wp_verify_nonce failing on 3DS callback

I just wanted to add that I tried a completely fresh WordPress and Woocommerce installation with no additional plugins or themes. Sadly the WorldPay plugin exhibits the same behaviour, the nonce check fails if the customer was registered during the checkout process.

@1stwebdesigns,

Thanks for the info. Will take a look and get back to you.

Kind Regards,

Hi @1stwebdesigns,

Just released version 2.0.5 which resolves this error. The nonce check was failing for guests that also create an account on the checkout page. That is why it works for returning customers as you pointed out.

Kind Regards,

Thanks for addressing this!

It looks as though the nonce was passed to WorldPay, then returned by WorldPay and checked. However I’m guessing if the customer’s account was created inbetween, their nonce was reset/invalidated.

Out of interest, why was this not an issue until recently? Did something change in the WordPress / Woocommerce core?

@1stwebdesigns I think in past versions of the plug-in we didn’t check a nonce so it was a non-issue.

Yes that’s pretty much the cause. When the customer account is created the cookie isn’t in the users browser yet so the nonce value is different. But by the time the redirect happens the cookie for the users login session is in the browser and that changes the nonce.