WC Moneris Payment Gateway Pro

2026.05.23 – version 4.9.14

• Add – “3D Secure Eligible Cards” setting under the 3D Secure toggle that restricts 3DS to selected card brands (Visa / MasterCard / American Express). Cards of other brands are processed as a standard Purchase.
• Fix – American Express cards no longer fail with “Service unavailable” (Code 900) at 3DS Card Lookup on merchant accounts without Amex OFI. Amex is unchecked by default in the new setting and bypasses 3DS unless explicitly enabled.

2026.05.14 – version 4.9.13

• Fix – Duplicate charges prevented when customers double-click Place Order or refresh checkout while payment is still processing (atomic per-order in-flight lock)
• Fix – Duplicate payment detection now reads directly from order meta tables (HPOS-aware), avoiding stale in-memory caches that allowed concurrent attempts to slip through
• Enhancement – Per-order and per-IP attempt counters are incremented only after a confirmed Moneris-side failure, so legitimate retries blocked by the in-flight guard no longer consume the customer’s attempt budget

2026.04.25 – version 4.9.12

• Fix – 3DS session data now cleared immediately on CAVV purchase failure, preventing stale authentication data from leaking into subsequent orders
• Fix – Moneris “null” string response code and duplicate order ID responses no longer treated as approved transactions
• Fix – Orders now correctly set to Failed (instead of remaining in Pending Payment) when CAVV purchase is declined after 3DS challenge
• Fix – Customer redirected to checkout with error message on CAVV decline instead of the now-failed order pay page
• “Save to account” checkbox no longer shown to guest users (checkbox was visible but silently ignored server-side)

2026.04.11 – version 4.9.11

• Fix – 3DS CAVV Lookup no longer corrupts standard base64 CRes from production bank ACS; replaces sanitize_text_field() with a whitelist-only sanitizer preserving valid base64/base64url characters
• Fix – Empty CAVV after CAVV Lookup now redirects to payment page with an error notice instead of silently looping the 3DS challenge
• Add – Raw CAVV Lookup response data logged at debug level for easier diagnosis of future 3DS failures

2026.03.27 – version 4.9.10

• Fix – Daily license sync now correctly loads license data in cron context, preventing the payment gateway from being incorrectly disabled overnight due to a false “no API key” failure

2026.03.24 – version 4.9.9

• Fix – License activation notice now links to correct admin page
• Fix – PHP notice _load_textdomain_just_in_time no longer appears in debug log
• Add – Daily license sync: gateway is automatically disabled when subscription expires
• Add – Silent re-activation: license re-activates automatically after subscription renewal
• Add – Plugin icon and banners now display in WordPress Updates and plugin info popup

2026.03.18 – version 4.9.8

• Enhancement – Added “Authorize Order Status” setting to allow merchants to choose between “Processing” or “On Hold” when a payment is authorized in Authorize mode
• Fix – License activation notice now redirects to correct admin page (admin.php instead of options-general.php)

2026.02.25 – version 4.9.7

• Fix – Auto-capture now works correctly for AUTHORIZE orders flagged as on-hold by AVS/CVD fraud detection when merchant manually approves the order

2026.02.21 – version 4.9.6

• Enhancement – AUTHORIZE mode orders now set to “processing” immediately (instead of “on-hold”), enabling third-party fulfillment integrations
• Add – Auto-capture: authorized payments are automatically captured when order status changes to “completed”
• Add – 3DS e-fraud validation support for both purchase and authorize mode transactions
• Fix – Browser fingerprint data (user agent, screen dimensions, language, timezone) now correctly passed to 3DS in WooCommerce blocks checkout
• Fix – browser_java_enabled boolean value now correctly normalized to “true”/”false” string for Moneris API in blocks checkout

2026.01.27 – version 4.9.5

• Fix – Critical: Prevent duplicate charges when AVS/CVD rejects after Moneris approval
• Fix – Save transaction identifiers before AVS/CVD evaluation to prevent empty refund attempts
• Fix – Replace automatic refund/reversal logic with manual review workflow for safer fraud handling
• Fix – Add duplicate payment prevention check at payment processing entry point
• Fix – Implement transaction-type-specific identifier handling for AUTHORIZE vs CHARGE types
• Fix – Save capture metadata early for CHARGE type to enable merchant refunds
• Enhancement – Add clear fraud alerts in order notes with specific AVS/CVD failure reasons
• Enhancement – Set proper order status for AUTHORIZE transactions based on fraud check results
• Enhancement – Orders no longer marked as “failed” after Moneris approval, preventing customer retries

2025.12.01 – version 4.9.4

• Enhancement – Updated dynamic_descriptor field validation to 20 character maximum limit
• Enhancement – Added client-side and server-side validation for dynamic_descriptor field with maxlength attribute
• Enhancement – Improved character filtering for dynamic_descriptor to remove forbidden special characters: < > $ % = ? ^ { } \ [ ] /
• Fix – Fixed undefined array key “fax” warning in mpgClasses.php with proper isset() checks
• Fix – Fixed TypeError in secure_log() method by properly handling mpgResponse objects as array context
• Fix – Improved error handling for WooCommerce order item methods with proper null checks and type validation
• Fix – Enhanced billing_details conditional inclusion following shipping_details pattern for better data structure efficiency

2025.11.02 – version 4.9.3

• Enhancement – Major code quality and security improvements implemented
• Add – Configurable maximum payment attempts setting (0-10, default: 3)
• Add – IP-based rate limiting with enable/disable toggle (10 attempts per hour per IP)
• Add – Enhanced input validation with Luhn algorithm for credit card verification
• Enhancement – Improved error handling and logging with request tracking
• Enhancement – Enhanced secure logging with masked sensitive data and context information
• Enhancement – Added type declarations to key methods for better code quality
• Enhancement – Modernized PHP patterns using null coalescing operators
• Fix – Removed unused code and imports for cleaner codebase
• Fix – Fixed method compatibility issues and diagnostic errors
• Fix – Enhanced method documentation with comprehensive security explanations
• Security – Multi-layer rate limiting (IP + order-based) to prevent abuse
• Security – Enhanced input sanitization to prevent XSS attacks
• Security – Improved client IP detection with proxy support
• Misc – Code refactored following modern PHP best practices

2025.07.31 – version 4.9.2

• Fix – Fixed AVS & CVD data passing issue even when it is disabled
• Misc – Added support for WooCommerce 10.0.4

2025.07.29 – version 4.9.1

• Fix – Fixed critical SQL injection vulnerability
• Fix – Added CSRF protection with nonce verification
• Fix – Implemented comprehensive input sanitization
• Fix – Fixed variable variables security issue
• Fix – Added authentication checks
• Fix – Fixed missing text domains
• Fix – Corrected improper use of translation functions
• Fix – Standardized text domain usage
• Fix – Improved WordPress coding standards compliance
• Fix – Enhanced error handling and user feedback

2025.06.11 – version 4.9

• Fix – Duplicate order id issue fix improved for production environment.
• Fix – Moneris checkout preauth refund issue fixed.
• Add – New `wpheka_moneris_order_number` filter added to moneris direct gateway to override order id.
• Add – New `wpheka_moneris_checkout_order_number` filter added to moneris checkout gateway to override order id.
• Misc – Added support for WooCommerce 9.9.3

2025.05.30 – version 4.8

• Add – Moneris Checkout authorization capture and reverse added in order details page actions.
• Add – Moneris Checkout automatically capture authorization order when order status changes to completed.

2025.05.29 – version 4.7

• Enhancement – Moneris Checkout gateway cart empty logic improved.
• Add – Add new `wpheka_virtual_downloadable_order_status` filter to moneris direct gateway to update order status if all items are virtual and downloadable.

2025.05.26 – version 4.6

• Enhancement – Moneris Checkout process improved.
• Enhancement – Moneris classic API gateway process improved.
• Enhancement – Moneris checkout added for WooCommerce block-based checkout.
• Enhancement – AVS fields removed from checkout page.
• Misc – Added support for WooCommerce 9.8.5

2025.05.08 – version 4.5

• Fix – WooCommerce block checkout credit card expiry field mobile keyboard issue fixed.
• Misc – Added support for WooCommerce 9.8.4

2025.05.06 – version 4.4

• Enhancement – Moneris Checkout cron improved.
• Enhancement – Moneris Checkout pay for order improved.
• Misc – Added support for WooCommerce 9.8.3

2025.02.02 – version 4.3

• Enhancement – Moneris Checkout gateway improved.

2025.01.04 – version 4.2

• Fix – CVD & AVS Checkings issues fixed.
• Enhancement – Moneris Checkout user interruptions callbacks improved.
• Misc – Added support for WooCommerce 9.5.1

2024.12.14 – version 4.1

• Enhancement – Moneris API updated to 1.0.31
• Enhancement – CVD & AVS Checkings improved.
• Misc – Added support for WooCommerce 9.4.3

2024.11.30 – version 4.0

• Fix – Checkout page save card issue fixed.

2024.07.18 – version 3.9

• Enhancement – Moneris checkout v2 library added.

2024.06.11 – version 3.8

• Fix – HPOS refund issue fixed.

2024.06.11 – version 3.7

• Enhancement – WooCommerce checkout blocks support added.
• Enhancement – High-Performance Order Storage (HPOS) support added.

2023.12.19 – version 3.6

• Misc – Added support for WooCommerce 8.4.0
• Fix – License settings page layout issue fixed.

2023.12.07 – version 3.5

• Misc – Added support for WooCommerce 8.3.1

2022.11.10 – version 3.4

• Fix – The issue of repeated payments upon entering wrong credit card information has been resolved in the “Authorize” transaction type.

2022.08.23 – version 3.3

• Fix – Admin settings error display issue fixed.
• Enhancement – Moneris MCO checkout payment improved.

2022.06.20 – version 3.2

• Fix – Card tokenization issue fixed.
• Fix – License Api error display issue fixed.
• Enhancement – Moneris MCO checkout refund info added.

2022.02.11 – version 3.1

• Fix – License settings api_key issue fixed.
• Fix – License settings default message issue fixed.
• Fix – License setings product id issue fixed.

2022.02.10 – version 3.0

• Fix – License settings page layout issue fixed.
• Fix – Php warnings on license settings page fixed.
• Enhancement – Moneris API updated to 1.0.22

2021.03.05 – version 2.9

• Dev – Moneris checkout failed message filter `wpheka_moneris_checkout_failed_message` added.
• Fix – MCO php notices fixed.

2021.03.04 – version 2.8

• Enhancement – Moneris Checkout payment method added.

2020.12.11 – version 2.7

• Fix – CVD issue fixed.

2020.12.04 – version 2.6

• Enhancement – Moneris Api updated to 1.0.20

2020.09.30 – version 2.5

• Fix – Default order status issue fixed.

2020.08.06 – version 2.4

• Misc – Add support for WooCommerce 4.1
• Feature – Add multi-currency support to allow USD and CAD transactions to be processed using different Moneris accounts
• Feature – Sequential Order Numbers compatibility added

2020.07.23 – version 2.3

• Fix – Fix transactions failing with trailing slash

2020.07.22 – version 2.2

• Fix – Multiple domain license fix added

2020.07.21 – version 2.1

• Fix – Credit card form fix added

2020.06.20 – version 2.0

• Tweak – Moneris API updated

2020.04.23 – version 1.0

• First Release