Looking for a coupon code for WooCommerce Redsys Gateway, Version 31.0.3?
Click to get this plugin for only $25 (massive discount): WooCommerce Redsys Gateway, Version 31.0.3
No coupon code needed to save.
Some things have changed in WooCommerce Redsys Gateway Version 31.0.3. You may want to upgrade to this new version if these impact your installations.
* SECURITY: Removed a notification signature-bypass that could let an anonymous request mark an order as paid when the SHA-256 secret was left empty/misconfigured. The Redsys IPN listener (public wc-api endpoint) had a legacy fallback that, when no secret was configured, accepted a notification solely because the posted Ds_MerchantCode matched the merchant FUC - a public, non-secret value an attacker can supply. That merchant-code-only acceptance has been removed from every gateway (Redirection, Bizum, Bizum InSite, Google Pay checkout and redirection, Apple Pay, PayGold, Direct Debit, MasterPass and Bank Transfer): when there is no secret to verify the HMAC, the request now fails closed (HTTP rejection) instead of being trusted. In addition, the shared verification routine (WooRedsysAPI::verify_signature_notif) now returns false whenever the merchant key or the received signature is empty, so neither check_ipn_request_is_valid() nor successful_request() can complete a payment on an attacker-computable empty-key HMAC. InSite already required a valid signature (no merchant-code fallback) and Inespay is unaffected (it matches orders by its own payin id). Real stores are unaffected because a configured secret is mandatory to take payments in the first place.
* NEW: "Apps and Plugins" section under Redsys Advanced -> Redsys Advanced Settings. A read-only landing page that showcases the native macOS management app (with download, requirements and "coming soon" platforms) and lists the rest of the free and premium plugins, websites and portals, Claude skills and developer profiles by José Conti, each grouped by type with a link. Every list is filterable (redsys_apps_plugins_mac_app, redsys_apps_plugins_free, redsys_apps_plugins_premium, redsys_apps_plugins_webs, redsys_apps_plugins_skills, redsys_apps_plugins_profiles).
* FIX: Bizum notifications were rejected with a signature verification error, leaving the order unpaid even though the payment had been authorized at Redsys. The merchant key and the order number were correct (the request signature matched perfectly), but the notification signature is an HMAC computed over the Ds_MerchantParameters string exactly as received, and Bizum notifications arrive with the trailing base64 "=" padding stripped while Redsys signs over the canonically padded value, so the locally computed HMAC never matched. The shared notification routine (create_merchant_signature_notif in WooRedsysAPI) now re-pads the payload to a multiple of four before hashing, and the verification (verify_signature_notif) now compares both signatures ignoring the trailing "=" padding (which carries no entropy, so the comparison stays constant-time). Card payloads are already canonical and are left untouched, so every other gateway keeps working unchanged. This routine is shared by all notification handlers (Redirection, Bizum, InSite, PayGold, Google Pay, Apple Pay, Direct Debit, Bank Transfer and the REST/A2A clients).
* FIX: Card and wallet notifications could be rejected with a "signature mismatch", so the customer returning to the thank-you page (and the server-to-server IPN) failed to mark the order as paid until a later IPN retry happened to succeed; refunds and PayGold links paid later could stay unconfirmed. Two padding issues are involved: besides the Bizum payload padding above, Redsys delivers the notification signature (Ds_Signature) in URL-safe base64 with the trailing "=" stripped, while the locally computed signature keeps it - so a strict comparison fails for ordinary card payments too. The padding-tolerant comparison lives in verify_signature_notif(), but most handlers were still comparing the signature inline with a strict hash_equals()/!== that re-introduced the sensitivity. Every handler now delegates to verify_signature_notif(), so the fix reaches all of them: card Redirection (both IPN validators and the capture/refund REST-SOAP response checks), Bizum, Bizum InSite, InSite (IPN, successful_request and the two REST-response validators), PayGold, Google Pay (checkout and redirection), Apple Pay, Direct Debit, Bank Transfer, MasterPass and the InSite REST client. Regression introduced when the per-gateway signature checks were unified onto verify_signature_notif() with a strict, padding-sensitive comparison.
* FIX: Bizum notifications on multi-currency / dual-terminal stores (those routing each order to a different terminal through the bizum_modify_data_to_send filter or a conditional rule) now resolve the real per-order signing key before verifying the signature (the customer-adjusted settings key, the transient saved when the payment form was generated, or the _redsys_secretsha256 order meta), and an unverifiable notification is rejected with HTTP 400.
* FIX: InSite card payments that required a 3DS challenge showed a blank verification screen in Safari (iPhone/Mac), so the customer could not enter the SMS code/PIN and the payment failed (the same flow worked in Chrome). The challenge itself was already a full-page, top-level navigation, but before it the plugin redirected the browser to the issuer's 3DS Method URL (threeDSMethodURL) to fingerprint the browser, and Safari's Intelligent Tracking Prevention blocks the third-party cookies that step needs, leaving a blank ACS page (symptom: the ACS URL arrives with ";jsessionidpa=" because the cookies are not flowing). The 3DS Method browser step is optional, so the plugin no longer redirects the browser to threeDSMethodURL: it always sends threeDSCompInd = 'N' and continues straight to authentication. Applied to every InSite flow - new card and saved card (one-click/token), on both block and classic (shortcode) checkouts - and to the Redirection gateway's REST/token flows (pay_with_token_c, receipt_page and successful_request), since the same blank screen could appear when charging a saved-card token.
* FIX: When an InSite card payment failed because a required checkout field was missing or its data did not match (for example an empty surname produced a "signature mismatch"), the error message blamed the card ("...enter your card details again"), so customers thought their card had been rejected and abandoned the order. The message is now neutral and points to the checkout fields first: it asks the customer to check that all the checkout fields (name, surname, address, etc.) and the card details are filled in correctly before trying again. Applied to both the classic and block (Blocks) checkouts.
* FIX: Refunds and delayed payments of orders with large order IDs (the "1 billion bug" already fixed for instant checkout) were recorded against the wrong order, or not recorded at all. The Redsys notification (IPN) recovers the WooCommerce order ID from the order number through clean_order_number(), which first looks up a transient saved when the order number was generated and otherwise fell back to a substr/ltrim heuristic that drops the high-order digits of IDs with 10 or more digits. That transient has a 1h TTL, so the fallback was hit whenever the notification arrives more than an hour after the order number was generated: every refund (processed days or weeks later) and PayGold payment links (paid by the customer later), among others. Three changes make this robust for every payment method: (1) the shared refund routine (ask_for_refund) now re-saves the order-number to real-order-ID mapping at refund time with a 24h TTL; (2) clean_order_number() now, when the transient is gone, reverse-looks up the order by the persisted order-number meta (_payment_order_number_redsys / _redsys_transaction_id2) before ever using the lossy heuristic; and (3) PayGold now persists the order number to meta when the link is created, so a link paid much later still resolves to the exact order. Applies to every gateway (Redirection, InSite, Bizum, Bizum InSite, Google Pay, Apple Pay, PayGold and Direct Debit). Inespay is unaffected (it matches orders by its own payin id).
* DEV: Removed the noisy debug console.log output from the production (minified) frontend scripts (Apple Pay, Google Pay, capture-order-id and the express-checkout modals). The Apple Pay express script in particular logged on every DOM change (it watches the whole document for its button), which flooded the browser console on the Blocks checkout. The minified files now strip console.log/console.warn/console.info/console.debug while keeping console.error; the un-minified sources are unchanged for development.
* FIX: InSite card payments on the block-based (Blocks) checkout failed the FIRST time with "msg18" (the customer saw "check that the checkout/card fields are filled in") and only worked on the second attempt. The Redsys InSite SDK requires the page to send a "domain" message to the card iframe so Redsys can validate the merchant; the SDK does this through an inline onload="setMerchantDomain(0)" on the iframe. The block script overwrote that handler with its own iframe.onload (used to size the iframe) right after the first render, so the merchant domain was never sent and Redsys rejected the tokenisation with msg18 ("incorrect validation by the commerce"). On the automatic form refresh the overwrite did not run, so the second attempt worked. The plugin now calls setMerchantDomain explicitly after building the form (as the SDK's own pay-button integration does) and no longer overwrites the iframe onload, so the first attempt works.
* FIX/DEV: InSite Blocks checkout - made the Redsys postMessage handling more robust and added end-to-end diagnostics. The handler now accepts messages from any Redsys subdomain (sis.redsys.es, sis-t.redsys.es, sis-d.redsys.es) instead of requiring an exact host/port match (Redsys posts from more than one host), removes any listener left by a previous render so a single token cannot trigger multiple submissions, and clears the token/error fields after reading them so a stale re-fire cannot resend. When InSite debug logging is enabled, the whole client-side tokenisation step (order number, Redsys postMessage, token/error code, save and place-order) is mirrored into the "insite" WooCommerce log, so first-attempt failures that never reach PHP can be diagnosed.
* FIX: InSite card payments on the block-based (Blocks) checkout were rejected by Redsys with SIS0574 ("EMV3DS authentication operation rejected, browserUserAgent not indicated"): the 3DS browser fingerprint (user agent, screen size, language, colour depth, timezone) never reached the order, because the hook that normally copies it onto the order (woocommerce_checkout_create_order) does not run on the Store API (Blocks) checkout. The InSite Blocks form now collects the fingerprint and sends it together with the operation token, and it is written onto the real order (next to the token) before process_payment runs, so the EMV3DS authentication has the data it needs.
* FIX: InSite card payments on the block-based (Blocks) checkout were rejected with an "error code without token" (shown to the customer as "check that the checkout/card fields are filled in"), so the card could not even be tokenised after a few attempts. Because the order does not exist yet on the Blocks checkout (order id 0), the prepared Redsys order number was generated from id 0, which produced an almost constant value - only ~999 possible numbers, all ending in nine zeros - and Redsys rejects a reused order number ("pedido repetido", SIS0051). When the draft order id is not yet available, the InSite Blocks form now uses the same temporary order number as the InSite shortcode checkout (create_checkout_insite_number: always starts with 1, globally unique through a shared incremental counter), so it never collides; when the draft order id is available, the Redsys number is built from it. The number is re-linked to the real order id when the order is placed.
* FIX: InSite card payments on the block-based (Blocks) checkout failed: the customer saw a misleading "check that the checkout/card fields are filled in" error and the order was never paid (the browser console showed a 404 on the save_order_data request). The cause is that current WooCommerce no longer creates the order until the customer presses "Place order" - during card entry the Blocks checkout store returns order id 0 - so the InSite operation token (idOper) and the prepared Redsys order number could not be persisted: the previous flow posted them to a REST route (save_order_data) that tried to attach them to order 0 and returned "Invalid order" (404), and the generated order number was mapped to order 0 (so even a later notification could not find the order). Now, when the card is tokenised, the token and the prepared order number are stored in the WooCommerce session via admin-ajax (the WC session is not available on custom REST routes, which is why the prior REST approach could not use it), and they are moved onto the real order while WooCommerce is creating it from the checkout request (woocommerce_store_api_checkout_update_order_from_request), before process_payment runs, so process_payment_block() finds _insite_token and _payment_order_number_redsys as it does on the classic checkout. The order-number transient is also re-mapped to the real order id so the notification (IPN) resolves the order. The browser-fingerprint (3DS) data already used this same session route. The classic/shortcode checkout is unaffected.
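
The verification behaviour described in the SECURITY entry and the two padding FIX entries above, as an added example that is not the plugin's source: reject when the key or the received signature is empty, re-pad the payload before hashing, and compare signatures with URL-safe alphabet and trailing "=" normalised. The function names, key and payload are constructed, and the signing key is assumed to be the raw per-operation HMAC key, with its derivation out of scope.

```php
<?php
// Added example: hypothetical helper names, constructed key and payload.

// Re-pad a base64 string to a multiple of four characters.
function example_repad_base64(string $b64): string {
    $rem = strlen($b64) % 4;
    return $rem === 0 ? $b64 : $b64 . str_repeat('=', 4 - $rem);
}

// Normalise a signature: URL-safe alphabet, trailing "=" removed.
function example_normalise_sig(string $sig): string {
    return rtrim(strtr($sig, '+/', '-_'), '=');
}

// Verify a notification. Fails closed: an empty key or an empty signature
// is never accepted, so an HMAC computed with an empty key cannot pass.
function example_verify_notification(string $key, string $params, string $sig): bool {
    if ($key === '' || $sig === '') {
        return false;
    }
    // Hash the canonically padded payload, even if it arrived unpadded.
    $mac = hash_hmac('sha256', example_repad_base64($params), $key, true);
    return hash_equals(
        example_normalise_sig(base64_encode($mac)),
        example_normalise_sig($sig)
    );
}

// Constructed sample: the signer hashes the padded payload, the notification
// arrives with "=" stripped from both the payload and the signature.
$key         = 'constructed-demo-key';
$canonical   = base64_encode('{"Ds_Order":"1234ABCD","Ds_Response":"0000"}');
$signed      = base64_encode(hash_hmac('sha256', $canonical, $key, true));
$wire_params = rtrim($canonical, '=');
$wire_sig    = example_normalise_sig($signed);

// Signature anyone can compute when the store has no secret configured.
$empty_key_sig = base64_encode(hash_hmac('sha256', $canonical, '', true));

$cases = [
    'valid, padding stripped' => [$key, $wire_params, $wire_sig],
    'valid, padding intact'   => [$key, $canonical, $signed],
    'empty key, matching MAC' => ['', $canonical, $empty_key_sig],
    'empty signature'         => [$key, $wire_params, ''],
    'tampered payload'        => [$key, $wire_params . 'AAAA', $wire_sig],
];
foreach ($cases as $label => [$k, $p, $s]) {
    printf("%-26s %s\n", $label, example_verify_notification($k, $p, $s) ? 'accept' : 'reject');
}
```

Only the first two cases are accepted; the empty-key case is rejected even though its HMAC matches, which is the fail-closed behaviour the SECURITY entry describes.
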
What does it include? WooCommerce Redsys Gateway, Version 31.0.3 includes…
- 12 months of free updates
- Use on unlimited sites (no ‘license by seat’ limits)
What doesn’t it include?
It does NOT include support or automatic updates. However, it includes access to 12 months of updates, which can be applied manually.
