Ultimate Form

Changelog

2.7.3

• Fixed: saving the General settings tab no longer wipes the Email-template settings (and vice-versa) — each tab now saves only its own fields. This also stops the admin notification address and the honeypot/analytics toggles from being reset.
• Fixed: the “Confirmation message” and “Redirect URL” fields are visible again on the Settings screen (a broken script kept both rows hidden).
• Fixed: “Redirect to URL” after submission now actually redirects (the saved option was read under the wrong name).
• Fixed: spam protection no longer blocks legitimate submissions on forms that contain an unrelated field whose name ends in “_token”.
• Fixed: leaving a field’s min/max length empty in the builder now means “no limit” again instead of forcing it to 0.
• Fixed: importing a form/template with incomplete conditional-logic rules no longer creates broken rules or warnings.
• Fixed: entry detail no longer double-encodes form titles that contain “&” or special characters.
• Improved: a saved global e-mail heading is now used for customer confirmations; hardened a few output paths against PHP 8.1 notices.

2.7.2

• Fixed: floating labels now display correctly on the public form — the field label sits inside the field as a placeholder and lifts up on focus/fill (a bulletproof CSS rule was forcing the label to stay bold and static on forms that use the Design configurator).
• Fixed: removed a broken script on the form editor screen that threw a JavaScript console error (a stray template artifact).
• Fixed: creating a form from a template now generates a clean slug (e.g. “contact”) instead of carrying the internal template prefix (e.g. “tpl_contact”).
• Fixed: the form-editor preview button now reads “Submit” instead of a leftover checkout label.

2.7.1

• New: Step-abandonment analysis in Form Analytics — a visual funnel showing exactly which step visitors reach before leaving an unfinished form, with the drop-off rate and the field they last touched at each step.
• Improved: clearer “where visitors stop” reporting to pinpoint the steps and fields that cost you conversions.

2.7.0

• New: Form Analytics — a privacy-first conversion dashboard. See views, start rate, conversion rate, average time-to-complete, a step-by-step funnel, where visitors drop off, which fields throw the most errors, plus device and traffic-source breakdowns. No cookies, no IP, no personal data — anonymous and aggregated, with an automatic data-retention cleanup and a Do-Not-Track option.
• New: privacy controls under Settings → “Analytics & privacy” (enable/disable tracking, honour Do-Not-Track, set retention days).
• Design: the public-facing form is fully redesigned — modern floating labels that sit inside each field and lift up on focus, softer inputs, a clearer focus ring, and primary buttons with subtle depth and a smooth hover lift.
• Added: a trust line under every form (“Spam-protected · GDPR-compliant”).
• Improved: the entire plugin (admin + frontend) now shares one consistent brand colour system.
• Fixed: the focus ring and the red “invalid field” border are reliably visible again (a defensive style reset was hiding them).
• Maintenance: uninstall now also removes view counters, analytics tables, the retention cron and orphaned per-field options.
• Note: floating labels apply to text, email, phone, URL, number, password, textarea, select and date/time fields; choice, file, rating and composite fields keep their static labels for clarity and accessibility.

2.5.9

• Design: unified the entire admin colour scheme to a single brand blue (previously 5 different blue tones were mixed across screens)
• Design: redesigned the “Create New Form” screen — colourful template icons, a feature highlight bar, a clear “start from scratch” entry, hover states and full-width gallery
• Improved: template meta now uses correct singular/plural (“1 step” vs “3 steps”) and is fully translatable
• Improved: replaced inconsistent emoji template icons with crisp inline SVG icons

2.5.8

• Fix: creating a form from a template now opens the editor correctly instead of a blank screen (import routine now returns the new form ID)
• Fix: the email template editor now saves all fields — greeting, footer, recipient, CC, BCC, custom HTML and field selection were previously discarded on save
• Fix: conditional logic rules are now stored correctly (the save handler read the wrong field keys, so rules were saved empty and never applied on the frontend)
• Fix: the password field strength meter now renders and works (a duplicate switch case had disabled it)
• Improved: admin notification emails now set Reply-To to the submitter’s address, so replying goes straight to the lead
• Improved: deleting a form now also removes its entries, entry fields and view stats (no more orphaned rows)
• Security: email From header is stripped of CR/LF to prevent header injection via stored settings

2.5.7

• Maintenance: removed non-WordPress.org contributor handle from the Contributors header (silences the import warning shown only to plugin authors)

2.5.6

• Compliance: radio-card label now escapes the raw option value via esc_html() at the output site (no longer relies on a pre-escaped variable Plugin Check cannot trace)
• Compliance: the TTL-preserving rate-limit counter increment on wp_options now carries an explicit Plugin Check annotation explaining why the transient API cannot be used here

2.5.5

• Compliance: added /* translators: */ annotations to every __()/esc_html__() call that uses placeholders (Plugin Check requirement)
• Compliance: replaced rand() with wp_rand() in the math-captcha renderer
• Compliance: every wp_redirect() in admin page callbacks replaced with wp_safe_redirect()
• Compliance: explicit output escaping for $total_unread and radio-card alt attributes
• Compliance: error_log() debug calls gated behind WP_DEBUG + WP_DEBUG_LOG (no production logging)
• Documentation: class-level PHPCS justifications added to UltimateForm_Admin and UltimateForm_Form_Manager explaining the plugin’s custom-table architecture, the nonce-verification helper indirection, and the intentional cache bypass

2.5.4

• Fix: registered the public REST route ultimateform/v1/checkout that the frontend form engine posts submissions to (this route was previously only shipped with the Pro edition, which left the free version unable to submit forms)
• Improved: client IP resolution falls back through CF-Connecting-IP, X-Forwarded-For and REMOTE_ADDR, with strict IPv4/IPv6 validation
• Improved: confirmation message is now passed through wp_kses_post() before output

2.5.3

• Hardened output escaping in the upgrade comparison table (per-cell if/else instead of conditional echo expressions)
• Field renderer attribute output split into separate echo statements with explicit per-line phpcs annotations

2.5.2

• Security: added nonce verification to the entry-detail admin screen before marking an entry as read (prevents CSRF state changes via crafted GET URLs)
• Compliance: removed the Plugin URI header (no broken external link in the directory listing)
• Compliance: contributor list now includes the WordPress.org account that owns the plugin

2.5.1

• Security: recursive sanitization for all JSON-decoded administrator inputs (logic, conditions, visible_fields, import payloads)
• Security: all REST endpoints use a custom permission callback with rate limiting (no __return_true)
• Compliance: removed load_plugin_textdomain() call (WordPress 4.6+ auto-loads translations)
• Compliance: every PHP file with executable code starts with an ABSPATH direct-access guard
• Compliance: file/path resolution uses plugin_dir_path(), plugin_dir_url() and wp_upload_dir() only (no hardcoded site_url() → ABSPATH string replacements)
• Documentation: External Services section expanded with per-service data flow, destination and provider information
• Documentation: clarification that the free plugin contains no license server calls or telemetry of any kind

2.5

• Security: replaced permissive permission callbacks with nonce validation and IP rate limiting on all REST endpoints
• Improved: inline scripts and styles replaced with properly enqueued assets via wp_enqueue_script() / wp_add_inline_script()
• Improved: all administrator-facing output properly escaped via esc_html(), esc_attr() and esc_url()
• Plugin version constant updated throughout

2.4

• Split save button: Save as Draft vs Publish in form editor
• Toast notifications redesigned (fixed full-width banner bug)
• Delete form action fixed (double event handler removed)