### Features
- **SMTP Email**: Added third-party email provider integrations (Brevo, SendGrid, Postmark, SparkPost, Emailit, ToSend) as alternatives to raw SMTP credentials. Refactored module into a handler architecture with `EmailHandlerInterface`, `BaseEmailHandler`, and `ProviderRegistry`; `SmtpHandler` is now a thin orchestrator that delegates to the active provider.
- **SMTP Email**: API key verify button with real connection test, improved email logs with auto-refresh, status badges, and error tooltips.
- **Maintenance Mode**: Admin bar one-click toggle with role-based permissions (Pro). New `POST /wpextended/v1/maintenance-mode/toggle` REST endpoint with nonce verification and role-based permission checks.
- **Global**: New `uninstall.php` runs destructive cleanup only when the plugin is uninstalled and `remove_plugin_data` is enabled; deactivation is now non-destructive.
### Fixes
- **Debug Mode**: Pro bootstrap kept registering hooks after module disable, leaving a persistent "WP Debug is currently disabled" admin notice. Bootstrap now bails when the parent module is disabled and clears stored notices.
- **Duplicate Post**: Elementor-built pages lost all styles on duplication because the integration called `files_manager->clear_cache()` (a global cache nuke) instead of regenerating per-post CSS. Now uses `Post_CSS::create($postId)->update()` and clears `_elementor_element_cache`.
- **User Last Login**: Last Login column not rendering values in users list table.
- **Folder Manager**: Block editor folder panel returned "could not move to folder" (404). Fixed by switching from WP core `/wp/v2/{postType}/{postId}` to the plugin's `wpextended/v1/folder-manager/items/move` endpoint which handles post type resolution internally.
- **Rollback Manager**: `ArgumentCountError: Too few arguments to function themeActionLink()` crashed the Themes screen on multisite. The `theme_action_links` filter passes 3 args, not 4; callback signature corrected to use the `WP_Theme` object passed as the 2nd arg.
- **SMTP Email**: Download Logs button did not trigger the CSV export. Rendered element switched from a button-style `link` type to an anchor tag with `data-allow-default` so the browser follows the download URL [Pro].
### Security
- **SMTP Email**: The admin-post handler for exporting email logs as CSV did not enforce a capability check. Added `manage_options` gating consistent with the REST log endpoints; non-admin users now receive 403 [Pro].
### Design Rationale
- Cleanup moved out of `Deactivator` and into `uninstall.php` so users can temporarily deactivate the plugin without losing module settings or custom table data.
- SMTP module refactor favours per-provider HTTP handlers over a monolithic SMTP class; each provider implements `EmailHandlerInterface` for consistent send/test behaviour.
- Maintenance Mode admin bar is always visible for users with toggle permission (red when active, neutral when disabled); admins get a settings sub-link, non-admin toggle users only see the toggle.
### Security
- Fixed privilege escalation vulnerability in Menu Editor module that allowed lower-privileged users to gain elevated capabilities
- Restricted disk usage widget to administrators only
- Removed blanket capability grants on dashboard/profile requests
### Design Rationale
- Menu Editor no longer dynamically grants capabilities to users; instead it validates that the current user already holds the required capability before rendering menu items
- SettingsManager capability field now displays a description warning about high-privilege capabilities rather than injecting runtime grants
### Notes & Caveats
- Users who relied on Menu Editor to grant capabilities to lower roles will need to assign those capabilities via a role management plugin instead
* Added: Folder Manager: Folder panel support in media library popup/modal.
* Added: Folder Manager: Refresh functionality and internationalization support.
* Added: Duplicate Post: Element selection filters and per-duplication modal for choosing which elements to duplicate [Pro].
* Improved: Duplicate Post: Enhanced code structure and UI elements.
* Improved: Folder Manager: Styling and UX improvements.
* Fixed: Menu Editor: Replaced persistent capability changes with in-memory filtering to prevent database capability pollution.
* Fixed: Menu Editor: Virtual capabilities now correctly granted for role-based menu access.
* Fixed: Menu Editor: Per-user deny rules now respected in role-based capability grants.
* Fixed: SMTP Email: PHPMailer state not clearing between wp_mail() calls causing recipient accumulation.
* Fixed: Disable XML-RPC: Refined XML-RPC request handling.
* Fixed: Disable Blog: Redirect conflict with SureCart and similar plugins.
* Fixed: Quick Add Post: Button insertion timing and selector updates.
* Added: Folder Manager: Bulk actions for moving multiple items at once.
* Added: Folder Manager: Off canvas sidebar on smaller screens for mobile responsiveness.
* Added: Global: WordPress 6.9 Support.
* Improved: Admin Customiser: HTML support to admin footer text field.
* Fixed: Admin Customiser: Sidebar icon misaligned.
* Fixed: Admin Customiser: Issue with certain icons in settings not loading due to blocked PHP config setting.
* Fixed: SMTP Email: Bug introduced with WordPress 6.9 with sending from certain WordPress configurations.
* Fixed: Duplicate Posts: Post redirect default value.
* Fixed: Code Snippets: Certain whitespace characters in snippets not running and crashing.
* Fixed: Global: Licensing not activating for certain websites.
* Added: Folder Manager: Organize posts and media into folders with drag-and-drop functionality.
* Added: SVG Upload: Support to restrict to specific user roles
* Improved: Menu Editor: Collapse child menu items for easier drag and drop experience
* Fixed: Menu Editor: Some child menu items being appended to top level menu
* Fixed: SVG Upload: Issue with certain SVG's not being uploaded
* Fixed: Quick Search: Docs link
* Fixed: Admin Customiser: Sidebar icons not hiding when option enabled.
* Fixed: Admin Customiser: Remember me option not applying
* Fixed: Admin Customiser: Custom Message not displaying on login page
* Fixed: SMTP Module: Encoding issue with certain special characters
* Fixed: User Last Login: Added default format fallback when not set specifically
* New: Global: CLI support
* New: Post Type Switcher: Added ability to bulk move multiple posts from one post type to another [Pro]
* New: Post Type Switcher: Added ability to change post type in quick edit view
* Fixed: Framework: Rich text editor field not triggering save tray
* Fixed: Clean Profiles: Sections not hiding correctly
* Improvement: Disable Blog: Added filter to prevent default WordPress taxonomies from being deregistered
* Fixed: Media Trash: Notice not hiding after being dismissed or when disabling the module
* Fixed: Media Replace: PDF preview thumbnails not being deleted, causing orphaned preview thumbnails in the media library
* Fixed: Global: License key not activating when importing config via settings
* Fixed: Custom Login URL: Admin customizer login page logo not displaying when using a custom login URL
* Fixed: Duplicate Post: Default settings not being saved when module is enabled, causing duplicate button to not display
* Fixed: Hide Admin Notices: Defaults not being applied to the module when no settings were changed after module activation