Cutmap Editorial Workflow

by aswinikumar

Description

Cutmap Editorial Workflow is a robust, professional-grade content management solution designed for publishers, news portals, and content-heavy websites. It brings structure, accountability, and security to your editorial team by implementing a controlled content creation and review workflow.

Say goodbye to accidental publishes and unreviewed edits. With Cutmap Editorial Workflow, every piece of content goes through a defined chain of command before reaching your audience.

Key Features

  • Role-Based Access Control: Empowers your team with specialized ‘Creator’ and ‘Approver’ roles, restricting access to only what they need.
  • Content Isolation: Creators and Approvers only see the tasks assigned to them, reducing clutter and preventing unauthorized edits on other content.
  • Safe Live Editing: Edit published content safely in the background. The public continues to see the approved version while your team works on revisions.
  • Centralized Assignment Dashboard: A dedicated space for administrators to monitor all active workflows and assign tasks effortlessly.
  • Automated Notifications: Keep the workflow moving with real-time email and admin alerts for assignments and status changes.
  • Audit Trail: Maintain a transparent history of who created, edited, and approved each piece of content.

Installation

  1. Upload the cutmap-editorial-workflow folder to the /wp-content/plugins/ directory.
  2. Activate the plugin through the ‘Plugins’ menu in WordPress.
  3. Use the ‘Workflows’ menu in the admin dashboard to start assigning content.

FAQ

Can I use this for Custom Post Types?

Yes, the Cutmap Editorial Workflow supports Posts, Pages, and all registered Custom Post Types.

How do I add a Creator?

The plugin automatically creates a ‘Creator’ role upon activation. You can assign this role to any user from the WordPress ‘Users’ menu.

Feedback regarding bugs and issues

By kiyotakakiritoooo on May 1, 2026

Hello sir,

Installed this plugin for just taking a look and the core workflow works fine. Creator, approver, assignments all function as expected. The approved snapshot idea is actually very nice, sir. But found some real problems while going through the code.

The plugin comes with a hardcoded password "W***f***1*3" for sample users. I am hiding it so that I don't disclose the password. Anyone who reads the source code will know it. Not safe at all for a real website.

The entire workflow can be bypassed by calling the WordPress REST API directly. Send a POST request to wp-json with status publish and it goes live without any approval. The plugin doesn't cover this at all.

When an approver rejects a post, the approved snapshot gets overwritten with the rejected content, so visitors end up seeing the version that was literally just rejected. Seems like a bug.

Every single page load in wp-admin triggers a full database schema check, which makes the admin panel noticeably slow, especially on shared hosting.

When you uninstall the plugin it only removes the user roles. The database tables and all the post meta it created are left behind. Had to clean manually with phpMyAdmin.

The audit log is supposed to track every edit but it keeps overwriting the same row instead of adding new entries, so you lose the history of intermediate changes completely.

I just found these out using the normal analysis I do when I install new plugins and that sort of stuff. I hope this review and feedback find you well, sir.

Changelog

1.4.7

  • Security: Hardened database queries by replacing serialized lookups with direct relational structures for improved performance and safety.
  • Security: Eliminated inline JavaScript by moving workflow actions to a dedicated static file.
  • Security: Added explicit early exits after redirects to ensure execution flow integrity.
  • Code Quality: Standardized line endings to LF and added .gitattributes for repository consistency.
  • Cosmetic: Cleaned up package docblocks across the codebase.

1.4.6

  • Security: Removed hardcoded sample-user password (Workflow@123). Each new sample user now receives a unique password generated via wp_generate_password(16, true), displayed once in the admin notice and never stored in source.
  • Security: Added rest_pre_insert_{post_type} enforcement to block unauthorized publish attempts via the REST API. Admin-role REST tokens can no longer bypass the editorial workflow when a post has an active assignment.
  • Bug fix: reject() no longer overwrites the approved content snapshot with the rejected draft. Visitors continue seeing the last explicitly approved version while the creator revises and re-submits.
  • Performance: dbDelta() schema checks in CUTMAP_DB and CUTMAP_WNS are now guarded by a version option (cew_db_version, cew_wns_version). The expensive schema introspection runs only on activation/upgrade, not on every page load.
  • Cleanup: uninstall.php now deletes all _cew_* post meta rows and removes plugin version options, leaving no orphaned data after deletion.
  • Reliability: The ALTER TABLE … DROP INDEX migration for the audit-log unique key now runs reliably on every upgrade because the schema version option is cleared on activation.
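
The REST API enforcement described in the 1.4.6 entry above, sketched as an added example; this is not the plugin's own code. The function name, error code and the `_cew_example_assignment_status` meta key are hypothetical (the page only states that the plugin's meta keys start with `_cew_`).

```php
<?php
// Added illustration; not code from Cutmap Editorial Workflow.
// Assumption: an active assignment is recorded in the hypothetical post meta
// key below (the page only says the plugin's meta keys start with _cew_).
const CEW_EXAMPLE_ASSIGNMENT_META = '_cew_example_assignment_status';

/**
 * Refuse REST writes that would make a post under review publicly visible.
 *
 * @param stdClass|WP_Error $prepared_post Post fields about to be saved.
 * @param WP_REST_Request   $request       Incoming REST request (unused).
 * @return stdClass|WP_Error Unchanged post data, or an error that aborts the save.
 */
function cew_example_block_rest_publish( $prepared_post, $request ) {
	if ( is_wp_error( $prepared_post ) ) {
		return $prepared_post;
	}

	// post_status is only set when the request carries a "status" field.
	$status = isset( $prepared_post->post_status ) ? $prepared_post->post_status : '';
	if ( ! in_array( $status, array( 'publish', 'future' ), true ) ) {
		return $prepared_post;
	}

	// New posts have no ID yet and therefore no assignment to enforce.
	$post_id = isset( $prepared_post->ID ) ? (int) $prepared_post->ID : 0;
	if ( 0 === $post_id ) {
		return $prepared_post;
	}

	// Deliberately no current_user_can() exemption: administrators are held
	// to the workflow too, matching the behaviour the changelog describes.
	if ( 'active' === get_post_meta( $post_id, CEW_EXAMPLE_ASSIGNMENT_META, true ) ) {
		return new WP_Error(
			'cew_example_review_required',
			'This post has an active editorial assignment and cannot be published over REST.',
			array( 'status' => 403 )
		);
	}
	return $prepared_post;
}

// Register late on init so custom post types are already registered.
add_action( 'init', function () {
	foreach ( get_post_types( array( 'show_in_rest' => true ) ) as $post_type ) {
		add_filter( "rest_pre_insert_{$post_type}", 'cew_example_block_rest_publish', 10, 2 );
	}
}, 99 );
```

This filter only covers writes that go through the core REST posts controller; other write paths such as XML-RPC need their own check.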

1.4.5

  • Resolved remaining critical security checklist issues including strict nonce validation across all forms/actions.
  • Sanitized remaining raw $_POST and $_GET superglobal accesses and strictly avoided empty() checks for them.
  • Re-audited output escaping inside admin tables and guaranteed all display logic passes through esc_html() and esc_url().
  • Ensured every single admin_post action starts with a firm current_user_can() capability check followed by wp_die().

1.4.4

  • Hardened admin actions with strict current_user_can() capability checks.
  • Improved security by ensuring complete table cleanup on uninstall.
  • Verified input sanitization and output escaping across the plugin.

1.4.3

  • Removed UTF-8 Byte Order Marks (BOM) from PHP files to satisfy automated checks.

1.4.2

  • Fixed unescaped translatable label strings in the frontend shortcode output by using esc_html__.

1.4.1

  • Fixed the_title escaping context from wp_kses_post to esc_html.
  • Fixed stale admin hook slug to ensure assets enqueue correctly.

1.4.0

  • Fixed wp_enqueue issues by converting raw script/style tags.
  • Added rigorous escaping output (wp_kses_post) to all filter callbacks.
  • Cleaned up unclosed ob_start buffers to ensure safe hook flows.
  • Changed short prefixes to longer CUTMAP_ prefixes.

1.3.0

  • Fixed plugin header metadata parsing issues for strict WordPress.org compatibility.

1.2.0

  • Renamed plugin to Cutmap Editorial Workflow.
  • Enhanced security: Enqueued all inline scripts and styles using WP core APIs.
  • Refactored prefixes to comply with WordPress official plugin guidelines.
  • Improved dashboard UI and workflow assignment screen.

1.1.0

  • Hardened security and addressed plugin review feedback.
  • Refined capabilities and user role checks.
  • Removed redundant database tables for improved performance.

1.0.0

  • Initial release.
  • Added Creator and Approver roles.
  • Added assignment tracking for posts and pages.
  • Added email notification system.