Partial withdrawal now lets the customer pick a quantity per item (e.g. 1 of 3) \u2014 an optional, no-JS number field; blank = the whole line. Shown on the receipt, dashboard and REST API. Informational and fully back-compatible (additive data). Issue #47.<\/p>","1.2.12":"
Now requires PHP 8.1 (was 7.4); ships Dompdf 3.1.5. Custom CSS field removed \u2014 restyle via WordPress Customizer \u2192 Additional CSS. Timestamping is now opt-in: no external calls by default. PHP 7.4\u20138.0 sites stay on 1.2.11; a compatible build is on GitHub.<\/p>","1.2.11":"
Fixes the Consent Records admin page (and CSV export) showing only WooCommerce consents: it now reads cross-platform from the tamper-evident evidence log, so Easy Digital Downloads and FluentCart consents appear too. Read-only \u2014 the immutable log is never altered. (GitHub #41.)<\/p>","1.2.10":"
WordPress.org compliance pass: wp_unslash() added on the settings-save inputs (already sanitised) and a false-positive prepared-SQL error silenced on the integrity query. Over-long upgrade notices trimmed. No change to the withdrawal flow or your data.<\/p>","1.2.9":"
Type-aware withdrawal window: for all-digital orders the 14-day countdown now starts at the order date (contract conclusion); orders with physical items are unchanged (delivery\/completed date). Informational only \u2014 the button is never hidden on this. No breaking changes.<\/p>","1.2.8":"
Completes the guest fix: the [webwakeupwdb_button] shortcode and the order-actions link now also route guests to the public withdrawal page, not just the automatic button, so a guest is never sent to the login screen. Logged-in customers unaffected.<\/p>","1.2.7":"
Fixes the withdrawal button in the order recap sending guest (no-account) customers to the login screen; guests are now routed to the public withdrawal page. Logged-in customers are unaffected. No breaking changes.<\/p>","1.2.6":"
Completes the bundled translations (Italian, German, French, Spanish, Swedish) for recent admin strings that were still showing in English \u2014 the Legal clauses editor, the Notification email(s) field and the Compliance reminders. (Swedish is machine-assisted, pending native review.)<\/p>","1.2.5":"
Fixes PHP 7.4 compatibility: the bundled PDF library (Dompdf) had been requiring PHP 8.1 and showed a Composer platform error on PHP 7.4 sites; it is now pinned to the 7.4-compatible 2.x line. Also: the notification e-mail field now accepts multiple comma-separated recipients.<\/p>","1.2.4":"
Housekeeping + WordPress.org compliance hardening (input sanitisation, output escaping, explicit REST permission callbacks). The display name is now "WWU Right of Withdrawal"; the slug is unchanged. No change to the withdrawal flow or your data.<\/p>","1.2.3":"
Follow-up to the 1.2.2 e-mail fix: a failed acknowledgement e-mail now shows the exact transport reason (for example the SMTP plugin's "Could not authenticate") in the admin notice and the immutable log, instead of a generic "email failed", so an SMTP misconfiguration is obvious at a glance.<\/p>","1.2.2":"
Critical: fixes a fatal "critical error" when sending the acknowledgement e-mail (on confirmation and admin resend), caused by an SMTP plugin throwing inside wp_mail. The send now fails gracefully instead of crashing. Also: set FluentCart handling to Off if you use its native add-on.<\/p>","1.2.1":"
Fixes the WooCommerce "Right of withdrawal" account tab returning a 404 on a fresh install \u2014 a one-time rewrite flush now runs after activation (re-saving Permalinks also fixes it). You can also edit the legal clauses from Settings \u2192 Legal clauses (no code).<\/p>","1.2.0":"
Reminder: installing the button does not update your shop's legal texts. Your Terms & Conditions and pre-contractual information must describe the new withdrawal-button modality (Art. 6 CRD). The plugin now flags this and gives you the ready-to-paste clauses. No change to the flow.<\/p>","1.0.0-alpha.43":"
Adds a consumer-facing "why exempt" note: on orders exempt under Art. 59, the plugin explains why the withdrawal button is absent (the exception + legal reference) instead of showing nothing. Editable, fail-safe, only on genuinely exempt orders; button visibility unchanged.<\/p>","1.0.0-alpha.42":"
Adds an optional "which products" checklist to the withdrawal form (partial withdrawal), shown on the receipt and the Requests dashboard. Optional and fail-open \u2014 leaving it empty withdraws from the whole order as before. No breaking changes.<\/p>","1.0.0-alpha.41":"
Adds a FluentCart handling mode (Auto\/Always\/Off) so this plugin steps aside automatically when FluentCart's own withdrawal add-on is installed. No breaking changes; WooCommerce and EDD are unaffected.<\/p>","1.0.0-alpha.40":"
Restores the admin UI styling (the UI Kit is now bundled) and adds Swedish (statutory button label + complete UI translation, pending native review). No breaking changes.<\/p>","1.0.0-alpha.39":"
Critical fix: the Settings page no longer crashes with a "Class \u2026 Settings not found" fatal. Update recommended for everyone. Also includes a mail-safety fix and a WooCommerce\/conflict audit.<\/p>","1.0.0-alpha.38":"
Subscriptions are handled correctly: the button shows on the initial order only and is hidden on renewals (one 14-day right per contract). Two opt-in toggles under Settings \u2192 Subscriptions. If you use WooCommerce\/FluentCart\/EDD subscriptions, test on staging.<\/p>","1.0.0-alpha.37":"
FluentCart stores can now use the Security hardening from a full audit (0 critical\/high): SSRF guard on the RFC 3161 endpoint, rate limits on the withdrawal endpoints, input length caps. Recommended for all installs; no behaviour change for consumers.<\/p>","1.0.0-alpha.35":" EDD stores now show the withdrawal button on the purchase receipt + purchase history, and add the withdrawal link to the EDD receipt e-mail (parity with WooCommerce\/FluentCart). Set a public withdrawal page in Settings and re-test the EDD customer flow on staging.<\/p>","1.0.0-alpha.34":" FluentCart: consent now renders on the block\/modal checkout too and is category-aware; order notes appear in the FluentCart timeline. No change for WooCommerce\/EDD stores. FluentCart users: re-test the checkout consent on staging (checklist included).<\/p>","1.0.0-alpha.33":" Adds Easy Digital Downloads (EDD 3.0+) support. No change for WooCommerce\/FluentCart stores. If you run EDD, test the checkout + button on staging.<\/p>","1.0.0-alpha.32":" Adds consent capture on the WooCommerce block Checkout (requires WooCommerce 9.9+ for the conditional field). No change to the classic checkout. Test on staging if you use the block checkout.<\/p>","1.0.0-alpha.31":" Settings\/exemptions UI overhaul + completed Italian\/FR\/ES\/DE translations (the exemption section was partly in English). No change to the withdrawal flow. Safe to update.<\/p>","1.0.0-alpha.30":" Adds FluentCart checkout consent capture for the conditional exemptions (parity with WooCommerce). Test on a staging FluentCart store before production; fail-safe (the button stays) until the field is verified on your setup.<\/p>","1.0.0-alpha.29":" Completes the digital\/service exemptions: durable-medium confirmation e-mail, configurable consent retention with automatic IP anonymisation, a GDPR privacy clause and a Consent records page. Review the new clause + retention setting. Test on staging; not yet stable.<\/p>","1.0.0-alpha.28":" Adds lawful consent capture at checkout for digital-immediate and service-performed exemptions. If you exempt those product types, the button is now hidden only after the consumer ticks the required acknowledgement. Test on staging; not yet a stable release.<\/p>","1.0.0-alpha.19":" Recommended for FluentCart stores: fixes the customer-account withdrawal page (was blank) and the per-order button. Test on staging before production; not yet a stable release.<\/p>","1.0.0-alpha.17":" Feature-complete alpha. Test thoroughly on staging before production; not yet a stable release.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3589609,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3589609,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256},"icon.svg":{"filename":"icon.svg","revision":3589609,"resolution":false,"location":"assets","locale":false}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3589609,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3589609,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":{"webwakeupwdb\/withdrawal-form":{"$schema":"https:\/\/schemas.wp.org\/trunk\/block.json","apiVersion":3,"name":"webwakeupwdb\/withdrawal-form","version":"1.0.0","title":"Withdrawal \u2014 self-service","category":"widgets","icon":"undo","description":"Lets a logged-in customer pick an eligible order and withdraw from it, or shows the two-step withdrawal form for a specific order. Server-rendered with the same applicability and ownership checks as the [webwakeupwdb_form] shortcode.","keywords":["withdrawal","recesso","refund","right of withdrawal","woocommerce"],"textdomain":"wwu-withdrawal-button","supports":{"html":false,"align":["wide","full"],"anchor":true},"attributes":{"orderId":{"type":"number","default":0}},"editorScript":"file:.\/index.js"}},"tagged_versions":["1.3.2"],"block_files":[],"assets_screenshots":[],"screenshots":[]},"plugin_section":[],"plugin_tags":[250438,131785,269342,263226,286],"plugin_category":[45],"plugin_contributors":[269383,269343],"plugin_business_model":[],"class_list":["post-328845","plugin","type-plugin","status-publish","hentry","plugin_tags-fluentcart","plugin_tags-gdpr","plugin_tags-recesso","plugin_tags-right-of-withdrawal","plugin_tags-woocommerce","plugin_category-ecommerce","plugin_contributors-anideaforbusiness","plugin_contributors-mredodos","plugin_committers-mredodos"],"banners":{"banner":"https:\/\/ps.w.org\/wwu-withdrawal-button\/assets\/banner-772x250.png?rev=3589609","banner_2x":"https:\/\/ps.w.org\/wwu-withdrawal-button\/assets\/banner-1544x500.png?rev=3589609","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":"https:\/\/ps.w.org\/wwu-withdrawal-button\/assets\/icon.svg?rev=3589609","icon":"https:\/\/ps.w.org\/wwu-withdrawal-button\/assets\/icon.svg?rev=3589609","icon_2x":false,"generated":false},"screenshots":[],"raw_content":"\n Product page & docs: webwakeup.it\/wwu-withdrawal-button<\/a> | source code, issues & contributions: GitHub<\/a><\/p>\n\n From 19 June 2026, EU law (Directive (EU) 2023\/2673, new Art. 11a of the Consumer Rights Directive; Italy: Art. 54-bis Codice del Consumo) requires online stores to provide a withdrawal function<\/strong> that lets consumers withdraw from a distance contract as easily as they concluded it. WWU Withdrawal Button adds that function \u2014 and everything around it you need to run it and to prove you did it right \u2014 to WooCommerce, FluentCart and Easy Digital Downloads.<\/p>\n\n That is the whole customer experience. Everything below exists to make it correct, easy to run, and defensible.<\/p>\n\n This plugin is a technical aid to compliance and is not legal advice<\/strong>. Have your own counsel review your store's documents.<\/p>\n\n This plugin makes no external calls by default<\/strong>. Every outbound connection listed below is opt-in<\/strong> and stays off<\/strong> until you explicitly enable it in the settings. The tamper-evident log works fully offline \u2014 it is append-only and hash-chained with your site secret \u2014 so timestamping only adds<\/em> an extra, independently-verifiable anchor; it is never required for the plugin to function.<\/p>\n\n OpenTimestamps<\/strong> (opt-in, off by default) \u2014 only if you set the timestamp provider to \"OpenTimestamps\" (Settings \u2192 Receipt & evidence) does the plugin connect to the OpenTimestamps public calendar servers to obtain a free, trusted timestamp (a \"data certa\") for the log.<\/p>\n\n RFC 3161 \/ eIDAS timestamp authority<\/strong> (opt-in, off by default) \u2014 if you instead set the provider to an RFC 3161 authority, the same one-way SHA-256 hash (no personal data) is sent to the authority URL you<\/strong> configure. This is a provider you choose and contract with directly (examples: a free Sectigo endpoint, or a national authority such as Aruba, InfoCert, D-Trust, Universign, FNMT, SwissSign); please review that provider's own terms of service and privacy policy. No such call is made until you enable it.<\/p>\n\n Outbound webhook<\/strong> (opt-in, off by default \u2014 Settings \u2192 Integrations) \u2014 if enabled, the plugin sends a signed POST to the endpoint URL you<\/strong> specify whenever a withdrawal is confirmed. The payload carries a verification hash and contract reference, never the consumer's IP address.<\/p>\n\n No other external services are used. The plugin does not load remote scripts, fonts or trackers on your site.<\/p>\n\n The plugin records withdrawal declarations (name, identified contract, email, IP address, date and time) in an append-only, tamper-evident log on your own server<\/strong>, because Art. 54-bis requires this as legal evidence (GDPR Art. 6(1)(c)\/(f)). It generates a ready-to-paste privacy clause for your policy. Data is retained for a configurable period (10 years by default), and the uninstaller keeps the evidence log by default (legal hold) unless you opt to erase it.<\/p>\n\n For the conditional Art. 59 exemptions, the plugin also stores the consumer's checkout consent + acknowledgement (the agreed wording, a hash, the date\/time and \u2014 unless you turn it off \u2014 the IP) as evidence to prove the exemption is valid. The lawful basis is legitimate interest<\/strong> (GDPR Art. 6(1)(f); defence of legal claims), not<\/strong> GDPR consent. The IP lives only on the order (never in the immutable log) and is automatically anonymised once the retention period lapses. A second ready-to-paste privacy clause is generated for this processing.<\/p>\n\n\n Any trader concluding distance B2C contracts via an online interface with EU\/EEA consumers, regardless of the trader's own country (Rome I Art. 6). Switzerland-resident consumers are out of scope (voluntary mode).<\/p><\/dd>\n No. The button is additional<\/strong> to the Annex I-B model form, which remains mandatory in pre-contractual information. The plugin generates both.<\/p><\/dd>\n Yes. Since 1.3.0 the plugin assembles one consolidated Right-of-withdrawal notice<\/strong> from your live settings and the Art. 59 exceptions you selected. Publish it with the No. The right of withdrawal applies by default, including<\/strong> to digital products. It is removed only for the two conditional Art. 59 exemptions (digital content with immediate access; a service fully performed) and only when the consumer gives prior express consent + acknowledgement at checkout. The plugin captures that on the WooCommerce checkout (a required tick-box), stores it as evidence, and only then hides the button \u2014 otherwise the button stays (fail-safe). Physical products never need consent.<\/strong> For the digital exemption the plugin also e-mails the consumer a durable-medium confirmation, as the law requires.<\/p><\/dd>\n The law does not name a \"register\", but the burden of proof is on you (Art. 6(9) Dir. 2011\/83\/EU; GDPR accountability Art. 5(2)) \u2014 you must be able to prove the consent. The plugin keeps it for you: the agreed wording, a SHA-256 hash, the date\/time and (optionally) the IP are stored on the order and anchored in the tamper-evident log; a Consent records<\/strong> admin screen lists and exports them. The IP is anonymised automatically after the retention period.<\/p><\/dd>\n Yes \u2014 and we recommend you do. A trusted timestamp gives you an independent \"data certa\"<\/strong>: proof of the exact moment a withdrawal was received, which is the fact the statutory 14-day deadline turns on and the hardest thing to prove after the fact. OpenTimestamps<\/strong> is free, needs no account, and provides an independently-verifiable Bitcoin-anchored proof; a pluggable RFC 3161 \/ eIDAS<\/strong> qualified-timestamp provider is available for the strongest \"data certa\". It is off by default<\/strong> (WordPress.org requires external connections to be opt-in) and only an anonymous one-way hash is ever sent \u2014 never personal data \u2014 so turn it on in Settings \u2192 Receipt & evidence<\/strong> (the Dashboard checklist links you straight there).<\/p><\/dd>\n The build in the WordPress.org directory requires PHP 8.1+<\/strong> (it bundles the latest Dompdf 3.x PDF engine, whose dependencies need 8.1). If your host still runs PHP 7.4 or 8.0<\/strong>, the directory simply will not offer you this update \u2014 install the PHP 7.4-compatible build<\/strong> from our GitHub releases instead (identical features, Dompdf pinned to the 2.x line). That legacy build is a courtesy bridge and will not be maintained forever<\/strong>: PHP 7.4 reached end-of-life in November 2022, so please plan to move your store to PHP 8.1+ (it is faster and more secure), after which you get the directory version with automatic updates.<\/p><\/dd>\n\n<\/dl>\n\n\n{{wwu.recesso_url}}<\/code> merge-tag in FluentCart's own e-mails. No change for WooCommerce\/EDD. FluentCart users: add the tag to a template and test on staging (FluentCart's own native withdrawal feature is also coming soon).<\/p>","1.0.0-alpha.36":"How it works (in plain terms)<\/h4>\n\n
\n
For your customers<\/h4>\n\n
\n
For you (the merchant)<\/h4>\n\n
\n
Smart legal handling (so you don't have to think about it)<\/h4>\n\n
\n
Evidence, timestamps & integrity<\/h4>\n\n
\n
Privacy & GDPR<\/h4>\n\n
\n
Documents & compliance<\/h4>\n\n
\n
[webwakeupwdb_policy]<\/code> shortcode<\/strong>, an auto-created page<\/strong> (one click to recreate it if you delete it) or a downloadable PDF<\/strong> \u2014 all managed from Compliance \u2192 \"Informativa sul diritto di recesso\"<\/strong> (preview \/ create \/ open \/ freeze<\/strong> to static HTML \/ download). Optionally, two opt-in toggles append the same clauses to your Complianz<\/strong> Privacy Policy and Terms & Conditions (EU-only, off by default, with a live preview). It complements \u2014 it does not<\/strong> replace \u2014 your own legal texts.<\/li>\n<\/ul>\n\nIntegrations & automation<\/h4>\n\n
\n
Platforms & licence<\/h4>\n\n
\n
External services<\/h3>\n\n
\n
Privacy<\/h3>\n\n
\n
\/wp-content\/plugins\/<\/code> and activate it.<\/li>\n\n
Who must comply?<\/h3><\/dt>\n
Does it replace the model withdrawal form?<\/h3><\/dt>\n
Can it publish a single \"Right of withdrawal\" policy page?<\/h3><\/dt>\n
[webwakeupwdb_policy]<\/code> shortcode, let the plugin auto-create a page<\/strong> for it (one click to recreate if you delete it), or download it as a PDF<\/strong> \u2014 all from Compliance \u2192 \"Informativa sul diritto di recesso\"<\/strong>, where you can also freeze<\/strong> it to static HTML. Optionally, two opt-in toggles add the same clauses to your Complianz<\/strong> Privacy Policy and Terms & Conditions (EU-only, off by default). It complements \u2014 it does not<\/strong> replace \u2014 your own Terms.<\/p><\/dd>\nDo digital products lose the right of withdrawal automatically?<\/h3><\/dt>\n
Do I have to keep a register of these consents?<\/h3><\/dt>\n
Is the timestamp legally valid? Should I enable it?<\/h3><\/dt>\n
Which PHP version do I need? What about PHP 7.4?<\/h3><\/dt>\n
1.3.2<\/h4>\n\n
\n
1.3.1<\/h4>\n\n
\n
[webwakeupwdb_policy]<\/code> shortcode, an auto-created page (one click to recreate if you delete it), and a downloadable PDF<\/strong>. Manage it under Compliance \u2192 \"Informativa sul diritto di recesso\"<\/strong> \u2014 preview it, create\/open the page, freeze<\/strong> it to static HTML, or download the PDF. It complements \u2014 it does not replace<\/strong> \u2014 your Terms; a disclaimer says so on every surface.<\/li>\nwwu<\/code> prefix to the distinct webwakeupwdb<\/code><\/strong> prefix (constants, options, hooks & filters, shortcodes, the PHP namespace, the REST namespace, classes and the JS data object), as requested by the Plugins Team review. Existing installs migrate automatically on upgrade \u2014 settings, exemption-consent evidence, the immutable log\/timestamp tables and the auto-created pages are all preserved \u2014 and a clean install is unaffected. Developers:<\/strong> custom code using the old names (wwu_wb_*<\/code> hooks\/filters, the [wwu_wb_*]<\/code> shortcodes) must switch to the new webwakeupwdb_*<\/code> names.<\/li>\n<\/ul>\n\n1.2.13<\/h4>\n\n
\n
products<\/code> data is unchanged \u2014 a new additive product_quantities<\/code> field carries the amounts. Requested in issue #47.<\/li>\n<\/ul>\n\n1.2.12<\/h4>\n\n
\n
1.2.11<\/h4>\n\n
\n
1.2.10<\/h4>\n\n
\n
wp_unslash()<\/code> to the inputs read by the settings-save handler \u2014 the values were already sanitised (custom sanitisers, integer casts, sanitize_*<\/code> \/