Merge pull request #1339 from woocommerce/PCP-1600-v2-possible-cross-site-request-forgery-csrf-can-invalidate-merchant-credentials

Cross Site Request Forgery (CSRF) can invalidate merchant credentials (1600)

modules/ppcp-wc-gateway/src/Settings/SettingsListener.php

@@ -168,8 +168,7 @@ class SettingsListener {
 	 * Listens if the merchant ID should be updated.
 	 */
 	public function listen_for_merchant_id() {
-
-		if ( ! $this->is_valid_site_request() ) {
+		if ( ! $this->is_valid_site_request() || $this->state->current_state() === State::STATE_ONBOARDED ) {
 			return;
 		}