;
+
+        foreach ($expiredActiveLicenses as $license) {
+            // Auto-expire the license
+            $wasExpired = $this->licenseManager->autoExpireLicense($license->getId());
+
+            if ($wasExpired && $expiredEmail && $expiredEmail->is_enabled()) {
+                // Check if we haven't already sent an expired notification
+                if (!$this->licenseManager->wasExpirationNotified($license->getId(), 'license_expired')) {
+                    // Send expired notification email
+                    if ($expiredEmail->trigger($license)) {
+                        $this->licenseManager->markExpirationNotified($license->getId(), 'license_expired');
+                    }
+                }
+            }
+        }
+    }
+
     /**
      * Process and send expiration warnings for a specific time frame
      *

src/Email/LicenseExpiredEmail.php

@@ -0,0 +1,335 @@
+<?php
+/**
+ * License Expired Email
+ *
+ * @package Jeremias\WcLicensedProduct\Email
+ */
+
+declare(strict_types=1);
+
+namespace Jeremias\WcLicensedProduct\Email;
+
+use Jeremias\WcLicensedProduct\License\License;
+use WC_Email;
+
+/**
+ * License Expired Email class
+ *
+ * Sends email notifications to customers when their licenses have expired.
+ * Uses WooCommerce's transactional email system for consistent styling and customization.
+ */
+class LicenseExpiredEmail extends WC_Email
+{
+    /**
+     * License object
+     */
+    public ?License $license = null;
+
+    /**
+     * Product name
+     */
+    public string $product_name = '';
+
+    /**
+     * Expiration date formatted
+     */
+    public string $expiration_date = '';
+
+    /**
+     * Customer display name
+     */
+    public string $customer_name = '';
+
+    /**
+     * Constructor
+     */
+    public function __construct()
+    {
+        $this->id = 'wclp_license_expired';
+        $this->customer_email = true;
+        $this->title = __('License Expired', 'wc-licensed-product');
+        $this->description = __('License expired emails are sent to customers when their licenses have expired.', 'wc-licensed-product');
+
+        $this->placeholders = [
+            '{site_title}' => $this->get_blogname(),
+            '{product_name}' => '',
+            '{expiration_date}' => '',
+        ];
+
+        // Call parent constructor
+        parent::__construct();
+    }
+
+    /**
+     * Get email subject
+     */
+    public function get_default_subject(): string
+    {
+        return __('[{site_title}] Your license for {product_name} has expired', 'wc-licensed-product');
+    }
+
+    /**
+     * Get email heading
+     */
+    public function get_default_heading(): string
+    {
+        return __('License Expired', 'wc-licensed-product');
+    }
+
+    /**
+     * Trigger the email
+     *
+     * @param License $license License object
+     */
+    public function trigger(License $license): bool
+    {
+        $this->setup_locale();
+
+        $customer = get_userdata($license->getCustomerId());
+        if (!$customer || !$customer->user_email) {
+            $this->restore_locale();
+            return false;
+        }
+
+        $this->license = $license;
+        $this->recipient = $customer->user_email;
+        $this->customer_name = $customer->display_name ?: __('Customer', 'wc-licensed-product');
+
+        $product = wc_get_product($license->getProductId());
+        $this->product_name = $product ? $product->get_name() : __('Unknown Product', 'wc-licensed-product');
+
+        $expiresAt = $license->getExpiresAt();
+        $this->expiration_date = $expiresAt ? $expiresAt->format(get_option('date_format')) : '';
+
+        // Update placeholders
+        $this->placeholders['{product_name}'] = $this->product_name;
+        $this->placeholders['{expiration_date}'] = $this->expiration_date;
+
+        if (!$this->is_enabled() || !$this->get_recipient()) {
+            $this->restore_locale();
+            return false;
+        }
+
+        $result = $this->send(
+            $this->get_recipient(),
+            $this->get_subject(),
+            $this->get_content(),
+            $this->get_headers(),
+            $this->get_attachments()
+        );
+
+        $this->restore_locale();
+
+        return $result;
+    }
+
+    /**
+     * Get content HTML
+     */
+    public function get_content_html(): string
+    {
+        ob_start();
+
+        // Use WooCommerce's email header
+        wc_get_template('emails/email-header.php', ['email_heading' => $this->get_heading()]);
+
+        $this->render_email_body_html();
+
+        // Use WooCommerce's email footer
+        wc_get_template('emails/email-footer.php', ['email' => $this]);
+
+        return ob_get_clean();
+    }
+
+    /**
+     * Get content plain text
+     */
+    public function get_content_plain(): string
+    {
+        ob_start();
+
+        echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
+        echo esc_html(wp_strip_all_tags($this->get_heading()));
+        echo "\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n";
+
+        $this->render_email_body_plain();
+
+        return ob_get_clean();
+    }
+
+    /**
+     * Render HTML email body content
+     */
+    private function render_email_body_html(): void
+    {
+        $account_url = wc_get_account_endpoint_url('licenses');
+        ?>
+        <p><?php printf(esc_html__('Hello %s,', 'wc-licensed-product'), esc_html($this->customer_name)); ?></p>
+
+        <p style="color: #dc3232; font-weight: 600;">
+            <?php printf(
+                esc_html__('Your license for %1$s has expired on %2$s.', 'wc-licensed-product'),
+                '<strong>' . esc_html($this->product_name) . '</strong>',
+                esc_html($this->expiration_date)
+            ); ?>
+        </p>
+
+        <p>
+            <?php esc_html_e('Your license is no longer valid and the product will stop working until you renew.', 'wc-licensed-product'); ?>
+        </p>
+
+        <h2><?php esc_html_e('Expired License Details', 'wc-licensed-product'); ?></h2>
+
+        <div style="margin-bottom: 40px;">
+            <table class="td" cellspacing="0" cellpadding="6" style="width: 100%; font-family: 'Helvetica Neue', Helvetica, Roboto, Arial, sans-serif;" border="1">
+                <tbody>
+                    <tr>
+                        <th class="td" scope="row" style="text-align:<?php echo is_rtl() ? 'right' : 'left'; ?>;"><?php esc_html_e('Product:', 'wc-licensed-product'); ?></th>
+                        <td class="td" style="text-align:<?php echo is_rtl() ? 'right' : 'left'; ?>;"><?php echo esc_html($this->product_name); ?></td>
+                    </tr>
+                    <tr>
+                        <th class="td" scope="row" style="text-align:<?php echo is_rtl() ? 'right' : 'left'; ?>;"><?php esc_html_e('License Key:', 'wc-licensed-product'); ?></th>
+                        <td class="td" style="text-align:<?php echo is_rtl() ? 'right' : 'left'; ?>;">
+                            <code style="background: #f5f5f5; padding: 3px 8px; border-radius: 3px; font-family: monospace;">
+                                <?php echo esc_html($this->license->getLicenseKey()); ?>
+                            </code>
+                        </td>
+                    </tr>
+                    <tr>
+                        <th class="td" scope="row" style="text-align:<?php echo is_rtl() ? 'right' : 'left'; ?>;"><?php esc_html_e('Domain:', 'wc-licensed-product'); ?></th>
+                        <td class="td" style="text-align:<?php echo is_rtl() ? 'right' : 'left'; ?>;"><?php echo esc_html($this->license->getDomain()); ?></td>
+                    </tr>
+                    <tr>
+                        <th class="td" scope="row" style="text-align:<?php echo is_rtl() ? 'right' : 'left'; ?>;"><?php esc_html_e('Expired on:', 'wc-licensed-product'); ?></th>
+                        <td class="td" style="text-align:<?php echo is_rtl() ? 'right' : 'left'; ?>; color: #dc3232; font-weight: 600;"><?php echo esc_html($this->expiration_date); ?></td>
+                    </tr>
+                    <tr>
+                        <th class="td" scope="row" style="text-align:<?php echo is_rtl() ? 'right' : 'left'; ?>;"><?php esc_html_e('Status:', 'wc-licensed-product'); ?></th>
+                        <td class="td" style="text-align:<?php echo is_rtl() ? 'right' : 'left'; ?>;">
+                            <span style="background: #f8d7da; color: #721c24; padding: 3px 10px; border-radius: 12px; font-size: 12px; font-weight: 500;">
+                                <?php esc_html_e('Expired', 'wc-licensed-product'); ?>
+                            </span>
+                        </td>
+                    </tr>
+                </tbody>
+            </table>
+        </div>
+
+        <?php
+        $additional_content = $this->get_additional_content();
+        if ($additional_content) :
+            ?>
+            <p><?php echo wp_kses_post($additional_content); ?></p>
+        <?php endif; ?>
+
+        <p style="margin-top: 25px;">
+            <a href="<?php echo esc_url($account_url); ?>" class="button" style="display: inline-block; background-color: #7f54b3; color: #ffffff; padding: 12px 24px; text-decoration: none; border-radius: 4px; font-weight: 600;">
+                <?php esc_html_e('View My Licenses', 'wc-licensed-product'); ?>
+            </a>
+        </p>
+        <?php
+    }
+
+    /**
+     * Render plain text email body content
+     */
+    private function render_email_body_plain(): void
+    {
+        printf(esc_html__('Hello %s,', 'wc-licensed-product'), esc_html($this->customer_name));
+        echo "\n\n";
+
+        printf(
+            esc_html__('Your license for %1$s has expired on %2$s.', 'wc-licensed-product'),
+            esc_html($this->product_name),
+            esc_html($this->expiration_date)
+        );
+        echo "\n\n";
+
+        echo esc_html__('Your license is no longer valid and the product will stop working until you renew.', 'wc-licensed-product');
+        echo "\n\n";
+
+        echo "----------\n";
+        echo esc_html__('Expired License Details', 'wc-licensed-product') . "\n";
+        echo "----------\n\n";
+
+        echo esc_html__('Product:', 'wc-licensed-product') . ' ' . esc_html($this->product_name) . "\n";
+        echo esc_html__('License Key:', 'wc-licensed-product') . ' ' . esc_html($this->license->getLicenseKey()) . "\n";
+        echo esc_html__('Domain:', 'wc-licensed-product') . ' ' . esc_html($this->license->getDomain()) . "\n";
+        echo esc_html__('Expired on:', 'wc-licensed-product') . ' ' . esc_html($this->expiration_date) . "\n";
+        echo esc_html__('Status:', 'wc-licensed-product') . ' ' . esc_html__('Expired', 'wc-licensed-product') . "\n\n";
+
+        $additional_content = $this->get_additional_content();
+        if ($additional_content) {
+            echo "----------\n\n";
+            echo esc_html(wp_strip_all_tags(wptexturize($additional_content)));
+            echo "\n\n";
+        }
+
+        echo esc_html__('View My Licenses', 'wc-licensed-product') . ': ' . esc_url(wc_get_account_endpoint_url('licenses')) . "\n\n";
+
+        echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
+    }
+
+    /**
+     * Default content to show below main email content
+     */
+    public function get_default_additional_content(): string
+    {
+        return __('To continue using this product, please renew your license.', 'wc-licensed-product');
+    }
+
+    /**
+     * Initialize settings form fields
+     */
+    public function init_form_fields(): void
+    {
+        $placeholder_text = sprintf(
+            /* translators: %s: list of placeholders */
+            __('Available placeholders: %s', 'wc-licensed-product'),
+            '<code>{site_title}, {product_name}, {expiration_date}</code>'
+        );
+
+        $this->form_fields = [
+            'enabled' => [
+                'title' => __('Enable/Disable', 'wc-licensed-product'),
+                'type' => 'checkbox',
+                'label' => __('Enable this email notification', 'wc-licensed-product'),
+                'default' => 'yes',
+            ],
+            'subject' => [
+                'title' => __('Subject', 'wc-licensed-product'),
+                'type' => 'text',
+                'desc_tip' => true,
+                'description' => $placeholder_text,
+                'placeholder' => $this->get_default_subject(),
+                'default' => '',
+            ],
+            'heading' => [
+                'title' => __('Email heading', 'wc-licensed-product'),
+                'type' => 'text',
+                'desc_tip' => true,
+                'description' => $placeholder_text,
+                'placeholder' => $this->get_default_heading(),
+                'default' => '',
+            ],
+            'additional_content' => [
+                'title' => __('Additional content', 'wc-licensed-product'),
+                'description' => __('Text to appear below the main email content.', 'wc-licensed-product') . ' ' . $placeholder_text,
+                'css' => 'width:400px; height: 75px;',
+                'placeholder' => $this->get_default_additional_content(),
+                'type' => 'textarea',
+                'default' => '',
+                'desc_tip' => true,
+            ],
+            'email_type' => [
+                'title' => __('Email type', 'wc-licensed-product'),
+                'type' => 'select',
+                'description' => __('Choose which format of email to send.', 'wc-licensed-product'),
+                'default' => 'html',
+                'class' => 'email_type wc-enhanced-select',
+                'options' => $this->get_email_type_options(),
+                'desc_tip' => true,
+            ],
+        ];
+    }
+}

src/Frontend/DownloadController.php

@@ -35,6 +35,9 @@ final class DownloadController
         // Add download endpoint
         add_action('init', [$this, 'addDownloadEndpoint']);
 
+        // Register query var for the endpoint
+        add_filter('query_vars', [$this, 'addDownloadQueryVar']);
+
         // Handle download requests
         add_action('template_redirect', [$this, 'handleDownloadRequest']);
     }
@@ -47,6 +50,15 @@ final class DownloadController
         add_rewrite_endpoint('license-download', EP_ROOT | EP_PAGES);
     }
 
+    /**
+     * Register the download query var
+     */
+    public function addDownloadQueryVar(array $vars): array
+    {
+        $vars[] = 'license-download';
+        return $vars;
+    }
+
     /**
      * Handle download request
      */
@@ -160,8 +172,12 @@ final class DownloadController
         $downloadUrl = $version->getDownloadUrl();
 
         if ($attachmentId) {
+            // Increment download count before serving
+            $this->versionManager->incrementDownloadCount($versionId);
             $this->serveAttachment($attachmentId, $version->getVersion());
         } elseif ($downloadUrl) {
+            // Increment download count before redirect
+            $this->versionManager->incrementDownloadCount($versionId);
             // Redirect to external URL
             wp_redirect($downloadUrl);
             exit;

src/Installer.php

@@ -35,8 +35,9 @@ final class Installer
         // Set version in options
         update_option('wc_licensed_product_version', WC_LICENSED_PRODUCT_VERSION);
 
-        // Register the licenses endpoint before flushing rewrite rules
+        // Register endpoints before flushing rewrite rules
         add_rewrite_endpoint('licenses', EP_ROOT | EP_PAGES);
+        add_rewrite_endpoint('license-download', EP_ROOT | EP_PAGES);
 
         // Flush rewrite rules for REST API and My Account endpoints
         flush_rewrite_rules();
@@ -103,6 +104,7 @@ final class Installer
             download_url VARCHAR(512) DEFAULT NULL,
             attachment_id BIGINT UNSIGNED DEFAULT NULL,
             file_hash VARCHAR(64) DEFAULT NULL,
+            download_count BIGINT UNSIGNED NOT NULL DEFAULT 0,
             is_active TINYINT(1) NOT NULL DEFAULT 1,
             released_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
             created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,

src/License/LicenseManager.php

@@ -862,6 +862,56 @@ class LicenseManager
         return (bool) get_user_meta($license->getCustomerId(), $metaKey, true);
     }
 
+    /**
+     * Get licenses that have passed their expiration date but are still marked as active
+     *
+     * @return array Array of License objects that need to be auto-expired
+     */
+    public function getExpiredActiveLicenses(): array
+    {
+        global $wpdb;
+
+        $tableName = Installer::getLicensesTable();
+        $now = new \DateTimeImmutable();
+
+        $sql = "SELECT * FROM {$tableName}
+                WHERE expires_at IS NOT NULL
+                AND expires_at < %s
+                AND status = %s";
+
+        $rows = $wpdb->get_results(
+            $wpdb->prepare($sql, $now->format('Y-m-d H:i:s'), License::STATUS_ACTIVE),
+            ARRAY_A
+        );
+
+        return array_map(fn(array $row) => License::fromArray($row), $rows ?: []);
+    }
+
+    /**
+     * Auto-expire a license and return true if status was changed
+     *
+     * @param int $licenseId License ID
+     * @return bool True if license was expired, false if already expired or error
+     */
+    public function autoExpireLicense(int $licenseId): bool
+    {
+        $license = $this->getLicenseById($licenseId);
+        if (!$license) {
+            return false;
+        }
+
+        // Only expire if currently active and past expiration date
+        if ($license->getStatus() !== License::STATUS_ACTIVE) {
+            return false;
+        }
+
+        if (!$license->isExpired()) {
+            return false;
+        }
+
+        return $this->updateLicenseStatus($licenseId, License::STATUS_EXPIRED);
+    }
+
     /**
      * Import a license from CSV data
      *

src/Plugin.php

@@ -10,6 +10,8 @@ declare(strict_types=1);
 namespace Jeremias\WcLicensedProduct;
 
 use Jeremias\WcLicensedProduct\Admin\AdminController;
+use Jeremias\WcLicensedProduct\Admin\DashboardWidgetController;
+use Jeremias\WcLicensedProduct\Admin\DownloadWidgetController;
 use Jeremias\WcLicensedProduct\Admin\OrderLicenseController;
 use Jeremias\WcLicensedProduct\Admin\SettingsController;
 use Jeremias\WcLicensedProduct\Admin\VersionAdminController;
@@ -97,6 +99,7 @@ final class Plugin
         $this->twig = new Environment($loader, [
             'cache' => WP_CONTENT_DIR . '/cache/wc-licensed-product/twig',
             'auto_reload' => true, // Always check for template changes
+            'autoescape' => 'html', // Explicitly enable HTML autoescape for XSS protection
         ]);
 
         // Add WordPress functions as Twig functions
@@ -151,6 +154,8 @@ final class Plugin
             new VersionAdminController($this->versionManager);
             new OrderLicenseController($this->licenseManager);
             new SettingsController();
+            new DashboardWidgetController($this->licenseManager);
+            new DownloadWidgetController($this->versionManager);
 
             // Show admin notice if unlicensed and not on localhost
             if (!$isLicensed && !$licenseChecker->isLocalhost()) {

src/Product/ProductVersion.php

@@ -24,6 +24,7 @@ class ProductVersion
     private ?string $downloadUrl;
     private ?int $attachmentId;
     private ?string $fileHash;
+    private int $downloadCount;
     private bool $isActive;
     private \DateTimeInterface $releasedAt;
     private \DateTimeInterface $createdAt;
@@ -44,6 +45,7 @@ class ProductVersion
         $version->downloadUrl = $data['download_url'] ?: null;
         $version->attachmentId = !empty($data['attachment_id']) ? (int) $data['attachment_id'] : null;
         $version->fileHash = $data['file_hash'] ?? null;
+        $version->downloadCount = (int) ($data['download_count'] ?? 0);
         $version->isActive = (bool) $data['is_active'];
         $version->releasedAt = new \DateTimeImmutable($data['released_at']);
         $version->createdAt = new \DateTimeImmutable($data['created_at']);
@@ -144,6 +146,11 @@ class ProductVersion
         return $this->fileHash;
     }
 
+    public function getDownloadCount(): int
+    {
+        return $this->downloadCount;
+    }
+
     /**
      * Get the download URL from attachment
      */
@@ -197,6 +204,7 @@ class ProductVersion
             'download_url' => $this->downloadUrl,
             'attachment_id' => $this->attachmentId,
             'file_hash' => $this->fileHash,
+            'download_count' => $this->downloadCount,
             'is_active' => $this->isActive,
             'released_at' => $this->releasedAt->format('Y-m-d H:i:s'),
             'created_at' => $this->createdAt->format('Y-m-d H:i:s'),

src/Product/VersionManager.php

@@ -276,4 +276,98 @@ class VersionManager
 
         return (int) $count > 0;
     }
+
+    /**
+     * Increment download count for a version
+     */
+    public function incrementDownloadCount(int $versionId): bool
+    {
+        global $wpdb;
+
+        $tableName = Installer::getVersionsTable();
+        $result = $wpdb->query(
+            $wpdb->prepare(
+                "UPDATE {$tableName} SET download_count = download_count + 1 WHERE id = %d",
+                $versionId
+            )
+        );
+
+        return $result !== false;
+    }
+
+    /**
+     * Get total download count across all versions
+     */
+    public function getTotalDownloadCount(): int
+    {
+        global $wpdb;
+
+        $tableName = Installer::getVersionsTable();
+        $count = $wpdb->get_var("SELECT COALESCE(SUM(download_count), 0) FROM {$tableName}");
+
+        return (int) $count;
+    }
+
+    /**
+     * Get download statistics per product
+     */
+    public function getDownloadStatistics(): array
+    {
+        global $wpdb;
+
+        $tableName = Installer::getVersionsTable();
+
+        // Get total downloads
+        $totalDownloads = $this->getTotalDownloadCount();
+
+        // Get downloads per product (top 10)
+        $byProduct = $wpdb->get_results(
+            "SELECT product_id, SUM(download_count) as downloads
+             FROM {$tableName}
+             GROUP BY product_id
+             ORDER BY downloads DESC
+             LIMIT 10",
+            ARRAY_A
+        );
+
+        // Get downloads per version (top 10)
+        $byVersion = $wpdb->get_results(
+            "SELECT id, product_id, version, download_count
+             FROM {$tableName}
+             WHERE download_count > 0
+             ORDER BY download_count DESC
+             LIMIT 10",
+            ARRAY_A
+        );
+
+        // Enrich product data with names
+        $productsWithNames = [];
+        foreach ($byProduct ?: [] as $row) {
+            $product = wc_get_product((int) $row['product_id']);
+            $productsWithNames[] = [
+                'product_id' => (int) $row['product_id'],
+                'product_name' => $product ? $product->get_name() : __('Unknown Product', 'wc-licensed-product'),
+                'downloads' => (int) $row['downloads'],
+            ];
+        }
+
+        // Enrich version data with product names
+        $versionsWithNames = [];
+        foreach ($byVersion ?: [] as $row) {
+            $product = wc_get_product((int) $row['product_id']);
+            $versionsWithNames[] = [
+                'version_id' => (int) $row['id'],
+                'product_id' => (int) $row['product_id'],
+                'product_name' => $product ? $product->get_name() : __('Unknown Product', 'wc-licensed-product'),
+                'version' => $row['version'],
+                'downloads' => (int) $row['download_count'],
+            ];
+        }
+
+        return [
+            'total' => $totalDownloads,
+            'by_product' => $productsWithNames,
+            'by_version' => $versionsWithNames,
+        ];
+    }
 }

templates/admin/licenses.html.twig

@@ -1,6 +1,6 @@
 <div class="wrap">
     <h1 class="wp-heading-inline">{{ __('Licenses') }}</h1>
-    <a href="{{ admin_url }}?action=export_csv" class="page-title-action">
+    <a href="{{ export_csv_url() }}" class="page-title-action">
         <span class="dashicons dashicons-download" style="vertical-align: middle;"></span>
         {{ __('Export CSV') }}
     </a>
@@ -143,8 +143,8 @@
                             </td>
                             <td class="wclp-editable-cell" data-field="status" data-license-id="{{ item.license.id }}">
                                 <span class="wclp-display-value">
-                                    <span class="license-status license-status-{{ item.license.status }}">
+                                    <span class="license-status license-status-{{ esc_attr(item.license.status) }}">
-                                        {{ item.license.status|capitalize }}
+                                        {{ esc_html(item.license.status)|capitalize }}
                                     </span>
                                 </span>
                                 <button type="button" class="wclp-edit-btn button-link" title="{{ __('Edit') }}">

templates/frontend/licenses.html.twig

@@ -12,8 +12,8 @@
                             {{ esc_html(item.product_name) }}
                         {% endif %}
                     </h3>
-                    <span class="license-status license-status-{{ item.license.status }}">
+                    <span class="license-status license-status-{{ esc_attr(item.license.status) }}">
-                        {{ item.license.status|capitalize }}
+                        {{ esc_html(item.license.status)|capitalize }}
                     </span>
                 </div>
 
@@ -57,12 +57,14 @@
                         <h4>{{ __('Available Downloads') }}</h4>
                         <ul class="download-list">
                             {% for download in item.downloads %}
-                                <li>
+                                <li class="download-item">
+                                    <div class="download-row-file">
                                         <a href="{{ esc_url(download.download_url) }}" class="download-link">
                                             <span class="dashicons dashicons-download"></span>
                                             {{ esc_html(download.filename ?: 'Version ' ~ download.version) }}
                                         </a>
-                                    <span class="download-version">v{{ esc_html(download.version) }}</span>
+                                    </div>
+                                    <div class="download-row-meta">
                                         <span class="download-date">{{ esc_html(download.released_at) }}</span>
                                         {% if download.file_hash %}
                                             <span class="download-hash" title="{{ esc_attr(download.file_hash) }}">
@@ -70,6 +72,7 @@
                                                 <code>{{ download.file_hash[:12] }}...</code>
                                             </span>
                                         {% endif %}
+                                    </div>
                                 </li>
                             {% endfor %}
                         </ul>

wc-licensed-product.php

@@ -3,7 +3,7 @@
  * Plugin Name: WooCommerce Licensed Product
  * Plugin URI: https://src.bundespruefstelle.ch/magdev/wc-licensed-product
  * Description: WooCommerce plugin to sell software products using license keys with domain-based validation.
- * Version: 0.3.4
+ * Version: 0.3.9
  * Author: Marco Graetsch
  * Author URI: https://src.bundespruefstelle.ch/magdev
  * License: GPL-2.0-or-later
@@ -28,7 +28,7 @@ if (!defined('ABSPATH')) {
 }
 
 // Plugin constants
-define('WC_LICENSED_PRODUCT_VERSION', '0.3.4');
+define('WC_LICENSED_PRODUCT_VERSION', '0.3.9');
 define('WC_LICENSED_PRODUCT_PLUGIN_FILE', __FILE__);
 define('WC_LICENSED_PRODUCT_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('WC_LICENSED_PRODUCT_PLUGIN_URL', plugin_dir_url(__FILE__));