S2Member Pro – A Powerful Membership Plugin For Wordpress Version History

- (Framework) **Fix:** PayPal Checkout cancellation shortcodes now keep `output="anchor"` clickable for logged-out visitors. Only `output="button"` requires the member to be logged in. See [thread 13450](https://f.wpsharks.com/t/13450) 

- (Framework) **Fix:** PayPal Checkout no longer aborts if the customer's IP address changes during checkout. IP mismatches are logged, but valid checkouts continue processing.

- (Framework) **Fix:** Prevent false Auto-EOT demotions when a stored Auto-EOT time is `0`, and improve logging for invalid Auto-EOT values. See [thread 13412](https://f.wpsharks.com/t/13412) 

- (Framework) **Fix:** Prevented a PHP 8.1+ deprecation notice while reading registration times when the stored value is missing or false.

- (Framework) **Improvement:** Improved PayPal Checkout button loading with a client-side fallback when the PayPal SDK is missing from the final page output.

- (Pro) **Fix:** Prevented deprecation notices on newer PHP versions, which could interfere with automatic login/redirects after Stripe checkout.

- (Pro) **UI:** Improved cancellation pro-form submit button text. Cancellation forms now say “Cancel Subscription” instead of the generic “Submit Form”. See [thread 13438](https://f.wpsharks.com/t/13438)

- (Framework) **Fix:** Reduced the upfront requirements for processing PayPal Standard `subscr_cancel` IPNs so valid cancellations are not ignored when supporting values are missing, stale, or non-membership-specific.

- (Framework) **Fix:** Prevent incorrect s2Member notifications in some PayPal Checkout cases where several webhooks are received about the same subscription.

- (Framework) **Fix:** Prevent duplicate processing and notifications when PayPal sends both a webhook and an IPN for the same PayPal Checkout subscription payment.

- (Framework) **Fix:** Added subscription modification cancellation support to the Framework, which was previously only available in the Pro addon.

- (Pro) **Fix:** Made subscription modification cancellation gateway-aware, preventing orphaned active subscriptions when a member starts a replacement subscription through a different gateway. 

- (Pro) **Fix:** Prevented rare cases where subscription modification processing could cancel the newly created subscription by mistake.

- (Pro) **Fix:** Improved Stripe customer lookup during checkout retries by falling back to email when the stored Stripe customer ID is missing, stale, or no longer retrievable.

- (Framework) **Fix:** Improved PayPal Checkout webhook idempotency to prevent duplicate processing during repeated/concurrent webhooks, while preserving normal behavior.

- (Framework) **Fix:** Resolved a PayPal IPN issue where some `subscr_cancel` notifications were ignored because the cancellation handler failed before it had fully identified the recurring subscription.

- (Framework) **Improvement:** Added IPN Signup Var lookups for missing PayPal cancellation IPN values like `period1`, `period3`, `item_number`, `item_name`, and `payer_email`, preventing valid `subscr_cancel` notifications from being ignored.

- (Framework) **Improvement:** Moved s2Member's translation files to `/languages`, following the WordPress standard, and updated `.mo` loading to support that directory while continuing to support the standard and legacy WordPress locations.

- (Framework) **Improvement:** Hardened PayPal Standard IPN endpoint response handling and added debug logging for hosts/security layers that incorrectly return HTTP 403 after successful processing.

- (Framework) **Enhancement:** Added `ukpostcode` as an expected-value option for Custom Registration/Profile Fields, with matching server-side and client-side validation for UK postcode input. The validation is designed to be reasonably broad, including standard UK formats and related special cases. Thanks to Gerard Earley for contributing the patch. See [thread 12200](https://f.wpsharks.com/t/12200)

- (Framework) **Enhancement:** Added a new __General Options > s2Get Shortcode__ setting to allow `user_id` for whitelisted user fields, defaulting to current-user. Also updated the s2Get KB article accordingly.

- (Pro) **Fix:** Updated Stripe card charge and PaymentIntent requests to use `statement_descriptor_suffix` instead of `statement_descriptor`, fixing card-payment errors where Stripe no longer accepts `statement_descriptor` for card payments.

- (Pro) **Fix:** Corrected Stripe subscription checkout so resumed PaymentIntent flows no longer go through the wrong intent-status handler.

- (Pro) **Fix:** Stripe now stops cleanly after card declines, instead of continuing into secondary intent/payment-method errors.

- (Pro) **Fix:** Improved Stripe recurring-payment setup to better support future-charge authorization requirements, fixing failures in countries with stricter payment rules, including India.

- (Pro) **Fix:** Stripe now updates recurring default payment methods only after a successful intent result, instead of earlier in checkout.

- (Pro) **Fix:** Billing-update SetupIntent creation failures in Stripe now return the proper error response.

- (Pro) **Fix:** Prevent duplicate/retried Stripe webhook events from being processed more than once, including near-simultaneous retries of the same Stripe event ID

- (Pro) **Fix:** prevent Stripe billing modification/replacement from triggering EOT behavior for the cancelled old subscription while s2Member is still updating the member account with the new subscription.

- (Pro) **Fix:** Removed a trailing-comma syntax issue in Stripe subscription update code that could cause PHP compatibility errors on older supported PHP versions.

- (Pro) **Fix:** s2Member now cleans up incomplete subscriptions left behind by failed 3D Secure authentication attempts during Stripe checkout, and gives the customer a more clear payment failure message.

- (Pro) **Improvement:** Added dedicated s2 Stripe log entries for non-fatal failures while updating the default payment method after successful intent completion.

- (Framework) **Fix:** Prevent a PHP 8.1+ deprecation notice from appearing above the admin Users table in some cases.
 
- (Framework) **Security:** Improved debug log sanitization.
 
- (Framework) **Improvement:** PayPal Checkout credential test and OAuth failure log entries now include client_len_hash / secret_len_hash values (length_hash, e.g. 80_4d9a7c1b2e8f4a21) to help compare attempted credentials during troubleshooting without exposing raw values.
 
- (Framework) **Enhancement:** Added a new _No-Cache Headers Behavior_ option under _General Options > Performance & Caching_, making no-cache behavior configurable from the admin UI. It includes:
  - `Always` mode, the legacy safe default that prevents caching site-wide in case user-conditional output appears.
  - `Selective` mode, which was previously available only through a filter and may improve caching for guests, but can miss some runtime no-cache triggers.
  - The new `Evaluative` beta mode, which evaluates the page with more runtime information and may allow more pages to be cached safely for guests.
  - An optional debug header to help troubleshoot no-cache behavior.
 
- (Framework) **UI:** Clarified the Download Options text to explain that unique download limits are counted in the last X days (rolling window), reducing confusion about whether the limit resets on fixed calendar dates.
 
- (Framework) **UI**: Improved the PayPal Checkout credentials test failure message.
 
- (Framework) **UI:** Fixed the PayPal button encryption admin notice so that it shows only to administrators in the WP Admin area, not non-admin users.

(Framework) **Bug Fix:** Prevent PHP fatal error when multiple PayPal Checkout buttons appear on the same page (PHP 8+).  

(Framework) **Bug Fix:** PayPal Checkout admin actions (Test Credentials / Webhook / Clear Cache) now submit via POST instead of redirecting (avoids “headers already sent” warnings).  

(Framework) **Bug Fix:** PayPal cancellation notifications now backfill missing membership mapping fields (`item_number`, `item_name`, `period1`, `period3`) from stored IPN Signup Vars using the subscription ID ( `recurring_payment_id` / `subscr_id` ), so Auto-EOT is set correctly on cancel.

(Framework) **Bug Fix:** Auto-EOT PayPal status checks now query PayPal Checkout subscriptions via PayPal’s REST Subscriptions API (instead of PayPal's legacy “Recurring Payments” API), preventing “11592” errors and allowing Auto-EOT to detect inactive PayPal Checkout subscriptions.

(Framework) **Security:** PayPal Checkout webhook environment inference now validates the `paypal-cert-url` host before using it (hardens environment inference used during verification).  

(Framework) **Security:** PayPal Checkout cancel redirect now validates the destination URL and safely falls back to the site home URL.  

(Framework) **Security:** PayPal Checkout tokens now use s2Member’s hardened unserialize routine.  

(Framework) **Security:** Harden unserialization of stored custom capabilities metadata when loading user access rules.

(Framework) **Security:** Harden the registration password handler.

(Framework) **Improvement:** Harden PayPal Checkout endpoint behavior on problematic hosts; return consistent JSON errors (HTTP 500) on notify-proxy failures.  

(Framework) **Improvement:** Harden PayPal Checkout REST API/webhook handling for network failures and unexpected/non-JSON responses (avoids PHP 8+ warnings).  

(Framework) **Improvement:** PayPal Checkout webhook setup now treats "no change" updates and existing webhook URLs as success (adopts the existing webhook ID automatically).  

(Framework) **Improvement:** PayPal Checkout webhook signature verification now auto-detects Sandbox vs Live from inbound headers (so webhooks validate correctly even if the site’s current environment setting differs).  

(Framework) **Improvement:** PayPal Checkout logging now includes `env_setting` (site setting) and `env_webhook` (inferred from inbound webhook headers) for clearer Sandbox/Live environment troubleshooting.  

(Framework) **Improvement:** PayPal Checkout webhook idempotency cache (event/txn transients) now retains entries for 1 year (reduces long-term option bloat while preserving replay protection).

(Framework) **Improvement:** s2Member’s PayPal “Unsubscribe” button links to PayPal’s subscription management page, and with the new PayPal Checkout integration, when `output="button"` and a PayPal subscription ID is present, s2Member will attempt to cancel the subscription directly.

(Framework) **UI:** Add a description for `paypal-checkout.log` in the Log Viewer dropdown (so it’s not “No description available”).

(Pro) **Improvement:** PayPal Checkout buttons now support `accept="card"` to enable guest debit/credit card payment in the PayPal-hosted checkout experience when available (availability depends on PayPal settings/eligibility and browser privacy protections).

- (Framework) **PayPal Enhancement**: Modernized s2Member’s PayPal integration by adding support for PayPal Checkout with their latest REST APIs, Smart Buttons, and webhook event handling. This release introduces PayPal’s current Checkout platform as an optional, reliable alternative to the legacy PayPal Standard buttons. Existing s2Member PayPal button shortcodes continue to work as-is (no edits required). See: _WP Admin > s2Member > PayPal Options > PayPal Checkout (Beta)_. Thanks to the beta testers, especially Sim Architect.

- (Framework) **Bug Fix:** Fixed mismatched `<label for="">` and `<input id="">` attributes for checkbox/radio options in Custom Registration/Profile Fields; this also restores proper client-side validation for required checkbox/radio groups.

- (Framework) **Fix:** Hardened the Edit User Profile screen on PHP 8+ to avoid errors if a user’s Auto-EOT time is stored as a date string (e.g. YYYY-MM-DD) rather than a Unix timestamp (as can happen after imports/migrations).

- (Framework) **Fix:** Fixed PHP 8+ "Undefined array key" warnings related to membership level label constants (including guest/non-logged-in access label handling).

- (Framework) **Fix:** Resolved an issue that prevented PayPal Buttons "Generate Button Code" from working in some installations.

- (Framework) **Fix:** Some PayPal Checkout log entries were missing the environment (sandbox/live), and now include it to help with troubleshooting.

- (Framework) **Fix:** PayPal Checkout webhooks can continue processing existing subscriptions even if new sales are switched back to PayPal Standard.

- (Framework) **Fix:** PayPal Checkout webhooks now also handle refunds, reversals, and additional subscription lifecycle events, improving user EOT/access updates and subscription state handling.

- (Framework) **Fix:** Improved PayPal Checkout amount decimal normalization to prevent one-time payment validation mismatches.

- (Framework) **Fix:** Updated PayPal Checkout webhook handling to prevent one-time payment captures from being processed as recurring payments.

- (Framework & Pro) **Fix:** Prevent PHP 8.1+ deprecation warnings in gateway Pro-Forms and related checkout processing (Stripe, PayPal Pro, Authorize.Net), and in custom registration fields, by ensuring optional form/template values are cast to strings before escaping/processing.

- (Framework) **Security:** Improved debug log sanitization (passwords, API secrets, auth credentials) and reduced post-registration plaintext password exposure.

- (Framework) **Improvement:** PayPal Standard and PayPal Checkout cancellation buttons now use PayPal’s subscription management page when needed.

- (Framework) **Improvement:** Better HTTPS detection in s2Member’s PayPal Checkout setup for sites using Cloudflare (or other reverse proxies), reducing false setup failures when enabling or configuring PayPal Checkout.

- (Pro) **Improvement:** Hardened the Advanced Importer to normalize Auto-EOT values given as date strings (e.g. YYYY-MM-DD) into Unix timestamps when a date is used instead of the expected timestamp format.

- (Pro) **Improvement:** PayPal Checkout buttons now support `accept="card"` in Pro button attributes, enabling card funding/guest checkout where PayPal makes it available.