Freefactu – Toolkit para Verifactu

by Aleix Pellicer

Description

Freefactu is a free, open-source helper plugin for WooCommerce that provides technical tools to assist with invoicing workflows related to Spain’s AEAT VeriFactu framework.

The plugin offers functionality to generate digitally signed electronic invoice data, manage invoice records, and interact with AEAT environments based on publicly available technical specifications.

Freefactu is not certified, not approved, and not endorsed by the Agencia Tributaria (AEAT). The use of this plugin does not guarantee compliance with any legal, tax, or regulatory obligations. Users are solely responsible for ensuring that their invoicing practices comply with applicable laws and regulations.

This plugin does not constitute legal, tax, or accounting advice.

Key Features

  • Technical tools to generate electronic invoice data based on VeriFactu specifications
  • Digital signature support using user-provided PKCS#12 certificates (.p12 / .pfx)
  • QR code generation derived from invoice data for verification purposes
  • Hash chaining mechanisms between invoice records
  • Configurable invoice numbering series
  • Support for corrective (rectificativa) invoice data structures (R1–R5)
  • Generation of draft “Declaración Responsable” documents and SIF archives
  • Test and production environment configuration options
  • Export of invoice-related data to CSV or XML formats
  • Local PDF rendering of invoice representations
  • Error reporting and retry workflows based on AEAT responses
  • Snapshot-based storage of invoice data at creation time

System Requirements

  • WordPress 5.8 or higher
  • WooCommerce 6.0 or higher
  • PHP 8.2 or higher
  • PHP Extensions:
    • OpenSSL (required)
    • DOM (required)
    • GD or Imagick (recommended)
    • ZipArchive (recommended; fallback to PclZip)
  • Spanish digital certificate in .p12 or .pfx format
  • HTTPS-enabled website (required for AEAT communication)

How It Works

  1. Configure business identification details (name, NIF)
  2. Upload a valid digital certificate provided by the user
  3. Configure invoice numbering series
  4. Generate draft SIF documentation if required
  5. Generate invoice data from WooCommerce orders
  6. Optionally transmit invoice data to AEAT environments

All steps require correct configuration and validation by the user.

VeriFactu Framework Reference

This plugin is developed with reference to publicly available technical documentation, including:

  • Real Decreto 1007/2023
  • Orden HFP/1177/2024

Implementation of these specifications does not imply certification, validation, or approval by the Agencia Tributaria (AEAT). Interpretation of regulatory requirements and compliance decisions remain the responsibility of the user.

AEAT Communication

When enabled and configured by the user, the plugin may transmit invoice-related data directly from the user’s WordPress installation to AEAT servers.

The plugin developer does not monitor, intercept, validate, or store transmitted data. Users are solely responsible for:

  • Accuracy and legality of submitted information
  • Maintaining valid digital certificates
  • Selecting the appropriate AEAT environment
  • Any fiscal, legal, or administrative consequences resulting from submitted data

Data Handling

All invoice data is stored locally in the user’s WordPress database. No data is collected, processed, or transmitted by the plugin developer.

Communication, when enabled, occurs directly between the user’s server and AEAT servers.

Legal Disclaimer

This plugin is provided “as is”, without warranty of any kind, express or implied, including but not limited to warranties of correctness, fitness for a particular purpose, legal compliance, or uninterrupted operation.

The authors and contributors shall not be liable for any damages, penalties, fines, data loss, business interruption, or legal consequences arising from the use or misuse of this software.

Use of this plugin is entirely at your own risk.

External Services

This plugin connects to the following external services when configured and enabled by the user:

AEAT VeriFactu API (Agencia Tributaria – Spain)

This plugin sends invoice data to Spain’s Tax Agency (AEAT) for electronic invoice validation under the VeriFactu system.

  • What the service is: Official Spanish Tax Agency electronic invoicing validation system (AEAT – Agencia Estatal de Administración Tributaria)
  • What it is used for: Submitting signed invoice records for tax compliance under Spain’s VeriFactu regulations
  • Data sent: Invoice number, date, amounts, tax breakdown, company NIF, customer NIF (if provided), cryptographic hash, digital signature, and invoice chain reference
  • When data is sent: Each time an invoice is generated and the user has enabled AEAT submission in the plugin settings
  • Service provider: Agencia Estatal de Administración Tributaria (AEAT) – Spanish Tax Agency
  • Terms of Service: https://sede.agenciatributaria.gob.es/Sede/avisos-legales.html
  • Privacy Policy: https://sede.agenciatributaria.gob.es/Sede/avisos-legales/privacidad.html

API Endpoints (all operated by AEAT, all subject to the Terms of Service and Privacy Policy linked above):

  • Test Environment (for development/testing — domain: prewww1.aeat.es and prewww2.aeat.es):

    • SOAP VeriFactu endpoint: https://prewww1.aeat.es/wlpl/TIKE-CONT/ws/SistemaFacturacion/VerifactuSOAP
    • QR Verification endpoint: https://prewww2.aeat.es/wlpl/TIKE-CONT/ValidarQR
  • Production Environment (for live submissions — domain: www3.agenciatributaria.gob.com.es and www2.agenciatributaria.gob.es):

    • SOAP VeriFactu endpoint: https://www3.agenciatributaria.gob.com.es/wlpl/TIKE-CONT/ws/SistemaFacturacion/VerifactuSOAP
    • QR Verification endpoint: https://www2.agenciatributaria.gob.es/wlpl/TIKE-CONT/ValidarQR

All four domains above (prewww1.aeat.es, prewww2.aeat.es, www3.agenciatributaria.gob.com.es, www2.agenciatributaria.gob.es) are operated by the Agencia Tributaria and are subject to their Terms of Service (https://sede.agenciatributaria.gob.es/Sede/avisos-legales.html) and Privacy Policy (https://sede.agenciatributaria.gob.es/Sede/avisos-legales/privacidad.html).

QR Code Generation

QR codes are generated locally using the Endroid QR Code library bundled with the plugin. No external API calls are made for QR generation. The QR codes contain verification URLs pointing to AEAT’s ValidarQR service (documented above).

Open Source Libraries

  • DOMPDF (LGPL-2.1)
  • Endroid QR Code (MIT)
  • Verifactu-PHP (MIT)

Trademark Notice

“VeriFactu” and “AEAT” are trademarks of the Agencia Estatal de Administración Tributaria. This plugin is an independent implementation and is not affiliated with or endorsed by AEAT.

Installation

  1. Upload the freefactu folder to /wp-content/plugins/
  2. Activate the plugin via the WordPress Plugins menu
  3. Access the plugin via WooCommerce settings
  4. Configure required technical and business parameters
  5. Test configuration in AEAT test environment before any production use

Screenshots

  1. Invoice history panel showing generated VeriFactu records with AEAT submission status
  2. Plugin settings page for configuring business details, certificate upload, and environment selection
  3. Invoice numbering series configuration for managing multiple invoice sequences
  4. Generated PDF invoice with QR verification code and digital signature data
  5. WooCommerce orders list with one-click VeriFactu invoice generation actions
  6. Debug and diagnostics panel with detailed AEAT response logs

FAQ

Is this plugin certified by AEAT?

No. This plugin is not certified, approved, or endorsed by AEAT.

Does this plugin guarantee legal or tax compliance?

No. Compliance depends entirely on correct configuration, usage, and legal interpretation by the user.

Is this plugin a replacement for professional tax advice?

No. This plugin is a technical tool only.

Who is responsible if AEAT rejects my submission?

The user is solely responsible for submitted data and resulting consequences.

Changelog

0.5.6

  • Security: Added explicit nonce verification and capability check at the top of sanitize_settings()
  • Security: Added sanitize_text_field() to $_FILES tmp_name fields in both certificate upload paths
  • Security: Added sanitize_text_field() and wp_unslash() to $_POST['option_page'] access
  • Documentation: Updated External Services section with exact endpoint URLs matching source code
  • Documentation: Listed all four AEAT domains (prewww1, prewww2, www3, www2) with explicit Terms/Privacy links
  • Documentation: Added phpcs:ignore comments to DOMPDF PDF templates explaining inline CSS requirement
  • Code Quality: Removed redundant nonce check in certificate upload block (now validated at function entry)

0.5.5

  • Security: Added esc_attr() escaping to all boolean ternaries in HTML class/style attributes
  • Security: Added explicit nonce and capability checks to settings certificate upload
  • Security: Added sanitize_file_name() and is_uploaded_file() to certificate uploads
  • Updated: endroid/qr-code from v5.1.0 to v6.0.9 (major version migration)
  • Updated: dompdf/dompdf from 3.1.4 to 3.1.5
  • Updated: josemmo/verifactu-php from 0.3.3 to 0.3.4
  • Code Quality: Renamed 8 generic Aeat_* classes to Freefactu_Aeat_* prefix
  • Code Quality: Comprehensive output escaping audit across all templates

0.5.4

  • Dependency structure: Moved scoped dependencies from deps/ to vendor/ per WordPress.org reviewer guidelines
  • Distribution: composer.json now included in plugin submission
  • Build: Updated PHP-Scoper output to target vendor/ directory

0.5.3

  • (changelog pending)

0.5.2

  • Security: Replaced direct active_plugins manipulation with WordPress activate_plugin/deactivate_plugins API
  • Security: Added nonce verification to ajax_get_declaration handler
  • Documentation: Enhanced External Services section with complete AEAT endpoint documentation
  • Documentation: Added Terms of Service and Privacy Policy links for AEAT
  • Documentation: Improved PHPCS ignore comments with security explanations
  • Code Quality: Enhanced docblocks for output escaping safety documentation

0.5.1

  • Security: Improved input sanitization and output escaping
  • Security: Replaced move_uploaded_file() with wp_handle_upload()
  • Security: Secured uninstall.php with proper capability checks
  • Improvement: Converted inline scripts/styles to wp_enqueue functions
  • Improvement: Added direct file access protection
  • Documentation: Added external services disclosure in readme.txt
  • Updated: DOMPDF library to latest stable version

0.5.0

  • Initial public release
  • Technical invoicing tools related to VeriFactu specifications
  • Digital signature support
  • Invoice data export
  • AEAT test and production environment configuration
  • Snapshot-based invoice storage
  • Error reporting workflows