| 开发者 | pay4all |
|---|---|
| 更新时间 | 2026年7月10日 22:09 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
.htaccess protected), the customer receives a one-time link valid for 60 days, served by the plugin's download endpoint/wp-content/plugins/pay4all-form/ or install via Plugins › Add New.No. Pay4All Shop is standalone. It does not depend on WooCommerce in any way.
The free version supports manual payments only (pickup, on delivery, bank transfer, TWINT instructions). Automated TWINT payments are available via Pay4All Pro.
Yes. Customer data is included in WordPress's Tools › Export / Erase Personal Data workflow.
No, unless you explicitly enable Réglages › Données › Supprimer les données lors de la désinstallation.
When you create a product of type Virtual, you upload one file per product. The file is stored in wp-content/uploads/p4all-virtual/, protected by an automatically generated .htaccess (deny from all). After purchase, the customer's e-mail contains a one-time download link served by the plugin endpoint (?p4all_dl={token}). The link is valid for 60 days.
Tick the Rupture de stock checkbox on a product. The product stays visible in the form so the customer still sees what you usually offer, but the quantity field is greyed and disabled. A red badge labels the product as out of stock. Server-side validation rejects any tampered submission that tries to order an out-of-stock item.
Tick Manage stock on a product and enter the quantity available. From that point on:
— when stock management is off), highlighted in orange below the threshold and red when out of stock.p4all_product_cat) — including per-language names and per-category quantity rules (min / max / multiple / exact).p4all_product_brand) — same shape as categories./p4all-ticket/… validation URL.wp_p4all_tickets and wp_p4all_abandoned_carts tables, deletes every term in p4all_product_cat / p4all_product_brand, deletes every ticket post, and un-schedules the hourly p4all_abandoned_cart_tick cron event. Idempotent, guarded by an option so re-installs skip it.Domain\Language helper replaces Domain\Category::current_language() at every call site.edit_posts + a nonce.phpcs:disable / phpcs:enable block around the $_FILES sanitisation in MetaBoxes::store_virtual_upload() (nonce is verified upstream in save()); documented ignores for WPML's public wpml_switch_language hook (must be invoked verbatim to trigger their language switcher) and for the intentional suppress_filters on the media query used by the picker (language-agnostic search is the product decision).esc_url_raw() (http / https / mailto / tel only, javascript: rejected).?p4all_dl=). The customer-facing streamer now rejects any filename containing directory separators, .., or NULL bytes, and enforces a realpath() boundary check that guarantees the resolved path lives inside the private uploads folder. Protects against manipulated _p4all_virtual_downloads meta on stores with a compromised admin account or a SQL injection introduced by a third-party plugin.[pay4all_form] shortcode. Default: SAMEORIGIN — blocks brand impersonation via cross-origin iframes and closes the per-domain-licence bypass some agencies used by iframing a licensed shop on many client sites. Configurable via a new Réglages › Général option (sameorigin / deny / off).pdf, mp3, mp4, m4a, epub, zip, jpg, jpeg, png, gif, svg, doc(x), xls(x), ppt(x), txt, csv, html). Blocks executable uploads (.php, .phtml, .exe, .htaccess…) BEFORE wp_handle_upload() runs. Set the option to an empty value to restore the legacy behaviour of allowing anything. The private uploads folder is now also guarded by a web.config deny rule for IIS hosts, in addition to the existing .htaccess.#d63638) and compact sizing as WordPress core's update available pill, and stays visible on every admin screen (previously the CSS only loaded on Pay4All Form pages, so the badge disappeared on the Dashboard).▾ chevron, language pill), and the accordions honour the languages selected in Réglages › Langue (so a DE-only shop only shows the DE accordion here).sanitize_text_field( wp_unslash() ) on remaining $_POST reads, esc_url() on the licence page form action, wp_delete_file() in the KYC storage purge, and Plugin Check ignore blocks documented for WPML hooks (wpml_element_trid, wpml_get_element_translations) that intentionally do not carry the plugin prefix.%s for the amount) and live validation on the product step: the Suivant button is blocked and a red alert appears as soon as the subtotal drops below the floor. Existing global setting is honoured as fallback for forms that haven't set their own.wp-content/uploads/p4all-secure/kyc.key (outside the database backup). Ciphertexts live in a private folder guarded by .htaccess + index.php + web.config.timezone_string option.get_date_from_gmt() for accurate conversion of UTC-stored timestamps to the site's configured timezone.$cart_id output in the abandoned-cart view dialog, and added WordPress.DB.PreparedSQL.InterpolatedNotPrepared + PluginCheck.Security.DirectDB.UnescapedDBParameter ignores on the wp_p4all_abandoned_carts custom-table queries (table name built from $wpdb->prefix + literal suffix).{site_name}, {customer_firstname}, {customer_email} and {recover_url} placeholders.p4all_abandoned_cart_tick sends due recovery e-mails and purges old rows.— when stock management is off, the current quantity otherwise (orange if at or below threshold, red 0 Out of stock when empty)..htaccess).