pronamic / pronamic-pay-with-rabo-smart-pay-for-woocommerce

This WordPress plugin connects your WooCommerce shop to payment provider Rabo Smart Pay via the Pronamic Pay plugin built by Pronamic.
https://wordpress.org/plugins/pronamic-pay-with-rabo-smart-pay-for-woocommerce/
GNU General Public License v2.0

[WordPress Plugin Directory] Review in Progress: Pronamic Pay with Rabo Smart Pay for WooCommerce #4

Closed remcotolsma closed 5 months ago

remcotolsma commented 5 months ago

Hello,

Thanks for uploading your plugin, we can begin with the review. We are a group of volunteers who help you identify common issues so that you can make your plugin more secure, compatible, reliable and compliant with the guidelines.

There are issues with your plugin code preventing it from being approved immediately. We have pended your submission in order to help you correct all issues so that it may be approved and published.

We ask you read this email in its entirety, address all listed issues, and reply to this email after uploading a corrected version of your code. Failure to do so will result in your review being delayed or even rejected.

We know this email can be long, but we kindly ask you to be meticulous in fixing the issues we mention so that we can make the best use of our volunteer time and get your plugin approved as soon as possible.

Remember that in addition to code quality, security and functionality, we require all plugins to adhere to our guidelines. If you have not yet, please read them: https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/

Finally, should you at any time wish to alter your permalink (aka the plugin slug), you must explicitly tell us what you want it to be. Just changing the display name is not sufficient, and we require you to clearly state your desired permalink. Remember, permalinks cannot be altered after approval.

Be aware that you will not be able to submit another plugin while this one is being reviewed.

## Not permitted files

A plugin typically consists of files related to the plugin functionality (php, js, css, txt, md) and maybe some multimedia files (png, svg, jpg) and / or data files (json, xml).

We have detected files that are not among the files normally found in a plugin, are they necessary? If not, then those won't be allowed.

Example(s) from your plugin:

pronamic-pay-with-rabo-smart-pay-for-woocommerce/vendor/bin/validate-json
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/images/dist/app.icns
pronamic-pay-with-rabo-smart-pay-for-woocommerce/vendor/justinrainbow/json-schema/bin/validate-json
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/images/dist/wp-pay.icns

## Included Unneeded Folders

This plugin includes folders and files that look like they are not required for the running of your plugin. Some examples are:

  • development tools
  • unneeded vendor folders for production (bower, node, grunt, etc)
  • demos
  • unit tests

If you're trying to include the human-readable version of your own code (in order to comply with our guidelines) that's fine, remember that we also permit you to put links to them in your readme.

You should also keep and/or link configuration files, as for example, the composer.json file in order to allow others to review, study, and yes, fork this code.

https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/#4-code-must-be-mostly-human-readable

But you can, and should, safely remove those other unneeded folders from your plugins.

From your plugin:

pronamic-pay-with-rabo-smart-pay-for-woocommerce/vendor/composer/installers/.github

## Out of Date Libraries

At least one of the 3rd party libraries you're using is out of date. Please upgrade to the latest stable version for better support and security. We do not recommend you use beta releases.

From your plugin:

pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/assets/flot/jquery.flot.js:1 🔴  version 0.8.3.
   # ↳ Possible URL: https://github.com/flot/flot
automattic/jetpack-autoloader v3.0.7 ! v3.0.8 Creates a custom autoloader for a plugin or theme.

## Use wp_enqueue commands

Your plugin is not correctly including JS and/or CSS. You should be using the built in functions for this:

When including JavaScript code you can use:

When including CSS you can use:

Note that as of WordPress 5.7, you can pass attributes like async, nonce, and type by using new functions and filters: https://make.wordpress.org/core/2021/02/23/introducing-script-attributes-related-functions-in-wordpress-5-7/

If you're trying to enqueue on the admin pages you'll want to use the admin enqueues.

Example(s) from your plugin:

pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay-extensions/woocommerce/views/admin-meta-box-woocommerce-subscription.php:20 <style>
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/views/meta-box-gateway-test.php:211 <script type="text/javascript">
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/views/redirect-via-html.php:40 <script>
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay-extensions/woocommerce/views/admin-meta-box-woocommerce-order.php:20 <style>
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/views/meta-box-payment-lines.php:30 <style>
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/views/meta-box-payment-info.php:472 <style type="text/css">

## Undocumented use of a 3rd Party or external service

We permit plugins to require the use of 3rd party (i.e. external) services, provided they are properly documented in a clear manner.

We require plugins that reach out to other services to disclose this, in clear and plain language, so users are aware of where data is being sent. This allows them to ensure that any legal issues with data transmissions are covered. This is true even if you are the 3rd party service.

In order to do so, you must update your readme to do the following:

  • Clearly explain that your plugin is relying on a 3rd party as a service and under what circumstances
  • Provide a link to the service.
  • Provide a link to the service terms of use and/or privacy policies.

Remember, this is for your own legal protection. Use of services must be upfront and well documented.

Example(s) from your plugin:

# Domain(s) not mentioned in the readme file.
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay-extensions/woocommerce/src/Gateway.php:703 * <errorresponse xmlns="https://www.sisow.nl/Sisow/REST" version="1.0.0">
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/src/VatNumbers/VatNumberViesValidator.php:35 $client = new \SoapClient( self::API_URL );
# ↳ Found: 'http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl'
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/src/VatNumbers/VatNumberViesValidator.php:24 const API_URL = 'http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl';

# Domain(s) mentioned in the readme file. Links to service terms and/or privacy policy not found.
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay-gateways/omnikassa-2/src/Client.php:28 const URL_PRODUCTION = 'https://betalen.rabobank.nl/omnikassa-api/';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay-gateways/omnikassa-2/src/Client.php:35 const URL_SANDBOX = 'https://betalen.rabobank.nl/omnikassa-api-sandbox/';

## Don't Force Set PHP Limits Globally

While many plugins can need optimal settings for PHP, we ask you please not set them as global defaults.

Having defines like ini_set('memory_limit', '-1'); run globally (like on init or in the __construct() part of your code) means you'll be running that for everything on the site, which may cause your users to fall out of compliance with any limits or restrictions on their host.

If you must use those, you need to limit them specifically to only the exact functions that require them.

Example(s) from your plugin:

pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/pronamic/wp-number/src/Number.php:419 \ini_set($option, $ini_serialize_precision);

## Internationalization: Text domain does not match plugin slug.

In order to make a string translatable in your plugin you are using a set of special functions. These functions collectively are known as "gettext".

These functions have a parameter called "text domain", which is a unique identifier for retrieving translated strings.

This "text domain" must be the same as your plugin slug so that the plugin can be translated by the community using the tools provided by the directory. For example, if this plugin slug is penfold-macrame the Internationalization functions should look like:

esc_html__('Hello', 'penfold-macrame');

From your plugin, you have set your text domain as follows:

# This plugin is using the domain "pronamic-datetime" for 1 element(s).

However, the current plugin slug is this:

pronamic-pay-with-rabo-smart-pay-for-woocommerce

## Variables and options must be escaped when echo'd

Much related to sanitizing everything, all variables that are echoed need to be escaped when they're echoed, so it can't hijack users or (worse) admin screens. There are many esc_*() functions you can use to make sure you don't show people the wrong data, as well as some that will allow you to echo HTML safely.

At this time, we ask you escape all $-variables, options, and any sort of generated data when it is being echoed. That means you should not be escaping when you build a variable, but when you output it at the end. We call this 'escaping late.'

Besides protecting yourself from a possible XSS vulnerability, escaping late makes sure that you're keeping the future you safe. While today your code may only output hardcoded content, that may not be true in the future. By taking the time to properly escape when you echo, you prevent a mistake in the future from becoming a critical security issue.

This remains true of options you've saved to the database. Even if you've properly sanitized when you saved, the tools for sanitizing and escaping aren't interchangeable. Sanitizing makes sure it's safe for processing and storing in the database. Escaping makes it safe to output.

Also keep in mind that sometimes a function is echoing when it should really be returning content instead. This is a common mistake when it comes to returning JSON encoded content. Very rarely is that actually something you should be echoing at all. Echoing is for when it needs to be on the screen, read by a human. Returning (which is what you would do with an API) can be json encoded, though remember to sanitize when you save to that json object!

There are a number of options to secure all types of content (html, email, etc). Yes, even HTML needs to be properly escaped.

https://developer.wordpress.org/apis/security/escaping/

Remember: You must use the most appropriate functions for the context. There is pretty much an option for everything you could echo. Even echoing HTML safely.

Example(s) from your plugin:

pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/ActionScheduler_AdminView.php:196 _n(
'<strong>Action Scheduler:</strong> %1$d <a href="%2$s">past-due action</a> found; something may be wrong. <a href="https://actionscheduler.org/faq/#my-site-has-past-due-actions-what-can-i-do" target="_blank">Read documentation &raquo;</a>',
'<strong>Action Scheduler:</strong> %1$d <a href="%2$s">past-due actions</a> found; something may be wrong. <a href="https://actionscheduler.org/faq/#my-site-has-past-due-actions-what-can-i-do" target="_blank">Read documentation &raquo;</a>',
$num_pastdue_actions,
'pronamic-pay-with-rabo-smart-pay-for-woocommerce'
),
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/abstracts/ActionScheduler_Abstract_ListTable.php:726 echo implode( " | \n", $status_list_items ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 -----> echo implode(" | \n", $status_list_items);
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/abstracts/ActionScheduler_Abstract_ListTable.php:748 echo $this->search_box( $this->get_search_box_button_text(), 'plugin' ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

## Generic function/class/define/namespace/option names

All plugins must have unique function names, namespaces, defines, class and option names. This prevents your plugin from conflicting with other plugins or themes. We need you to update your plugin to use more unique and distinct names.

A good way to do this is with a prefix. For example, if your plugin is called "Easy Custom Post Types" then you could use names like these:

  • function ecpt_save_post()
  • class ECPT_Admin{}
  • namespace ECPT;
  • update_option( 'ecpt_settings', $settings );
  • define( 'ECPT_LICENSE', true );
  • global $ecpt_options;

Don't try to use two (2) or three (3) letter prefixes anymore. We host nearly 100-thousand plugins on WordPress.org alone. There are tens of thousands more outside our servers. Believe us, you’re going to run into conflicts.

You also need to avoid the use of __ (double underscores), wp, or _ (single underscore) as a prefix. Those are reserved for WordPress itself. You can use them inside your classes, but not as stand-alone functions.

Please remember, if you're using _n() or __() for translation, that's fine. We're only talking about functions you've created for your plugin, not the core functions from WordPress. In fact, those core features are why you need to not use those prefixes in your own plugin! You don't want to break WordPress for your users.

Related to this, using if (!function_exists('NAME')) { around all your functions and classes sounds like a great idea until you realize the fatal flaw. If something else has a function with the same name and their code loads first, your plugin will break. Using if-exists should be reserved for shared libraries only.

Remember: Good prefix names are unique and distinct to your plugin. This will help you and the next person in debugging, as well as prevent conflicts.

Analysis result:

# This plugin is using the prefix "actionscheduler" for 57 element(s).
# This plugin is using the prefix "get_pronamic" for 12 element(s).
# This plugin is using the prefix "pronamic" for 104 element(s).
# This plugin is using the prefix "action" for 92 element(s).
# This plugin is using the prefix "as" for 12 element(s).

# Cannot use "get" as a prefix.
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/includes/functions.php:29 function get_pronamic_payment
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/includes/functions.php:52 function get_pronamic_payment_by_meta
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/includes/functions.php:79 function get_pronamic_payments_by_meta
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/includes/functions.php:123 function get_pronamic_payment_by_purchase_id
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/includes/functions.php:134 function get_pronamic_payment_by_transaction_id
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/includes/functions.php:145 function get_pronamic_payments_by_user_id
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/includes/functions.php:160 function get_pronamic_payments_by_source
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/includes/functions.php:193 function get_pronamic_subscription
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/includes/functions.php:205 function get_pronamic_subscription_by_meta
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/includes/functions.php:229 function get_pronamic_subscriptions_by_meta
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/includes/functions.php:272 function get_pronamic_subscriptions_by_user_id
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/includes/functions.php:287 function get_pronamic_subscriptions_by_source
# Cannot use "as" as a prefix.
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/functions.php:19 function as_enqueue_async_action
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/functions.php:68 function as_schedule_single_action
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/functions.php:120 function as_schedule_recurring_action
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/functions.php:205 function as_schedule_cron_action
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/functions.php:262 function as_unschedule_action
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/functions.php:307 function as_unschedule_all_actions
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/functions.php:341 function as_next_scheduled_action
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/functions.php:394 function as_has_scheduled_action
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/functions.php:437 function as_get_scheduled_actions
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/functions.php:484 function as_get_datetime_object
# Cannot use "wp" as a prefix.
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/WP_Async_Request.php:22 class WP_Async_Request
# Cannot use "wc" as a prefix.
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/deprecated/functions.php:21 function wc_schedule_single_action
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/deprecated/functions.php:39 function wc_schedule_recurring_action
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/deprecated/functions.php:67 function wc_schedule_cron_action
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/deprecated/functions.php:81 function wc_unschedule_action
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/deprecated/functions.php:95 function wc_next_scheduled_action
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/deprecated/functions.php:123 function wc_get_scheduled_actions

# Looks like there are elements not using common prefixes.
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/views/meta-box-subscription-payments.php:208 do_action('manage_' . $payments_post_type . '_posts_custom_column', 'pronamic_payment_status', $payment_id);
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/views/meta-box-subscription-payments.php:223 do_action('manage_' . $payments_post_type . '_posts_custom_column', 'pronamic_payment_title', $payment_id);
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/views/meta-box-subscription-payments.php:226 do_action('manage_' . $payments_post_type . '_posts_custom_column', 'pronamic_payment_transaction', $payment_id);
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/views/meta-box-subscription-payments.php:229 do_action('manage_' . $payments_post_type . '_posts_custom_column', 'pronamic_payment_amount', $payment_id);
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/views/meta-box-subscription-payments.php:232 do_action('manage_' . $payments_post_type . '_posts_custom_column', 'pronamic_payment_date', $payment_id);
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/views/meta-box-payment-info.php:148 do_action('manage_' . $payments_post_type . '_posts_custom_column', 'pronamic_payment_transaction', $payment->get_id());
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/views/page-dashboard.php:82 apply_filters('manage_edit-' . $payments_post_type . '_columns', []);
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/views/page-dashboard.php:146 do_action('manage_' . $payments_post_type . '_posts_custom_column', $custom_column, $payment_id);
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/views/page-dashboard.php:225 apply_filters('manage_edit-' . $subscriptions_post_type . '_columns', []);
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/views/page-dashboard.php:289 do_action('manage_' . $subscriptions_post_type . '_posts_custom_column', $custom_column, $subscription_id);
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/functions.php:39 apply_filters('pre_as_enqueue_async_action', null, $hook, $args, $group, $priority);
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/functions.php:89 apply_filters('pre_as_schedule_single_action', null, $timestamp, $hook, $args, $group, $priority);
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/functions.php:161 apply_filters('pre_as_schedule_recurring_action', null, $timestamp, $interval_in_seconds, $hook, $args, $group, $priority);
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/functions.php:227 apply_filters('pre_as_schedule_cron_action', null, $timestamp, $schedule, $hook, $args, $group, $priority);
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/ActionScheduler_QueueRunner.php:7 WP_CRON_HOOK = 'action_scheduler_run_queue';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/ActionScheduler_QueueRunner.php:9 WP_CRON_SCHEDULE = 'every_minute';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/schema/ActionScheduler_LoggerSchema.php:11 LOG_TABLE = 'actionscheduler_logs';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/schema/ActionScheduler_StoreSchema.php:12 CLAIMS_TABLE = 'actionscheduler_claims';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/schema/ActionScheduler_StoreSchema.php:13 GROUPS_TABLE = 'actionscheduler_groups';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/schema/ActionScheduler_StoreSchema.php:14 DEFAULT_DATE = '0000-00-00 00:00:00';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/abstracts/ActionScheduler_Abstract_Schema.php:121 update_option($option_name, $value_to_save);
# ↳ Detected name: schema-
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/abstracts/ActionScheduler_Store.php:8 STATUS_COMPLETE = 'complete';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/abstracts/ActionScheduler_Store.php:9 STATUS_PENDING = 'pending';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/abstracts/ActionScheduler_Store.php:10 STATUS_RUNNING = 'in-progress';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/abstracts/ActionScheduler_Store.php:11 STATUS_FAILED = 'failed';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/abstracts/ActionScheduler_Store.php:12 STATUS_CANCELED = 'canceled';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/abstracts/ActionScheduler_Store.php:13 DEFAULT_CLASS = 'ActionScheduler_wpPostStore';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/data-stores/ActionScheduler_wpPostStore.php:7 POST_TYPE = 'scheduled-action';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/data-stores/ActionScheduler_wpPostStore.php:8 GROUP_TAXONOMY = 'action-group';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/data-stores/ActionScheduler_wpPostStore.php:9 SCHEDULE_META_KEY = '_action_manager_schedule';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/data-stores/ActionScheduler_wpPostStore.php:10 DEPENDENCIES_MET = 'as-post-store-dependencies-met';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/data-stores/ActionScheduler_HybridStore.php:16 DEMARKATION_OPTION = 'action_scheduler_hybrid_store_demarkation';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/data-stores/ActionScheduler_wpCommentLogger.php:7 AGENT = 'ActionScheduler';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/data-stores/ActionScheduler_wpCommentLogger.php:8 TYPE = 'action_log';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/ActionScheduler_DataController.php:18 DATASTORE_CLASS = 'ActionScheduler_DBStore';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/ActionScheduler_DataController.php:21 LOGGER_CLASS = 'ActionScheduler_DBLogger';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/ActionScheduler_DataController.php:24 STATUS_FLAG = 'action_scheduler_migration_status';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/ActionScheduler_DataController.php:27 STATUS_COMPLETE = 'complete';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/ActionScheduler_DataController.php:30 MIN_PHP_VERSION = '5.5';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/WP_Async_Request.php:117 apply_filters($this->identifier . '_query_args', $args);
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/WP_Async_Request.php:137 apply_filters($this->identifier . '_query_url', $url);
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/WP_Async_Request.php:163 apply_filters($this->identifier . '_post_args', $args);
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/cron-expression/CronExpression_FieldFactory.php:9 class CronExpression_FieldFactory
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/cron-expression/CronExpression_FieldInterface.php:8 interface CronExpression_FieldInterface
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/cron-expression/CronExpression_MinutesField.php:8 class CronExpression_MinutesField
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/cron-expression/CronExpression_YearField.php:8 class CronExpression_YearField
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/cron-expression/CronExpression_DayOfMonthField.php:21 class CronExpression_DayOfMonthField
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/cron-expression/CronExpression.php:16 class CronExpression
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/cron-expression/CronExpression.php:18 MINUTE = 0;
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/cron-expression/CronExpression.php:19 HOUR = 1;
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/cron-expression/CronExpression.php:20 DAY = 2;
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/cron-expression/CronExpression.php:21 MONTH = 3;
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/cron-expression/CronExpression.php:22 WEEKDAY = 4;
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/cron-expression/CronExpression.php:23 YEAR = 5;
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/cron-expression/CronExpression_DayOfWeekField.php:18 class CronExpression_DayOfWeekField
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/cron-expression/CronExpression_AbstractField.php:8 class CronExpression_AbstractField
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/cron-expression/CronExpression_HoursField.php:8 class CronExpression_HoursField
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/lib/cron-expression/CronExpression_MonthField.php:8 class CronExpression_MonthField
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay-extensions/woocommerce/src/Extension.php:906 \do_action('woocommerce_load_cart_from_session');

## Allowing Direct File Access to plugin files

Direct file access is when someone directly queries your file. This can be done by simply entering the complete path to the file in the URL bar of the browser but can also be done by doing a POST request directly to the file. For files that only contain a PHP class the risk of something funky happening when directly accessed is pretty small. For files that contain procedural code, functions and function calls, the chance of security risks is a lot bigger.

You can avoid this by putting this code at the top of all PHP files that could potentially execute code if accessed directly:

    if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly

Example(s) from your plugin:

pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay-gateways/omnikassa-2/pronamic-pay-with-rabo-smart-pay.php:30 

## Unsafe SQL calls

When making database calls, it's highly important to protect your code from SQL injection vulnerabilities. You need to update your code to use wpdb calls and prepare() with your queries to protect them.

Please review the following:

Example(s) from your plugin:

    pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/data-stores/ActionScheduler_wpPostStore.php:928
        $wpdb->prepare(
            "SELECT {$column_name} FROM {$wpdb->posts} WHERE ID=%d AND post_type=%s", // phpcs:ignore
            $action_id,
            self::POST_TYPE
        )
    pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/data-stores/ActionScheduler_wpPostStore.php:927
        return $wpdb->get_var(
            $wpdb->prepare(
                "SELECT {$column_name} FROM {$wpdb->posts} WHERE ID=%d AND post_type=%s", // phpcs:ignore
                $action_id,
                self::POST_TYPE
            )
        );
    # There is a call to a wpdb::prepare() function, that's correct.
    # You cannot add variables like "$column_name" directly to the SQL query.
    # Using wpdb::prepare($query, $args) you will need to include placeholders for each variable within the query and include the variables in the second parameter.

    pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/data-stores/ActionScheduler_wpPostStore.php:666 $where    = "WHERE post_type = %s AND post_status = %s AND post_password = ''";
    pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/data-stores/ActionScheduler_wpPostStore.php:684 $where   .= ' AND post_date_gmt <= %s';
    pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/data-stores/ActionScheduler_wpPostStore.php:682 $where .= ' AND ID IN (' . join( ',', $ids ) . ')';
    pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/data-stores/ActionScheduler_wpPostStore.php:672 $where       .= ' AND post_title IN (' . join( ', ', $placeholders ) . ')';
    pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/data-stores/ActionScheduler_wpPostStore.php:658 $update = "UPDATE {$wpdb->posts} SET post_password = %s, post_modified_gmt = %s, post_modified = %s";
    pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/data-stores/ActionScheduler_wpPostStore.php:693 $rows_affected = $wpdb->query( $wpdb->prepare( "{$update} {$where} {$order}", $params ) ); // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare
     -----> $wpdb->query($wpdb->prepare("{$update} {$where} {$order}", $params))
    # There is a call to a wpdb::prepare() function, that's correct.
    # You cannot add calls like "join(', ', $placeholders)" directly to the SQL query.
    # Using wpdb::prepare($query, $args) you will need to include placeholders for each variable within the query and include the variables in the second parameter.
    # You cannot add calls like "join(',', $ids)" directly to the SQL query.

... out of a total of 25 incidences.

Note: Passing individual values to wpdb::prepare using placeholders is fairly straightforward, but what if we need to pass an array of values instead?

You'll need to create a placeholder for each item of the array and pass all the corresponding values to those placeholders. This seems tricky, but here is a snippet to do so:

    // One %d placeholder per ID, e.g. "%d, %d, %d" for three IDs.
    $wordcamp_id_placeholders = implode( ', ', array_fill( 0, count( $wordcamp_ids ), '%d' ) );

    // The values must be listed in the same order as the placeholders appear in the query.
    $prepare_values = array_merge( array( $new_status ), $wordcamp_ids );

    $wpdb->query( $wpdb->prepare( "
        UPDATE `$table_name`
        SET `post_status` = %s
        WHERE ID IN ( $wordcamp_id_placeholders )",
        $prepare_values
    ) );

There is a core ticket that could make this easier in the future: https://core.trac.wordpress.org/ticket/54042

Example(s) from your plugin:

pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/abstracts/ActionScheduler_Abstract_ListTable.php:488 $columns = '`' . implode( '`, `', $this->get_table_columns() ) . '`';
pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/woocommerce/action-scheduler/classes/data-stores/ActionScheduler_wpPostStore.php:805 $action_id_string = implode( ',', array_map( 'intval', $action_ids ) );

## Nonces and User Permissions Needed for Security

Please add a nonce to your POST calls to prevent unauthorized access.

Keep in mind, check_admin_referer alone is not bulletproof security. Do not rely on nonces for authorization purposes. Use current_user_can() in order to prevent users without the right permissions from accessing things.

If you use wp_ajax to trigger submission checks, remember they also need a nonce check.

You also must avoid checking for post submission outside of functions. Doing so means the check runs on every single load of the plugin which means every single person who views any page on a site using your plugin will check for a submission. Doing that makes your code slow and unwieldy for users on any high-traffic site, causing instability and crashes.

The following links may assist you in development:

Example(s) from your plugin:

    FILE: /pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/src/CustomerHelper.php

    ---------------------------------
    FOUND 4 ERRORS AFFECTING 2 LINES
    ---------------------------------
    LINE 145: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    LINE 145: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    ---------------------------------
       143:     // Gender.
       144:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
    >> 145:     $gender = \array_key_exists( 'pronamic_pay_gender', $_POST ) ? \sanitize_text_field( \wp_unslash( $_POST['pronamic_pay_gender'] ) ) : null;
       146:
       147:     if ( null === $customer->get_gender() && null !== $gender && Gender::is_valid( $gender ) ) {
    ---------------------------------
    LINE 153: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    LINE 153: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    ---------------------------------
       151:     // Birth date.
       152:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
    >> 153:     $birth_date_string = \array_key_exists( 'pronamic_pay_birth_date', $_POST ) ? \sanitize_text_field( \wp_unslash( $_POST['pronamic_pay_birth_date'] ) ) : null;
       154:
       155:     if ( null === $customer->get_birth_date() && ! empty( $birth_date_string ) ) {
    ---------------------------------

    FILE: ...anner/reports/pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/src/Plugin.php

    --------------------------------------------------
    FOUND 2 ERRORS AFFECTING 2 LINES
    --------------------------------------------------
    LINE 1422: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    --------------------------------------------------
       1420:
       1421:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
    >> 1422:     if ( \array_key_exists( $id, $_POST ) ) {
       1423:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
       1424:     $value = \sanitize_text_field( \wp_unslash( $_POST[ $id ] ) );
    --------------------------------------------------
    LINE 1424: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    --------------------------------------------------
       1422:     if ( \array_key_exists( $id, $_POST ) ) {
       1423:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
    >> 1424:     $value = \sanitize_text_field( \wp_unslash( $_POST[ $id ] ) );
       1425:
       1426:     if ( '' !== $field->meta_key ) {
    --------------------------------------------------

    FILE: /pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay/core/src/Admin/AdminGatewayPostType.php

    --------------------------------------------------
    FOUND 6 ERRORS AFFECTING 6 LINES
    --------------------------------------------------
    LINE 419: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    --------------------------------------------------
       417:     $callback = static function ( $name ) {
       418:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
    >> 419:     if ( ! \array_key_exists( $name, $_POST ) ) {
       420:     return '';
       421:     }
    --------------------------------------------------
    LINE 424: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    --------------------------------------------------
       422:
       423:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
    >> 424:     return \sanitize_text_field( \wp_unslash( $_POST[ $name ] ) );
       425:     };
       426:
    --------------------------------------------------
    LINE 434: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    --------------------------------------------------
       432:     $callback = static function ( $name ) {
       433:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
    >> 434:     if ( ! \array_key_exists( $name, $_POST ) ) {
       435:     return '';
       436:     }
    --------------------------------------------------
    LINE 439: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    --------------------------------------------------
       437:
       438:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
    >> 439:     return \sanitize_textarea_field( \wp_unslash( $_POST[ $name ] ) );
       440:     };
       441:
    --------------------------------------------------
    LINE 446: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    --------------------------------------------------
       444:     $callback = static function ( $name ) {
       445:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
    >> 446:     if ( ! \array_key_exists( $name, $_POST ) ) {
       447:     return '';
       448:     }
    --------------------------------------------------
    LINE 451: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    --------------------------------------------------
       449:
       450:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
    >> 451:     return '1' === \sanitize_text_field( \wp_unslash( $_POST[ $name ] ) );
       452:     };
       453:
    --------------------------------------------------

    FILE: ...nt_plugin/pronamic-pay-with-rabo-smart-pay-for-woocommerce/packages/wp-pay-extensions/woocommerce/src/Gateway.php

    --------------------------------------------------
    FOUND 6 ERRORS AFFECTING 6 LINES
    --------------------------------------------------
    LINE 609: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    --------------------------------------------------
       607:
       608:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
    >> 609:     if ( \array_key_exists( $key, $_POST ) ) {
       610:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
       611:     $gender = \sanitize_text_field( \wp_unslash( $_POST[ $key ] ) );
    --------------------------------------------------
    LINE 611: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    --------------------------------------------------
       609:     if ( \array_key_exists( $key, $_POST ) ) {
       610:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
    >> 611:     $gender = \sanitize_text_field( \wp_unslash( $_POST[ $key ] ) );
       612:     }
       613:
    --------------------------------------------------
    LINE 630: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    --------------------------------------------------
       628:
       629:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
    >> 630:     if ( \array_key_exists( $key, $_POST ) ) {
       631:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
       632:     $birth_date = \sanitize_text_field( \wp_unslash( $_POST[ $key ] ) );
    --------------------------------------------------
    LINE 632: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    --------------------------------------------------
       630:     if ( \array_key_exists( $key, $_POST ) ) {
       631:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
    >> 632:     $birth_date = \sanitize_text_field( \wp_unslash( $_POST[ $key ] ) );
       633:     }
       634:
    --------------------------------------------------
    LINE 731: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    --------------------------------------------------
       729:
       730:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
    >> 731:     if ( \array_key_exists( $key, $_POST ) ) {
       732:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
       733:     $issuer = \sanitize_text_field( \wp_unslash( $_POST[ $key ] ) );
    --------------------------------------------------
    LINE 733: ERROR Processing form data without nonce verification. (WordPress.Security.NonceVerification.Missing)
    --------------------------------------------------
       731:     if ( \array_key_exists( $key, $_POST ) ) {
       732:     // phpcs:ignore WordPress.Security.NonceVerification.Missing
    >> 733:     $issuer = \sanitize_text_field( \wp_unslash( $_POST[ $key ] ) );
       734:
       735:     $payment->set_meta( 'issuer', $issuer );
    --------------------------------------------------

----------------------------------------------

Please note that due to the significant effort these reviews require, we are doing basic reviews the first time we review your plugin. Once the issues we shared above are fixed, we will do a more in-depth review that might surface other issues.

We recommend that you get ahead of us by checking for some common issues that require a more thorough review such as the use of nonces or determining plugin and content directories correctly.

Your next steps are:

  1. Make all the corrections related to the issues we listed.
  2. Review your entire code following best practices and the guidelines to ensure there are no other related issues.
  3. Go to "Add your plugin" and upload an updated version of this plugin. You can update the code there whenever you need to along the review process; we will check the latest version.
  4. Reply to this email telling us that you have updated it and letting us know if there is anything we need to know or have in mind. It is not necessary to list the changes, as we will check the whole plugin again.

To make this process as quick as possible and to avoid burden on the volunteers devoting their time to review this plugin's code, we ask you to thoroughly check all shared issues and fix them before sending the code back to us.

We encourage all plugin authors to use tools like Plugin Check to ensure that most basic issues are fixed first. If you haven't used it yet, give it a try, it will save us both time and speed up the review process. Please note: Automated tools can give false positives, or may miss issues. Plugin Check and other tools cannot guarantee that our reviewers won't find an issue that needs fixing or clarification.

We again remind you that should you wish to alter your permalink (not the display name, the plugin slug), you must explicitly tell us what you want it to be. We require you to clearly state in the body of your email what your desired permalink is. Permalinks cannot be altered after approval, and we generally do not accept requests to rename should you fail to inform us during the review. If you previously asked for a permalink change and got a reply that it has been processed, you’re all good! While these emails will still use the original display name, you don’t need to panic. If you did not get a reply that we processed the permalink, let us know immediately.

While we have tried to make this review as exhaustive as possible we, like you, are humans and may have missed things. As such, we will re-review the entire plugin when you send it back to us. We appreciate your patience and understanding.

If the corrections we requested in this initial review are not completed within 3 months (90 days), we will reject this submission in order to keep our queue manageable.

If you have questions, concerns, or need clarification, please reply to this email and just ask us.

-- WordPress Plugin Review Team | plugins@wordpress.org https://make.wordpress.org/plugins/ https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/
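As an added example (not code from the plugin, from Action Scheduler or from the review team), here is how the two patterns flagged under "Unsafe SQL calls", a dynamic column name and a variable-length `IN (...)` list, can be written against `wpdb::prepare()` without interpolating untrusted values. It assumes WordPress has loaded `$wpdb`; the column allowlist, the `example_action` post type and the function names are assumptions.

```php
<?php
/**
 * Added example, not the plugin's or Action Scheduler's code.
 * Assumes a loaded WordPress environment ($wpdb, current_time()).
 */

/**
 * Fetch one column of an action post by ID. Column names cannot go
 * through prepare() placeholders, so they are validated against a
 * hard-coded allowlist and never taken from request input.
 */
function example_get_action_column( int $action_id, string $column_name ) {
	global $wpdb;

	$allowed_columns = array( 'post_title', 'post_status', 'post_date_gmt', 'post_content' );

	if ( ! in_array( $column_name, $allowed_columns, true ) ) {
		return null; // Unknown column: refuse instead of building the query.
	}

	// $column_name is now one of our own literals; the variable values
	// ($action_id and the post type) are bound through placeholders.
	$sql = "SELECT {$column_name} FROM {$wpdb->posts} WHERE ID = %d AND post_type = %s";

	return $wpdb->get_var( $wpdb->prepare( $sql, $action_id, 'example_action' ) ); // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
}

/**
 * Update the status of several action posts at once. Instead of
 * join( ',', $ids ) in the query string, one %d placeholder is emitted
 * per ID and the IDs are passed as values in the same order.
 * Returns the number of affected rows (false on DB error).
 */
function example_set_actions_status( array $action_ids, string $new_status ) {
	global $wpdb;

	$action_ids = array_map( 'intval', $action_ids );

	if ( empty( $action_ids ) ) {
		return 0; // "IN ()" is invalid SQL; nothing to do.
	}

	$id_placeholders = implode( ', ', array_fill( 0, count( $action_ids ), '%d' ) );

	// Placeholder order: post_status, post_modified_gmt, then each ID.
	$values = array_merge( array( $new_status, current_time( 'mysql', true ) ), $action_ids );

	$sql = "UPDATE {$wpdb->posts} SET post_status = %s, post_modified_gmt = %s WHERE ID IN ( {$id_placeholders} )";

	return $wpdb->query( $wpdb->prepare( $sql, $values ) ); // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
}
```

The `phpcs:ignore` comments are only there because PHPCS cannot see that the interpolated fragments contain nothing but our own literals and `%d` placeholders.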

remcotolsma commented 5 months ago

Hello WordPress Plugin Review Team,

We have started working on your suggestions. New requirements/guidelines seem to be added every month. Can the tools you used for this first review also be used by plugin developers themselves? That would help enormously to get the first review right immediately. Of course, we already use tools such as PHPCS and PHPStan to force high-quality plugins.

Not permitted files

✅ Solved.

Included Unneeded Folders

✅ Solved.

Out of Date Libraries

✅ Solved.

Use wp_enqueue commands

⚠️ Solved, except for 1 warning; we cannot use the wp_enqueue commands there.

Undocumented use of a 3rd Party or external service

⚠️ You indicate that the use of certain external services is not documented, but the services are listed in the readme.txt: https://github.com/pronamic/pronamic-pay-with-rabo-smart-pay-for-woocommerce/blob/7cd0941df2101e9db5a5d9a82950d5f9a1327510/readme.txt#L32-L42

Don't Force Set PHP Limits Globally

⚠️ The following applies here: "If you must use those, you need to limit them specifically to only the exact functions that require them." https://github.com/pronamic/wp-number/blob/82b5af7c20391ca654d2c7ab8d03574088b97e79/src/Number.php#L412-L420

How can we prevent a warning about this in a next review?

Internationalization: Text domain does not match plugin slug.

✅ Solved.

Variables and options must be escaped when echo'd

⚠️ These are all warnings from the "Action Scheduler" plugin/library: https://wordpress.org/plugins/action-scheduler/. This plugin/library by Automattic is designed to be used and released in plugins: https://actionscheduler.org/faq/. We informed the developer about these issues in: https://github.com/woocommerce/action-scheduler/issues/1068.

Generic function/class/define/namespace/option names

⚠️ Most warnings are from the "Action Scheduler" plugin/library. We use the prefix 'pronamic' and 'get_pronamic', these are fine.

Allowing Direct File Access to plugin files

✅ Solved.

Unsafe SQL calls

⚠️ These are all warnings from the "Action Scheduler" plugin/library.

Nonces and User Permissions Needed for Security

⚠️ We use nonces where necessary; in the places your tools warn about, this is not necessary and/or possible. The functions where we request $_POST data without nonce checking are all behind the WooCommerce checkout process. Not all WooCommerce add-ons we integrate with work with nonces. That is probably not necessary for security, because WooCommerce plays a major role in this.

Latest version can be downloaded via: https://github.com/pronamic/pronamic-pay-with-rabo-smart-pay-for-woocommerce/releases/tag/v1.0.0-rc.2

I also uploaded a new version via https://wordpress.org/plugins/developers/add/.

If you have questions, concerns, or need clarification, please reply to this email and just ask us.

Remco Tolsma Pronamic
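For the admin-side findings in AdminGatewayPostType.php, this is the nonce plus capability pattern the review's "Nonces and User Permissions" section asks for, shown as an added example that is not the plugin's own code. The `example_gateway` post type, the nonce action/field names and the meta keys are assumptions; it assumes a loaded WordPress environment.

```php
<?php
/**
 * Added example, not the plugin's code. Demonstrates: verify a nonce
 * (CSRF) AND a capability (authorization) before reading $_POST.
 */

const EXAMPLE_NONCE_ACTION = 'example_save_gateway_settings'; // assumed
const EXAMPLE_NONCE_FIELD  = 'example_gateway_nonce';         // assumed

/** Meta box renderer: emits the hidden nonce field with the form. */
function example_render_gateway_meta_box( WP_Post $post ): void {
	wp_nonce_field( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );
	// ... the gateway's own input fields follow here ...
}

/**
 * save_post handler. Returns true only when settings were stored, so
 * every early exit is an explicit, testable decision.
 */
function example_save_gateway_settings( int $post_id ): bool {
	// Autosaves and revisions never carry our form; skip them.
	if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
		return false;
	}

	// 1. Nonce: proves the request originated from our own form.
	if ( ! isset( $_POST[ EXAMPLE_NONCE_FIELD ] ) ) {
		return false;
	}
	$nonce = sanitize_text_field( wp_unslash( $_POST[ EXAMPLE_NONCE_FIELD ] ) );
	if ( ! wp_verify_nonce( $nonce, EXAMPLE_NONCE_ACTION ) ) {
		return false;
	}

	// 2. Capability: a valid nonce is not authorization. The current
	//    user must also be allowed to edit this specific post.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		return false;
	}

	// 3. Only now read and sanitize the submitted fields, each with the
	//    sanitizer that matches its type (text vs. textarea).
	$fields = array(
		'_example_merchant_id' => 'sanitize_text_field',     // assumed meta key
		'_example_description' => 'sanitize_textarea_field', // assumed meta key
	);

	foreach ( $fields as $key => $sanitizer ) {
		if ( ! array_key_exists( $key, $_POST ) ) {
			continue;
		}
		update_post_meta( $post_id, $key, $sanitizer( wp_unslash( $_POST[ $key ] ) ) );
	}

	return true;
}

add_action( 'save_post_example_gateway', 'example_save_gateway_settings' );
```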