407326

Risk where order payment is not captured (EventON Ticket plugin)

I tried replying to our last ticket (406626) but it would not let me. Please read the prior ticket before going any further, as it will inform you with very important context... -----

Hi EventON Support Team, we are running the latest version (2.5.6) as you asked.

Following up on the express checkout auto-complete issue we reported earlier via prior ticket messages — we believe it is our duty to flag with you that this now needs urgent attention as it can result in unpaid orders being fulfilled.

At this point we would like to stress that we have addressed the issue via a code snippet, so we are not at risk anymore. Our concern is that this could happen to another user…

We had a real incident: a ~$1,700 order placed via Apple Pay (WooPayments) was marked Completed with the note “Order auto-completed for ticket generation (express checkout)”, but no payment was actually captured. Our inventory staff relied on the Completed status and dispatched the item. The customer later confirmed they hadn’t finished checkout; we’ve since (luckily) recovered payment due to our customer being cooperative, but this exposed a very serious risk.

From reviewing your code, the problem is in the Store API / express checkout path:
• Hook: woocommerce_store_api_checkout_order_processed
• Function: create_evo_tickets_for_store_api()
• Behavior: when evotx_autocomplete is enabled, the code calls
$order->update_status('completed', __('Order auto-completed for ticket generation (express checkout)', 'evotx'));
without checking whether the order contains ticket items.

In contrast, the standard checkout path correctly checks for ticket products before completing the order.

MOST IMPORTANT ISSUE: Any order placed via Apple Pay/Google Pay can be set to Completed regardless of contents or payment capture, creating a false “paid” signal and leading to accidental fulfilment of unpaid orders.

Suggested fix (but obviously your devs will know best.)
1. In create_evo_tickets_for_store_api(), apply the same “order contains tickets” validation used in the classic checkout path before any auto-complete.
2. Additionally, do not set orders to Completed unless payment is confirmed/captured (align with WooCommerce’s payment lifecycle).
3. Ensure parity between classic checkout and Store API logic so behaviour is consistent across all gateways.

If you do need specifics, I can provide order IDs, logs, and timestamps from WooPayments/Stripe showing no capture occurred despite the Completed status.

We bring this to your attention so that it may help others. Thank you for your time and consideration,
Thanks,

- Perth Sewing Centre Team

BY: Lisa Alexander - May 1, 2026 at 7:16 PM - 4 hours ago
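
The fix suggested in the ticket above (complete an order only when it contains ticket items and only after payment is confirmed) can be sketched as follows. This is an added example, not EventON's code and not the snippet the ticket author deployed; the meta key `_example_is_ticket` and the `example_` function name are hypothetical placeholders for whatever ticket check the classic checkout path uses.

```php
<?php
// Added example, not EventON code.
// Assumption: ticket products carry this placeholder meta key. Replace it
// with the ticket check the plugin's classic checkout path already uses.
const EXAMPLE_TICKET_META_KEY = '_example_is_ticket';

// Mirrors the "order contains tickets" validation named in the ticket.
// Whether mixed orders (tickets plus physical goods) should auto-complete
// is a policy choice; a stricter variant requires every item to be a ticket.
function example_order_contains_tickets( WC_Order $order ): bool {
    foreach ( $order->get_items() as $item ) {
        $product = $item->get_product();
        if ( $product && 'yes' === $product->get_meta( EXAMPLE_TICKET_META_KEY ) ) {
            return true;
        }
    }
    return false;
}

// This filter is applied inside WC_Order::payment_complete(), which a
// gateway calls once it has confirmed payment. Choosing the status here,
// instead of calling update_status('completed') when the Store API order
// is first processed, ties auto-completion to WooCommerce's payment lifecycle.
add_filter(
    'woocommerce_payment_complete_order_status',
    function ( $status, $order_id, $order ) {
        if ( $order instanceof WC_Order && example_order_contains_tickets( $order ) ) {
            return 'completed';
        }
        return $status; // Non-ticket orders keep WooCommerce's default.
    },
    10,
    3
);

// Backstop for staff who rely on the Completed status: leave a visible note
// when a non-zero order reaches Completed with no gateway transaction ID.
// Offline methods (for example bank transfer) legitimately have none, so
// this adds a note for review rather than changing the order status.
add_action( 'woocommerce_order_status_completed', function ( $order_id ) {
    $order = wc_get_order( $order_id );
    if ( $order && $order->get_total() > 0 && '' === $order->get_transaction_id() ) {
        $order->add_order_note( 'Completed without a gateway transaction ID; verify capture before dispatch.' );
    }
} );
```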