{"id":272916,"date":"2026-01-10T15:57:29","date_gmt":"2026-01-10T15:57:29","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/punchr-lite-punchout-cxml-bridge-for-woocommerce\/"},"modified":"2026-01-10T15:57:31","modified_gmt":"2026-01-10T15:57:31","slug":"punchr-lite","status":"publish","type":"plugin","link":"https:\/\/test.wordpress.org\/plugins\/punchr-lite\/","author":23433075,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.3.0","stable_tag":"1.3.0","tested":"6.9.4","requires":"6.2","requires_php":"8.1","requires_plugins":null,"header_name":"Punchr Lite \u2013 PunchOut cXML Bridge for WooCommerce","header_author":"punchr","header_description":"PunchOut (cXML) bridge for WooCommerce (Lite).","assets_banners_color":"5f3176","last_updated":"2026-01-10 15:57:31","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"","header_author_uri":"","rating":0,"author_block_rating":0,"active_installs":0,"downloads":112,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.3.0":{"tag":"1.3.0","author":"punchr","date":"2026-01-10 15:57:31"}},"upgrade_notice":{"1.3.0":"

Public release of Punchr Lite.<\/p>"},"ratings":[],"assets_icons":{"icon-256x256.png":{"filename":"icon-256x256.png","revision":3436699,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3436699,"resolution":"1544x500","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.3.0"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3436715,"resolution":"1","location":"assets","locale":""},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3436699,"resolution":"2","location":"assets","locale":""}},"screenshots":{"1":"Punchr Lite settings page (Token and Secret management)","2":"Punchr Lite logs page"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[10553,208607,253714,190596,286],"plugin_category":[45],"plugin_contributors":[253715],"plugin_business_model":[],"class_list":["post-272916","plugin","type-plugin","status-publish","hentry","plugin_tags-b2b","plugin_tags-cxml","plugin_tags-procurement","plugin_tags-punchout","plugin_tags-woocommerce","plugin_category-ecommerce","plugin_contributors-punchr","plugin_committers-punchr"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/punchr-lite\/assets\/icon-256x256.png?rev=3436699","icon_2x":"https:\/\/ps.w.org\/punchr-lite\/assets\/icon-256x256.png?rev=3436699","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/punchr-lite\/assets\/screenshot-1.png?rev=3436715","caption":"Punchr Lite settings page (Token and Secret management)"},{"src":"https:\/\/ps.w.org\/punchr-lite\/assets\/screenshot-2.png?rev=3436699","caption":"Punchr Lite logs page"}],"raw_content":"\n

Punchr Lite lets you connect an external procurement system (PunchOut \/ cXML) to a WooCommerce store.<\/p>\n\n

Punchr Lite is intended for evaluation and validation of the PunchOut flow.\nIt is not intended for production use. Production usage requires Punchr Pro.<\/p>\n\n

It implements the essential PunchOut flow:<\/p>\n\n

    \n
  1. The procurement system sends a PunchOutSetupRequest (cXML) to your WooCommerce site.<\/li>\n
  2. Punchr Lite authenticates the request using HTTP Basic Authentication (Token \/ Secret).<\/li>\n
  3. Punchr Lite creates a short-lived PunchOut session and returns a PunchOutSetupResponse with a StartPage URL.<\/li>\n
  4. The user is redirected to your WooCommerce shop in PunchOut mode (checkout is blocked).<\/li>\n
  5. When the user clicks \u201cReturn to Procurement\u201d, Punchr Lite sends a PunchOutOrderMessage (cXML) back to the procurement system.<\/li>\n<\/ol>\n\n

    This plugin is designed for B2B merchants who need a simple, ERP-friendly PunchOut bridge with minimal configuration.<\/p>\n\n

    Main endpoints\n- POST \/wp-json\/punchr\/v1\/setup
    \n Receives a cXML PunchOutSetupRequest and returns a PunchOutSetupResponse (StartPage URL).\n- GET \/wp-json\/punchr\/v1\/start?sid=...&st=...
    \n Activates the PunchOut session and redirects the user to the WooCommerce shop..\n- Front return handler
    \n Adds a \u201cReturn to Procurement\u201d button in the cart and posts the PunchOutOrderMessage to the validated return URL.<\/p>\n\n

    Admin\n- Punchr Lite > Settings: single Buyer credentials (Token and Secret regeneration)\n- Punchr Lite > Logs: last 200 events\n- Punchr Lite > Upgrade to Pro<\/p>\n\n

    Documentation and technical details are available at:\nhttps:\/\/punchr.net<\/p>\n\n

    Upgrade to Punchr Pro<\/h3>\n\n

    Punchr Lite is designed for a single Buyer and a basic PunchOut flow.<\/p>\n\n

    The Pro version adds advanced features for production and enterprise environments, including:\n- Multiple Buyers\n- Buyer-specific credentials and policies\n- Advanced catalog and pricing rules\n- Extended logs and diagnostics\n- Priority support<\/p>\n\n

    Punchr Lite is free for evaluation purposes only.\nProduction usage requires Punchr Pro.<\/p>\n\n

    Privacy<\/h3>\n\n

    Punchr Lite stores limited diagnostic data to help troubleshoot PunchOut sessions.<\/p>\n\n

    What we collect\n- IP address and User-Agent of requests recorded in plugin logs\n- Technical event information (event name, timestamp, HTTP status, message)\n- A SHA-256 hash of some XML payloads (payload content is not stored)<\/p>\n\n

    Where the data is stored\n- Data is stored locally in your WordPress database in custom tables created by the plugin (e.g. wp_wcpob_logs)<\/p>\n\n

    Data sharing\n- No log data is sent to the plugin author or any third party\n- The plugin sends a PunchOutOrderMessage (cXML) only to the return URL provided by your procurement system<\/p>\n\n

    How to remove data\n- All plugin data (including logs and credentials) is permanently removed when the plugin is uninstalled<\/p>\n\n

    Support & Bug Reports<\/h3>\n\n

    If you encounter a bug or an unexpected behavior while using Punchr Lite, please contact us:<\/p>\n\n

    \ud83d\udce7 bugs@punchr.net<\/strong><\/p>\n\n

    When reporting a bug, please include:\n- Your WordPress version\n- Your WooCommerce version\n- Punchr Lite version\n- A short description of the issue\n- Relevant log entries (Punchr Lite > Logs)<\/p>\n\n

    We do our best to respond and fix issues quickly.<\/p>\n\n\n

      \n
    1. Upload the plugin folder to \/wp-content\/plugins\/<\/code> (or install via the Plugins screen).<\/li>\n
    2. Activate the plugin through the \u201cPlugins\u201d screen in WordPress.<\/li>\n
    3. Ensure WooCommerce is installed and active.<\/li>\n
    4. Go to Punchr Lite<\/strong> in the WordPress admin menu.<\/li>\n
    5. Copy the Token<\/strong>.<\/li>\n
    6. Click Regenerate secret<\/strong> to generate a new Secret (shown once \u2014 copy it immediately).<\/li>\n
    7. Configure your procurement system:\n\n
        \n
      • Setup URL: https:\/\/YOUR-SITE\/wp-json\/punchr\/v1\/setup<\/code><\/li>\n
      • Authentication: HTTP Basic Authentication<\/strong>\n\n
          \n
        • Username: Token<\/strong><\/li>\n
        • Password: Secret<\/strong><\/li>\n<\/ul><\/li>\n<\/ul><\/li>\n
        • Run a test PunchOut session from your procurement system.<\/li>\n<\/ol>\n\n\n
          \n

          Does Punchr Lite require WooCommerce?<\/h3><\/dt>\n

          Yes. This plugin requires WooCommerce to be installed and active.<\/p><\/dd>\n

          How does authentication work for \/setup?<\/h3><\/dt>\n

          The \/setup<\/code> endpoint uses HTTP Basic Authentication<\/strong>, which is widely supported by ERP and procurement systems.<\/p>\n\n

            \n
          • Username: Buyer Token<\/li>\n
          • Password: Buyer Secret<\/li>\n<\/ul>\n\n

            Both values are generated and managed from the Punchr Lite admin screen.\nIf authentication fails, the request is rejected with HTTP 401.<\/p><\/dd>\n

            Is it protected against replay attacks?<\/h3><\/dt>\n

            Yes. A transient-based nonce is stored briefly. Reusing the same (token, nonce) within the retention window is rejected.<\/p><\/dd>\n

            How is SSRF prevented when posting back the PunchOutOrderMessage?<\/h3><\/dt>\n

            The return_url extracted from the cXML request is validated:\n- Only http and https schemes are accepted\n- Local hosts are blocked (e.g. localhost)\n- Direct IP addresses are blocked\n- Common internal TLDs are blocked (.local, .internal, .lan)\n- Non-standard ports are blocked (only 80 and 443 allowed)<\/p>\n\n

            Outgoing requests are sent using wp_remote_post() with reject_unsafe_urls enabled.<\/p><\/dd>\n

            Does the plugin store sensitive payloads in logs?<\/h3><\/dt>\n

            No. Punchr Lite stores only a SHA-256 hash of payloads by default. Payload content is not stored.<\/p><\/dd>\n

            Why is checkout blocked?<\/h3><\/dt>\n

            PunchOut workflows require users to build a cart and return it to the procurement system. Checkout inside WooCommerce is therefore disabled in PunchOut mode.<\/p><\/dd>\n

            What happens if the session expires?<\/h3><\/dt>\n

            PunchOut sessions are short-lived. If a session expires, the start endpoint and return flow will return an error.<\/p><\/dd>\n

            Is Punchr Lite free?<\/h3><\/dt>\n

            Yes. Punchr Lite is free for evaluation purposes.<\/p><\/dd>\n

            What happens when the evaluation expires?<\/h3><\/dt>\n

            When the evaluation period ends, PunchOut setup requests are blocked.\nThe \/setup endpoint returns a cXML Status 401 with an explicit message to upgrade.\nYour configuration is not deleted and no data is lost.<\/p><\/dd>\n\n<\/dl>\n\n\n

            1.3.0<\/h4>\n\n

            Public release of Punchr Lite.<\/p>","raw_excerpt":"PunchOut (cXML) bridge for WooCommerce: receive PunchOutSetupRequest, start a session, and return a PunchOutOrderMessage.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/272916","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=272916"}],"author":[{"embeddable":true,"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/punchr"}],"wp:attachment":[{"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=272916"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=272916"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=272916"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=272916"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=272916"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=272916"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}