
Punchr Lite – PunchOut cXML Bridge for WooCommerce

Developer: punchr
Last updated: January 11, 2026 00:16
PHP version: 8.1 or higher
WordPress version: 6.9
License: GPLv2 or later
License URI: License information

Tags

woocommerce b2b punchout cxml procurement

Download

1.3.0

Description:

Punchr Lite lets you connect an external procurement system (PunchOut / cXML) to a WooCommerce store.

Punchr Lite is intended for evaluation and validation of the PunchOut flow. It is not intended for production use. Production usage requires Punchr Pro.

It implements the essential PunchOut flow:
  1. The procurement system sends a PunchOutSetupRequest (cXML) to your WooCommerce site.
  2. Punchr Lite authenticates the request using HTTP Basic Authentication (Token / Secret).
  3. Punchr Lite creates a short-lived PunchOut session and returns a PunchOutSetupResponse with a StartPage URL.
  4. The user is redirected to your WooCommerce shop in PunchOut mode (checkout is blocked).
  5. When the user clicks “Return to Procurement”, Punchr Lite sends a PunchOutOrderMessage (cXML) back to the procurement system.

This plugin is designed for B2B merchants who need a simple, ERP-friendly PunchOut bridge with minimal configuration.

Main endpoints

Installation:

  1. Upload the plugin folder to /wp-content/plugins/ (or install via the Plugins screen).
  2. Activate the plugin through the “Plugins” screen in WordPress.
  3. Ensure WooCommerce is installed and active.
  4. Go to Punchr Lite in the WordPress admin menu.
  5. Copy the Token.
  6. Click Regenerate secret to generate a new Secret (shown once — copy it immediately).
  7. Configure your procurement system:
     • Setup URL: https://YOUR-SITE/wp-json/punchr/v1/setup
     • Authentication: HTTP Basic Authentication
     • Username: Token
     • Password: Secret
  8. Run a test PunchOut session from your procurement system.

Screenshots:

  • Punchr Lite logs page

Upgrade Notice:

1.3.0 Public release of Punchr Lite.

FAQ:

Does Punchr Lite require WooCommerce?

Yes. This plugin requires WooCommerce to be installed and active.

How does authentication work for /setup?

The /setup endpoint uses HTTP Basic Authentication, which is widely supported by ERP and procurement systems.

  • Username: Buyer Token
  • Password: Buyer Secret

Both values are generated and managed from the Punchr Lite admin screen. If authentication fails, the request is rejected with HTTP 401.

Is it protected against replay attacks?

Yes. A transient-based nonce is stored briefly. Reusing the same (token, nonce) within the retention window is rejected.

How is SSRF prevented when posting back the PunchOutOrderMessage?

The return_url extracted from the cXML request is validated:

  • Only http and https schemes are accepted
  • Local hosts are blocked (e.g. localhost)
  • Direct IP addresses are blocked
  • Common internal TLDs are blocked (.local, .internal, .lan)
  • Non-standard ports are blocked (only 80 and 443 allowed)

Outgoing requests are sent using wp_remote_post() with reject_unsafe_urls enabled.
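
The checks listed above, written out as an added PHP example. It is not Punchr Lite's own code; the function name `example_return_url_allowed` and the sample URLs are assumptions constructed for illustration. It also rejects numeric and hex spellings of IPv4 hosts, which goes beyond the FAQ list:

```php
<?php
// Added example: hypothetical validator following the FAQ rules, not the plugin's code.
function example_return_url_allowed(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;
    }
    // Only http and https schemes are accepted.
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Normalise: lower-case, drop a trailing dot and IPv6 brackets.
    $host = trim(rtrim(strtolower($p['host']), '.'), '[]');
    // Local hosts are blocked.
    if ($host === 'localhost' || str_ends_with($host, '.localhost')) {
        return false;
    }
    // Direct IP addresses are blocked (IPv4 and IPv6 literals).
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    // Assumption beyond the FAQ: a last label of digits or 0x-hex is an IPv4 spelling.
    if (preg_match('/(^|\.)(0x[0-9a-f]*|[0-9]+)$/', $host) === 1) {
        return false;
    }
    // Common internal TLDs are blocked.
    foreach (['.local', '.internal', '.lan'] as $suffix) {
        if (str_ends_with($host, $suffix)) {
            return false;
        }
    }
    // Only ports 80 and 443 are allowed; no explicit port means the scheme default.
    if (isset($p['port']) && !in_array($p['port'], [80, 443], true)) {
        return false;
    }
    return true;
}
// Constructed sample URLs, printed with the validator's decision.
$samples = [
    'https://procurement.example.com/punchout/return',
    'http://LOCALHOST./return',
    'https://[::1]/return',
    'https://erp.internal/return',
    'https://procurement.example.com:8443/return',
];
foreach ($samples as $url) {
    printf("%-50s %s\n", $url, example_return_url_allowed($url) ? 'accept' : 'reject');
}
```

String checks like these do not see what a hostname resolves to, which is why the request-time `reject_unsafe_urls` option the page mentions still matters.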

Does the plugin store sensitive payloads in logs?

No. Punchr Lite stores only a SHA-256 hash of payloads by default. Payload content is not stored.

Why is checkout blocked?

PunchOut workflows require users to build a cart and return it to the procurement system. Checkout inside WooCommerce is therefore disabled in PunchOut mode.

What happens if the session expires?

PunchOut sessions are short-lived. If a session expires, the start endpoint and return flow will return an error.

Is Punchr Lite free?

Yes. Punchr Lite is free for evaluation purposes.

What happens when the evaluation expires?

When the evaluation period ends, PunchOut setup requests are blocked. The /setup endpoint returns a cXML Status 401 with an explicit message to upgrade. Your configuration is not deleted and no data is lost.

Changelog:

1.3.0 Public release of Punchr Lite.