Title: Widerrufsbutton
Author: wbwiderrufbutton
Published: March 31, 2026
Last modified: April 3, 2026

---

# Widerrufsbutton

 By [wbwiderrufbutton](https://profiles.wordpress.org/wbwiderrufbutton/)

[Download](https://downloads.wordpress.org/plugin/widerrufsbutton.1.3.25.zip)

## Description

Widerrufsbutton provides a structured, two-step electronic withdrawal (right of 
revocation) process for WooCommerce shops — compliant with § 356a BGB and EU Directive
2011/83/EU. All submissions are logged in the WordPress backend for full audit traceability.

**Free version features:**

 * Withdrawal button via shortcode
 * Withdrawal form via shortcode (place it anywhere)
 * Optional modal mode or dedicated form page
 * Two-step process: submission and confirmation
 * WooCommerce order verification (order ID + email + withdrawal period)
 * Email confirmation for customer and merchant
 * Dedicated database table for audit logging
 * Admin overview and detail view of all withdrawals
 * Fully configurable texts, labels, error messages, and email content
 * Theme-neutral base styling

**Pro version add-ons:**

 * Partial withdrawal (select individual items and quantities)
 * Elementor & Gutenberg block widgets
 * PDF proof with integrity hash
 * CSV export (bulk and individual download)
 * HTML email templates
 * Shortcode for WooCommerce email templates (order confirmation etc.)
 * Advanced backend features

**Security & abuse protection:**

 * Honeypot field (bots are silently rejected)
 * Per-IP rate limiting (transients, IP stored as hash only)
 * IP addresses are never stored in plain text
 * Two-step confirmation with time-limited cryptographic token

**Privacy:**

The plugin stores only the data required to process and document a withdrawal: name,
email address, order or contract reference, optional reason and remark, and timestamps.
No data is transmitted to external servers. Emails are sent via the WordPress/WooCommerce
mail system.

**Data retention & uninstall:**

Withdrawal records are retained until the shop operator deletes them. By default,
plugin data is not removed on uninstall. Optionally, all plugin options and the 
withdrawal table can be deleted on uninstall (opt-in setting).

**Legal notice:**

This plugin provides a technical solution and does not replace individual legal 
advice.

### Shortcodes

Withdrawal button:
 [widerrufsbutton url="/widerruf"]

Optionally as a modal:
 [widerrufsbutton target="modal" layout="multi"]

Withdrawal form:
 [widerrufsformular]

Layout option (multi-step):
 [widerrufsformular layout="multi"]

### Settings

Admin location: Withdrawal Button → Settings

Form tab:

 * withdrawal period in days
 * merchant email (optional)
 * target URL for the withdrawal button
 * optional data deletion on uninstall

Text tab:

 * headings and helper texts
 * form labels
 * button texts
 * validation and error messages
 * email subject lines and email body templates

### Email placeholders

 * {customer_name}
 * {customer_email}
 * {contract_ref}
 * {remark_line}
 * {confirmed_at}
 * {withdrawal_id}
 * {admin_link}
 * {statement}

## Screenshots

 * Withdrawal button in the frontend
 * Withdrawal form – step 1
 * Withdrawal form – step 2
 * Success confirmation after submission
 * Admin overview of recorded withdrawals
 * Admin detail view of a withdrawal
 * Settings – form options
 * Settings – texts and email content
 * Settings – design options
 * Plugin overview and status page
 * Confirmation emails for customer and merchant

## FAQ

### Does the plugin require WooCommerce?

Yes. The free version validates withdrawal requests against WooCommerce orders.

### Can customers submit a withdrawal without logging in?

Yes.

### Which order number format is supported in the free version?

The free version validates the default WooCommerce order ID (numeric, for example
1234).

### What personal data is stored?

Only the data needed to process and document a withdrawal request. IP addresses 
are not stored in plain text.

### Are data deleted automatically?

No. Withdrawal data are intended for legal documentation. Optional data deletion
on uninstall is available.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Widerrufsbutton” is open source software. The following people have contributed
to this plugin.

Contributors

 * [wbwiderrufbutton](https://profiles.wordpress.org/wbwiderrufbutton/)

“Widerrufsbutton” has been translated into 1 locale. Thank you to [the translators](https://translate.wordpress.org/projects/wp-plugins/widerrufsbutton/contributors)
for their contributions.

[Translate “Widerrufsbutton” into your language.](https://translate.wordpress.org/projects/wp-plugins/widerrufsbutton)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/widerrufsbutton/), 
check out the [SVN repository](https://plugins.svn.wordpress.org/widerrufsbutton/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/widerrufsbutton/)
by [RSS](https://plugins.trac.wordpress.org/log/widerrufsbutton/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.3.25

 * Fix: Removed backup file (withdrawal-form.js.bak) inadvertently included in the
   distribution archive.
 * Fix: Wizard step tracking (step_texts_touched, step_design_touched) moved from
   a $_GET[settings-updated] check into pre_update_option_ filter hooks. The wizard
   steps are now marked as completed inside the verified settings save flow, removing
   all unverified $_GET access from the settings screen.

#### 1.3.24

 * Improvement: All SQL SELECT queries in class-wbwiderruf-db.php rewritten with
   fully literal column names, ORDER BY direction and column hardcoded per branch;
   no variable interpolation in any SQL template. Eliminates remaining
   PluginCheck.Security.DirectDB.UnescapedDBParameter warnings for $cols/$col/$dir.

#### 1.3.23

 * Fix: Confirmation page (success step) now correctly appears after form submission.
   Root cause: the REST API validate_callback for pending_token had a length limit
   of 128 characters, which is shorter than real-world tokens (which include a full
   SHA-256 HMAC). Requests were silently rejected before reaching the callback.
 * Fix: Database migration (v2) no longer converts freshly-created pending entries
   to submitted. Only entries with a confirmed_at timestamp are migrated. A v3 migration
   corrects any entries affected by the previous behaviour.
 * Fix: JavaScript confirmStep() now uses a locally scoped error element instead
   of referencing the out-of-scope alert variable from the parent closure.
 * Fix: Admin withdrawal list search now works correctly. The wbwiderruf_db_admin_list()
   call in the list table was passing positional arguments; updated to named array.
 * Fix: Spurious status filter tabs (In Prüfung, Fertig, Abgelehnt) removed from
   admin list. These statuses are not used by the Free version and always showed
   (0).
 * Fix: ORDER BY column is now correctly passed through from admin list table to
   the database query.
 * Improvement: All database queries in class-wbwiderruf-db.php rewritten to explicit
   per-branch $wpdb->prepare() calls, eliminating Plugin Check warnings about
   dynamically constructed SQL strings.
 * Improvement: db-schema.php migration queries use $wpdb->prepare() with %i
   table-name placeholder instead of raw string interpolation.
 * Readme: Short description and main description section rewritten in English per
   wp.org requirements.
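
The 1.3.23 token-length fix and the "time-limited cryptographic token" listed under security features, shown as an added example that is not the plugin's own code: a hex SHA-256 HMAC alone takes 64 characters, so a token that also carries a payload passes a 128-character validation limit only if the payload is very short. The token layout, key, TTL and the 512-character bound are assumptions made for illustration.

```php
<?php
// Added example: token layout, key, TTL and limits are assumptions, not the plugin's code.
declare(strict_types=1);

const DEMO_KEY      = 'constructed-demo-key-not-a-real-secret';
const TOKEN_TTL     = 900; // seconds a pending confirmation stays valid (assumed)
const MAX_TOKEN_LEN = 512; // input bound with headroom over the real token size (assumed)

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function issue_token(int $withdrawal_id, int $now): string {
    $payload = b64url(json_encode([
        'id'    => $withdrawal_id,
        'exp'   => $now + TOKEN_TTL,
        'nonce' => bin2hex(random_bytes(16)),
    ]));
    // hash_hmac('sha256', ...) returns 64 hex characters by default.
    return $payload . '.' . hash_hmac('sha256', $payload, DEMO_KEY);
}

function verify_token(string $token, int $now): ?int {
    // Bound the input, but derive the bound from the token format in use.
    if (strlen($token) > MAX_TOKEN_LEN || substr_count($token, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $token);
    // Authenticate before parsing; hash_equals() compares in constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, DEMO_KEY), $mac)) {
        return null;
    }
    $data = json_decode((string) base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !is_int($data['id'] ?? null) || !is_int($data['exp'] ?? null)) {
        return null;
    }
    return $now > $data['exp'] ? null : $data['id']; // reject expired tokens
}

$now   = time();
$token = issue_token(1234, $now); // 1234: sample numeric order-style ID
printf("token length: %d (old limit: 128)\n", strlen($token));
var_dump(verify_token($token, $now));                 // fresh token
var_dump(verify_token($token, $now + TOKEN_TTL + 1)); // after expiry
var_dump(verify_token('A' . $token, $now));           // payload altered, MAC no longer matches
```

A length check that is tighter than the tokens actually issued fails closed but silently, which is why the symptom was a missing confirmation step rather than an error.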

#### 1.3.21

 * Review update: unique internal prefixes introduced for WordPress.org compliance.
 * Review update: settings sanitization, request sanitization, nonce handling, and
   script enqueueing improved.
 * Review update: compatibility layer added for migrated option keys and hooks.
 * Review update: readme short description and description are now provided in English.

#### 1.3.11

 * Fix: frontend form uses the correct REST routes again.

#### 1.3.10

 * Removed manual load_plugin_textdomain() call.

#### 1.3.7

 * REST validation consolidated.
 * Fix: safe MySQL datetime conversion to RFC3339.
 * Admin search improved.

#### 1.3.6

 * Improved user-facing validation messages in the withdrawal form.

#### 1.0.0

 * Initial Version released.

## Meta

 * Version **1.3.25**
 * Last updated **1 day ago**
 * Active installations **10+**
 * WordPress version **6.7 or higher**
 * Tested up to **6.9.4**
 * PHP version **8.0 or higher**
 * Languages: [English (US)](https://wordpress.org/plugins/widerrufsbutton/) and [German](https://de.wordpress.org/plugins/widerrufsbutton/)
 * [Translate into your language](https://translate.wordpress.org/projects/wp-plugins/widerrufsbutton)
 * Tags: [widerruf](https://kea.wordpress.org/plugins/tags/widerruf/), [woocommerce](https://kea.wordpress.org/plugins/tags/woocommerce/)
 * [Advanced View](https://kea.wordpress.org/plugins/widerrufsbutton/advanced/)
