Latest changes
13th April 2026 / v41.3
- FIX The Mail Log Viewer now reliably displays attachment names without crashing. [LOGIN, MAILER]
- FIX Corrected an issue that could cause a crash while generating client secret expiration warning emails. [LOGIN, MAILER]
- FIX Resolved a “Failed to execute ‘querySelector’ on ‘Document’” error in the wizard app triggered by invalid auto-generated element IDs. [LOGIN, MAILER]
10th April 2026 / v41.2
- FIX Prevented duplicate or incorrect type attributes on script tags, which could cause “Cannot use import statement outside a module” errors. [LOGIN]
- FIX Resolved a critical error that could occur when obtaining an access token for an embed-app due to an undefined method call. [LOGIN]
- FIX Automatically disables SSO when the mail function is invoked in the context of the WPO365 | MICROSOFT GRAPH MAILER plugin (preventing the plugin from logging SSO-unconfigured warnings). [MAILER]
2nd April 2026 / v41.1
- FIX Prevented duplicate or incorrect type attributes on script tags, which could cause “Cannot use import statement outside a module” errors when loading apps to embed Power BI or M*365 services such as SharePoint, Entra ID and Exchange. [LOGIN, MAILER]
30th March 2026 / v41.0
- CHANGE Added a brand‑new M*365 Apps Framework for embedding content from SharePoint Online, Microsoft Entra ID, Exchange Online, and Power BI, with persistent app configuration stored in the database, a preview option, and a guided configuration wizard. [LOGIN, APPS, INTEGRATE (INTRANET)]
- CHANGE Redesigned the menu of the plugin’s Configuration Pages, now with a new vertical navigation. [ALL]
- IMPROVEMENT To align with Microsoft’s current branding, Azure AD has been renamed to Microsoft Entra ID throughout the plugin, and all portal links now open in entra.microsoft.com. [ALL]
- IMPROVEMENT Added major enhancements to the premium SharePoint Library embed: users can now search the library, upload files, and choose from new card templates or a more customizable HTML table view. [APPS, INTEGRATE (INTRANET)]
- IMPROVEMENT Enhanced the Exchange Online Calendar embed-app, including a date picker with event cards, and support for displaying events across a rolling one‑year period. [APPS, INTEGRATE (INTRANET)]
- IMPROVEMENT Refactored the plugin’s “User Registration” configuration page and moved “Roles + Access” to its own configuration page for better clarity and maintainability. [LOGIN]
- FIX Fixed an issue in the stand‑alone WPO365 | MICROSOFT GRAPH MAILER plugin and tested and confirmed compatibility with GCC High tenants. [MAILER]
- FIX The WPO365 | PROFESSIONAL now ships with the required integration source code for itthinx Groups. [PROFESSIONAL]
- FIX Updated the Exchange Online Calendar embed-app so links in event descriptions now open in a new tab. [LOGIN, APPS, INTEGRATE (INTRANET)]
- FIX Dropped the core‑js polyfill dependency as it is no longer required by the plugin. [LOGIN]
20th February 2026 / v40.3
- IMPROVEMENT Protecting the Media Library by restricting access to logged-in users is now also supported for Auth.-Only authentication scenarios. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC INTRANET)]
- IMPROVEMENT When protection of the Media Library is enabled, WPO365 will award a cookie when a user signs in with SSO, further optimizing the performance. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC INTRANET)]
- FIX When a cookie granting access to the Media Library is not found, WordPress will now be loaded in an isolated function to prevent conflicts with other variables. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC INTRANET)]
- FIX The exported SAML 2.0 service provider XML configuration file is now “well-formed”. [LOGIN]
- FIX The ROLES + ACCESS (premium) plugin now includes the mapping tool for itthinx Groups. [ROLES + ACCESS]
- FIX The SCIM (premium) plugin now unlocks the “custom field mapping tool” on the plugin’s “User Sync” configuration page. [SCIM]
15th December 2025 / v40.2
- SECURITY FIX An XSS vulnerability has been patched. [ALL]
11th December 2025 / v40.1
- FIX Two free / basic apps for embedding Microsoft 365 services — SharePoint Online Search and Employee Directory — failed to perform their search functionality. [LOGIN]
7th December 2025 / v40.0
- SECURITY FIX A Server Side Request Forgery (SSRF) vulnerability has been patched. [ALL]
- BREAKING CHANGE The long-term deprecated version of WPO365 User Synchronization has now been removed. [INTEGRATE (SYNC, INTRANET)]
- IMPROVEMENT When an administrator enables WPO365’s “shared” WPMU-mode, WPO365 can now be configured to update the user’s WordPress role(s) based on your Entra group-to-WP-role mappings not only for the current site, but also for all subsites where the user is a member. See the online documentation for details. [ROLES + ACCESS, PROFESSIONAL, INTEGRATE, CUSTOMERS (SYNC, INTRANET)]
- IMPROVEMENT This version introduces a number of enhancements when embedding an Outlook / Exchange Online calendar in WordPress:
  - The free version now supports clickable items to pop up a dialog with the event’s details.
  - Premium versions can now also use a Shared Calendar as their source.
  - The event’s HTML content will now be rendered in an iframe.
  - Event details will now list the event start and end date, location and a clickable link in case of an online meeting.
  - By default, (new) calendars will show an extra column for the event’s end date.
  - Multi-day events are now easily identifiable by a dedicated icon.
  - See the updated feature documentation.
- IMPROVEMENT Confirms support for WordPress 6.9. [ALL]
- IMPROVEMENT When embedding Power BI content in WordPress for customers, WPO365 will now also update dynamic tokens found in an Effective Identity’s customData property. The online documentation has been updated to reflect this. [APPS, INTEGRATE (INTRANET)]
- IMPROVEMENT Direct Access to the Media Library now uses a cookie, to prevent 429 Too Many Requests errors and to reduce the server load. The online documentation has been updated accordingly. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
- FIX When WPO365 User Synchronization is triggered via an external link, WPO365 now waits for WordPress to fully initialize, ensuring that all hooks (filters and actions) are properly attached. [INTEGRATE (SYNC, INTRANET)]
13th November 2025 / v39.0
- FEATURE Now you can block direct access to the Media Library, when the selected Authentication scenario is Intranet. Refer to the implementation guide for instructions and restrictions. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
- FEATURE Administrators can now add a new WordPress user from Entra ID directly from WordPress’s built-in Add New User page. Check out the implementation guide. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
- IMPROVEMENT Embed Paginated Reports from Power BI in WordPress. Consult the all new Power BI / WordPress integration tutorial. [M365 APPS, INTEGRATE (INTRANET)]
- IMPROVEMENT When emails are successfully sent during a retry, the corresponding error message is removed, and the error count on the WPO365 | INSIGHTS Dashboard is updated accordingly. [ALL]
- IMPROVEMENT Sending WordPress emails via Microsoft Graph is now supported for GCC High tenants. [ALL]
- FIX SCIM options are now available (again) when the INTRANET premium plugin is detected. [INTRANET]
- FIX The availability of WPO365 configuration pages—and optionally the license management page—at the network admin level in WordPress Multisite has been reviewed and improved. [ALL]
- FIX Usability of the Feature status and toggle on the WPO365 Dashboard page has been reviewed and improved. [ALL]
- FIX The Plugin Self-Test now recognizes if a “groups” claim was received as part of the ID token / SAML response. [ROLES + ACCESS, PROFESSIONAL, INTEGRATE (SYNC, INTRANET)]
2nd September 2025 / v38.0
- FEATURE See what matters, when it happens. Track key WPO365 events like logins, sent emails and user creation and updates with WPO365 Insights and get alerted when a critical WPO365 event occurs. Consult the updated documentation for instructions on how to configure WPO365 Alerts. [ALL PREMIUM]
- IMPROVEMENT A new Daily WPO365 Insights widget has been added to the WP Admin Dashboard, informing administrators about key WPO365 events like logins, sent emails and user creation and updates. Refer to the updated documentation for further details or to learn how to hide the widget. [ALL]
- IMPROVEMENT Links found in the SharePoint Library will now open the linked document directly when clicked. [ALL]
- IMPROVEMENT Custom user metadata that is collected during user registration is now available when the plugin creates a new user in Azure AD B2C / Entra Ext. ID. [CUSTOMERS]
- FIX If the “Public homepage” option is enabled, WPO365 will now also allow more complex requests containing query parameters. [ALL PREMIUM]
- FIX The plugin checks whether the request parameter with the key idp_id was added by WPO365, and ignores it if not. [ALL PREMIUM]
- FIX WPO365 will now use a regular WordPress site option (instead of a transient option) to temporarily save the pre-authenticated link to retrieve the next batch of users during user synchronization. [INTEGRATE, CUSTOMERS (SYNC, INTRANET)]
- FIX The plugin will now overwrite user identifiers saved as usermeta such as the Entra Tenant ID, Object ID and UPN whenever a user is updated, to make it easier to migrate from one directory to another e.g. AAD B2C to Entra Ext. ID. [CUSTOMERS]
- FIX Addressed various technical problems to enhance plugin reliability. [ALL]
15th July 2025 / v37.2
- FIX WPO365 will avoid using “wp_print_inline_script_tag” and instead create a “script” tag itself, if the active WordPress theme does not declare support for the ‘html5’ and ‘script’ features. [ALL]
14th July 2025 / v37.1
- IMPROVEMENT The built-in WordPress Mailer for Microsoft Graph now supports RBAC for Exchange Online. As a result, administrators should now explicitly configure the desired authorization scenario, as explained in a new lesson in the tutorial. [LOGIN, MICROSOFT GRAPH MAILER]
- IMPROVEMENT All scripts are now created using either wp_print_script_tag or wp_print_inline_script_tag. As a result, developers can add their own nonce attribute using the wp_script_attributes and wp_inline_script_attributes filters, e.g. to enable a Content-Security-Policy (CSP). [LOGIN, MICROSOFT GRAPH MAILER]
- FIX For premium plugins, WPO365 would check the license status with every admin request, which could slow down your site unnecessarily. [ALL PREMIUM]
- FIX Some features were not included in the Plugin Self-Test for the CUSTOMERS premium plugin. [CUSTOMERS]
17th June 2025 / v37.0
- IMPROVEMENT As of version 37.0, creating new users through the SCIM-based integration with the Microsoft Entra ID Application / User Provisioning service is now available as a free feature. Get started today! [LOGIN]
- IMPROVEMENT Beginning with version 37.0, WPO365 | LOGIN – available at no cost – can now also populate a new WordPress user’s name and email profile attributes, a capability that previously required the PROFILE+ add-on. [LOGIN]
- IMPROVEMENT It is now possible to schedule WPO365 User Synchronization without the need to rely on WP Cron by triggering both the start of a new user-sync job and the processing of each batch using an external task scheduler. See the updated tutorial for details. [INTEGRATE (SYNC, INTRANET)]
- IMPROVEMENT A new filter has been added that allows developers to filter the custom Error Page URL. Consult the updated documentation for details. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
- IMPROVEMENT Administrators experiencing issues with WPO365 User Synchronization or the SCIM-based integration with the Microsoft Entra ID Application / User Provisioning service, can now enable a custom logging function that helps collect more data in a separate server log. [SCIM, INTEGRATE, CUSTOMERS (SYNC, INTRANET)]
- FIX An issue – previously causing a critical error when creating a new WordPress Network Subsite for a new user without a valid email address – has been resolved. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
- FIX A bug has been fixed that prevented WPO365 from detecting whether or not a user should be considered a user that signed in with Microsoft and preventing users from changing their email address or password. [LOGIN]
- FIX A few issues related to saving an (updated) WPO365 configuration (as JSON) on the plugin’s “Import / Export” page have been addressed.
- FIX The sub headers of the wizard now support rtl-direction.
18th April 2025 / v36.2
- FIX Functionality for forcing SSO for the (default / custom) login page has been restored. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
17th April 2025 / v36.1
- IMPROVEMENT Confirms support for WordPress 6.8. [ALL]
- IMPROVEMENT An administrator can define a (list of) referrer(s) that are allowed to send credentials to the login page when SSO is forced for the login page. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
- IMPROVEMENT Configuring a “GCC (High)” tenant using wp-config.php is now supported for both single and multiple IdP scenarios. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
- FIX The function of the “Public Homepage” setting has been restored. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
- FIX Support for the plugin User Switching has been restored when SSO is forced for the login page. [ESSENTIALS, PROFESSIONAL, INTEGRATE, CUSTOMERS (LOGIN+, SYNC, INTRANET)]
- FIX When an administrator configures WPO365 for WPMU to allow partial independence for each subsite, WPO365 will now always require users to re-authenticate when navigating between subsites. [ALL]
- FIX When “WPO365 User Synchronization” fails because its next-link has expired, it will now correctly send a “failure” notification. [INTEGRATE (SYNC, INTRANET)]
11th March 2025 / v36.0
- BREAKING CHANGE A previous update that redirected users without privileges for the site they requested to their dashboard URL or primary site in a WordPress Multisite Network has been rolled back. Now, WPO365 will display an access-denied splash screen instead, notifying the user of the denied access. If the user has already authenticated successfully, the screen will also show a list of sites where they do have privileges. [LOGIN]
- BREAKING CHANGE WPO365 will no longer redirect a user back to the login page of the site they requested in a WordPress Multisite Network when they do not have privileges to access that site. Instead WPO365 will display an access-denied splash screen, notifying the user of the denied access. If the user has already authenticated successfully, the screen will also show a list of sites where they do have privileges. [LOGIN]
- IMPROVEMENT The Calendar app (to embed an Exchange / Outlook Calendar in WordPress) can now be configured to show the personal calendar of the logged-in user. The tutorial has been updated accordingly. [APPS, INTEGRATE (INTRANET)]
- IMPROVEMENT The plugin can now also secure the WordPress REST API using App Roles / application-level access tokens (obtained using the client-credentials flow). The documentation has been updated to cover this scenario. [ESSENTIALS, PROFESSIONAL, INTEGRATE (LOGIN+, SYNC, INTRANET)]
- IMPROVEMENT Users that are able to bypass SSO for the login page – by adding the secret key to the URL – are now also able to request a password-reset link and reset their password accordingly. [ESSENTIALS, PROFESSIONAL, CUSTOMERS, INTEGRATE (LOGIN+, SYNC, INTRANET)]
- IMPROVEMENT Administrators can now configure WPO365 to use a user’s email username as the domain for a new (WordPress Multisite) network subsite (instead of the user’s stringified WP User ID). [ESSENTIALS, PROFESSIONAL, CUSTOMERS, INTEGRATE (LOGIN+, SYNC, INTEGRATE)]
- FIX The favicon.ico file will now automatically be added to the list of pages freed from authentication, since – on WordPress Multisite – a user may request this file from the main site where the user does not have any privileges. [LOGIN]
- FIX The plugin will now also redirect users attempting to access the login page when the administrator has enabled SSO for the login page and the user is already logged in. [ESSENTIALS, PROFESSIONAL, CUSTOMERS, INTEGRATE (LOGIN+, SYNC, INTRANET)]
- FIX WPO365 will now remove any duplicate slashes from the current request URI, to prevent attackers from bypassing, for example, SSO when it’s forced for the login page. [LOGIN]
- FIX The powerbi-client package has been updated to its latest version. [LOGIN, APPS, INTEGRATE (INTRANET)]
- FIX Fixed a string-format error that caused a critical error when the option to “Create new users in WordPress” would have been unchecked. [ALL PREMIUM]
- FIX The TLD “lan” has been added to the license-checker list of exceptions. [LOGIN, MSGRAPHMAILER]
- FIX “WPO365 Audiences” checkboxes on the Users, Posts and Pages screens in WP Admin are now displayed correctly again. [ROLES + ACCESS, PROFESSIONAL, INTEGRATE (SYNC, INTRANET)]
- FIX An issue causing – under specific circumstances – an “array-to-string conversion” warning in the Url_Helpers class has been resolved. [LOGIN, MSGRAPHMAILER]