Yes, typo!

Thanks for letting me know.

did the upgrade but still shows RC4, typo ?

XOOPS 2.7.0-RC5 Released for Testing

DOWNLOAD: https://github.com/XOOPS/XoopsCore27/releases

What's Changed

• chore(deps): bump actions/cache from 5.0.4 to 5.0.5 by @dependabot[bot] in #22
• show section for system services always, after controlpanel by @ggoffy in #21
• normalize profile and session indexes for 2.7.0 by @mambax7 in #23
• TinyMCE default config was not actually loading the full plugin set. by @mambax7 in #24
• the /install folder is deleted after installation, so we can't call d… by @mambax7 in #25
• SonarQube settings update by @mambax7 in #26
• fix(install): add menusitems FK during fresh install for schema parity (#9) by @mambax7 in #27
• RC-scoped 3.6.4 fixes for PHP 8, dblayertrap, and filter loading by @mambax7 in #28
• fix for skipping index normalisation on profile_field.field_name, if … by @mambax7 in #29
• Setting utf8mb4 as a default by @mambax7 in #30
• fix(xbootstrap5): load runtime scripts in the right order by @mambax7 in #31

Full Changelog: v2.7.0-RC4...v2.7.0-RC5

The Upgrade deletes obsolete files based on XOOPS 2.5.11 (at least that's what it should do).

However, it will leave old themes, in case people made changes to them and are using them.

If you tell me which obsolete files from XOOPS 2.5.11 are still there, I'll be happy to investigate it to make sure that 2.7.0 Final deletes them.

Yes , I did upgrade but was not aware that was already covered.
For example class/mail directory the contents differs from the orginal 2.7 directory

It's good to hear that the updates were successful.

Did you run the /upgrade? It should remove the majority of, if not all, obsolete files.
Which files do you consider obsolete? Please list them here and I'll look into it.

Updated 4x XOOPS 2.5.11 sites without problems, maybe its good idea to have also a post script to remove absolute old files to keep it clean
thank you

xDonations module for XOOPS 2.7.0 allows a site to accept donations/payments from Paypal and track donations using the Paypal IPN notification.

CODE: https://github.com/mambax7/xdonations/releases

FORK: https://github.com/mambax7/xdonations/

What xDonations does
xDonations provides:
• PayPal donation checkout
• PayPal IPN transaction tracking
• treasury and manual financial register management
• donor and donor-meter blocks
• optional anonymous donations
• optional group/rank assignment after successful donations
• sandbox testing support

Documentation
Local module documentation:
• docs/tutorial.md
• docs/changelog.txt
• docs/compatibility.md

PayPal configuration
The most important module settings are:
• PayPal URL
• Receiver Email
• Thank You URL
• Cancel URL
• Currency Code

PayPal URL
Use one of these values:
• live: http://www.paypal.com
• sandbox: http://www.sandbox.paypal.com

Receiver Email
Receiver Email supports either:
• a single merchant email
• a combined live and sandbox value separated by |

Examples:
merchant@example.com
live@example.com|sandbox@example.com
Behavior:
• live uses the first email
• sandbox uses the second email
• if only one email is provided, that same value is used in both environments
This is especially useful for PayPal Sandbox testing and avoids sandbox INVALID_BUSINESS_ERROR issues caused by posting a live merchant address to the sandbox endpoint.

Development notes
The module now includes:
• safer install/update migrations
• hardened IPN validation
• repository/service extraction for transaction and financial logic
• PHPUnit coverage for critical IPN and utility behavior
• PHPStan configuration at module level

XOOPS 2.7.0 RC4 is available for testing

https://github.com/XOOPS/XoopsCore27/releases/


Thanks to @Ggoffy, @heyula, and @JJDai54 for testing, reporting bugs, and submitting fixes

See details here: https://xoops.org/modules/publisher/item.php?itemid=6114

The XOOPS Development Team is pleased to announce XOOPS 2.7.0 Release Candidate 1.

Quote:

Download RC1: https://github.com/XOOPS/XoopsCore27/releases

This is a release candidate intended for testing only. Use in a production system is not without risks.

Headline Changes

Modern PHP

PHP 7.x support is dropped. PHP 8.2 is the new minimum; CI runs against 8.2, 8.3, 8.4, and 8.5 on every commit. Dead code for older PHP versions is removed, session handlers are consolidated, and the installer enforces the 8.2.0 minimum.

Smarty 4

The template engine moves from the ancient forked Smarty 2 to Smarty 4.5.5. Sites with old Smarty 2 syntax need a review before upgrading. The bundled

upgrade/preflight.php

scanner identifies outdated themes and module templates before you begin.

New Admin Theme: Modern

XOOPS 2.7.0 ships Modern, the first major admin UI refresh in years. The existing Transition theme continues to work. System admin themes gain a template overload capability for customisation without patching core files.

System Menu — Rebuilt Clean-Room

Custom site navigation is now a first-class admin feature. The system menu module is fully rewritten with new tables, controller, templates, CSRF protection, permission handling, cycle detection, and depth limits. Manage categories, items, display order, icons, and per-group permissions from System Admin.

Four New Front-End Theme Platforms

• xSwatch5 — Bootstrap 5.3.8, successor to xSwatch4. Drop in, pick a Bootswatch variant, done.
• xBootstrap5 — Pure Bootstrap 5 reference theme, kept in sync with upstream.
• xTailwind — Tailwind CSS + DaisyUI (35 palettes) + Alpine.js, with a new XoopsFormRendererTailwind so forms render natively without overrides.
• xTailwind2 — Art-directed sibling of xTailwind with curated palettes and stronger visual hierarchy.

Security Hardening

• CSRF tokens on all module admin AJAX requests — previously some GET-based toggle handlers had no token validation.
• SameSite + Secure session cookies are now admin-configurable (Lax/Strict/None) with secure-by-default values.
• eval() removed from core. DB-stored PHP blocks are retired; file-based PHP blocks still work. Protector's lifecycle files also purged of eval().
• unserialize() audit — every core call now uses ['allowed_classes' => false], blocking PHP object injection.
• Protector hardened — proper exec() override, input validation on table prefixes, safe badips file handling, failure-aware admin actions.
• XSS sweep — all SonarCloud-flagged reflected-data paths escaped.
• Open redirect fix — URL scheme check decodes HTML entities before matching, checks scheme only, and is whitelist-based.
• Directory traversal — filename allowlists call basename() before the character check.
• Multibyte validation — form length checks use mb_strlen() throughout; CJK/Arabic/emoji no longer over-count.
• Password comparisons use strict === and hash_equals() throughout.
• Request::getInt() Elvis pitfall fixed — 0 no longer silently falls back.

Form & UI Fixes

• XoopsFormTextDateSelect — renders genuinely empty when stored value is 0 instead of defaulting to today's date.
• DHTML editor image width — strict regex replaces permissive parseInt, so real widths are preserved.
• Required-field asterisks (*) now render correctly in module admin forms.
• Breadcrumbs and xoAdminIcons are consistent across all system admin pages.
• PM recipient pickers filter by module access permission.
• PM delete confirmation UX improved with centred popups and xBootstrap5 templates.