Payment options enabled without consent!

Resolved Tom
(@jeffreeeeey)

1 month, 1 week ago

We have used your plugin for 3+ years.

Following a recent plugin update (I cannot confirm which release, since we are not in the habit of checking which payment methods are displaying on our Checkout every day), we received an order which automatically entered the ON HOLD status.

In the payment log of the order, stock was reduced. The woo payment log said: Awaiting Trustly to confirm the payment. Order status changed from Pending payment to On hold.

We have never enabled Trustly on our website and did not consent to it being enabled.

In PayPal we see no trace of the transaction at all.

At Checkout we confirmed that ‘Trustly’ was showing as a payment option.

On further investigation we found that this had automatically been enabled in the plugin settings, together with other payment methods: Bancontact, Blik, EPS, iDeal, MyBank, Przelewy24, Trustly, and Multibanco.

It is absolutely not acceptable that the payment methods accepted on a retailers website can be dictated by plugin developers.

Not only do we as a retailer not offer any terms for those payment methods, but we also did not perform testing, we were not notified that they had been enabled, and we were not given ample opportunity to apply any required changes for cookie consent — for the simple reason that we did not implement — and did not want to implement those payment methods.

Not only this but given the fact there is a clear issue with this payment method, we are unsure just how many sales this cost us.

This has created a huge trust issue with your plugin (and accepting PayPal on the whole!). You do not have the right to have this level of control over a retailers website, and it must be ensured that such actions never, ever, happen again.

Viewing 13 replies - 1 through 13 (of 13 total)

Plugin Support Krystian Syde
(@inpsydekrystian)

1 month, 1 week ago
Hello @jeffreeeeey

Most likely, they were already enabled, but it wasn’t visible the way it is now. In the legacy UI, alternative payment methods were only effectively disabled if they were explicitly added to the “disabled APM” list, which, in practice, was quite rare, and I saw a lot of sites where users were just not aware of it. We could confirm this by reverting you to legacy UI.

When updating from 2.x or 3.x to 4.x, merchants who previously had APMs (Alternative Payment Methods) enabled (opt-out by default) will have separate APM gateways automatically enabled. This trigger a WooCommerce email like “Payment gateway ‘Przelewy24 (via PayPal)’ enabled“.

This is expected. Legacy APM smart buttons are no longer supported in the new UI and have been converted to individual WooCommerce gateways with dedicated controls. No new payment methods are being activated; only the visibility of previously enabled ones changes. Some users may not have been aware that PayPal Payments enables multiple payment methods beyond PayPal by default. APMs like iDEAL, Bancontact, or Przelewy24 were always part of the default configuration for merchants in supported countries, but their visibility was quite limited.

Legacy behavior
- APMs appeared as additional buttons inside the PayPal button stack
- Visibility was controlled by the buyer’s IP address (e.g. Dutch IP for iDEAL)
- Not always listed as separate gateways in WooCommerce settings
New UI behavior
- APMs are individual WooCommerce payment gateways
- Visibility is determined by the buyer’s billing country
- Shown as separate entries in WooCommerce settings (more visible to merchants and eligible buyers)
If you have any doubts about this please let us know.

Kind regards,
Krystian
dynit
(@dynit)

1 month, 1 week ago

Same problem here: all these new payment options were automatically added a couple of days ago. Had this on multiple websites. Worse even: I cannot delete them from the woocommerce payment options screen. I can press ‘delete’, but they come back automatically again. Even on 4.0.2. Big impact, please provide fix. In the meantime I can only disable PayPal altogether.

Plugin Support Krystian Syde
(@inpsydekrystian)

1 month, 1 week ago

Hello @dynit

Thanks for reporting this, I understand how disruptive this can be.

First, could you please create a dedicated thread for this issue? When multiple reports are grouped together, they may get moderated or overlooked, and having a separate thread helps us track and prioritize your case properly.

Second, we’ll need a full system status report (WooCommerce → Status → Get system report) so we can check your setup in detail.

From what we’ve seen so far, this behavior is very related to caching layers. Please temporarily disable all caching (plugin-level, server-side, CDN if applicable) and test again. In similar cases, this resolved the issue and prevented the payment methods from reappearing automatically.

Kind Regards
Krystian

embercide
(@embercide)

1 month, 1 week ago

excuse my ignorance but how can caching trigger emails to say x payment method has been enabled, and then after disabling via wp-admin panel (where no caching occurs anyway), a few days later another email stating the payment method has been enabled again.

coincidentally it coincides with emails stating the plugin failed to update to 4.x

Plugin Support Krystian Syde
(@inpsydekrystian)

1 month, 1 week ago

Hello @embercide

Caching is only relevant to the UI behavior, meaning cases where disabling a payment method in the React-based settings does not persist properly after saving.

So in your case, caching is not the reason behind those emails. What’s happening instead is tied to the update/migration process. When the plugin attempts to update (especially to 4.x), it may re-run parts of the onboarding or configuration sync. During that process, if APMs were not explicitly disabled in the legacy configuration (as mentioned earlier with the “Disable alternative payment methods” field being empty in legacy UI), they will be treated as enabled, and the system may send out notification emails.

This would also explain why it correlates with emails about payment methods being enabled

Even if the update fails and rolls back, parts of that migration/config sync can still be triggered.

More context on this behavior can be found here: https://wordpress.org/support/topic/payment-gateways-enabled-without-consent/#post-18870989

Kind Regards,
Krystian

wordpress_ian
(@wordpress_ian)

1 month, 1 week ago

I have the exact same problem and have lost hundreds of £ in orders because they are just sitting there with a on hold status. A lot of them were returning customers which has potentially damaged repeat trade.

If I disable these payment methods then I immediately receive emails with them all enabling themselves again..

This needs to be fixed asap.

Plugin Support Krystian Syde
(@inpsydekrystian)

1 month ago

Hello @wordpress_ian

To resolve this problem, start by disabling the caching plugins.

Beyond this, please start a new thread or directly reach out for help. You can get support by opening a ticket with our service desk here: Request Support. Please include this thread’s URL in your ticket for reference.

Kind regards,
Krystian

chockoko
(@chockoko)

1 month ago

I also discovered this fault today. Honestly a bit baffled why these options would be made “visible”.

I had an order today with the payment method of Trustly. No payment received and the order automatically placed on hold. The order is still sat there with the status “Awaiting Trustly to confirm the payment”. There are no matching PayPal payments.

@inpsydekrystian – You said:
“No new payment methods are being activated; only the visibility of previously enabled ones changes”

It is unclear what “visibility” you are referring to. Regardless, these updates have made certain payment methods visible that were not active before and are not wanted.

wordpress_ian
(@wordpress_ian)

1 month ago

@Krystian Syde

This worked ok as far as I am aware. I disabled Litespeed cache, disabled all additional payment methods that were not needed and then re-activated Litespeed cache once again and so far so good.

@chockoko

I have to agree with your above statement there, how has this got to a point where the customer is able to see these payment methods and actually use them when they have not been set up. It’s ok saying they were just not visible before but when a change has been made that costs people a lot of money then I would say this is a serious issue.

I am now having to chase up hundreds of £ of orders and contact each and every customer to find out if any money was taken from their account and if they would still like the order because of this update.

MTC
(@magictrashcan)

1 month ago

I cannot DISABLE these “new” options. They keep coming back. Pls check and update your plugin.
Plugin Support Krystian Syde
(@inpsydekrystian)

1 month ago
Hello @wordpress_ian & @chockoko

In the previous (legacy) UI, alternative payment methods (APMs) were enabled by default. They were part of the PayPal configuration, but they were not exposed as separate WooCommerce payment gateways, which is why many merchants were not aware of them.

They would only be effectively disabled if they were explicitly added to the “disabled APM” list. If that never happened, they remained enabled in the background.

With the new UI (v4.x), these same APMs are now split into individual WooCommerce gateways with their own settings. During this migration, WooCommerce detects them as “newly enabled gateways” and sends email notifications like:

“Payment gateway ‘Przelewy24 (via PayPal)’ enabled”

So even though it looks like something new was activated, in reality:
- Nothing new was enabled by us
- The existing configuration was simply migrated
- The difference is that WooCommerce now treats them as separate gateways and triggers notifications accordingly
Previously, you wouldn’t receive any emails about this because APMs were handled internally within the PayPal integration and not as standalone gateways. So the key point is: this is a visibility and structure change, not a change in what was enabled.

Please refer to this article, which explains in detail the whole problem: https://developer.woocommerce.com/2026/04/06/payment-gateways-have-always-been-enabled-a-debrief/

If you have any doubts about the process, keep in mind that the repository is completely public, and you can verify how things work in the background.

Kind regards,
Krystian
chockoko
(@chockoko)

1 month ago

@inpsydekrystian

FYI, I didn’t receive any “Payment gateway XYZ’ enabled” emails. I only learned of the “new gateway activations” by way of an order being placed on hold.

@wordpress_ian

Hope you manage to recoup the money/orders. A heads up on this would have been wonderful.

RFNM
(@rfnm)

3 weeks, 1 day ago

Similarly a website I manage for a client with WooCommerce had this enabled without our knowledge a few weeks ago. The client handles the relatively low volume of orders from their webshop although I do have sight of emails generated by WooCommerce. The merchant notification emails seem to indicate a successful transaction for Trustly, even if the customer has only clicked the payment button. The customer notifications state that the order is on hold (as does the WooCommerce orders page in the site admin). Problem is that my client is used to just using PayPal as the payment method and relies on the WooCommerce merchant email (yep, I know…). These emails have a sensible success/fail nature. They have now fulfilled several high value orders for items not paid for… To say that we’re not impressed is an understatement.

Yes, I get it that they should at the least be checking PayPal receipts if not the WordPress backend. The PayPal payment method hasn’t been a problem in over 5 years (aside from a spate of obvious spammy bot attempts to purchase items all declined by PayPal, we’ve now successfully closed that off).

Viewing 13 replies - 1 through 13 (of 13 total)

You must be logged in to reply to this topic.