The development of this version has cost 1,100 euros. The accumulated cost for this year is 9,500 euros. The accumulated cost since the first version is 208,230 euros, but the cost for you is only the license of 79€.
New branch 30.3.x of the Redsys plugin for WooCommerce from WooCommerce.com.
Branch versions
30.3.0
New:
- Order status override for virtual/downloadable products in Advanced Settings. When all products in an order are virtual or downloadable, the order status can be automatically set to Completed instead of Processing.
- The Redsys response code 0115 (canceled card or closed account) now automatically removes the stored card token, notifies the customer with instructions to add a new payment method (My account > Payment methods), and notifies the administrator.
- Email notification to the administrator when a customer's credit card is automatically removed due to definitive rejection response codes from Redsys (0115, 0172, 0173).
- Improved email to the customer when a card is removed: now includes the last 4 digits of the card, the error code, and a direct link to add a new payment method.
- The COF_INI flag (Credential on File initial) is now saved in the order metadata (_redsys_cof_ini) for all types of COF transactions (R and C), preventing duplicate token creation when COF_INI=N.
Fixed:
- Corrected that the test mode of Conditional Rules now correctly applies to the Redsys gateway URL. Previously, orders with conditional rules that overwrote the test mode continued using the default gateway URL.
- Fixed the duplicate token creation when the customer already has a saved card and COF_INI=N is sent to Redsys.
- Fixed undefined array key notices in save_field_update_order_meta() when conditional rule data is incomplete.
- Fixed the $redsys->debug reference that was using the incorrect variable in the preauthorization log (now uses $this->debug).
- Fixed that sanitize_text_field was applied before substr for HTTP_ACCEPT_LANGUAGE in Google Pay and Apple Pay Checkout, ensuring the correct order of sanitization.
- Google Pay Checkout now ensures that WooCommerce transactional emails are initialized before calling payment_complete() in payment callbacks.
30.3.1
Security:
- [Media] Fixed an authenticated account takeover vulnerability that could allow an attacker to impersonate any user account, including administrators.
- [Low] Fixed unauthenticated access to order status and user data.
Fixed:
- The PayGold link generated from the order metabox in the admin was never saved correctly due to an impossible response code condition in send_paygold_link(). The function now uses the same validation logic as the checkout flow (response code 9998).
- Fixed the undefined variable $description in paygold_metabox_save() when sending a PayGold link from the order edit screen.
- The custom notification domain (redsys_url_notify) failed because check_url() prefixed home_url() to URLs that already had a different domain. check_url() now detects absolute URLs and preserves them as they are.
- get_notify_home_url() now automatically adds https:// when the custom notification domain is saved without a scheme.
- Compatibility with PHP 8.3+ — Fixed deprecation notices when passing null/false to string functions (trim, strlen) from calls to get_option() in get_txnid(), get_token_type(), and connect_standard_imap().
- Compatibility with PHP 8.3+ — Fixed add_submenu_page(null,…) in the setup guide that caused deprecation notices in strpos()/str_replace().
