RedSys Gateway | Pasarela Redsys para WooCommerce

RedSys Gateway | Pasarela Redsys para WooCommerce 30.4.0

* NEW: Subscriptions section in Redsys Advanced settings to configure credentials and behavior for subscription renewal payments.
* SECURITY [High]: Added missing cryptographic signature verification in successful_request() for 9 payment gateways: Apple Pay, Bizum Checkout, Bizum Redirect, Google Pay Checkout, Google Pay Redirect, Direct Debit, MasterPass, PayGold, and Bank Transfer. Without this check, payment notifications could be forged to complete orders without actual payment.
* FIX: SUMO Subscriptions renewal orders failed because sumo_save_subscription_payment_info() was called with 'payment_method' => 'insite' instead of 'redsys' in the redirect gateway callback. This caused SUMO to set the wrong payment method on renewal orders, triggering the wrong gateway filter and using incorrect credentials.
* FIX: YITH WooCommerce Subscriptions were being cancelled prematurely on failed renewals for the Redsys Redirect, InSite, Apple Pay Checkout and Google Pay Checkout gateways. The "no token / expired card" path in doing_scheduled_subscription_payment() (class-wc-gateway-redsys.php and class-wc-gateway-insite-redsys.php) called ywsbs_register_failed_payment() and then returned false, causing the YITH wrapper renew_yith_subscription() to call it again. The double increment of failed_attempts cancelled subscriptions after 1–2 real failures instead of the configured 3 retries. Apple Pay and Google Pay Checkout are also fixed since they delegate to the main Redsys handler.
* SECURITY [Medium]: Fixed an authenticated account takeover vulnerability that could allow an attacker to assume any user account, including administrators.
* SECURITY [Low]: Fixed unauthenticated access to order status and user data.
* FIX: PayGold link generated from admin order metabox was never saved correctly due to an impossible response code condition in send_paygold_link(). The function now uses the same validation logic as the checkout flow (response code 9998).
* FIX: Fixed undefined $description variable in paygold_metabox_save() when sending a PayGold link from the order edit screen.
* FIX: Custom notification domain (redsys_url_notify) was broken by check_url() prepending home_url() to URLs that already had a different domain. check_url() now detects absolute URLs and preserves them as-is.
* FIX: get_notify_home_url() now automatically adds https:// when the custom notification domain is saved without a scheme.
* FIX: PHP 8.3+ compatibility — Fixed deprecated warnings for passing null/false to string functions (trim, strlen) from get_option() calls in get_txnid(), get_token_type(), and connect_standard_imap().
* FIX: PHP 8.3+ compatibility — Fixed add_submenu_page(null,...) in setup guide causing strpos()/str_replace() deprecation warnings.
* NEW: Virtual / Downloadable Products order status override in Advanced Settings. When all products in an order are virtual or downloadable, the order status can be automatically set to Completed instead of Processing.
* NEW: Redsys response code 0115 (card cancelled or account closed) now automatically deletes the stored card token, notifies the customer with instructions to add a new payment method (My account > Payment Methods), and notifies the admin.
* NEW: Admin email notification when a customer's credit card is automatically removed due to Redsys hard-decline response codes (0115, 0172, 0173).
* NEW: Improved customer email when a card is removed — now includes the last 4 digits of the card, the error code, and a direct link to add a new payment method.
* NEW: COF_INI (Credential on File initial) flag is now saved to order meta (_redsys_cof_ini) for all COF transaction types (R and C), preventing duplicate token creation when COF_INI=N.
* FIX: Conditional Rules test mode now correctly applies to the Redsys gateway URL. Previously, orders with conditional rules overriding test mode still used the default gateway URL.
* FIX: Fixed duplicate token creation when customer already has a saved card and COF_INI=N is sent to Redsys.
* FIX: Fixed undefined array key warnings in save_field_update_order_meta() when conditional rules data is incomplete.
* FIX: Fixed $redsys->debug reference using wrong variable in preauthorization logging (now uses $this->debug).
* FIX: Fixed sanitize_text_field applied before substr for HTTP_ACCEPT_LANGUAGE in Google Pay and Apple Pay Checkout, ensuring correct sanitization order.
* FIX: Google Pay Checkout now ensures WooCommerce transactional emails are initialized before calling payment_complete() in payment callbacks.
* NEW: Conditional Rules — visual rule builder to override payment parameters (terminal, merchant code, SHA256, transaction type, test mode, etc.) based on order conditions (category, tag, amount, currency, language, user role).
* NEW: Added preauthorization support for Google Pay and Apple Pay.
* NEW: Google Pay and Apple Pay now save merchant code to order meta for preauthorization operations.
* UPDATE: Refactored InSite payment form error handling with AJAX-based refresh instead of full page reload.
* NEW: Added post_payment_complete hooks for Bank Transfer, IMAP email processing and Inespay gateways.
* FIX: Fixed InSite COF_TYPE detection that caused incorrect credential-on-file type in REST payments.
* FIX: Fixed Ds_Card_PSD2 using wrong variable in REST payment path.
* FIX: Fixed InSite orders being marked as paid without Redsys authorization when a third-party plugin filters woocommerce_cart_needs_payment.
* FIX: Improved InSite checkout routing using REST_REQUEST instead of checkout_use_block() for reliable shortcode/block detection.
* SECURITY: Masked secret SHA256 key in debug logs.
* FIX: Fixed Express Payment (Google Pay / Apple Pay) not applying IRPF correctly when using Autonomos Premium. Totals now reflect the correct amount including retention.
* FIX: Improved compatibility between Express Payment custom fields and Autonomos Premium surcharge calculation.
* FIX: Fixed EMV 3DS timezone fields not being saved for users in UTC+0 timezone (e.g. Canary Islands), which could cause errors in 3D Secure authentication.
* FIX: Google Pay Redirection now uses strict equality check to prevent it from appearing in checkout block when disabled.
* FIX: Fixed YITH Subscriptions renewal payments not processing - added missing return false when customer has no saved token (Redsys and InSite gateways).
* FIX: Fixed YITH Subscriptions renewal payments staying on-hold - added missing return false when Redsys returns an error response (Redsys and InSite gateways).
* FIX: Added ywsbs_register_failed_payment() call when token is missing to properly notify YITH Subscriptions of the failure.
* FIX: Fixed PHP 8.4 compatibility - nullable parameters are now explicitly declared in REST controller methods.
* FIX: Fixed "$this" usage in static methods for Apple Pay Checkout and Redsys gateway subscription renewal processing.
* FIX: Apple Pay and Google Pay Express Checkout no longer appear as regular payment methods in the checkout block (they only appear in the Express Checkout section as intended).
* NEW: Added Google Pay Express Checkout for the Checkout Block.
* NEW: Added Apple Pay and Google Pay Express Checkout for the Cart Block.
* FIX: Apple Pay Express Checkout orders are now correctly marked as Apple Pay (instead of Redsys).
* FIX: Apple Pay Express Checkout now triggers WooCommerce transactional emails after successful payment (customer and admin).
* UPDATE: Agentic Commerce flow aligned with WooCommerce core (wc/agentic/v1 routes, bearer auth registry, provider/payment-method metadata for supported Redsys gateways).
* FIX: Load Redsys IMAP support before scheduling the email checker cron, avoiding “no callbacks registered” warnings for `redsys_check_emails_cron`.
* FIX: Hid the development-only “App & Push” settings section so it no longer appears in production admin menus.
* NEW: Added Inespay (Transferencia Online) gateway with sandbox/production toggle, callbacks, refunds API, and direct redirect/modal flow.
* NEW: Inespay now supports subscription flows with two-step (single + periodic mandate) handling and customer redirection.
* NEW: Inespay refunds implemented via official REST endpoint with callbacks for success/error.
* NEW: Redsys and Inespay notifications are now WooCommerce email classes that can be configured in WooCommerce > Emails (payment error alerts, missing tokenization data, unpaid thank-you warning, card reminder/request, card expiry/removal, Inespay transfer review, and periodic mandate failure).
* NEW: The Inespay transfer review email includes a direct link to the management screen (`redsys-inespay-subscriptions&tab=review`) and allows choosing the recipient from WooCommerce > Emails.
* FIX: PayGold link generation and storage corrected so admin actions send the proper URL.
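
For the SECURITY [High] entry above, an added PHP example (not the plugin's code) of a notification handler that authenticates the message before it decides whether an order is paid. It assumes Redsys's HMAC_SHA256_V1 signature scheme and the Ds_MerchantParameters / Ds_Signature / Ds_Order / Ds_Response fields; the function names, the key and the sample notification are constructed for the example.

```php
<?php
// Added example, not the plugin's code. Function names, key and sample data are constructed.
// Assumes Redsys's HMAC_SHA256_V1 scheme and the Ds_* notification fields.

function redsys_expected_signature(string $secret_b64, string $params_b64): ?string {
    $data  = json_decode((string) base64_decode(strtr($params_b64, '-_', '+/')), true);
    $order = is_array($data) && is_string($data['Ds_Order'] ?? null) ? $data['Ds_Order'] : '';
    if ($order === '') {
        return null; // no order number, so no per-order key can be derived
    }
    // Per-order key: 3DES-CBC with a zero IV over the order number, zero-padded to 8-byte blocks.
    $padded = str_pad($order, (int) ceil(strlen($order) / 8) * 8, "\0");
    $key    = openssl_encrypt($padded, 'des-ede3-cbc', (string) base64_decode($secret_b64),
        OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, str_repeat("\0", 8));
    if ($key === false) {
        return null;
    }
    // The MAC covers the base64 string exactly as received, not the decoded JSON.
    return strtr(base64_encode(hash_hmac('sha256', $params_b64, $key, true)), '+/', '-_');
}

function redsys_notification_is_authentic(array $post, string $secret_b64): bool {
    $params = $post['Ds_MerchantParameters'] ?? null;
    $sig    = $post['Ds_Signature'] ?? null;
    if (!is_string($params) || !is_string($sig)) {
        return false; // missing or malformed fields fail closed
    }
    $expected = redsys_expected_signature($secret_b64, $params);
    // hash_equals() compares in constant time; both sides are normalised to URL-safe base64.
    return $expected !== null && hash_equals($expected, strtr($sig, '+/', '-_'));
}

// Handler shape: authenticate first, and only then read the payload.
function handle_notification(array $post, string $secret_b64): string {
    if (!redsys_notification_is_authentic($post, $secret_b64)) {
        return 'rejected'; // the order-completion path is never reached
    }
    $data = json_decode(base64_decode(strtr($post['Ds_MerchantParameters'], '-_', '+/')), true);
    // Redsys response codes 0000-0099 mean the payment was authorised.
    return ((int) ($data['Ds_Response'] ?? 9999)) <= 99 ? 'paid' : 'failed';
}

// Constructed test key and notification.
$secret  = base64_encode(str_repeat('k', 24));
$params  = base64_encode(json_encode(['Ds_Order' => '1234ABCD', 'Ds_Response' => '0000']));
$genuine = ['Ds_MerchantParameters' => $params,
            'Ds_Signature' => redsys_expected_signature($secret, $params)];
$forged  = ['Ds_MerchantParameters' => $params, 'Ds_Signature' => 'AAAA'];
var_dump(handle_notification($genuine, $secret), handle_notification($forged, $secret));
```

A valid signature only shows the message was produced with the merchant key; a handler should still compare Ds_Order and Ds_Amount against the stored order before completing it.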