fix: resolve all Week 2 performance & security issues (F1.10–F1.19)

Security:
- Replace maybe_serialize() in cookies with json_encode() (PHP object injection fix)
- Add PayPal webhook signature verification
- Add current_user_can('manage_options') to all 18 admin-ajax handlers

Performance:
- Remove flush_rewrite_rules() from init hooks (Thankyou + Payment)
- Add activation/deactivation hooks for flush_rewrite_rules
- Cache currency, country, flags JSON reads in static variables
- Add server-side pagination to Customer::formipay_tabledata_customers()
- Optimize Order::formipay_tabledata_orders() with COUNT(*) GROUP BY

Cleanup:
- Delete Paypal.phpbak backup file
- Fix timezone hardcode Asia/Jakarta → wp_timezone_string()
- Create uninstall.php for proper cleanup on uninstall

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

includes/Form.php

@@ -1525,6 +1525,10 @@ class Form {
 
         check_ajax_referer( 'formipay-form-editor', '_wpnonce' );
 
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ] );
+        }
+
         if(isset($_GET['post_id'])){
             $post_id = intval($_GET['post_id']);
             $formipay_post_meta = get_post_meta($post_id, 'formipay_settings', true);
@@ -1545,6 +1549,10 @@ class Form {
 
         check_ajax_referer( 'formipay-admin-post', '_wpnonce' );
 
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ] );
+        }
+
         global $wpdb;
         
         // Initialize default args
@@ -1623,6 +1631,10 @@ class Form {
 
         check_ajax_referer( 'formipay-admin-post', '_wpnonce' );
 
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ] );
+        }
+
         $title = isset($_REQUEST['title']) ? sanitize_text_field( wp_unslash($_REQUEST['title']) ) : '';
 
         if( !empty($title) && '' !== $title ){
@@ -1692,6 +1704,10 @@ class Form {
 
         check_ajax_referer( 'formipay-admin-post', '_wpnonce' );
 
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ] );
+        }
+
         $form_id = isset($_REQUEST['id']) ? intval($_REQUEST['id']) : '';
 
         $delete = wp_delete_post($form_id, true);
@@ -1716,6 +1732,10 @@ class Form {
 
         check_ajax_referer( 'formipay-admin-post', '_wpnonce' );
 
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ] );
+        }
+
         if( empty($_REQUEST['ids']) ){
             wp_send_json_error( [
                 'title' => esc_html__( 'Failed', 'formipay' ),
@@ -1759,6 +1779,10 @@ class Form {
 
         check_ajax_referer( 'formipay-admin-post', '_wpnonce' );
 
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ] );
+        }
+
         $post_id = isset($_REQUEST['id']) ? intval($_REQUEST['id']) : '';
         $post = get_post($post_id);
         if (!$post) {