Urgent: google pay and LINK Payment wallet UI auto-opening on madeinatlas.com

Hello Woodmart / Xtemos Support team,

My name is Khalid and I’m the owner of madeinatlas.com. I believe the Woodmart theme on my site may be involved in a critical issue: when a user adds any product to the cart, the page immediately jumps and blocks interaction because Stripe wallet UI appears without any user click. I have already opened a ticket with my host (Cloudways) — please coordinate with them as needed — and please do not change or patch any server or site files without my explicit permission.

Symptoms

Immediately after clicking Add to cart the page jumps/loses focus and one or both of these overlays appear:

Google Pay dialog: “Complete your payment in the open Google Pay window, or close Google Pay to continue paying another way.”

Stripe Link modal: “Fast, secure checkout — Pay faster everywhere Link is accepted. Log in Email …”

The overlays block all user interaction (high severity).

Issue reproduced across 3 browsers on 2 laptops.

Important context

Site: https://madeinatlas.com

Stripe settings: Google Pay and Stripe Link are enabled on product, add-to-cart, and checkout pages (I can change these, but I want you to investigate theme behavior first).

I have already raised a Cloudways ticket to check server-side injection; I’m requesting the theme team investigate possible client-side initialization/injection.

What I need you to check (client-side / theme code)

Please review the theme’s frontend code and config for anything that could initialize or mount Stripe/Payment Request / Link code on non-checkout pages. In particular:

Templates / Enqueued scripts

header.php, footer.php, functions.php (look for wp_enqueue_script with third-party payment scripts).

Theme JS assets: e.g. assets/js/, dist/, or any frontend bundles that are loaded site-wide.

Single product and cart templates (any code that runs on add-to-cart actions or mounts express checkout buttons).

AJAX add-to-cart handlers / event hooks

Any code that runs after add-to-cart (AJAX success handlers) that might programmatically mount or call payment UI.

Theme options / quick checkout / express checkout features

Any built-in “Fast checkout”, “Express checkout”, or “Quick buy” setting that may auto-initialize wallets (Google Pay/Apple Pay) or Link site-wide.

Specific search strings to grep

paymentRequest, paymentRequest.show, PaymentRequestButtonElement, stripe.link, stripe.link, Link, google-pay, googlePay, payment-request, show(), open()

Please also search for any Stripe / wallet-related snippets or third-party scripts that might be bundled with the theme.

Third-party scripts

Check if theme ships or injects any third-party payment, analytics, or “conversion” script that could trigger wallet behavior.

What I need from you

A short report listing:

Files or theme modules you inspected and the results.

Any code you find that initializes/mounts Stripe Payment Request / Link or performs paymentRequest.show() (paste the exact lines).

If nothing is found, confirm that the theme does not auto-enqueue wallet/payment-request scripts on non-checkout pages.

Do NOT apply changes, hotfixes, or patches until I explicitly approve them. If you believe an immediate temporary change is required to stop site breakage, describe the exact change you propose and wait for my approval.

Reproduction steps (for your QA)

Visit: https://madeinatlas.com (desktop browser).

Add any product to the cart.

Observe the page jump and the instant appearance of the Google Pay or Stripe Link overlay which blocks interaction.

If you need screenshots, short screencasts, exact timestamps of my tests, or temporary read-only access/SSH commands to inspect the build, I can provide them.
N.B: this is not a cache issue i already verified that many time.
Please acknowledge receipt and let me know what you find. If you determine the issue is not theme-related, please say so clearly so I can continue coordinating with Cloudways.

Thank you,
Khalid

Attachments:

You must be logged in to view attached files.

Hello,

We just tested the add to cart functionality on your website, but don’t see the problem you mentioned. Here is a video https://gyazo.com/aa8b224a5dfd2bb50275aa8a20d5cd38
Could you please clarify how we can reproduce it?

Kind Regards

Alright, to see the issue, you need to follow these steps:

First if you’re not in USA/ UK/EU you need to use a VPN if you prefer an extension VPN is easy like urbanVPN
Secondly you have to select a product and add it to cart, then go to cart
Thirdly you should change shipping country in cart to any country like USA/ UK/EU
then you will see the issue

To better assist you, could you kindly test the functionality with default WordPress themes such as TwentyTwenty or WooCommerce Storefront? This will help us determine whether the issue stems from our theme or elsewhere.

Regards

Alright, i have tried the TwentyTwenty but i can’t see the issue, i think it’s related to woodmart theme, i have also disactivated some plugins

Even after changing the country to United Kingdom we still don’t see the problem on your website https://gyazo.com/b8aa99d0e3dca0141ccb4437628f3e50

I think you didn’t understand my last message ! you should use a VPN if your current location is not in USA/UK/EU !! did you do that? you need to change your location to USA/UK/EU and access cart then the issue happen, so even if you just change the country it will not appear

Yes, I’m accessing the website from EU (Poland).

alright, that’s very weird! i’m in vpn Poland now i see the issue! is there any other way to check it maybe a using developer tools console method?!

I see a lot of errors in console could be the cause?!

Attachments:

You must be logged in to view attached files.

i also see this error

Attachments:

You must be logged in to view attached files.

Hi — I have a reproducible issue: when adding a product to cart the page blocks and Google Pay / Stripe Link UI appears unexpectedly. I reproduced in Incognito so it’s not a browser extension issue.

Console logs show these errors:

Unable to download payment manifest “https://www.google.com/pay”

Uncaught (in promise) FetchError: Error fetching https://r.stripe.com/… Failed to fetch

Uncaught (in promise) challenge-closed and POST https://api.hcaptcha.com/authenticate 401 (Unauthorized)

Please investigate:

Which script/file (initiator) requests payment_method_manifest.json? (Check Network/initiator in Chrome DevTools.)

Are outgoing requests to pay.google.com or r.stripe.com being blocked by a server/CDN/CSP or firewall?

Are there server-side injections or theme scripts that initialize Stripe/PaymentRequest on non-checkout pages?

Do not change files without my permission. If you need to disable any service temporarily, describe the exact change first.

Thank you — Khalid / madeinatlas.com

Hello Woodmart / Xtemos team — follow-up & urgent request

Thanks for testing. But i still waiting for your response! I understand you couldn’t reproduce the issue on your side — but this is a real, customer-facing problem and users are experiencing it in production. Even if you can’t reproduce locally, I need your team to investigate thoroughly and confirm whether the theme is responsible (and where). Please do not change, patch or remove any files or server settings without my explicit permission.

Why this needs attention even if you can’t reproduce

Multiple real customers (and I) can reproduce it in the live store. Customers will complain and conversions are blocked while this continues.

The issue appears consistently for some IP locations / shipping-country combinations, so it may be geo-conditional or dependent on how the theme integrates express-checkout/payment widgets site-wide. That can make it non-trivial to reproduce from a single dev workstation.

Reproduction steps that reliably show the problem (do these exactly)

(Optional) Use a VPN if your IP is outside the geographic testing range — I originally reproduced using a German VPN. Any EU/UK/US exit IPs are appropriate.

Open a desktop browser (Incognito is fine) and go to: https://madeinatlas.com.

Select any product and Add to cart.

Open the Cart page.

On the cart page change the shipping country to any country like USA / UK / EU (this step is important).

Observe: the page jumps/loses focus and one or both overlays appear without any user click:

Google Pay dialog: “Complete your payment in the open Google Pay window…”

Stripe Link modal: “Fast, secure checkout — Log in Email …”

The overlays block user interaction and prevent normal checkout flow.

I can provide exact timestamps, short screencasts and console screenshots on request.

Console / Network errors I observed (please investigate these exact lines)

When reproducing, the browser console & Network tab show multiple related errors. Please investigate each:

Unable to download payment manifest “https://www.google.com/pay”

Uncaught (in promise) FetchError: Error fetching https://r.stripe.com/… Failed to fetch (Stripe resource fetch failures)

Uncaught (in promise) challenge-closed (from an hCaptcha bundle)

POST https://api.hcaptcha.com/authenticate 401 (Unauthorized) (hCaptcha returning 401)

WebSocket/other connection failures to local/inspection endpoints (these may indicate network/security devices in the path)

These persist in Incognito (so browser extensions are unlikely to be the root cause).

Likely causes (from experience and community reports)

Theme or plugin initializes Stripe Payment Request / Link / express-checkout code site-wide (product, cart), causing the browser to surface wallets automatically.

Network / hosting / CDN / WAF / CSP or proxy blocks or modifies requests to pay.google.com, r.stripe.com, or api.hcaptcha.com, causing fetch failures and unhandled promise rejections. These errors can leave the UI in a half-open/stuck state.

An hCaptcha integration with invalid keys (401) producing promise rejections that break subsequent scripts.

Edge/CDN or theme-injected scripts altering or auto-mounting payment UI on add-to-cart / cart AJAX events.

Exact checks I need Woodmart / Xtemos to run (non-invasive diagnostics — do NOT change anything)

Please run these checks in the theme/plugin code and on a staging/dev copy if needed. Return the findings with file paths and snippets.

1) Search theme & plugin files for wallet / hCaptcha code

From the site root run:

grep -RIn “paymentRequest” .
grep -RIn “paymentRequest.show” .
grep -RIn “paymentRequestButton” .
grep -RIn “PaymentRequestButtonElement” .
grep -RIn “stripe.link” .
grep -RIn “stripe.paymentRequest” .
grep -RIn “r.stripe.com” .
grep -RIn “pay.google” .
grep -RIn “payment_method_manifest” .
grep -RIn “hcaptcha” .
grep -RIn “h-captcha” .
grep -RIn “api.hcaptcha” .

If any matches appear, return the exact file path and a 5–10 line snippet around the match.

2) Inspect theme templates & enqueues

Check header.php, footer.php, functions.php and any site-wide JS bundles (assets/js/, dist/, build/) for Stripe / Payment Request initializations.

Check single-product.php, cart.php, AJAX add-to-cart handlers, or mini-cart scripts for any code that mounts or calls payment UI after add-to-cart.

3) Review theme options / quick-buy features

Confirm whether Woodmart quick-buy / express-checkout / “fast checkout” modules exist and whether they auto-enable any wallet buttons. If so, list the option names and where they are set.

4) DevTools/Network initiator trace

Using Chrome DevTools reproduce and in the Network tab filter for payment_method_manifest.json and r.stripe.com requests — identify the Initiator column to see which script/file requested the manifest. Provide that initiator filename/URL or stack trace.

5) Check for inline script injection

Search database and theme options for inline scripts (Appearance → Customize → Additional Scripts) and in WP options table for strings like paymentRequest, stripe, hcaptcha. Use:

curl -s ‘https://madeinatlas.com’ | egrep -i “paymentRequest|r.stripe|pay.google|hcaptcha|h-captcha”

If you find inline script tags referencing these services, paste the full script HTML.

6) If you cannot find code, try reproducing with the theme’s default JS disabled

On a staging or debug copy, disable Woodmart’s custom frontend JS bundle temporarily (rename or dequeue it) and retest reproduction to confirm whether the theme JS is involved. Do this only on staging, not on production, and only with my approval.

What I expect you to return in your reply

Results of the grep searches above (file paths + 5–10 line snippets).

The Network initiator for the payment_method_manifest.json and r.stripe.com requests (DevTools screenshot or the script filename).

Confirmation whether any theme options/quick-checkout features are enabled that could mount wallets site-wide (and exact option names).

Any inline scripts found in header/footer or in DB options that reference Stripe, Google Pay or hCaptcha.

If nothing found in theme, confirm that and say so explicitly — I will continue coordinating with Cloudways to inspect CDN/WAF/edge injection.

If you think a temporary mitigation is needed

Do not apply anything until I approve. If you recommend a mitigation, describe it exactly (one-line command or code snippet) so I can review and approve before you run it. Example safe mitigations I may approve:

A temporary JS patch that disables PaymentRequest on non-checkout pages (I can provide that snippet).

Purging caches only after we confirm which JS file should be invalidated.

Coordination with Cloudways

I have opened a ticket with Cloudways to check network/CSP/WAF/edge behavior. Please coordinate with them — we need both the theme-side and host-side checks to find the root cause. If you need me to provide timestamps and screencasts for when I reproduced the issue, I’ll attach them.

Thanks — please acknowledge receipt and provide the grep + network-initiator results. If the theme team can’t find anything, say so explicitly and I will escalate the host-side checks (Cloudways). Customers are being blocked by this bug so I really need a definitive answer: either theme is mounting wallet UI site-wide, or something upstream (edge/CDN) is injecting/altering scripts.

Best,
Khalid / madeinatlas.com

Hello,

We attempted to reproduce this issue on your website once more, but unfortunately, we still haven’t seen the popup you’re referring to. Consequently, we’re unable to thoroughly test and diagnose the problem. Here is a video https://gyazo.com/a943e8f7bad7a7612116f07057b6f8cf

Kind Regards

[Author]

Posts