Releases: An-Idea-For-Business/wwu-withdrawal-button
v1.2.6 — Complete the bundled translations (IT/DE/FR/ES/SV)
Translations-only release (no code change). A user reported the Legal clauses Settings section and other recent admin strings showing in English on an Italian site, because the .pot had not been regenerated since the 1.2.1 editable-clauses work.
What changed
- Regenerated languages/wwu-withdrawal-button.pot (110 files, 562 unique strings).
- Translated the newly-surfaced merchant-facing strings across IT / DE / FR / ES / SV and recompiled the .mo files. Per-locale: it 554/8, de 544/5, es 546/3, fr 546/3, sv 543/6 (the few remaining are intentional English: proper nouns + dev-tool labels).
Swedish is machine-assisted, pending a native review.
Full notes: docs/changelog/wwu-wb-CHANGELOG.md.
v1.2.5 — PHP 7.4 fix (Dompdf 2.x) + multi-recipient alerts + FluentCart auto-detect
Highlights
PHP 7.4 compatibility restored. The bundled PDF library (Dompdf) had been updated to a 3.x release that requires PHP 8.1, which produced a Composer "platform" error near the PDF option on PHP 7.4 sites (reported in #31). Dompdf is pinned back to the 7.4-compatible 2.x line — the error is gone and the PDF receipts are unchanged. Verified by a full audit (real receipt-template render on Dompdf 2.x).
Notification e-mail accepts multiple recipients. Settings → Notification email(s) now takes several comma-separated addresses, so the "new withdrawal request" alert can reach more than one person. The first address is also shown to the customer as the shop contact. A single address keeps working as before.
FluentCart coexistence is now automatic. With FluentCart handling on Auto (the default), the plugin detects FluentCart's own free "Customer Rights" add-on (team-confirmed signal) and steps aside automatically, so customers never see two withdrawal flows. WooCommerce and EDD unaffected.
No database or schema change.
Install
Download wwu-withdrawal-button.zip and upload via Plugins → Add New → Upload Plugin, or update in place.
v1.2.4 — WordPress.org compliance hardening + display-name refinement
Housekeeping release that addresses the WordPress.org plugin-directory pre-review. No functional change to the withdrawal flow, your data or the evidence log. The plugin slug is unchanged (wwu-withdrawal-button), so updating in place is seamless and translations are untouched.
Changes
- Display name refined to "WWU Right of Withdrawal for WooCommerce, FluentCart, EDD & more" (the slug stays the same). "WWU" is WebWakeUp's own brand.
- Hardening: extra input sanitisation on the rate-limiter, tightened URL escaping in the plain-text e-mails, explicit REST permission_callback on the public withdrawal endpoints, removed the now-unneeded textdomain loader (WordPress loads translations automatically since 4.6), and an expanded "External services" section in the readme for the optional RFC 3161 / eIDAS timestamp authority.
Install
Download wwu-withdrawal-button.zip below and upload via Plugins → Add New → Upload Plugin, or update in place.
v1.2.3 — Failed acknowledgement e-mails now report the exact reason
Follow-up to v1.2.2 (the e-mail-send crash fix). 1.2.2 stopped the crash; the failure itself was still reported generically (a fixed "could not be sent" admin notice, wp_mail_returned_false in the log). This release surfaces the specific reason, so an SMTP misconfiguration is diagnosable at a glance.
What changed
- The mailer now captures the real failure reason and shows it:
  - When wp_mail() returns false, it reads the message WordPress reports via wp_mail_failed (the SMTP transport's own message, e.g. "Could not authenticate" or "Could not connect to host smtp.…").
  - When wp_mail() throws (the 1.2.2 case), it records the exception message.
- The admin "e-mail failed" notice now appends "Reported reason: …", and the same reason is written into the tamper-evident log.
- The reason is length-capped so it never bloats the log or the notice.
Why it matters
Turns "the acknowledgement e-mail failed" into "the SMTP host rejected authentication" — actionable without opening the PHP error log. The legal guarantee is unchanged: the withdrawal is always recorded, the consumer always reaches their confirmation page, and the failure is always logged and resendable.
No database or schema change; back-compatible. WooCommerce + FluentCart + EDD.
Install
Download wwu-withdrawal-button.zip below and upload via Plugins → Add New → Upload Plugin, or update in place.
v1.2.2 — Critical: e-mail send no longer crashes the withdrawal (WP Mail SMTP)
Critical fix
A merchant running WP Mail SMTP (free) reported a fatal "critical error" when a consumer confirmed a withdrawal, and when clicking admin Resend e-mail, across several WooCommerce sites.
An exception raised inside wp_mail() by an SMTP plugin (WP Mail SMTP, FluentSMTP, a provider mailer), or a \Error from Dompdf on PHP 8, escaped and crashed the request. WordPress's own wp_mail() only catches \PHPMailer\PHPMailer\Exception; any other \Throwable propagated up and produced a white-screen fatal even though the withdrawal had already been recorded.
The whole e-mail path is now exception-safe (standalone mailer + WooCommerce e-mail + the optional PDF). A send failure degrades to the existing "resend" flow instead of a fatal; the consumer always reaches their confirmation page. After updating, the underlying SMTP cause is visible in your PHP error log + the admin "e-mail failed" notice.
Update strongly recommended for any site that sends the acknowledgement through an SMTP plugin.
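The pattern described in the 1.2.3 and 1.2.2 notes (capture the wp_mail_failed reason, catch any \Throwable, cap the reason length) can be sketched as follows. This is an added example, not the plugin's own code: the function name wwu_example_safe_mail and the 200-character cap are assumptions, and it assumes WordPress is loaded.

```php
<?php
// Added example with hypothetical names; assumes it runs inside WordPress.

/**
 * Send mail without letting a transport failure escape to the caller.
 * Returns array( 'sent' => bool, 'reason' => string ).
 */
function wwu_example_safe_mail( $to, $subject, $body, $headers = array() ) {
	$reason = '';

	// wp_mail() reports PHPMailer failures through this action as a WP_Error.
	$capture = static function ( $error ) use ( &$reason ) {
		if ( $error instanceof WP_Error ) {
			$reason = $error->get_error_message();
		}
	};
	add_action( 'wp_mail_failed', $capture );

	try {
		$sent = (bool) wp_mail( $to, $subject, $body, $headers );
		if ( ! $sent && '' === $reason ) {
			// No transport message was reported; fall back to a generic code.
			$reason = 'wp_mail_returned_false';
		}
	} catch ( \Throwable $e ) {
		// SMTP plugins can throw types that wp_mail() does not catch itself.
		$sent   = false;
		$reason = get_class( $e ) . ': ' . $e->getMessage();
	} finally {
		// Always unhook, so the closure cannot pick up unrelated later sends.
		remove_action( 'wp_mail_failed', $capture );
	}

	// Strip markup and line breaks, then cap the length so the reason cannot
	// bloat the log or the admin notice (200 is an assumed cap).
	$reason = mb_substr( wp_strip_all_tags( $reason, true ), 0, 200 );

	return array( 'sent' => $sent, 'reason' => $reason );
}
```

The caller records the withdrawal before calling this, so a false 'sent' only flags the record for the resend flow and never blocks the confirmation page.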
Also in this release
- FluentCart 1.4.2 shipped a native EU withdrawal add-on. Settings → FluentCart now warns about running two flows at once and how to coexist (set FluentCart handling to Off, or use the wwu_wb_fluentcart_native_active filter). WooCommerce + EDD are unaffected.
- Smoke-test fix (test fixture used order_id instead of order_ref; no plugin-code change).
Install
Download wwu-withdrawal-button.zip below and upload via Plugins → Add New → Upload Plugin, or update in place.
v1.2.1 — Fix My Account tab 404 + editable legal clauses
Two fixes from a developer's support feedback (Antonio Costa). No DB schema change; PHP lint clean.
Fix — the WooCommerce "Right of withdrawal" My Account tab no longer 404s on a fresh install
The tab is a WooCommerce rewrite endpoint (/my-account/<slug>, default wwu-withdrawal), not a page. Its rewrite rule wasn't being persisted on activation (the flush ran before the endpoint was registered), so the tab returned a 404 until Permalinks were re-saved. The plugin now does a one-time rewrite flush on the first load after activation, so the tab works immediately.
If you already hit this: Settings → Permalinks → Save Changes also fixes it. No page needs to be created — the slug is an endpoint.
New — edit the legal clauses from the admin (no code)
A new Settings → Legal clauses section lets you replace the built-in pre-contractual / terms / privacy / exemption-consent clauses with your own wording (per language, with a "show the built-in default" toggle). Your text then appears on the Compliance page and wherever the [wwu_wb_info] shortcode is used, and the "sample text" note is dropped. Leave a field empty to keep the built-in template. Developers can also override programmatically with the new wwu_wb_clause_text filter.
Also
- Compliance page shows a "customised" badge on overridden clauses + a pointer to the new section.
- Hooks reference updated (33 → 34).
WordPress.org: the directory listing is still in manual review on the 1.1.x build; the latest version will follow via SVN once approved.
Full changelog: docs/changelog/wwu-wb-CHANGELOG.md
v1.2.0 — Update-your-legal-texts reminder + clearer docs
1.2.0 — "the button is not enough: update your legal texts too"
Prompted by EU consumer lawyer Alessandro Vercellotti: installing the withdrawal button is mandatory, but your Terms & Conditions of sale and pre-contractual information must also be amended in the withdrawal article to describe the new button modality (Art. 6 of the Consumer Rights Directive — the consumer must be told how to withdraw, which now includes the online button). The plugin generates the clauses; this release makes the obligation impossible to miss and hands you the exact text.
What's new
- Dashboard reminder card + Compliance page callout: "Installing the button is not enough — update your legal texts too", linking to the ready-to-paste clauses (the pre-contractual + general-terms clauses now open by default).
- The generated "How to withdraw" / pre-contractual clauses now name the button explicitly ("Recedere dal contratto qui" / "Withdraw from contract here"). IT + EN.
- Clearer documentation everywhere — the readme/README now lead with a plain "How it works (in 4 steps)" walkthrough and a complete, grouped feature list (customer help, merchant cockpit, smart legal handling, evidence & timestamps, privacy/GDPR, automations, platforms).
- Italian translations for the new admin strings.
No change to the withdrawal flow, storage or evidence. PHP lint clean.
WordPress.org: the directory listing is still in manual review on the 1.1.x build; 1.2.0 will follow via SVN once approved.
Full changelog: docs/changelog/wwu-wb-CHANGELOG.md
v1.1.1 — wordpress.org Plugin Check polish
WWU Withdrawal Button 1.1.1 — wordpress.org Plugin Check polish. No functional change. This is the version submitted to the WordPress.org plugin directory (automated scan: Pass).
- Removes the unused UI-kit clipboard.js from the package (its filename collided with a WordPress-core library; it was never loaded — only the accordion, badge and utilities components are).
- Moves the documentation link out of the readme short-description block (it was being counted toward the 150-character limit).
- Build script (bin/build.ps1) now honours nested-path .distignore entries.
On top of 1.1.0 (full evidence-log hardening from the security audit — HMAC-keyed hash chain, GDPR IP horizon, timestamp verification + retry) and 1.0.1 (Plugin Check fixes). Full history in the changelog.
Install
Download wwu-withdrawal-button.zip below → WordPress admin → Plugins → Add New → Upload Plugin.
This plugin is a technical aid to compliance and is not legal advice.
v1.1.0 — wp.org readiness + evidence-log hardening
WWU Withdrawal Button 1.1.0 — the wordpress.org-submission release: Plugin Check fixes + the full security-audit follow-up (evidence-log hardening).
Stable for the EU withdrawal-button mandate (in force since 19 June 2026), for WooCommerce, FluentCart & Easy Digital Downloads — free, GPLv3. No change to the withdrawal flow; existing logs keep verifying.
Evidence-log hardening (security-audit follow-up)
- Keyed hash chain — each row hash is HMAC-SHA256 keyed with the site secret (LogChain v2), so a DB-write attacker without the secret can't forge the chain. Per-row chain version; legacy rows still verify (schema 2→3, automatic migration).
- GDPR IP horizon — the hash commits to the anonymised IP; the full IP is kept in a separate column and erased after the retention window (with the customer e-mail).
- Timestamp verification + retry — RFC 3161 requires HTTPS and binds the token to the exact submitted digest + nonce; failed OpenTimestamps / initial stamps are retried automatically, and the admin surfaces any records not yet externally anchored.
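The following added example shows how an HMAC-keyed hash chain that commits to the anonymised IP behaves when the full IP is erased and when a row is edited without the secret. It is not the plugin's LogChain code: the field names, the JSON encoding, the genesis value and the secret are assumptions, and it covers only keyed rows, not the legacy ones.

```php
<?php
// Added example. Field names, encoding and the secret are assumptions.

const EXAMPLE_GENESIS = '0000000000000000000000000000000000000000000000000000000000000000';

function example_row_hash( array $row, string $prev, string $secret ): string {
	// Commit to the previous hash and to the anonymised IP only, so erasing
	// the full IP later does not invalidate the chain.
	$payload = json_encode( array( $prev, $row['id'], $row['order_ref'], $row['ip_anon'], $row['created_at'] ) );
	return hash_hmac( 'sha256', $payload, $secret );
}

function example_append( array $log, array $row, string $secret ): array {
	$prev        = $log ? $log[ count( $log ) - 1 ]['hash'] : EXAMPLE_GENESIS;
	$row['hash'] = example_row_hash( $row, $prev, $secret );
	$log[]       = $row;
	return $log;
}

/** Returns the id of the first row that fails verification, or null if intact. */
function example_verify( array $log, string $secret ): ?int {
	$prev = EXAMPLE_GENESIS;
	foreach ( $log as $row ) {
		if ( ! hash_equals( example_row_hash( $row, $prev, $secret ), $row['hash'] ) ) {
			return $row['id'];
		}
		$prev = $row['hash'];
	}
	return null;
}

// Constructed sample rows (documentation IP range, made-up order refs).
$secret = 'constructed-site-secret';
$log    = array();
foreach ( array( 'ORD-1001', 'ORD-1002', 'ORD-1003' ) as $i => $ref ) {
	$log = example_append( $log, array( 'id' => $i + 1, 'order_ref' => $ref, 'ip_anon' => '203.0.113.0',
		'ip_full' => '203.0.113.57', 'created_at' => '2026-06-2' . $i . 'T10:00:00Z' ), $secret );
}
$log[0]['ip_full'] = null;                     // retention window elapsed
var_dump( example_verify( $log, $secret ) );   // full IP erased, chain re-checked

// Row 2 is edited directly in the database and the tail is re-hashed with a
// guessed key, because the real secret is not stored alongside the rows.
$log[1]['order_ref'] = 'ORD-9999';
$prev                = $log[0]['hash'];
for ( $i = 1; $i < 3; $i++ ) {
	$prev              = example_row_hash( $log[ $i ], $prev, 'wrong-secret' );
	$log[ $i ]['hash'] = $prev;
}
var_dump( example_verify( $log, $secret ) );   // verifier reports the edited row
```

With an unkeyed hash the same re-hashing would verify cleanly, which is the gap the keyed chain closes. The guarantee holds only while the secret stays out of the database being protected.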
wordpress.org readiness (1.0.1 + 1.1.0)
Plugin Check fixes (unused UI-kit asset excluded, composer.json shipped with the bundled library, Tested up to 7.0, translators-comment + direct-access-guard tidy-ups) + low-risk audit fixes (OpenTimestamps SSRF-guard parity, input wp_unslash, defensive returns).
Install
Download wwu-withdrawal-button.zip below → WordPress admin → Plugins → Add New → Upload Plugin.
This plugin is a technical aid to compliance and is not legal advice.
v1.0.0 — first stable release
WWU Withdrawal Button 1.0.0 — first stable release, for the EU withdrawal-button mandate that applies from 19 June 2026.
The statutory online right-of-withdrawal function (Art. 11a Dir. 2011/83/EU as amended by Dir. (EU) 2023/2673; Italy: Art. 54-bis Codice del Consumo) for WooCommerce, FluentCart & Easy Digital Downloads — free and open-source (GPLv3).
What's inside
- Statutory two-step withdrawal flow with per-language wording (IT, EN, DE, FR, ES, SV)
- Durable-medium acknowledgement: email + PDF + verifiable link + OpenTimestamps
- Tamper-evident, hash-chained immutable log
- Art. 59 exemptions done right — checkout consent capture + a consumer "why exempt" note
- Optional partial withdrawal
- Withdrawal link in order e-mails (WooCommerce + EDD automatic; FluentCart merge-tag helper)
- Read-only REST API + signed webhook for automations (Zapier / Make / n8n / CRM)
- Annex I-B model form + ready legal clauses
- All six locales fully translated (545/545)
Install
Download wwu-withdrawal-button.zip below → WordPress admin → Plugins → Add New → Upload Plugin.
No functional change from 1.0.0-alpha.45: this promotes the alpha series to stable, clarifies the External-services disclosure, and finalises translations.
This plugin is a technical aid to compliance and is not legal advice. Have your own counsel review your store's documents.