* NEW: "Redsys email to customer" toggle in Redsys Advanced Settings → General to control whether DS_MERCHANT_EMAIL_TITULAR is sent to Redsys. When enabled and the Redsys terminal is configured to notify customers, Redsys sends its own purchase confirmation email to the buyer. Disabled by default — WooCommerce already sends its own order email, so existing installations stop forwarding the customer email to Redsys after the update. Applied to both Redsys Redirection and InSite gateways (classic and Blocks checkouts).
* FIX: Apple Pay Express button on the product page failed to open the payment sheet on iOS Safari mobile when the Express custom fields feature was enabled. The pre-payment AJAX call (modal lookup or modal save) ran between the click handler and ApplePaySession.begin(), invalidating the iOS user-activation gesture so Safari silently aborted the session. The button still worked on desktop because desktop Safari is more permissive about gesture propagation.
* NEW: Inline Express custom fields on the product page. When the feature is enabled and there are fields to collect, the form is now rendered above the Apple Pay / Google Pay buttons instead of in a post-click modal, with debounced auto-save to session. The click handler validates locally and starts ApplePaySession.begin() synchronously, preserving the iOS user gesture.
* FIX: Express custom fields modal AJAX no longer fires when there are no fields to collect on the current page. The product page now precomputes whether any classic or Blocks-registered additional fields exist and disables the modal lookup entirely when the field set is empty, avoiding the gesture-breaking AJAX even on pages where the feature is enabled but no fields apply.
* FIX: Inline Express custom fields on the product page now try both Blocks and Classic contexts when reading additional fields, so fields registered through the Blocks API are also rendered on classic product pages.
* NEW: Inespay periodic mandate now sends the recurring amount of the subscription instead of the parent order total. The gateway reads the recurring price from WooCommerce Subscriptions, SUMO Subscriptions, YITH WooCommerce Subscriptions, Subscriptions for WooCommerce (WP Swings) and Advanced Subscriptions for WooCommerce, and falls back to the order total only when no subscription amount can be detected. The order note created on mandate creation now includes the recurring amount that was actually sent to Inespay.
* NEW: Advanced Subscriptions for WooCommerce (ASWC) support in Inespay — the gateway detects the subscription id from order meta (aswc_subscription) and reads frequency, next payment date, end date and recurring amount via aswc_get_meta_data() to build the periodic mandate.
* FIX: Inespay return handler now keeps the intermediate "Creating the mandate…" screen visible for a few seconds even when the periodic mandate link is already known on first load, so customers can read what is happening before being redirected back to Inespay to authorize the recurring mandate.
* FIX: Limited Inespay and Google Pay Redirection gateway icons to the same maximum size as Google Pay (max-width 110px, max-height 40px) in the classic checkout, preventing oversized logos when the bank-supplied image is too large.
* FIX: PHP warnings "Undefined variable $ship_address_usage / $ship_address_usage_ind" in class-wc-gateway-redsys-psd2.php when a guest customer (not logged in and no user id) checked out with a shipping address. Both variables were only initialized inside the logged-in branch but read in the outer block; they now default to first-use today, matching the existing else-branch behavior.
* NEW: Subscriptions section in Redsys Advanced settings to configure credentials and behavior for subscription renewal payments.
* SECURITY [High]: Added missing cryptographic signature verification in successful_request() for 9 payment gateways: Apple Pay, Bizum Checkout, Bizum Redirect, Google Pay Checkout, Google Pay Redirect, Direct Debit, MasterPass, PayGold, and Bank Transfer. Without this check, payment notifications could be forged to complete orders without actual payment.
* FIX: SUMO Subscriptions renewal orders failed because sumo_save_subscription_payment_info() was called with 'payment_method' => 'insite' instead of 'redsys' in the redirect gateway callback. This caused SUMO to set the wrong payment method on renewal orders, triggering the wrong gateway filter and using incorrect credentials.
* FIX: YITH WooCommerce Subscriptions were being cancelled prematurely on failed renewals for the Redsys Redirect, InSite, Apple Pay Checkout and Google Pay Checkout gateways. The "no token / expired card" path in doing_scheduled_subscription_payment() (class-wc-gateway-redsys.php and class-wc-gateway-insite-redsys.php) called ywsbs_register_failed_payment() and then returned false, causing the YITH wrapper renew_yith_subscription() to call it again. The double increment of failed_attempts cancelled subscriptions after 1–2 real failures instead of the configured 3 retries. Apple Pay and Google Pay Checkout are also fixed since they delegate to the main Redsys handler.
* SECURITY [Medium]: Fixed an authenticated account takeover vulnerability that could allow an attacker to assume any user account, including administrators.
* SECURITY [Low]: Fixed unauthenticated access to order status and user data.
* FIX: PayGold link generated from admin order metabox was never saved correctly due to an impossible response code condition in send_paygold_link(). The function now uses the same validation logic as the checkout flow (response code 9998).
* FIX: Fixed undefined $description variable in paygold_metabox_save() when sending a PayGold link from the order edit screen.
* FIX: Custom notification domain (redsys_url_notify) was broken by check_url() prepending home_url() to URLs that already had a different domain. check_url() now detects absolute URLs and preserves them as-is.
* FIX: get_notify_home_url() now automatically adds https:// when the custom notification domain is saved without a scheme.
* FIX: PHP 8.3+ compatibility — Fixed deprecation warnings for passing null/false to string functions (trim, strlen) from get_option() calls in get_txnid(), get_token_type(), and connect_standard_imap().
* FIX: PHP 8.3+ compatibility — Fixed add_submenu_page(null,...) in setup guide causing strpos()/str_replace() deprecation warnings.
* NEW: Virtual / Downloadable Products order status override in Advanced Settings. When all products in an order are virtual or downloadable, the order status can be automatically set to Completed instead of Processing.
* NEW: Redsys response code 0115 (card cancelled or account closed) now automatically deletes the stored card token, notifies the customer with instructions to add a new payment method (My account > Payment Methods), and notifies the admin.
* NEW: Admin email notification when a customer's credit card is automatically removed due to Redsys hard-decline response codes (0115, 0172, 0173).
* NEW: Improved customer email when a card is removed — now includes the last 4 digits of the card, the error code, and a direct link to add a new payment method.
* NEW: COF_INI (Credential on File initial) flag is now saved to order meta (_redsys_cof_ini) for all COF transaction types (R and C), preventing duplicate token creation when COF_INI=N.
* FIX: Conditional Rules test mode now correctly applies to the Redsys gateway URL. Previously, orders with conditional rules overriding test mode still used the default gateway URL.
* FIX: Fixed duplicate token creation when customer already has a saved card and COF_INI=N is sent to Redsys.
* FIX: Fixed undefined array key warnings in save_field_update_order_meta() when conditional rules data is incomplete.
* FIX: Fixed $redsys->debug reference using wrong variable in preauthorization logging (now uses $this->debug).
* FIX: Fixed sanitize_text_field applied before substr for HTTP_ACCEPT_LANGUAGE in Google Pay and Apple Pay Checkout, ensuring correct sanitization order.
* FIX: Google Pay Checkout now ensures WooCommerce transactional emails are initialized before calling payment_complete() in payment callbacks.
* NEW: Conditional Rules — visual rule builder to override payment parameters (terminal, merchant code, SHA256, transaction type, test mode, etc.) based on order conditions (category, tag, amount, currency, language, user role).
* NEW: Added preauthorization support for Google Pay and Apple Pay.
* NEW: Google Pay and Apple Pay now save merchant code to order meta for preauthorization operations.
* UPDATE: Refactored InSite payment form error handling with AJAX-based refresh instead of full page reload.
* NEW: Added post_payment_complete hooks for Bank Transfer, IMAP email processing and Inespay gateways.
* FIX: Fixed InSite COF_TYPE detection that caused incorrect credential-on-file type in REST payments.
* FIX: Fixed Ds_Card_PSD2 using wrong variable in REST payment path.
* FIX: Fixed InSite orders being marked as paid without Redsys authorization when a third-party plugin filters woocommerce_cart_needs_payment.
* FIX: Improved InSite checkout routing using REST_REQUEST instead of checkout_use_block() for reliable shortcode/block detection.
* SECURITY: Masked secret SHA256 key in debug logs.
* FIX: Fixed Express Payment (Google Pay / Apple Pay) not applying IRPF correctly when using Autonomos Premium. Totals now reflect the correct amount including retention.
* FIX: Improved compatibility between Express Payment custom fields and Autonomos Premium surcharge calculation.
* FIX: Fixed EMV 3DS timezone fields not being saved for users in UTC+0 timezone (e.g. Canary Islands), which could cause errors in 3D Secure authentication.
* FIX: Google Pay Redirection now uses a strict equality check to prevent it from appearing in the checkout block when disabled.
* FIX: Fixed YITH Subscriptions renewal payments not processing - added missing return false when customer has no saved token (Redsys and InSite gateways).
* FIX: Fixed YITH Subscriptions renewal payments staying on-hold - added missing return false when Redsys returns an error response (Redsys and InSite gateways).
* FIX: Added ywsbs_register_failed_payment() call when token is missing to properly notify YITH Subscriptions of the failure.
* FIX: Fixed PHP 8.4 compatibility - nullable parameters are now explicitly declared in REST controller methods.
* FIX: Fixed "$this" usage in static methods for Apple Pay Checkout and Redsys gateway subscription renewal processing.
* FIX: Apple Pay and Google Pay Express Checkout no longer appear as regular payment methods in the checkout block (they only appear in the Express Checkout section as intended).
* NEW: Added Google Pay Express Checkout for the Checkout Block.
* NEW: Added Apple Pay and Google Pay Express Checkout for the Cart Block.
* FIX: Apple Pay Express Checkout orders are now correctly marked as Apple Pay (instead of Redsys).
* FIX: Apple Pay Express Checkout now triggers WooCommerce transactional emails after successful payment (customer and admin).
* UPDATE: Agentic Commerce flow aligned with WooCommerce core (wc/agentic/v1 routes, bearer auth registry, provider/payment-method metadata for supported Redsys gateways).
* FIX: Load Redsys IMAP support before scheduling the email checker cron, avoiding “no callbacks registered” warnings for `redsys_check_emails_cron`.
* FIX: Hid the development-only “App & Push” settings section so it no longer appears in production admin menus.
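
The signature check described in the SECURITY [High] entry above, sketched as an added example that is not the plugin's own code. It assumes Redsys's HMAC_SHA256_V1 notification scheme (a per-order 3DES-derived key, then HMAC-SHA256 over Ds_MerchantParameters); the example_* function names, the key and the notification data are constructed for illustration.

```php
<?php
// Added example, not the plugin's code; every example_* name is hypothetical.

// Per-order key: 3DES-CBC (zero IV) over the zero-padded order number.
function example_order_key(string $order, string $merchant_key_b64): string {
    $padded = str_pad($order, (int) (ceil(strlen($order) / 8) * 8), "\0");
    return openssl_encrypt($padded, 'des-ede3-cbc', base64_decode($merchant_key_b64),
        OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, str_repeat("\0", 8));
}

// Expected signature for a Ds_MerchantParameters blob, or null if it is malformed.
function example_expected_signature(string $params_b64, string $merchant_key_b64): ?string {
    $data  = json_decode((string) base64_decode(strtr($params_b64, '-_', '+/')), true);
    $order = is_array($data) ? ($data['Ds_Order'] ?? $data['DS_ORDER'] ?? '') : '';
    if (!is_string($order) || $order === '') {
        return null; // no order number means no key can be derived
    }
    $mac = hash_hmac('sha256', $params_b64, example_order_key($order, $merchant_key_b64), true);
    return strtr(base64_encode($mac), '+/', '-_');
}

// Gate to run before any order state changes in a notification handler.
function example_verify_notification(array $post, string $merchant_key_b64): bool {
    $params = $post['Ds_MerchantParameters'] ?? '';
    $sig    = $post['Ds_Signature'] ?? '';
    if (!is_string($params) || !is_string($sig) || $sig === '') {
        return false; // a missing signature is a failed check, never a skipped one
    }
    $expected = example_expected_signature($params, $merchant_key_b64);
    // hash_equals() compares in constant time; normalise to URL-safe base64 first.
    return $expected !== null && hash_equals($expected, strtr($sig, '+/', '-_'));
}

// Constructed sample data: the key and notification below are not real values.
$key    = base64_encode('0123456789abcdefghijklmn'); // 24 bytes, as 3DES requires
$fields = ['Ds_Order' => '000012345678', 'Ds_Amount' => '1999', 'Ds_Response' => '0000'];
$params = base64_encode(json_encode($fields));
$good   = ['Ds_MerchantParameters' => $params, 'Ds_Signature' => example_expected_signature($params, $key)];

// Same signature attached to altered parameters: the check must reject it.
$altered = $good;
$altered['Ds_MerchantParameters'] = base64_encode(json_encode(['Ds_Amount' => '1'] + $fields));

var_dump(example_verify_notification($good, $key));     // genuine notification
var_dump(example_verify_notification($altered, $key));  // parameters changed after signing
var_dump(example_verify_notification(['Ds_MerchantParameters' => $params], $key)); // signature absent
```

The order should only be completed when this gate returns true, and the amount and order number acted on should be the ones decoded from the verified Ds_MerchantParameters, not from any other request field.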