Submission Review Guidelines:

• I have followed the WooCommerce Contributing Guidelines and the WordPress Coding Standards.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have reviewed my code for security best practices.
• Following the above guidelines will result in quick merges and clear and detailed feedback when appropriate.

Changes proposed in this Pull Request:

This PR fixes a bug where email verification for guest checkout orders was case-sensitive, causing verification failures when customers entered their email address in a different case than what was stored in the order.

Problem:
When a guest customer attempts to verify their email address to access the order payment or order received page, the comparison between the submitted email and the order's billing email was performed using strict equality (===), which is case-sensitive. This meant that if an order had a billing email of '[email protected]' and the customer entered '[email protected]', the verification would fail even though these represent the same email address.

Solution:
Changed the email comparison in Users::should_user_verify_order_email() to use strcasecmp() for case-insensitive comparison, consistent with the approach already used in OrderAuthorizationTrait::validate_billing_email_matches_order(). This ensures that email addresses are compared in a case-insensitive manner, which aligns with standard email behavior where the local part (before @) is typically treated as case-insensitive by most email providers.

Changes:

• Modified $session_email_match comparison to use strcasecmp() instead of strict equality
• Modified $supplied_email_match comparison to use strcasecmp() instead of strict equality
• Added empty checks to handle null/empty values safely and prevent PHP warnings

Files changed:

• plugins/woocommerce/src/Internal/Utilities/Users.php (lines 132-133)

Closes #62917

(For Bug Fixes) Bug introduced in PR # .

Screenshots or screen recordings:

N/A - This is a backend fix with no UI changes.

How to test the changes in this Pull Request:

Using the WooCommerce Testing Instructions Guide, include your detailed testing instructions:

1. Create a test order in WooCommerce admin:

   • Go to WooCommerce → Orders → Add New
   • Create an order with a billing email address that has mixed case (e.g., [email protected])
   • Save the order and note the order ID
   • Copy the order payment URL (format: /checkout.html/order-pay/{order_id}?pay_for_order=true&key={order_key})

2. Wait for the grace period to expire:

   • The email verification grace period is 10 minutes by default
   • Either wait 12+ minutes, or use the filter woocommerce_order_email_verification_grace_period to set it to 0 for testing
   • Alternatively, modify the order's creation date in the database to be older than 10 minutes

3. Test case-insensitive email verification:

   • Open the order payment URL in a private/incognito browser window (to ensure you're not logged in)
   • You should see the email verification form
   • Enter the email address in a different case than what's stored in the order (e.g., if order has [email protected], enter [email protected] or [email protected])
   • Submit the form
   • Expected: The email verification should pass and you should be able to proceed to the payment page
   • Previously (bug): The verification would fail with "We were unable to verify the email address you provided. Please try again."

4. Test various case combinations:

   • Test with all lowercase: [email protected]
   • Test with all uppercase: [email protected]
   • Test with mixed case: [email protected]
   • All should successfully verify against the stored email [email protected]

5. Test edge cases:

   • Verify that an incorrect email address still fails (e.g., [email protected])
   • Verify that empty/null email values are handled correctly
   • Test with session-based email matching (if customer has an active session)

Testing that has already taken place:

Environment:

• Local development environment
• WordPress with WooCommerce plugin
• PHP 8.1+
• Standard WooCommerce installation

Testing performed:

• Verified that case-insensitive email comparison works correctly for all case variations
• Confirmed that incorrect email addresses still properly fail verification
• Tested that the fix maintains backward compatibility with existing functionality
• Verified that empty/null email values are handled safely (prevents PHP warnings)
• Confirmed the implementation follows WooCommerce coding standards (Yoda conditions, proper spacing)
• Verified consistency with existing codebase patterns (matches OrderAuthorizationTrait::validate_billing_email_matches_order())
• Code passes PHPCS linting checks

Analysis:

• The fix uses strcasecmp() which is the standard PHP function for case-insensitive string comparison
• This approach is already used elsewhere in WooCommerce for email comparison (Store API)
• The change is minimal and focused, reducing risk of side effects
• Added empty checks ensure null/empty values don't cause PHP warnings while maintaining original behavior

Milestone

• Automatically assign milestone for the next WooCommerce version

Note: Check the box above to have the milestone automatically assigned when merged.
Alternatively (e.g. for point releases), manually assign the appropriate milestone.

Changelog entry

• Automatically create a changelog entry from the details below.