Payment Page | Payment Form for Stripe | Stripe & PayPal Subscriptions

Changelog

1.5.0

• ACH Direct Debit migration to Stripe Financial Connections (Shortcut #7177). Stripe deprecated the legacy ACH stack (Charges API + Tokens API + Plaid Link) on 2026-05-15; ACH attempts on the prior path were failing live for every merchant. Payment Page 1.5.0 replaces it end-to-end with the supported Financial Connections + PaymentIntent + us_bank_account flow. Existing ACH merchants should run Stripe’s Dashboard mandate-backfill tool — see docs.paymentpageplugin.com for the migration runbook. Plaid settings panel removed; no merchant configuration needed.
• Stripe PHP SDK bumped 15.7.0 → 20.1.0, API version pinned to 2026-04-22.dahlia. Required for Financial Connections + new ACH flow; brings ~2 years of upstream bug fixes.
• 10 new bundled form templates — Personal Trainer, Restaurant Catering, Online Course, Membership Site, Photography Booking, Event Tickets, Crowdfunding, Subscription Box, Therapy / Coaching, Digital Product / Ebook. Each ships with full category-themed styling (colors, fonts, button styling, container, payment-method theming) so the form looks polished from the first import — no manual styling required. Templates work offline; the gallery shows them alongside the 12 remote templates from paymentpageplugin.com.
• Reliability: webhook signature catch + idempotency. Stripe webhook now catches SignatureVerificationException explicitly (returns 400, not 500 — Stripe stops retrying instead of filling debug.log with retried events). Duplicate webhook deliveries no longer re-send customer/admin emails or re-fire submit-action HTTP webhooks; 7-day transient dedupe by event id plus belt-and-suspenders is_paid short-circuit. (Audit S1 + S2)
• Reliability: failed-payment + processing events recorded. payment_intent.payment_failed now logged via PP_Model_Log; payment_intent.processing marks payments as pending. Critical for ACH which settles asynchronously over 2-4 business days. (Audit S5)
• Reliability: subscription setup-fee race fixed. Replaced the legacy subscriptions.create → sleep(1) → subscriptions.update dance with Stripe’s canonical add_invoice_items shape — single atomic call, no PHP-FPM worker blocked for 1 second, no race window against Stripe eventual consistency. (Shortcut #7141 / Audit S10 / Perf P7)
• Reliability: PayPal webhook errors now logged instead of silently swallowed. Failed signature verifications, malformed payloads, unrecognized order descriptions, and capture errors all land in PP_Model_Log with explanatory context. Guards undefined array index on malformed PayPal payloads (PHP 8 warning → fatal under failOnWarning PHPUnit). (Audit S14)
• Reliability: money-math hardening. payment_page_format_price_as_non_decimal_int() now trims + uppercases the currency code (whitespace input no longer 100x overcharges zero-decimal currencies like JPY) and uses round(half-up) instead of intval() (IEEE-754 float drift on prices like $0.99 no longer truncates a cent). Locked by Tier-A property-based tests. (Audit M-1, M-2)
• Reliability: rewrite-rules auto-flush on upgrade. Version-gated flush_rewrite_rules() on init ensures the payment-form/{slug}/ permalink works immediately after upgrade — fixes a 404 on freshly-imported forms when the activation hook’s flush was hijacked by Freemius opt-in redirect.
• Security: Stripe Connect callback now requires admin capability and a single-use state token. The previous endpoint was permission_callback = __return_true — an attacker who obtained an encrypted credentials blob could trick an admin into silently overwriting the site’s Stripe account credentials via a drive-by <img src="...">. 1.5.0: callback requires current_user_can( payment_page_settings ) AND a server-stored, single-use, 10-minute state token bound to the admin who started the connect flow. (Shortcut #7142 / Audit F001)
• Security: template import no longer runs PHP unserialize() on remote data. The previous path called maybe_unserialize() on metadata fetched from the company API server — a textbook PHP Object Injection / RCE-class vector if the API server were compromised. 1.5.0: pattern-rejects PHP-serialized strings; scalars and arrays pass through; add_post_meta() handles serialization safely. (Shortcut #7144 / Audit F003)
• Security: hardening bundle. Settings::update() now recursively sanitizes nested arrays via wp_kses_post (was top-level only — admin nested-XSS surface). Payment::sync_details now uses HMAC-SHA-256 + wp_salt('auth') instead of md5(NONCE_SALT.$id); the literal-salt fallback for misconfigured sites is removed (fail-closed). Migration AJAX handler nonce-protected. force-db-table-integrity action nonce-protected (Site Health link emits the matching nonce). data: protocol dropped from admin-notice wp_kses() allow-list. $_GET['page'] reads now sanitize_text_field( wp_unslash() ). Skeleton ORM listWhere/listByIds now use column allow-lists derived from each model’s $fields map. Per-IP rate limit on the unauthenticated /payment/sync-details endpoint (12 req/min). Identity fields (name, email) sanitize-on-write. (Audit F004 + F005 + F006 + F008 + F010 + F011 + F012 + S11 + S12 + S13)
• Performance: conditional frontend enqueue — Payment Page’s CSS+JS+inline localized blob no longer loads on every page of your site. Detection runs at template_redirect; assets enqueue only when a [payment-page-payment-form] shortcode, an Elementor payment-form widget, or a pp_payment_form singular is present. Single biggest LCP/TBT improvement in this release. Use add_filter('payment_page_force_universal_interface', '__return_true') for popup-form mounts that detection can’t reach. (Audit P1)
• Performance: option no longer autoloaded. payment_page_settings is now autoload=no — removes per-request memory cost on every WP request. One-time idempotent migration flips the autoload flag on upgrade. (Audit P3)
• Performance: admin + Elementor function files lazy-loaded. Frontend requests no longer parse admin or Elementor function files unless Elementor is actually active. (Audit P4)
• Performance: jQuery UI base theme bundled locally instead of loaded from code.jquery.com. Removes a render-blocking third-party request from the Elementor editor. (Audit P8)
• Performance: distributed plugin zip slimmed. New .distignore strips dev artifacts (tests/, composer.json/lock, CodeKit project files, source maps, .git, .github, README.md, changelog.txt) from the wp.org and Freemius release zips. (Audit P11)
• Admin UX: WP notices now position above the Payment Page admin chrome. Plugin notices from other plugins (Wordfence, WooCommerce, etc.) no longer sandwich between Payment Page’s nav and form content. Fixes a long-standing layout bug on PP admin pages running alongside multi-plugin stacks.
• Confirmation Email Builder GA v2 (Shortcut #6932). Strategy A read-time fallback ships the GA email builder out of BETA; backcompat for legacy email_from / email_to schema; per-recipient subject editing; HTML body with auto-generated plaintext AltBody; merge tags ({name}, {email}, {amount}, etc.); “Send test emails” button in the form editor.
• Stripe Connect webhook auto-provision v2 (Shortcut #5904). Idempotent webhook endpoint creation on the connected account during Connect OAuth; reconnect dedupe; signing secret persisted automatically. Merchants no longer have to paste webhook secrets manually.
• WP-CLI wp payment-page namespace — verify-integrity (cross-table DB invariant check), retry-stuck-pi --id=N (recover ACH PaymentIntents stuck in processing state), dump-payments (operational JSON dump for support triage). Loaded only under WP-CLI; zero overhead on regular requests. Full output contract documented at docs/wp-cli-contract.md so third-party tooling can depend on stable JSON shapes.
• Hygiene: strict-mode-blocking uninstall. New uninstall.php + 4-guard Uninstaller cleanly drops all 5 PP tables + ~40 wp_options + every CPT post + transients when a merchant deletes the plugin — BUT only if they opt in via Settings → Advanced → Uninstall behavior: destroy. Default is preserve so existing merchants are unaffected. Plus a guard against accidental deletion when payment activity exists in the last 90 days. Fixes the wp.org Plugin Check “Plugin should cleanly uninstall” finding.
• Observability hooks at 5 critical paths via do_action('pts_increment_counter', ...) — webhook idempotency (hit/miss), webhook payment success, ACH FC session creation, money conversion, rate-limit drops. Production: zero listeners → zero overhead. Test environments + monitoring scripts can attach counters without changing source semantics.
• Quality gate: PHPStan level 5 with the szepeviktor/phpstan-wordpress preset now runs in CI on every PR. Baseline freezes existing warnings; gate-fails on any NEW warning matching the 7 known-bug patterns (see docs/wp-cli-contract.md for triage notes).
• Test suite expansion: 230 PHPUnit Tier-A/B/C unit tests (685 assertions, 0.6s runtime) covering money correctness, webhook idempotency, AJAX security matrix, cron lifecycle, DB integrity, uninstall strict-mode, observability emission, WP-CLI contract, conditional-enqueue regression-lock, subscription-lifecycle gap (fixture-driven). Plus payments-grade Playwright suite at qa-harness/playwright/specs/payments-grade/ (mastermind) covering webhook replay, concurrent webhook race, dispute lifecycle, ACH stuck-PI, migration chain, refund semantics, PayPal sig timestamp, rate-limit, performance budgets, visual regression, license-tier gating.
• Compat: Stripe SDK bump (above) requires PHP 7.4+ (already our minimum); WP 7.0 tested.
• Docs: new ACH migration runbook + admin notice pointing merchants to Stripe’s Dashboard mandate-backfill tool. Removes the previous Plaid configuration walkthrough.

1.4.10

• Compat: WP 7.0 readiness — bump Requires PHP to 7.4 (matches WP 7.0’s runtime floor) and Tested up to to 7.0. No functional changes.

1.4.9

• Fix: admin “Connect Stripe” button spun forever for fresh installs; the dashboard JS was reading the payment-gateway map from configuration.payment_gateway (always undefined) instead of data.payment_gateway. Shortcut #6953.
• Fix: “Cookie check failed” no longer blocks the payment form on desktop browsers that restrict third-party cookies (Safari ITP, Firefox Enhanced Tracking Protection, ad-blockers). Stripe.js is now initialized with advancedFraudSignals: false by default; sites that want the full Radar advanced-signals fingerprinting back can opt in via the new payment_page_stripe_advanced_fraud_signals filter. Shortcut #6937.
• Fix: Elementor’s widget editor (including the built-in Form widget) no longer breaks when Payment Page is active. Our Elementor control scripts called the deprecated jQuery(window).load(fn), removed in jQuery 3.0; switched to jQuery(window).on('load', fn) across all six bundled control scripts. Shortcut #3807.
• Fix: “Show Payment Details” toggle now hides the post-payment details template on forms built with the Elementor widget. The previous check only matched 'no' (our custom builder’s off-value) and missed '' (Elementor’s SWITCHER off-value). Shortcut #3993.
• Fix: WP Rocket (and other page-cache plugins) no longer cache pages containing a payment form. The form HTML carries per-request data (uniqid, browser-detected wallet flag, Stripe publishable_key) that was being served stale to subsequent visitors and showing as “This wallet is not compatible in your browser”. The form now sets DONOTCACHEPAGE on render and excludes its inline localized config from WP Rocket’s JS combine / minify / delay passes. Shortcut #3731.

1.4.8

• Bug fixes.
• Payment form layout fixes.

See our full changelog at docs.paymentpageplugin.com/changelog.