fix: resolve all Week 2 performance & security issues (F1.10–F1.19)

Security:
- Replace maybe_serialize() in cookies with json_encode() (PHP object injection fix)
- Add PayPal webhook signature verification
- Add current_user_can('manage_options') to all 18 admin-ajax handlers

Performance:
- Remove flush_rewrite_rules() from init hooks (Thankyou + Payment)
- Add activation/deactivation hooks for flush_rewrite_rules
- Cache currency, country, flags JSON reads in static variables
- Add server-side pagination to Customer::formipay_tabledata_customers()
- Optimize Order::formipay_tabledata_orders() with COUNT(*) GROUP BY

Cleanup:
- Delete Paypal.phpbak backup file
- Fix timezone hardcode Asia/Jakarta → wp_timezone_string()
- Create uninstall.php for proper cleanup on uninstall

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

includes/Customer.php

@@ -233,11 +233,40 @@ class Customer {
 
         check_ajax_referer( 'formipay-admin-access-nonce', '_wpnonce' );
 
-        $get_all_customers = $this->get();
-        $customers = [];
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ] );
+        }
 
-        if(!empty($get_all_customers)){
-            foreach($get_all_customers as $customer){
+        global $wpdb;
+        $table = $wpdb->prefix . 'formipay_customers';
+
+        $limit = isset($_REQUEST['limit']) ? intval($_REQUEST['limit']) : 10;
+        $offset = isset($_REQUEST['offset']) ? intval($_REQUEST['offset']) : 0;
+        $keyword = isset($_REQUEST['keyword']) ? sanitize_text_field(wp_unslash($_REQUEST['keyword'])) : '';
+
+        $where = '';
+        $params = [];
+
+        if (!empty($keyword)) {
+            $where = "WHERE `name` LIKE %s OR `email` LIKE %s OR `phone` LIKE %s";
+            $like = '%' . $wpdb->esc_like($keyword) . '%';
+            $params = [$like, $like, $like];
+        }
+
+        // Get total count
+        $count_sql = "SELECT COUNT(*) FROM {$table} {$where}";
+        // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared
+        $total = empty($params) ? $wpdb->get_var($count_sql) : $wpdb->get_var($wpdb->prepare($count_sql, ...$params));
+
+        // Get paginated results
+        $sql = "SELECT * FROM {$table} {$where} ORDER BY `id` DESC LIMIT %d OFFSET %d";
+        $params_paginated = array_merge($params, [$limit, $offset]);
+        // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared
+        $get_customers = $wpdb->get_results($wpdb->prepare($sql, ...$params_paginated));
+
+        $customers = [];
+        if (!empty($get_customers)) {
+            foreach ($get_customers as $customer) {
                 $customers[] = [
                     'ID' => $customer->id,
                     'name' => $customer->name,
@@ -247,14 +276,13 @@ class Customer {
                 ];
             }
         }
-    
-        // Prepare response data
+
         $response = [
             'results' => $customers,
-            'total' => count($get_all_customers),
-            'posts_report' =>  $customers
+            'total' => (int) $total,
+            'posts_report' => $customers
         ];
-    
+
         wp_send_json($response);
 
     }
@@ -263,6 +291,10 @@ class Customer {
 
         check_ajax_referer( 'formipay-form-editor', '_wpnonce' );
 
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ] );
+        }
+
         $form_id = isset($_REQUEST['post']) ? intval($_REQUEST['post']) : 0;
 
         $saved = [