fix: resolve all Week 1 critical bugs (F1.1–F1.9)

- Fix Customer::update() fatal error (undefined $table_name, $new_args)
- Fix Order::delete() using wrong variable $id instead of $order_id
- Fix Order::bulk_delete() using outer $order_id instead of loop $id
- Fix Email::send_email() calling non-existent class (use parent::)
- Add missing Order import in Paypal.php
- Fix BankTransfer unique_code triple DB call (call once, reuse result)
- Fix color field label showing "Number" instead of "Color"
- Add nonce verification to Customer::formipay_tabledata_customers()

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

includes/Customer.php

@@ -162,7 +162,7 @@ class Customer {
 
         $where = [ 'id' => $customer_id ];
         // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
-		$update = $wpdb->update( $table_name, $new_args, $where );
+		$update = $wpdb->update( $table, $insert_data, $where );
         
         return $update;
 
@@ -204,6 +204,7 @@ class Customer {
                 'ajax_url' => admin_url('admin-ajax.php'),
                 'site_url' => site_url(),
                 'customer_id' => $customer_id,
+                'nonce' => wp_create_nonce( 'formipay-admin-access-nonce' ),
                 'columns' => [
                     'id' => esc_html__( 'ID', 'formipay' ),
                     'name' => esc_html__( 'Name', 'formipay' ),
@@ -230,6 +231,8 @@ class Customer {
 
     public function formipay_tabledata_customers() {
 
+        check_ajax_referer( 'formipay-admin-access-nonce', '_wpnonce' );
+
         $get_all_customers = $this->get();
         $customers = [];