Just checked — indeed, the vulnerability I discovered yesterday is not on the particular merchant's side, but on the entire crypto payment provider.

Of course I won't tell which provider it is, but I wonder which other shops are using it now...