fix: resolve all Week 2 performance & security issues (F1.10–F1.19)

Security:
- Replace maybe_serialize() in cookies with json_encode() (PHP object injection fix)
- Add PayPal webhook signature verification
- Add current_user_can('manage_options') to all 18 admin-ajax handlers

Performance:
- Remove flush_rewrite_rules() from init hooks (Thankyou + Payment)
- Add activation/deactivation hooks for flush_rewrite_rules
- Cache currency, country, flags JSON reads in static variables
- Add server-side pagination to Customer::formipay_tabledata_customers()
- Optimize Order::formipay_tabledata_orders() with COUNT(*) GROUP BY

Cleanup:
- Delete Paypal.phpbak backup file
- Fix timezone hardcode Asia/Jakarta → wp_timezone_string()
- Create uninstall.php for proper cleanup on uninstall

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

includes/Access.php

@@ -434,6 +434,10 @@ class Access {
 
         check_ajax_referer( 'formipay-admin-access-nonce', '_wpnonce' );
 
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ] );
+        }
+
         $args = [
             'post_type' => 'formipay-access',
             'posts_per_page' => -1,
@@ -524,6 +528,10 @@ class Access {
 
         check_ajax_referer( 'formipay-admin-access-nonce', 'nonce' );
 
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ] );
+        }
+
         if (!isset($_POST['search']) || empty($_POST['search'])) {
             wp_send_json_error( __('No search term provided.', 'formipay') );
         }
@@ -554,6 +562,10 @@ class Access {
 
         check_ajax_referer( 'formipay-admin-access-nonce', 'nonce' );
 
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ] );
+        }
+
         if( !empty($_REQUEST['title']) ){
             $title = sanitize_text_field( wp_unslash($_REQUEST['title']) );
             $post_id = wp_insert_post( [
@@ -582,6 +594,10 @@ class Access {
 
         check_ajax_referer( 'formipay-admin-access-nonce', 'nonce' );
 
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ] );
+        }
+
         if( empty($_REQUEST['id']) ){
             wp_send_json_error( [
                 'title' => esc_html__( 'Failed', 'formipay' ),
@@ -613,6 +629,10 @@ class Access {
 
         check_ajax_referer( 'formipay-admin-access-nonce', 'nonce' );
 
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ] );
+        }
+
         if( empty($_REQUEST['ids']) ){
             wp_send_json_error( [
                 'title' => esc_html__( 'Failed', 'formipay' ),
@@ -656,6 +676,10 @@ class Access {
 
         check_ajax_referer( 'formipay-admin-access-nonce', 'nonce' );
 
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ] );
+        }
+
         if( empty($_REQUEST['id']) ){
             wp_send_json_error( [
                 'title' => esc_html__('Failed', 'formipay'),