diff --git a/includes/abstracts/abstract-wc-order.php b/includes/abstracts/abstract-wc-order.php
index c218a9fa0b5..4eb73b9869f 100644
--- a/includes/abstracts/abstract-wc-order.php
+++ b/includes/abstracts/abstract-wc-order.php
@@ -2121,19 +2121,18 @@ abstract class WC_Abstract_Order {
 // Get cancel endpoint
 $cancel_endpoint = $this->get_cancel_endpoint();
- return apply_filters( 'woocommerce_get_cancel_order_url', wp_nonce_url( add_query_arg( array(
+ return apply_filters( 'woocommerce_get_cancel_order_url', esc_url( add_query_arg( array(
 'cancel_order' => 'true',
 'order' => $this->order_key,
 'order_id' => $this->id,
- 'redirect' => $redirect
- ), $cancel_endpoint ), 'woocommerce-cancel_order' ) );
+ 'redirect' => $redirect,
+ ), $cancel_endpoint ) ) );
 }
 /**
 * Generates a raw (unescaped) cancel-order URL for use by payment gateways.
 *
 * @param string $redirect
- *
 * @return string The unescaped cancel-order URL.
 */
 public function get_cancel_order_url_raw( $redirect = '' ) {
@@ -2146,7 +2145,6 @@ abstract class WC_Abstract_Order {
 'order' => $this->order_key,
 'order_id' => $this->id,
 'redirect' => $redirect,
- '_wpnonce' => wp_create_nonce( 'woocommerce-cancel_order' )
 ), $cancel_endpoint ) );
 }
diff --git a/includes/class-wc-form-handler.php b/includes/class-wc-form-handler.php
index a2d75c5a129..aa27c274ab2 100644
--- a/includes/class-wc-form-handler.php
+++ b/includes/class-wc-form-handler.php
@@ -566,7 +566,7 @@ class WC_Form_Handler {
 if ( $order->has_status( 'cancelled' ) ) {
 // Already cancelled - take no action
- } elseif ( $user_can_cancel && $order_can_cancel && $order->id == $order_id && $order->order_key == $order_key && isset( $_GET['_wpnonce'] ) && wp_verify_nonce( $_GET['_wpnonce'], 'woocommerce-cancel_order' ) ) {
+ } elseif ( $user_can_cancel && $order_can_cancel && $order->id === $order_id && $order->order_key === $order_key ) {
 // Cancel the order + restore stock
 $order->cancel_order( __('Order cancelled by customer.', 'woocommerce' ) );
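Review bot: Swapping `wp_nonce_url(...)` for `esc_url(...)` on the `return` line of this hunk strips the `_wpnonce` parameter from the customer-facing cancel link, and the handler hunk in class-wc-form-handler.php in this same diff drops the matching `wp_verify_nonce()` check, so cancelling an order becomes a state-changing GET gated only by `order_key`. The order key is not a per-session CSRF token: it is part of the URL itself and presumably also appears in order e-mails and referrers, so a third-party page that embeds this link can cancel a logged-in customer's order. Unless the nonce is being replaced by some other CSRF defence not visible here, keep the original `wp_nonce_url( add_query_arg( array( ... ), $cancel_endpoint ), 'woocommerce-cancel_order' )` wrapping (esc_url can be applied around it for output) and restore `isset( $_GET['_wpnonce'] ) && wp_verify_nonce( $_GET['_wpnonce'], 'woocommerce-cancel_order' )` in the handler's `elseif` condition. The same token is also removed from `get_cancel_order_url_raw()` in the next hunk, the URL gateways redirect to, so that array should keep its `'_wpnonce' => wp_create_nonce( 'woocommerce-cancel_order' ),` entry as well. The enclosing `get_cancel_order_url()` starts before this hunk.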