Title: Punchr Lite – PunchOut cXML Bridge for WooCommerce
Author: punchr
Published: January 10, 2026
Last modified: January 10, 2026

---


![](https://ps.w.org/punchr-lite/assets/icon-256x256.png?rev=3436699)

# Punchr Lite – PunchOut cXML Bridge for WooCommerce

 By [punchr](https://profiles.wordpress.org/punchr/)

[Download](https://downloads.wordpress.org/plugin/punchr-lite.1.3.0.zip)


## Description

Punchr Lite lets you connect an external procurement system (PunchOut / cXML) to
a WooCommerce store.

Punchr Lite is intended for evaluation and validation of the PunchOut flow. It is
not intended for production use. Production usage requires Punchr Pro.

It implements the essential PunchOut flow:

 1. The procurement system sends a PunchOutSetupRequest (cXML) to your WooCommerce 
    site.
 2. Punchr Lite authenticates the request using HTTP Basic Authentication (Token / 
    Secret).
 3. Punchr Lite creates a short-lived PunchOut session and returns a PunchOutSetupResponse
    with a StartPage URL.
 4. The user is redirected to your WooCommerce shop in PunchOut mode (checkout is blocked).
 5. When the user clicks “Return to Procurement”, Punchr Lite sends a PunchOutOrderMessage
    (cXML) back to the procurement system.

This plugin is designed for B2B merchants who need a simple, ERP-friendly PunchOut
bridge with minimal configuration.

Main endpoints

 * `POST /wp-json/punchr/v1/setup`: receives a cXML PunchOutSetupRequest and returns
   a PunchOutSetupResponse (StartPage URL).
 * `GET /wp-json/punchr/v1/start?sid=…&st=…`: activates the PunchOut session and
   redirects the user to the WooCommerce shop.
 * Front return handler: adds a “Return to Procurement” button in the cart and posts
   the PunchOutOrderMessage to the validated return URL.

Admin

 * Punchr Lite > Settings: single Buyer credentials (Token and Secret regeneration)
 * Punchr Lite > Logs: last 200 events
 * Punchr Lite > Upgrade to Pro

Documentation and technical details are available at:
 https://punchr.net

### Upgrade to Punchr Pro

Punchr Lite is designed for a single Buyer and a basic PunchOut flow.

The Pro version adds advanced features for production and enterprise environments,
including:

 * Multiple Buyers
 * Buyer-specific credentials and policies
 * Advanced catalog and pricing rules
 * Extended logs and diagnostics
 * Priority support

Punchr Lite is free for evaluation purposes only. Production usage requires Punchr
Pro.

### Privacy

Punchr Lite stores limited diagnostic data to help troubleshoot PunchOut sessions.

What we collect

 * IP address and User-Agent of requests recorded in plugin logs
 * Technical event information (event name, timestamp, HTTP status, message)
 * A SHA-256 hash of some XML payloads (payload content is not stored)

Where the data is stored

 * Data is stored locally in your WordPress database in custom tables created by
   the plugin (e.g. `wp_wcpob_logs`)

Data sharing

 * No log data is sent to the plugin author or any third party
 * The plugin sends a PunchOutOrderMessage (cXML) only to the return URL provided
   by your procurement system

How to remove data

 * All plugin data (including logs and credentials) is permanently removed when
   the plugin is uninstalled

### Support & Bug Reports

If you encounter a bug or unexpected behavior while using Punchr Lite, please
contact us:

📧 **bugs@punchr.net**

When reporting a bug, please include:

 * Your WordPress version
 * Your WooCommerce version
 * Punchr Lite version
 * A short description of the issue
 * Relevant log entries (Punchr Lite > Logs)

We do our best to respond and fix issues quickly.

## Screenshots

 * Punchr Lite settings page (Token and Secret management)
 * Punchr Lite logs page

## Installation

 1.  Upload the plugin folder to `/wp-content/plugins/` (or install via the Plugins
     screen).
 2.  Activate the plugin through the “Plugins” screen in WordPress.
 3.  Ensure WooCommerce is installed and active.
 4.  Go to **Punchr Lite** in the WordPress admin menu.
 5.  Copy the **Token**.
 6.  Click **Regenerate secret** to generate a new Secret (shown once — copy it immediately).
 7.  Configure your procurement system:
      * Setup URL: `https://YOUR-SITE/wp-json/punchr/v1/setup`
      * Authentication: **HTTP Basic Authentication**
         - Username: **Token**
         - Password: **Secret**
 8.  Run a test PunchOut session from your procurement system.

## FAQ

### Does Punchr Lite require WooCommerce?

Yes. This plugin requires WooCommerce to be installed and active.

### How does authentication work for /setup?

The `/setup` endpoint uses **HTTP Basic Authentication**, which is widely supported
by ERP and procurement systems.

 * Username: Buyer Token
 * Password: Buyer Secret

Both values are generated and managed from the Punchr Lite admin screen. If authentication
fails, the request is rejected with HTTP 401.

### Is it protected against replay attacks?

Yes. A transient-based nonce is stored briefly. Reusing the same (token, nonce) 
within the retention window is rejected.

### How is SSRF prevented when posting back the PunchOutOrderMessage?

The return_url extracted from the cXML request is validated:

 * Only http and https schemes are accepted
 * Local hosts are blocked (e.g. localhost)
 * Direct IP addresses are blocked
 * Common internal TLDs are blocked (.local, .internal, .lan)
 * Non-standard ports are blocked (only 80 and 443 allowed)

Outgoing requests are sent using wp_remote_post() with reject_unsafe_urls enabled.
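
The rules listed above, written out as an added example in plain PHP. This is not Punchr Lite's own code; the function name `return_url_rejection()` and the sample URLs are assumptions made here. It covers only the string-level checks, including the trailing-dot, bracketed IPv6 and numeric-host spellings that a plain string comparison misses; what the host name resolves to is left to the HTTP layer.

```php
<?php
// Added example (hypothetical helper, not the plugin's code).
// Suffix list taken from the FAQ; ".localhost" covers the "local hosts" rule.
const BLOCKED_SUFFIXES = ['.localhost', '.local', '.internal', '.lan'];

/** Returns null when the URL passes, or the reason it was rejected. */
function return_url_rejection(string $url): ?string
{
    $p = parse_url(trim($url));
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return 'malformed URL';
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return 'scheme not allowed';
    }
    if (isset($p['port']) && !in_array($p['port'], [80, 443], true)) {
        return 'port not allowed';
    }
    // Normalise: lower-case, drop the FQDN trailing dot and IPv6 brackets.
    $host = rtrim(strtolower($p['host']), '.');
    if (filter_var(trim($host, '[]'), FILTER_VALIDATE_IP) !== false) {
        return 'IP literal';
    }
    // Decimal or hex spellings of an address (2130706433, 0x7f.1) are not
    // IPs to filter_var, but a real TLD always starts with a letter.
    $labels = explode('.', $host);
    if (!preg_match('/^[a-z]/', end($labels))) {
        return 'numeric host';
    }
    // Prefixing "." lets one suffix test match both "localhost" and "x.localhost".
    foreach (BLOCKED_SUFFIXES as $suffix) {
        if (str_ends_with('.' . $host, $suffix)) {
            return 'local or internal name';
        }
    }
    return null;
}

// Constructed sample inputs, one per rule plus the edge cases.
$samples = [
    'https://procurement.example.com/return', 'ftp://procurement.example.com/',
    'https://procurement.example.com:8443/',  'http://LOCALHOST./cb',
    'http://[::1]/cb', 'http://2130706433/cb', 'http://0x7f.1/cb',
    'https://erp.corp.internal/cb',
];
foreach ($samples as $u) {
    printf("%-42s %s\n", $u, return_url_rejection($u) ?? 'accepted');
}
```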

### Does the plugin store sensitive payloads in logs?

No. Punchr Lite stores only a SHA-256 hash of payloads by default. Payload content
is not stored.

### Why is checkout blocked?

PunchOut workflows require users to build a cart and return it to the procurement
system. Checkout inside WooCommerce is therefore disabled in PunchOut mode.

### What happens if the session expires?

PunchOut sessions are short-lived. If a session expires, the start endpoint and 
return flow will return an error.

### Is Punchr Lite free?

Yes. Punchr Lite is free for evaluation purposes.

### What happens when the evaluation expires?

When the evaluation period ends, PunchOut setup requests are blocked. The /setup
endpoint returns a cXML Status 401 with an explicit message to upgrade. Your configuration
is not deleted and no data is lost.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Punchr Lite – PunchOut cXML Bridge for WooCommerce” is open source software. The
following people have contributed to this plugin.

Contributors

 *   [ punchr ](https://profiles.wordpress.org/punchr/)


### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/punchr-lite/), check
out the [SVN repository](https://plugins.svn.wordpress.org/punchr-lite/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/punchr-lite/) by
[RSS](https://plugins.trac.wordpress.org/log/punchr-lite/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.3.0

Public release of Punchr Lite.

## Meta

 *  Version **1.3.0**
 *  Last updated **4 months ago**
 *  Active installations **Fewer than 10**
 *  WordPress version **6.2 or higher**
 *  Tested up to **6.9.4**
 *  PHP version **8.1 or higher**
 *  Tags: [b2b](https://wordpress.org/plugins/tags/b2b/), [cxml](https://wordpress.org/plugins/tags/cxml/),
    [procurement](https://wordpress.org/plugins/tags/procurement/), [PunchOut](https://wordpress.org/plugins/tags/punchout/),
    [woocommerce](https://wordpress.org/plugins/tags/woocommerce/)
 *  [Advanced View](https://wordpress.org/plugins/punchr-lite/advanced/)


## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/punchr-lite/)