WooCommerce RedSys Gateway v30.4.0
- Subscriptions section in Redsys Advanced settings to configure credentials and behavior for subscription renewal payments.
- [High]: Added missing cryptographic signature verification in successful_request() for 9 payment gateways: Apple Pay, Bizum Checkout, Bizum Redirect, Google Pay Checkout, Google Pay Redirect, Direct Debit, MasterPass, PayGold, and Bank Transfer. Without this check, payment notifications could be forged to complete orders without actual payment.
- SUMO Subscriptions renewal orders failed because sumo_save_subscription_payment_info() was called with 'payment_method' => 'insite' instead of 'redsys' in the redirect gateway callback. This caused SUMO to set the wrong payment method on renewal orders, triggering the wrong gateway filter and using incorrect credentials.
- YITH WooCommerce Subscriptions were being cancelled prematurely on failed renewals for the Redsys Redirect, InSite, Apple Pay Checkout and Google Pay Checkout gateways. The "no token / expired card" path in doing_scheduled_subscription_payment() (class-wc-gateway-redsys.php and class-wc-gateway-insite-redsys.php) called ywsbs_register_failed_payment() and then returned false, causing the YITH wrapper renew_yith_subscription() to call it again. The double increment of failed_attempts cancelled subscriptions after 1–2 real failures instead of the configured 3 retries. Apple Pay and Google Pay Checkout are also fixed since they delegate to the main Redsys handler.
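The signature check that the [High] item above refers to can be sketched as follows. This is an added example, not the plugin's code: it assumes Redsys's publicly documented HMAC_SHA256_V1 scheme, the `example_` function names are hypothetical, and the key and notification are constructed for the demo.

```php
<?php
// Added example: names prefixed example_ are hypothetical, not the plugin's API.

// Recompute the HMAC_SHA256_V1 signature Redsys attaches to a notification.
function example_redsys_signature(string $params_b64, string $merchant_key_b64): ?string {
    $json = base64_decode(strtr($params_b64, '-_', '+/'), true);
    $data = is_string($json) ? json_decode($json, true) : null;
    $key  = base64_decode($merchant_key_b64, true);
    if (!is_array($data) || !is_string($key) || strlen($key) !== 24) {
        return null;
    }
    $order = $data['Ds_Order'] ?? $data['DS_ORDER'] ?? '';
    if (!is_string($order) || $order === '') {
        return null;
    }
    // Per-order key: 3DES-CBC of the order number, zero IV, zero-byte padding.
    $padded    = str_pad($order, (int) (ceil(strlen($order) / 8) * 8), "\0");
    $order_key = openssl_encrypt($padded, 'des-ede3-cbc', $key,
        OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, str_repeat("\0", 8));
    if ($order_key === false) {
        return null;
    }
    // The MAC covers the Base64 string exactly as received, not the decoded JSON.
    $mac = hash_hmac('sha256', $params_b64, $order_key, true);
    return strtr(base64_encode($mac), '+/', '-_');
}

// Gate for a notification handler: true only when the signature matches.
function example_redsys_notification_is_authentic(array $post, string $merchant_key_b64): bool {
    $params   = $post['Ds_MerchantParameters'] ?? null;
    $received = $post['Ds_Signature'] ?? null;
    if (($post['Ds_SignatureVersion'] ?? '') !== 'HMAC_SHA256_V1'
        || !is_string($params) || !is_string($received)) {
        return false;
    }
    $expected = example_redsys_signature($params, $merchant_key_b64);
    // Normalise to URL-safe Base64, then compare in constant time.
    return $expected !== null && hash_equals($expected, strtr($received, '+/', '-_'));
}

// Constructed sample: this key and notification are made up for the demo.
$key    = base64_encode('constructed-demo-key-24b');
$signed = base64_encode(json_encode(['Ds_Order' => '0000001234', 'Ds_Amount' => '1999', 'Ds_Response' => '0000']));
$edited = base64_encode(json_encode(['Ds_Order' => '0000001234', 'Ds_Amount' => '1', 'Ds_Response' => '0000']));
$notice = ['Ds_SignatureVersion' => 'HMAC_SHA256_V1', 'Ds_MerchantParameters' => $signed,
           'Ds_Signature' => example_redsys_signature($signed, $key)];
var_dump(example_redsys_notification_is_authentic($notice, $key));
var_dump(example_redsys_notification_is_authentic(['Ds_MerchantParameters' => $edited] + $notice, $key));
```

The second call reuses the original signature with altered parameters, which is the case a handler must reject before it changes any order status.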
WooCommerce RedSys Gateway v30.3.1
Version 30.3.1 Released on 2026.03.20
- [Medium]: Fixed an authenticated account takeover vulnerability that could allow an attacker to assume any user account, including administrators.
- [Low]: Fixed unauthenticated access to order status and user data.
- PayGold link generated from admin order metabox was never saved correctly due to an impossible response code condition in send_paygold_link(). The function now uses the same validation logic as the checkout flow (response code 9998).
- Fixed undefined $description variable in paygold_metabox_save() when sending a PayGold link from the order edit screen.
- Custom notification domain (redsys_url_notify) was broken by check_url() prepending home_url() to URLs that already had a different domain. check_url() now detects absolute URLs and preserves them as-is.
- get_notify_home_url() now automatically adds https:// when the custom notification domain is saved without a scheme.
- PHP 8.3+ compatibility — Fixed deprecated warnings for passing null/false to string functions (trim, strlen) from get_option() calls in get_txnid(), get_token_type(), and connect_standard_imap().
- PHP 8.3+ compatibility — Fixed add_submenu_page(null,...) in setup guide causing strpos()/str_replace() deprecation warnings.
WooCommerce RedSys Gateway v30.3.0
Version 30.3.0 Released on 2026.03.07
- Virtual / Downloadable Products order status override in Advanced Settings. When all products in an order are virtual or downloadable, the order status can be automatically set to Completed instead of Processing.
- Redsys response code 0115 (card cancelled or account closed) now automatically deletes the stored card token, notifies the customer with instructions to add a new payment method (My account > Payment Methods), and notifies the admin.
- Admin email notification when a customer's credit card is automatically removed due to Redsys hard-decline response codes (0115, 0172, 0173).
- Improved customer email when a card is removed — now includes the last 4 digits of the card, the error code, and a direct link to add a new payment method.
- COF_INI (Credential on File initial) flag is now saved to order meta (_redsys_cof_ini) for all COF transaction types (R and C), preventing duplicate token creation when COF_INI=N.
- Conditional Rules test mode now correctly applies to the Redsys gateway URL. Previously, orders with conditional rules overriding test mode still used the default gateway URL.
- Fixed duplicate token creation when customer already has a saved card and COF_INI=N is sent to Redsys.
- Fixed undefined array key warnings in save_field_update_order_meta() when conditional rules data is incomplete.
- Fixed $redsys->debug reference using wrong variable in preauthorization logging (now uses $this->debug).
- Fixed sanitize_text_field applied before substr for HTTP_ACCEPT_LANGUAGE in Google Pay and Apple Pay Checkout, ensuring correct sanitization order.
- Google Pay Checkout now ensures WooCommerce transactional emails are initialized before calling payment_complete() in payment callbacks.
WooCommerce RedSys Gateway v30.2.1
Version 30.2.1 Released on 2026.02.27
- Google Pay Express Checkout now triggers WooCommerce transactional emails after successful payment (customer and admin).
WooCommerce RedSys Gateway v30.1.0
Version 30.1.0 Released on 2026.02.16
- Conditional Rules — visual rule builder to override payment parameters (terminal, merchant code, SHA256, transaction type, test mode, etc.) based on order conditions (category, tag, amount, currency, language, user role).
- Added preauthorization support for Google Pay and Apple Pay.
- Google Pay and Apple Pay now save merchant code to order meta for preauthorization operations.
- Refactored InSite payment form error handling with AJAX-based refresh instead of full page reload.
- Added post_payment_complete hooks for Bank Transfer, IMAP email processing and Inespay gateways.
- Fixed InSite COF_TYPE detection that caused incorrect credential-on-file type in REST payments.
- Fixed Ds_Card_PSD2 using wrong variable in REST payment path.
- Fixed InSite orders being marked as paid without Redsys authorization when a third-party plugin filters woocommerce_cart_needs_payment.
- Improved InSite checkout routing using REST_REQUEST instead of checkout_use_block() for reliable shortcode/block detection.
- Masked secret SHA256 key in debug logs.
WooCommerce RedSys Gateway v29.1.2
Version 29.1.2 Released on 2026.01.20
- Google Pay Redirection now uses strict equality check to prevent it from appearing in checkout block when disabled.
- Fixed YITH Subscriptions renewal payments not processing - added missing return false when customer has no saved token (Redsys and InSite gateways).
- Fixed YITH Subscriptions renewal payments staying on-hold - added missing return false when Redsys returns an error response (Redsys and InSite gateways).
- Added ywsbs_register_failed_payment() call when token is missing to properly notify YITH Subscriptions of the failure.
WooCommerce RedSys Gateway v29.0.0
Version 29.0.0 Released on 2025.12.21
- Added Google Pay Express Checkout for the Checkout Block.
- Added Apple Pay and Google Pay Express Checkout for the Cart Block.
- Apple Pay Express Checkout orders are now correctly marked as Apple Pay (instead of Redsys).
- Apple Pay Express Checkout now triggers WooCommerce transactional emails after successful payment (customer and admin).
- Agentic Commerce flow aligned with WooCommerce core (wc/agentic/v1 routes, bearer auth registry, provider/payment-method metadata for supported Redsys gateways).
WooCommerce RedSys Payment Gateway v28.0.1
2025.12.15 - version 28.0.1
* FIX: Load Redsys IMAP support before scheduling the email checker cron, avoiding “no callbacks registered” warnings for `redsys_check_emails_cron`.
* FIX: Hid the development-only “App & Push” settings section so it no longer appears in production admin menus.
WooCommerce RedSys Gateway v28.0.0
2025.12.10 - version 28.0.0
* NEW: Added Inespay (Transferencia Online) gateway with sandbox/production toggle, callbacks, refunds API, and direct redirect/modal flow.
* NEW: Inespay now supports subscription flows with two-step (single + periodic mandate) handling and customer redirection.
* NEW: Inespay refunds implemented via official REST endpoint with callbacks for success/error.
* NEW: Redsys and Inespay notifications are now WooCommerce email classes that can be configured in WooCommerce > Emails (payment error alerts, missing tokenization data, unpaid thank-you warning, card reminder/request, card expiry/removal, Inespay transfer review, and periodic mandate failure).
* NEW: The Inespay transfer review email includes a direct link to the management screen (`redsys-inespay-subscriptions&tab=review`) and allows choosing the recipient from WooCommerce > Emails.
* FIX: PayGold link generation and storage corrected so admin actions send the proper URL.
WooCommerce RedSys Gateway v27.1.4
Version 27.1.4 Released on 2025.12.01
- Only register/schedule the Redsys email IMAP cron when the Redsys_Imap_Connection class is available, preventing missing-callback warnings on sites without Gmail/IMAP support (e.g., PHP < 8.1).
- Token C COF/renewal REST flows no longer send `DS_MERCHANT_DIRECTPAYMENT`; it is still sent for token R.
- Block checkout now processes C tokens directly (REST), respecting 3DS, instead of redirecting to Redsys to request a new card.
- Persist 3DS transients/context for token C so CRes callbacks finish on-site without falling into the “There is nothing to see here” screen.
- InSite uses SOAP again while the newly introduced REST flow issues are fixed.
- One-click product button now disables after click and shows a processing spinner to prevent duplicate submissions.