GTM Kit 2.15.0: a security update and a new settings filter for integrators

GTM Kit 2.15.0 is a small, focused release. It hardens how the settings screen handles links that come from outside your site, and it adds a new gtmkit_settings_registry filter that lets companion plugins add their own settings fields to the GTM Kit settings screen. We recommend updating.

If you only run the free plugin, there is nothing to configure and nothing changes in your data layer. The security fix applies automatically.

What changed

Security hardening on settings links

The GTM Kit settings screen can show a few links that originate from outside your WordPress install: upgrade offers, template suggestions, tutorials, and notifications served from gtmkit.com. As of 2.15.0, every such link is validated before it is ever used for navigation.

There is no action to take and no visible change on a correctly configured site. This is a defensive measure: it ensures that only well-formed, expected links are ever followed from the admin screen, regardless of what remote content is delivered. We recommend updating so the validation is in place.

New gtmkit_settings_registry filter for integrators

GTM Kit’s settings screen now exposes a field registry, and a new gtmkit_settings_registry filter lets a companion plugin register its own settings fields with that screen at runtime, instead of building a separate settings page of its own.

This is groundwork for GTM Kit’s next-generation settings interface, where related settings from across the GTM Kit family can live together in one consistent place rather than scattered across separate screens. 2.15.0 ships the public seam; you will see the payoff as that interface rolls out.

For most site owners this is invisible today. For developers building on top of GTM Kit, it is a documented, supported way to surface your own configuration alongside GTM Kit’s.

Developer notes

• gtmkit_settings_registry lets you register settings fields with the GTM Kit settings screen at runtime. The settings screen now exposes its field registry and related metadata, so an add-on can declare its fields against a stable contract rather than rendering a parallel settings page. This is the seam GTM Kit’s own add-ons use to register their fields.

No filters were removed or changed. There are no breaking changes and no minimum-version changes in this release.

Upgrade notes

Nothing to do. There are no settings changes, no data-layer changes, and no minimum WordPress or WooCommerce version changes. The security validation applies automatically on update. Classic and block WooCommerce tracking, engagement events, and consent behaviour are all unchanged from 2.14.

What’s next

The new settings interface that gtmkit_settings_registry underpins continues to take shape, bringing settings from across the GTM Kit family into one consistent place. More on that as it lands.