WWU Right of Withdrawal for Popular Ecommerce Platforms

Changelog

1.3.2

• Fix — evidence-log chain on upgrade. The 1.3.0 prefix rename accidentally changed the genesis seed of the tamper-evident log’s hash chain, so a site upgrading from a pre-1.3 version failed chain verification (the stored rows were genuinely intact — only the verification seed had drifted). The seed is restored to its original, frozen value, so existing logs verify again. No effect on a clean install; the per-site secret and all verifiable receipt links were unaffected.

1.3.1

• New — a consolidated «Right of withdrawal» information notice. A single notice is assembled live from your settings and the Art. 59 exceptions you selected, delivered three ways: the [webwakeupwdb_policy] shortcode, an auto-created page (one click to recreate if you delete it), and a downloadable PDF. Manage it under Compliance → «Informativa sul diritto di recesso» — preview it, create/open the page, freeze it to static HTML, or download the PDF. It complements — it does not replace — your Terms; a disclaimer says so on every surface.
• New — add the withdrawal clauses to your Complianz documents (opt-in). Two toggles under Settings → Complianz documents append the clauses to your Complianz Privacy Policy (always) and Terms & Conditions (with Complianz’s free Terms & Conditions add-on). Off by default, EU only, with a live «what will be added» preview; turning a toggle off removes them again on the next regeneration. They complement, not replace your own legal texts.
• Translations. All five shipped locales — Italian, German, Spanish, French and Swedish — now cover the new strings (~99–100%; Swedish awaits a final native review).
• WordPress.org compliance — unique plugin prefix. Every internal identifier was renamed from the short wwu prefix to the distinct webwakeupwdb prefix (constants, options, hooks & filters, shortcodes, the PHP namespace, the REST namespace, classes and the JS data object), as requested by the Plugins Team review. Existing installs migrate automatically on upgrade — settings, exemption-consent evidence, the immutable log/timestamp tables and the auto-created pages are all preserved — and a clean install is unaffected. Developers: custom code using the old names (wwu_wb_* hooks/filters, the [wwu_wb_*] shortcodes) must switch to the new webwakeupwdb_* names.

1.2.13

• Partial withdrawal: choose a quantity per item. When you withdraw from only some products and you bought more than one of an item, you can now enter how many to withdraw (e.g. 1 of 3) — an optional number field next to each line, no JavaScript required; leave it blank to withdraw the whole line. The chosen quantity appears on the durable-medium receipt (email + PDF), in the Requests dashboard and in the read-only REST API. Informational only (you still process the refund). Fully back-compatible: the existing products data is unchanged — a new additive product_quantities field carries the amounts. Requested in issue #47.

1.2.12

• Now requires PHP 8.1 (was 7.4). This build bundles the latest stable PDF engine, Dompdf 3.1.5, whose dependencies need PHP 8.1. Sites still on PHP 7.4–8.0 are not offered this update and stay on 1.2.11; a PHP 7.4-compatible build of the same features is published on GitHub.
• Custom CSS field removed. To restyle the withdrawal flow, use WordPress core’s Appearance → Customize → Additional CSS, targeting the plugin’s documented CSS variables and classes (a full reference is shown in Settings → Appearance). The plugin no longer processes arbitrary user CSS.
• No external calls by default. Trusted timestamping (OpenTimestamps / RFC 3161) is now opt-in and off by default — the plugin makes no outbound connection unless you enable a provider in Settings → Receipt & evidence. The append-only, hash-chained evidence log works fully offline. (WordPress.org review compliance: opt-in consent + no arbitrary code insertion.)
• Updated the bundled Dompdf PDF library from 2.0.8 to the latest stable 3.1.5.

1.2.11

• Consent Records page is now cross-platform (fixes #41). The admin Consent Records screen and its CSV export only read WooCommerce orders, so on an Easy Digital Downloads or FluentCart store they showed the «WooCommerce not active» notice even though consent was being captured. The page now sources its records from the tamper-evident, cross-platform evidence log (every platform’s checkout-consent capture already writes there), so WooCommerce, EDD and FluentCart consents all appear; the full per-entry evidence (including the IP) is read back from the order when it still exists, and survives as a PII-free record if the order was later deleted. A new «Platform» column is shown. This is strictly a read-only change — the append-only, hash-chained evidence log is never altered.

1.2.10

• WordPress.org compliance pass (no behaviour change). Added wp_unslash() to the inputs read by the settings-save handler — the values were already sanitised (custom sanitisers, integer casts, sanitize_* / esc_url_raw), this just adds the WordPress-canonical unslash step the Plugin Check tool expects. Silenced a false-positive «query not prepared» error on the integrity-check read (it has no user input: the table name comes from $wpdb->prefix and the row limit is an integer cast, so there is nothing to prepare). Trimmed three over-long upgrade notices to the 300-character limit. No change to the withdrawal flow, your data or the evidence log.

1.2.9

• Type-aware withdrawal window (informational). The 14-day countdown shown to the customer is now calculated by product type: all-digital orders (every item virtual/downloadable) start from the order date — the conclusion of the contract, per Art. 9 of Directive 2011/83/EU and Art. 52 of the Italian Codice del Consumo — while any order containing a physical item is unchanged (the completed/delivery date, falling back to the order date). The window stays informational: the button is never hidden on this value, and you decide the validity of late requests. No breaking changes.

1.2.8

• Guest withdrawal link fixed on every surface. Completes the 1.2.7 fix. The [webwakeupwdb_button] / [webwakeupwdb_form] shortcodes and the WooCommerce order-actions link now also route guests (customers without an account) to the public withdrawal page instead of the login-gated account area — a shared helper builds the URL the same way everywhere, so a guest is never sent to the login screen regardless of which surface shows the link (some themes render the order-actions on the order-received page). Logged-in customers are unaffected; no change to the flow, your data or the evidence log.

1.2.7

• Guest withdrawal button no longer asks for login. The withdrawal button shown in the order recap / thank-you page sent guest (no-account) customers to the login screen, because it pointed at the My Account area. Guests are now routed to the public withdrawal page, carrying the order reference + order key (the same pre-authenticated link the order e-mail already uses), so they can withdraw without an account. Logged-in customers are unaffected.

1.2.6

• Translations completed for all bundled locales. Several admin strings added in recent releases — the «Legal clauses» editor, the «Notification email(s)» field, the legal-texts reminders on the Compliance page and the FluentCart e-mail helper — were showing in English because they had not been translated yet. All five bundled language files (Italian, German, French, Spanish, Swedish) are now complete for these strings, so those screens display in your language. (The Swedish strings were machine-assisted and are pending a native review.)

1.2.5

• PHP 7.4 compatibility fixed (PDF library). The bundled PDF engine (Dompdf) had been updated to a 3.x release that requires PHP 8.1, which contradicted the plugin’s «Requires PHP 7.4» and produced a Composer «platform» error near the PDF option on PHP 7.4 sites. Dompdf is now pinned to the 7.4-compatible 2.x line (PHP 7.1+), so the plugin runs on PHP 7.4 again with no change to the PDF receipts. (Thanks to the reporter of issue #31.)
• Notification e-mail now accepts multiple recipients. Settings → «Notification email(s)» accepts several addresses separated by commas, so the «new withdrawal request» alert can reach more than one person. The first address is also shown to the customer as the shop contact. A single address keeps working exactly as before.
• FluentCart coexistence is now automatic. FluentCart shipped its own free «Customer Rights» add-on. With the FluentCart handling left on Auto (the default), the plugin now detects that add-on automatically and steps aside on FluentCart, so customers never see two withdrawal flows. WooCommerce and EDD are unaffected; you can still force the behaviour from Settings → FluentCart.

1.2.4

• Housekeeping + WordPress.org compliance hardening. Display name refined to «WWU Right of Withdrawal» (the plugin slug is unchanged, so nothing breaks on update). Additional input sanitisation on the rate-limiter, URL escaping tightened in the plain-text e-mails, explicit REST permission callbacks declared on the public withdrawal endpoints, and the now-unneeded textdomain loader removed (WordPress loads translations automatically since 4.6). No change to the withdrawal flow, your data or the evidence log.

1.2.3

• Acknowledgement e-mail failures now report the exact reason, not a generic message. Building on the 1.2.2 fix: when the acknowledgement e-mail cannot be sent, the plugin now captures the specific reason from the mail transport — the SMTP plugin’s own error (for example «Could not authenticate» or «Could not connect to host») or the thrown exception’s message — and shows it in the admin «e-mail failed» notice and records it in the tamper-evident log, instead of a generic «email failed». Diagnosing an SMTP misconfiguration (WP Mail SMTP, FluentSMTP, a provider mailer) is now immediate, without digging through the PHP error log. The withdrawal is still always recorded and the consumer always reaches their confirmation page.

1.2.2

• Critical fix: no more «critical error» when sending the acknowledgement e-mail. When a consumer confirmed a withdrawal (and when an admin clicked «Resend e-mail»), an exception raised inside WordPress’s wp_mail() by an SMTP plugin (for example WP Mail SMTP or FluentSMTP), or a PDF/Dompdf error on PHP 8, could escape and crash the whole request with a fatal «critical error» even though the withdrawal itself was already recorded. The e-mail path is now exception-safe on both delivery routes (the standalone mailer and the WooCommerce e-mail) and for the optional PDF: a send failure degrades gracefully (it is logged, the admin gets a «resend» notice, the consumer still sees their confirmation page) instead of taking down the page. After updating, check your SMTP plugin’s settings or log for the underlying cause.
• FluentCart now has its own native withdrawal add-on — clearer guidance. As of FluentCart 1.4.2 (June 2026), FluentCart ships a first-party EU «right of withdrawal» feature («customer rights»). If you enable it and keep this plugin handling FluentCart, customers could see two withdrawal flows. Settings → FluentCart now states this clearly and tells you what to do: set the FluentCart handling to Off (or have a developer return true from the webwakeupwdb_fluentcart_native_active filter) so only one flow shows. Automatic detection of FluentCart’s add-on will arrive in a later update. Your WooCommerce and EDD handling is unaffected.

1.2.1

• Fix — the «Right of withdrawal» account tab no longer returns a 404 on a fresh install. On WooCommerce the withdrawal tab is a rewrite endpoint; its rewrite rule was not being persisted during activation, so clicking the tab in My Account led to a 404 until you re-saved Permalinks. The plugin now performs a one-time rewrite-rules flush on the first page load after activation, so the tab resolves immediately. (If you already hit this: Settings → Permalinks → Save Changes also fixes it — no page needs to be created, the slug is a WooCommerce endpoint, not a page.)
• Edit the legal clauses from the admin — no code needed. A new Settings → Legal clauses section lets you replace the built-in pre-contractual / terms / privacy / exemption-consent clauses with your own wording. Your text then appears on the Compliance page and wherever the [webwakeupwdb_info] shortcode is used (and the «sample text» note is dropped). Leave a field empty to keep the built-in template; a «Show the built-in default» toggle lets you copy the original as a starting point. Developers can also override programmatically with the new webwakeupwdb_clause_text filter. The built-in clauses are sample templates — adapt them to your business and have your counsel review them.

1.2.0

• Reminder to update your legal texts — the button is not a substitute. Installing the withdrawal button does not change your shop’s own documents, and EU law (Art. 6 of the Consumer Rights Directive) requires your Terms & Conditions of sale and your pre-contractual information to describe how the consumer withdraws — which now includes the new online «withdrawal button». The plugin now states this prominently on the Dashboard and the Compliance page, opens the two clauses you must paste (pre-contractual information + general terms) by default, and the ready-to-paste «How to withdraw» and pre-contractual clauses now name the button explicitly. This release also rewrites the plugin description to explain, in plain steps, how the withdrawal flow works and to showcase the full feature set (customer help, merchant cockpit, smart legal handling, automations, privacy tooling). No change to the withdrawal flow itself.

1.1.1

• wordpress.org Plugin Check polish. Removes the unused UI-kit clipboard.js from the package entirely (its filename collided with a WordPress-core library; it was never loaded — only the accordion, badge and utilities components are), and moves the documentation link out of the short-description block. No functional change.

1.1.0

• Evidence-log hardening (security-audit follow-up). The tamper-evident log is now stronger against a database-level/insider attacker and cleaner under GDPR: each row hash is HMAC-keyed with the site secret (so a DB-write attacker without the secret can no longer recompute a forged chain); the hash commits to the anonymised IP while the full IP is stored separately and erased after the retention horizon; RFC 3161 timestamps now require HTTPS and are bound to the exact submitted digest (a TSA/MITM cannot return a token for a different hash); failed initial timestamps are retried automatically, with any not-yet-anchored records surfaced in the admin. Existing logs keep verifying (each row records its chain version). No change to the withdrawal flow.

1.0.1

• wordpress.org readiness + security hardening. Resolves the Plugin Check items for the directory submission: the unused clipboard.js UI-kit asset is no longer shipped, composer.json is now included alongside the bundled library, the SSRF smoke-test no longer uses a literal localhost host, and «Tested up to» is current. Plus minor hardening from a full security audit: the OpenTimestamps calls now pass through the same SSRF guard as the webhook / RFC 3161 callers (and never follow redirects), and two admin credential fields gain wp_unslash(). No functional change to the withdrawal flow.

1.0.0

• First stable release, for the EU withdrawal-button mandate that applies from 19 June 2026. Consolidates the full feature set: the statutory two-step withdrawal flow with per-language wording (IT, EN, DE, FR, ES, SV), a durable-medium acknowledgement (email + PDF + verifiable link + OpenTimestamps), a tamper-evident hash-chained log, the Art. 59 exemptions with checkout consent capture and a consumer «why exempt» note, optional partial withdrawal, WooCommerce (HPOS + legacy) / FluentCart / Easy Digital Downloads adapters, the withdrawal link in order e-mails, a read-only REST API + signed webhook for automations, and the Annex I-B model form + ready legal clauses. All six locales fully translated (545/545). No functional change from 1.0.0-alpha.45 — the External services disclosure was clarified and translations finalised for release.

1.0.0-alpha.45

• Withdrawal link in your order e-mails — across all platforms. The withdrawal link is added automatically to WooCommerce customer order e-mails and to the Easy Digital Downloads purchase-receipt e-mail (so customers can reach the withdrawal straight from the e-mail, as the law’s Recital 37 suggests). FluentCart doesn’t allow plugins to add content to its e-mails automatically, so Settings → FluentCart now shows a short, optional one-time guide to drop the {{wwu.recesso_url}} shortcode into your FluentCart receipt template (copy-ready, 3 steps). Nothing invasive, nothing required — the withdrawal is always reachable from the account/portal and the public page regardless.

1.0.0-alpha.44

• Connect your withdrawal requests to other tools (automations). A new Settings → Integrations section adds two optional, developer-friendly ways to plug withdrawal requests into Zapier, Make, n8n, a CRM or a helpdesk. (1) A read-only REST API to list requests and check an order’s withdrawal status, authenticated with a standard WordPress Application Password. (2) An optional webhook that sends a signed notification to your endpoint the moment a withdrawal is confirmed. Privacy-first: the consumer’s IP address is never exposed — only a verification hash. There is intentionally no way to create a withdrawal via the API (a withdrawal is the consumer’s own legal act). Passed a dedicated security audit before release. No change to the withdrawal flow itself.

1.0.0-alpha.43

• Consumers now see WHY the withdrawal button is absent on exempt orders. When an order is exempt from the right of withdrawal under Art. 59 (e.g. digital content with immediate access, or a service fully performed — both with the consumer’s consent at checkout), the button is hidden. The plugin now shows a short, accurate note explaining the specific statutory exception and its legal reference, instead of just silence. Shown on the withdrawal form, the WooCommerce/EDD account pages and the FluentCart portal. The text is editable (Settings → Consumer guidance). It only appears on genuinely exempt orders — never on ordinary ones; button visibility is unchanged.

1.0.0-alpha.42

• You can now withdraw from only some products of an order. EU law allows partial withdrawal (it’s not all-or-nothing), so step 1 of the withdrawal form gains an optional checklist of the order’s products — tick the ones you’re withdrawing from, or leave it empty to withdraw from the whole order (the default). The choice appears on the confirmation e-mail/PDF and in the admin Requests dashboard. It’s informational: you still process the refund (full or partial) yourself. No change for anyone who withdraws from the whole order.

1.0.0-alpha.41

• FluentCart handling is now configurable. FluentCart is building its own withdrawal add-on, so a new Settings → FluentCart control lets you choose how this plugin behaves on FluentCart orders: Auto (recommended — show our button, but step aside automatically if FluentCart’s own add-on is installed, so customers never see two buttons), Always (keep ours regardless), or Off (never handle FluentCart). Only our consumer-facing FluentCart surfaces are affected — the admin Requests dashboard and any in-flight confirmation keep working. No change for WooCommerce or EDD.

1.0.0-alpha.40

• Admin UI styling restored + Swedish added. The bundled WWU UI Kit is now shipped with the plugin (it was referenced but never packaged), so the Settings → Exemptions section (accordions, badges, notices) renders styled instead of plain. Added Swedish (sv_SE): the statutory withdrawal-button label («ångra avtalet här») and confirmation («bekräfta frånträde») per the official EUR-Lex Art. 11a wording (Distansavtalslagen 2005:59), plus a complete UI translation (all 495 strings; the legal term «varaktigt medium» corrected) — pending a native Swedish review by Daniel before it’s marked final.

1.0.0-alpha.39

• Critical fix — the Settings page no longer fatals. A merchant reported «Class WWU\WithdrawalButton\Admin\Settings not found», which crashed the whole settings screen. A missing use import made an unqualified Settings::main() resolve to the wrong namespace. Fixed, and a scan of all 91 source files confirmed there were no other cases. This release also carries a small mail-safety fix (the HTML mailer now always removes its wp_mail_content_type filter, so a third-party email error can’t turn other plugins’ plain-text emails into HTML) and a WooCommerce-surface + plugin-conflict audit (0 critical / 0 high). Recommended for all installs.

1.0.0-alpha.38

• Subscriptions handled correctly (WooCommerce Subscriptions, FluentCart, EDD Recurring). EU law gives one 14-day right of withdrawal per contract, at conclusion — a renewal does not restart it. The button now appears on the initial order only and is suppressed on renewal orders (single gate covering every surface). Two opt-in settings under Settings → Subscriptions: «also show on renewals» (off by default) and «auto-cancel the subscription on withdrawal» (off by default — the refund and any pro-rata always stay manual). The Requests dashboard flags subscription orders with a reminder. Renewal detection is guarded and fail-open (an undetermined state keeps the button visible). Needs a live test with a subscription plugin active.

1.0.0-alpha.37

• FluentCart e-mail merge-tag {{wwu.recesso_url}} — you can now drop the per-order withdrawal link into FluentCart’s own transactional e-mails (the FluentCart team confirmed the value-resolver hook + its data context on 2026-06-15). It’s registered in the FluentCart e-mail-editor picker and resolves safely (renders empty when there’s no order in context). Needs a live FluentCart test. Note: FluentCart has told us they are shipping a native EU withdrawal feature soon, which may overlap this.

1.0.0-alpha.36

• Security hardening from a full-plugin security audit (0 critical, 0 high). Fixes: an SSRF guard for the merchant-configured RFC 3161 timestamp endpoint (blocks internal / cloud-metadata / IPv6-loopback / CGNAT targets); per-IP rate limiting on the withdrawal statement/confirm endpoints (REST + no-JS); length caps on the name/reason fields; tighter debug secret-masking; and a cron cleanup on uninstall. No change to the consumer-facing flow. Full report in docs/audits/.

1.0.0-alpha.35

• EDD integration completed — the withdrawal button now appears on the EDD customer’s own pages. Easy Digital Downloads customers see the statutory withdrawal button on the purchase receipt and in purchase history, and the withdrawal link is added to the EDD purchase-receipt e-mail — reaching full parity with WooCommerce and FluentCart (previously EDD relied only on the standalone public page). Built on EDD 3.x hooks verified against the official EDD source. Fail-safe as everywhere: the button only shows on eligible orders and links to your withdrawal page pre-authenticated. Needs a live EDD test.

1.0.0-alpha.34

• FluentCart improvements, verified against a direct FluentCart-team reply: the consent checkbox now renders on before_payment_methods (covers the standard, modal and block checkout), FluentCart exemptions are now category-aware (via the product-categories taxonomy, matching WooCommerce and EDD), and withdrawal/refund notes appear in the FluentCart order activity timeline (fluent_cart_add_log). Also adds 3 shareable live-test checklists (WooCommerce block, FluentCart, EDD) under docs/testing/. No change to the consumer-facing button.

1.0.0-alpha.33

• Added Easy Digital Downloads (EDD 3.0+) as a third supported platform: the withdrawal button, evidence flow and exemption consent capture now work on EDD stores (with category-aware exemptions). Needs a live EDD test. Consent capture now spans WooCommerce (classic + block), FluentCart and EDD.

1.0.0-alpha.32

• Exemption consent capture now also works on the WooCommerce block-based Checkout (via the official Additional Checkout Fields API, WooCommerce 9.9+), reaching full parity with the classic checkout and FluentCart. Pure PHP, no build step. Also adds the design SPEC for a future Easy Digital Downloads (EDD) integration. Needs a live block-checkout test; fail-safe until verified.

1.0.0-alpha.31

• Exemptions settings redesigned: the reasons are grouped (conditional / unconditional / seal-based) with tooltips, examples, a «What do you sell?» guided helper, a preview of what the consumer sees (checkbox + confirmation e-mail), and a status panel — all using the WWU UI Kit. Completed the Italian (and FR/ES/DE) translations, including the exemption labels that previously showed in English. The withdrawal button itself is unchanged.

1.0.0-alpha.30

• Exemptions consent capture now works on FluentCart too (checkout acknowledgement + durable-medium confirmation), reaching parity with WooCommerce. Built on FluentCart hooks re-verified against the official docs. FluentCart exemptions match by product ID. The «Open order» admin link now uses FluentCart’s own order URL. Needs a live FluentCart test; fail-safe until verified.

1.0.0-alpha.29

• Exemptions (Art. 59) — durable-medium confirmation + evidence, retention, GDPR. For the conditional exemptions the plugin now e-mails the consumer a durable-medium confirmation reproducing the agreed consent wording (constitutive for digital content, Art. 59(1)(o)) and logs the dispatch separately. Stored consents have a configurable retention (default 10 years) with a daily routine that anonymises the IP afterwards; the IP is configurable and never written to the immutable log. Adds a ready-to-paste GDPR privacy clause (legitimate interest) and a «Consent records» admin page with CSV export. Clearer wording everywhere: physical products never need consent; the button is hidden only after consent is captured (fail-safe).

1.0.0-alpha.28

• Exemptions (Art. 59) — checkout consent capture. For the two conditional exemptions (digital content with immediate access; service fully performed), WooCommerce checkout now shows a required acknowledgement tick-box and stores the agreed wording (with a SHA-256 hash, timestamp and IP) on the order as evidence — so the button is hidden for those items only once the consumer has lawfully consented. Statutory wording is filterable via webwakeupwdb_consent_text. Classic WooCommerce checkout; the block Checkout and FluentCart capture are tracked follow-ups.

1.0.0-alpha.27

• Exemptions (Art. 59) — per-reason product/category tagging. Mark products or categories as exempt by a specific statutory reason (custom-made, perishable, sealed hygiene, dated services, digital immediate, service performed, …), each with its legal reference and plain-language guidance. The right of withdrawal stays the default — including digital products — and conditional reasons keep the button until consent is captured.

1.0.0-alpha.19

• FluentCart customer portal: the «Right of withdrawal» account page, the sidebar entry, the per-order button and the dashboard banner now work. Every FluentCart hook was corrected to the official FluentCart developer contract (verified against dev.fluentcart.com), and the order chooser reads each order’s data through the correct customer/address relations. Fixes the blank page and missing button seen in live testing.

1.0.0-alpha.18

• FluentCart: first cut of the customer-portal withdrawal surfaces, and a platform-agnostic order chooser that merges WooCommerce and FluentCart orders.

1.0.0-alpha.17

• Withdrawal flow (WooCommerce HPOS + FluentCart), statutory labels (IT/EN/DE/FR/ES), two-step + no-JS fallback, durable-medium acknowledgement (email + PDF + verifiable link), tamper-evident hash-chained log + OpenTimestamps, Annex I-B model form + legal clauses, shortcodes, admin dashboard + compliance page, Complianz/cache compatibility. Security audit: 0 findings.

1.0.0-alpha.1

• Foundation: bootstrap, schema (immutable log + timestamp tables), debug stack, REST diagnostics.