Use wp_ajax prefix for Add Payment Method page action (#4500)

* Use wp_ajax prefix for Add Payment Method page action

* Add readme and changelog entries

* Remove unnecessary whitespace change to unrelated file

Author: annemirasol

changelog.txt

@@ -26,6 +26,7 @@
 * Update - Add the number of pending webhooks to the Account status section
 * Fix - Prevent "Undefined array key charges_enabled" PHP warning when determining live‑mode status
 * Update - Deprecate `wc_gateway_stripe_process_payment`, `wc_gateway_stripe_process_redirect_payment` and `wc_gateway_stripe_process_webhook_payment` actions in favour of `wc_gateway_stripe_process_payment_charge`
+* Tweak - Use wp_ajax prefix for its built-in security for Add Payment Method action
 
 = 9.6.0 - 2025-07-07 =
 * Fix - Register Express Checkout script before use to restore buttons on “order-pay” pages

client/api/index.js

@@ -178,16 +178,13 @@ export default class WCStripeAPI {
 	 * @return {Promise} Promise containing the setup intent.
 	 */
 	setupIntent( paymentMethod, additionalData = {} ) {
-		return this.request(
-			this.getAjaxUrl( 'create_and_confirm_setup_intent' ),
-			{
-				...additionalData,
-				action: 'create_and_confirm_setup_intent',
-				'wc-stripe-payment-method': paymentMethod.id,
-				'wc-stripe-payment-type': paymentMethod.type,
-				_ajax_nonce: this.options?.createAndConfirmSetupIntentNonce,
-			}
-		).then( ( response ) => {
+		return this.request( this.options?.wp_ajax_url, {
+			...additionalData,
+			action: 'wc_stripe_create_and_confirm_setup_intent',
+			'wc-stripe-payment-method': paymentMethod.id,
+			'wc-stripe-payment-type': paymentMethod.type,
+			_ajax_nonce: this.options?.createAndConfirmSetupIntentNonce,
+		} ).then( ( response ) => {
 			if ( ! response.success ) {
 				throw response.data.error;
 			}

includes/class-wc-stripe-intent-controller.php

@@ -29,7 +29,8 @@ public function init_hooks() {
 		add_action( 'wc_ajax_wc_stripe_verify_intent', [ $this, 'verify_intent' ] );
 		add_action( 'wc_ajax_wc_stripe_create_setup_intent', [ $this, 'create_setup_intent' ] );
 
-		add_action( 'wc_ajax_wc_stripe_create_and_confirm_setup_intent', [ $this, 'create_and_confirm_setup_intent_ajax' ] );
+		// Use wp_ajax instead of wc_ajax to ensure only logged in users can fire this action.
+		add_action( 'wp_ajax_wc_stripe_create_and_confirm_setup_intent', [ $this, 'create_and_confirm_setup_intent_ajax' ] );
 
 		add_action( 'wc_ajax_wc_stripe_create_payment_intent', [ $this, 'create_payment_intent_ajax' ] );
 		add_action( 'wc_ajax_wc_stripe_update_payment_intent', [ $this, 'update_payment_intent_ajax' ] );

includes/payment-methods/class-wc-stripe-upe-payment-gateway.php

@@ -505,6 +505,7 @@ public function javascript_params() {
 		$stripe_params['isCheckout']                        = ( is_checkout() || has_block( 'woocommerce/checkout' ) ) && empty( $_GET['pay_for_order'] ); // wpcs: csrf ok.
 		$stripe_params['return_url']                        = $this->get_stripe_return_url();
 		$stripe_params['ajax_url']                          = WC_AJAX::get_endpoint( '%%endpoint%%' );
+		$stripe_params['wp_ajax_url']                       = admin_url( 'admin-ajax.php' );
 		$stripe_params['theme_name']                        = get_option( 'stylesheet' );
 		$stripe_params['testMode']                          = $this->testmode;
 		$stripe_params['createPaymentIntentNonce']          = wp_create_nonce( 'wc_stripe_create_payment_intent_nonce' );

readme.txt

@@ -136,5 +136,6 @@ If you get stuck, you can ask for help in the [Plugin Forum](https://wordpress.o
 * Update - Add the number of pending webhooks to the Account status section
 * Fix - Prevent "Undefined array key charges_enabled" PHP warning when determining live‑mode status
 * Update - Deprecate `wc_gateway_stripe_process_payment`, `wc_gateway_stripe_process_redirect_payment` and `wc_gateway_stripe_process_webhook_payment` actions in favour of `wc_gateway_stripe_process_payment_charge`
+* Tweak - Use wp_ajax prefix for its built-in security for Add Payment Method action
 
 [See changelog for full details across versions](https://raw.githubusercontent.com/woocommerce/woocommerce-gateway-stripe/trunk/changelog.txt).