GivePayments for WooCommerce

Changelog

1.0.14

• Added: the GivePayments API is now fully authoritative for recurring subscription scheduling — subscription status changes (cancellation, completion, payment failure, re-activation) are driven by GivePayments webhooks and reflected automatically in WooCommerce.
• Added: cancelling a subscription in WooCommerce now also cancels the recurring billing instruction in GivePayments for all supported subscription plugins (WooCommerce Subscriptions, Flexible Subscriptions, WP Swings SFW, and YITH).
• Fixed: cancelling a subscription in one place (WooCommerce or GivePayments portal) no longer triggers a redundant cancel attempt in the other, preventing confusing duplicate notes and unnecessary API calls.
• Fixed: Flexible Subscriptions (FSB) subscriptions can now be cancelled correctly — the plugin now follows FSB’s required cancellation flow instead of attempting a direct status jump that FSB rejects.
• Fixed: WP Swings SFW subscriptions now show as cancelled in the WPS SFW interface after a webhook-driven cancellation, not just in the WooCommerce order screen.
• Fixed: YITH subscriptions created at checkout now correctly inherit the GivePayments recurring billing reference, ensuring webhook-driven status updates and cancellations work for YITH from the first billing cycle.
• Fixed: YITH subscriptions created before this update are automatically healed on the next webhook delivery — the plugin locates the correct subscription via the parent order and repairs the missing reference so future events are handled without manual intervention.
• Fixed: a fatal PHP error that could occur on Flexible Subscriptions admin screens when WooCommerce Payments is also active, caused by a type incompatibility between the two plugins.
• Fixed: subscription metadata is now stored correctly on stores using WooCommerce’s High-Performance Order Storage (HPOS), preventing silent data loss on HPOS-enabled setups.

1.0.13

• Fixed: voided payment webhook now acquires the shared refund accounting lock (gp_refund_acct_) instead of a separate gp_void_acct_ key, preventing a concurrent voided + refunded delivery from each winning an independent lock and creating duplicate WooCommerce refund records.
• Fixed: transition_order_to_refunded() re-reads the order status after winning the status mutex so a second concurrent delivery that waited for the lock does not fire update_status(‘refunded’) on an already-refunded order, preventing duplicate woocommerce_order_status_refunded hook invocations.
• Fixed: voided payment webhook now deletes the gp_refund_pending_note_ option set by a preceding refund.created event, preventing a stale wp_options row when a refund attempt is abandoned and the payment is voided instead.
• Fixed: refund.created webhook now guards against terminal order statuses (refunded/cancelled/failed) before calling GIVEPAYMENTS_Refund_Guard::mark_pending(), preventing refund-pending meta from being written on already-resolved orders and corrupting the can_refund_order() predicate.
• Fixed: amount arithmetic in the refunded webhook handler now uses wc_format_decimal() instead of raw float subtraction, matching the precision used by the chargeback and pre-chargeback refund paths and eliminating rounding drift on stores with non-standard decimal settings.
• Added: pre-chargeback refund events handling — pre_chargeback_refund.created, pre_chargeback_refund.approved, pre_chargeback_refund.settled, and pre_chargeback_refund.voided are now fully handled, triggering the appropriate WooCommerce refund record and order status transitions.
• Added: warning log entry when a webhook payload arrives without an event id, clearly flagging that duplicate-delivery protection is disabled for that request.

1.0.12

• Fixed: chargeback.created and chargeback.settled webhook events now create a WooCommerce refund record matching the full order amount, preventing the refunded amount from displaying as $0 on the order screen.
• Fixed: refund accounting lock for chargeback events is now ownership-safe — a unique token is stored with the lock and verified before release, preventing a stalled process from accidentally releasing a lock held by a concurrent delivery.
• Fixed: money arithmetic in refund accounting now uses wc_format_decimal() instead of raw float casts, eliminating rounding drift on stores with non-standard decimal configurations or multi-currency setups.
• Fixed: wc_create_refund() failure during chargeback webhook processing now returns a negative handler result so the webhook pipeline signals an unresolved delivery (allowing provider retry) instead of silently drifting into an unreconciled state.
• Fixed: plugin settings (API keys, webhook secrets, environment config) are no longer deleted on plugin deactivation — they are now only removed when the merchant explicitly deletes the plugin, preventing config loss during plugin updates.
• Added: uninstall.php — cleans up all plugin options when the merchant deletes the plugin via the WordPress admin.

1.0.11

• Added: GivePayments logo icon is now displayed next to GP-originated order notes in the WooCommerce order admin screen. Notes written directly by the plugin (payment, refund, void, renewals, webhooks) and side-effect notes generated by WooCommerce core during those operations (status transitions, payment-complete confirmation) are automatically tagged. Legacy notes containing “GivePayments” in their text are tagged as a fallback.

1.0.10

• Fixed: duplicate charge prevention — a cross-order dedup sentinel now blocks repeat submissions when a payment API timeout leaves the charge state ambiguous (cURL error 28 / WP_Error).
• Fixed: WooCommerce Blocks draft-order session pointer is now cleared on API timeout and on synchronous declines so the next checkout attempt creates a clean order instead of reusing the stale pending one.
• Fixed: orders marked with _givepayments_pending_timeout are now excluded from the WooCommerce auto-cancel unpaid orders cron, preventing the “sale went through then failed” email sequence.
• Fixed: $0 order guard — order totals are recalculated before the payment request and, if a prior transaction exists, the confirmed amount is recovered from the API before blocking the submission.
• Fixed: per-order checkout mutex prevents concurrent payment submissions for the same order from duplicate Blocks events or browser back-navigation.
• Fixed: card brand is now detected from the IIN/BIN and included in the dedup key, preventing false-positive blocks when two cards share the same last-4 digits but differ in network (e.g. Visa vs Mastercard).
• Fixed: encryption key generation uses an atomic add_option() call instead of a read-then-write pattern, eliminating a race condition that could overwrite the key under concurrent plugin activations.
• Fixed: synchronous payment declines (2xx with terminal processingState) now clear the Blocks session pointer, matching the behaviour already applied to HTTP 4xx declines.
• Fixed: checkout payment errors now follow Stripe-style handling by returning checkout failure with a shopper-visible notice and clearing stale checkout order pointers before retry.
• Fixed: HTTP 422 Invalid Input payment failures now surface provider field-level validation details when present, instead of only showing a generic invalid input message.
• Fixed: failed payment order notes now include the backend/provider error message or explicitly state when no provider message was returned.
• Fixed: invalid billing phone numbers are now blocked during checkout when provided, while optional empty phone values remain allowed.
• Added: givepayments_api_timeout filter allowing merchants and developers to override the HTTP timeout per endpoint and method without patching plugin code.
• Improved: POST /payments timeout raised to 45 s to reduce false-timeout errors on slower acquiring-network responses.
• Improved: dedup sentinel TTL reduced to 5 minutes (was 10) to shorten the customer retry window when a genuine server error occurs with no charge.
• Improved: payment error messages are now normalised through a dedicated GIVEPAYMENTS_Api_Response::parse_error() pipeline — field-validation errors (invalid_input) are surfaced to customers with human-readable field labels; all other provider error codes and messages are written to order notes only to prevent leakage of fraud scores or internal rule names.
• Improved: codebase refactored into focused domain classes (Payment, Refund, Webhook, Checkout, Http, Crypto, Subscription) for improved maintainability and testability.

1.0.9

• Changed: successful in-flight POST /payments responses (created, authorized, captured, processing, processing_issue) now move orders to WooCommerce processing immediately while webhooks remain authoritative for final reconciliation.
• Changed: refund.created and refund.pending webhooks now mark orders refunded in WooCommerce per merchant policy and mirror WooCommerce refund accounting for custom captured / processing_issue void actions.
• Changed: refund webhooks that confirm plugin-originated Void actions now use payment reversal wording in order notes.
• Fixed: captured webhooks now add a visible captured order note even when the order was already processing.
• Changed: admin actions now show Void for authorized, captured, and processing_issue payments; native WooCommerce Refund is reserved for settled payments.
• Fixed: duplicate pending refund notes and duplicate refunded status-transition notes from closely timed or repeated refund webhooks are suppressed.
• Fixed: native WooCommerce Refund button no longer briefly flashes before being hidden on GivePayments order screens where it is not available.

1.0.8

• Tested up to WordPress 6.9.
• Changed: payment.created and payment.authorized webhook events now move orders into WooCommerce processing immediately instead of pending, while still allowing later payment.failed / payment.declined events to transition the order to failed.
• Fixed: shipping addresses for countries without state/subdivision fields (e.g., Czech Republic, Netherlands) no longer cause GivePayments API validation errors at checkout.
• Fixed: WooCommerce Blocks checkout now surfaces the actual GivePayments error message (e.g., fraud blocks, declines) instead of the generic “Something went wrong” message.
• Fixed: race condition that could display a stale void amount of 0.
• Improved: payment description is now sourced from gateway settings with a safe empty-string fallback.
• Improved: production API URL handling and admin UI cleanup.

1.0.7

• Maintenance release with internal fixes and version alignment.

1.0.6

• Added: subscription adapter registry with MVP adapters for WooCommerce Subscriptions, WP Swings SFW, YITH, and Flexible Subscriptions by WP Desk — enabling card tokenization and renewal payment routing for supported subscription plugins.
• Fixed: duplicate void/refund handling and several race conditions when refunds or voids were initiated from WooCommerce.
• Fixed: refunds created through the GivePayments API are now correctly marked as refunded immediately, and voided transactions display a 0 amount.
• Fixed: declined transactions now correctly transition the order to failed.
• Fixed: native WooCommerce refund button is hidden when only a void action is allowed, preventing conflicting actions.
• Fixed: re-register webhook button label and checkout failure edge cases.

1.0.5

• Added: recurring payments phase 1 groundwork.
• Added: re-register webhook button in the gateway settings.
• Added: void action for authorized transactions.
• Improved: webhook signature verification, registration handling, and logging for stale entries.
• Improved: status lifecycle now relies on the raw provider processing state, with refund/chargeback events no longer overwriting the underlying payment state.
• Improved: security hardening, additional sanitization, and redaction of CVV / card number values from logs.
• Fixed: webhook transaction ID resolution for voids and refunds, including fallback matching.
• Fixed: declined transaction status mapping and refund UI visibility for failed transactions.
• Fixed: production and sandbox API base URLs.

1.0.4

• Internal release rolled up into 1.0.5.

1.0.3

• Fixed API key save/toggle behavior when switching between Sandbox and Production environments.
• Improved admin key handling to prevent invalid re-encryption and intermittent 400 payment errors.

1.0.2

• Added direct card payment flow improvements for checkout and checkout blocks.
• Added native WooCommerce refund integration with GivePayments API.
• Improved payment/refund error handling and logging for easier troubleshooting.
• Hardened legacy return handling checks for safer order updates.

1.0.1

• Patch release

1.0.0

• Initial release of GivePayments for WooCommerce.
• Seamless integration of the GivePayments payment gateway.
• Implementation of user-friendly configuration and enhanced security features.