OliveroDev Media Audit – Media Library Cleaner & Optimizer

Changelog

3.4.8

• Fix: PHP fatal error in Logger — includes() is not a valid PHP function. Replaced with the correct ABSPATH . wp-admin/includes/ path with file_exists() guard, matching the pattern used in the Scanner class.

3.4.7

• Fix: Elementor 4.x Grid background images (Spacer widget inside Grid container) are now detected during scans — the scanner explicitly processes all _elementor_data rows for atomic $$type format IDs, including rows without upload URLs that step 7’s URL filter previously skipped.

3.4.6

• Fix: Broaden Elementor 4.x $$type detection to match ANY $$type object (image, background, grid, etc.) with a numeric "value", not only "image-attachment-id". Previously missed backgrounds on Grid → Spacer and similar nested element structures.

3.4.5

• Fix: Elementor 4.x atomic format detection now covers all keys, not just "id". Background images stored under "background_image", "image", or any other key using $$type objects are now detected.
• Fix: “Where is it used?” now searches _elementor_data and _elementor_css postmeta for both classic and atomic ID patterns + URL, fixing the “No specific location found” message for Elementor content.

3.4.4

• Fix: Elementor 4.x compatibility — the scanner now detects attachment IDs stored in the new atomic JSON format ($$type descriptors). Elementor 4.x stores "id": {"$$type":"image-attachment-id","value":N} instead of the classic "id":N, and the previous regex missed it entirely. Background images on Containers/Sections now show as “used” on Elementor 4.x sites.

3.4.3

• Fix: Protocol-agnostic URL matching — the scanner now checks both http and https variants when scanning postmeta, options, usermeta, and termmeta. Fixes false positives where page builders (Elementor, etc.) stored URLs with a different scheme than the current site URL.
• Fix: Elementor CSS transient is now cleared on save_post, so newly generated CSS files are picked up on the next scan instead of being missed due to stale cache.

3.4.2

• Security: Hardened SQLi prevention — table and column names are validated against a whitelist before being used in database queries.
• Security: Added realpath() resolution to prevent symlink-based path traversal in file deletion routines.
• Security: File size helper now validates the path is within the uploads directory.
• Security: Escaped wp_get_attachment_image() output to prevent stored XSS via image alt text.
• Security: Replaced FILTER_UNSAFE_RAW with direct sanitize_key() calls for all input variables.
• Security: Added index.php to logs directory for directory listing hardening.
• Security: Elementor CSS file reading now validates files are within the expected directory.

3.4.1

• Fix: “Start New Scan” / “Resume” button icon now stays white at rest (was inheriting an inconsistent blue/green from the admin color scheme) and turns purple while the scan animation is running.

3.4.0

• New: Slider safety net — the scanner now also checks Smart Slider 3 and LayerSlider tables (in addition to the existing Slider Revolution check). Images used inside these sliders are detected as “in use” and protected from accidental deletion, even when only referenced via shortcode.

3.3.11

• Rewrite: Inverted-Index scan engine — builds a complete set of in-use attachment IDs once per scan (scanning every content source in a single DB pass), then per-file checks are O(1) array lookups. Eliminates the N×M LIKE queries that caused false negatives and timeouts.
• Fix: “everything shows as unused” — root cause was unreliable LIKE-query approach. The new engine uses PHP regex on fetched content, exact ID queries, and a URL→ID reverse map, eliminating LIKE escaping bugs entirely.

• Detection now covers: post_content (regex), postmeta, wp_options, wp_usermeta, wp_termmeta, Elementor CSS files (disk), Elementor compressed data, Slider Revolution, featured images, WooCommerce galleries, ACF ID fields, shortcode gallery IDs, site icon, custom logo.

• New: Real-time scan counter — dashboard shows “X unused found” updating live while scan runs, eliminating the perception that the plugin found nothing during long scans.

• Fix: Sort by Size on Unused tab no longer breaks the unused filter — the OR clause was overriding the unused-only condition.
• Fix: Sort by Size on Library tab now includes all files regardless of scan status.

3.3.8

• Fix: Library tab no longer shows blank page on fresh installs — rows without scan data show a “Not scanned” badge instead of triggering 1000+ live queries per page load.
• Fix: Sorting by Size without a prior scan no longer returns zero results.
• New: “Not scanned” status badge with muted style for files not yet analyzed.

3.3.7

• Fix: WooCommerce product gallery images (_product_image_gallery) now correctly detected as in-use — previously showed as unused on WooCommerce sites.
• Fix: ACF image and file fields storing attachment IDs now detected via ACF shadow key join — eliminates false positives on ACF-powered sites.
• Security: Replaced data-imghtml + .html() in delete modal with data-imgurl + document.createElement('img') — removes potential XSS vector in file preview.

3.3.6

• New: AJAX tab navigation — switching between Dashboard, Unused Files, Library, and Settings no longer triggers a full page reload. Includes skeleton loader for instant visual response.
• New: Adaptive scan engine — batch size auto-adjusts based on server throughput, memory limit, and PHP time limit. Starts at 5 items and grows or shrinks per batch to prevent timeouts on any hosting environment.
• New: Offset-based scan pagination — replaces page-based approach so batch size can safely change between requests without skipping or double-scanning files.
• Fix: render_media_row() no longer calls the full scanner on every page render — reads cached postmeta instead, reducing page load from 1000+ queries to ~20.
• Fix: Cron scan updated to use offset-based scan_batch() signature.

3.3.5

• Fix: Elementor CSS scan — now scans all *.css files in uploads/elementor/css/ without a stale post-ID filter, using a 1-minute file-list transient and 2-minute per-file object cache.

3.3.1

• Fix: Fatal error on activation — oliverodev_media_audit_get_filesystem() called includes() which is not a valid PHP or WordPress function. Replaced with a direct filesize() call; WP_Filesystem is unnecessary for reading file sizes.

3.3.0

• New: CSS background-image detection — now detects media files used in inline styles and custom CSS (parallax backgrounds, hero sections, etc). Fixes issue where background images were incorrectly marked as unused and deleted.
• New: Private method check_css_background_usage() searches for url() patterns in post_content and postmeta.
• Fix: RevSlider table check was using undefined $terms variable — changed to $search_terms.

3.2.9

• Fix: “Where is it used?” now correctly finds Gutenberg block references. Previously returned “No specific location found” for images inserted via Gutenberg blocks because the search only used the full URL. Now also searches for wp-image-{id} CSS class and "id":N JSON block patterns — matching all detection methods used by the scanner.

3.2.8

• Improved: PRO upgrade banner completely redesigned with benefit-focused messaging, risk-oriented copy, and trial-first CTA (“Try PRO Free — 3 Days”). Dynamic unused file count shown in the banner copy.

3.2.7

• New: “Where is it used?” button on every Used file — shows the exact posts, pages, or theme settings referencing each file.
• New: Real-time scan counter — displays “Scanning X of Y files · Z remaining” during active scans.
• New: Delete confirmation modal — shows file thumbnail, name, and size before permanent deletion instead of a plain browser dialog.
• New: Export CSV — download a spreadsheet of all unused files directly from the Unused Files tab.

3.2.6

• Fix: Removed false positive detections caused by overly broad serialized-integer patterns (i:N;, ,N,, ,N") being matched in postmeta, usermeta, termmeta, and options tables.
• Fix: Removed unreliable exact-integer postmeta match that incorrectly flagged files as used when unrelated meta keys (e.g. _edit_last, counters) happened to store the same number as a media ID.
• Improvement: JSON and HTML id-based patterns ("id":N, data-id="N", etc.) are now scoped exclusively to post_content where Gutenberg blocks live, eliminating false positives in meta tables.

3.2.5

• Hide the “Get PRO” banner when PRO is already active via license integration.

3.2.4

• Maintenance release for ww.wp.xz.cn package compliance and metadata alignment.

3.2.3

• Fixed PRO upgrade link to Freemius checkout.

3.2.2

• Added animated PRO upgrade banner in dashboard.
• Added link to upgrade to PRO version.

3.2.1

• Improved ww.wp.xz.cn submission compatibility and plugin metadata.
• Added plugin text domain loading.
• Refreshed compatibility metadata.

3.2.0

• Refactored scanning architecture for improved performance.
• Updated compatibility metadata.