Formatrica – Drag and Drop Form Builder

Changelog

1.0.6 – 2026-03-06

  • Escaped all remaining output variables at the echo boundary (escape-late pattern) per WP.org reviewer feedback
  • Hardened all wp_add_inline_style() and wp_add_inline_script() calls with wp_kses_no_null and close-tag neutralisation
  • Removed phpcs:ignore EscapeOutput annotations, which are now replaced by proper escaping

1.0.5 – 2026-02-24

  • Removed all “use function” imports for WordPress global functions across 31 PHP files to resolve PHP “name already in use” errors in certain hosting environments

1.0.4 – 2026-02-24

  • Converted all inline <style> and <script> output to wp_add_inline_style() and wp_add_inline_script() for WordPress enqueue compliance
  • Added comprehensive “External Services” section to readme.txt documenting all third-party services, data sent, and links to Terms of Service and Privacy Policy
  • Encrypt CAPTCHA secret keys at rest and expose them as write-only fields in the builder
  • Fixed “Send test email” button doing nothing when “Use global Recipient email” is enabled
  • Fixed Plugin Check output-escaping issues for admin page header icon URLs
  • Fixed translators comment placement for placeholder-based error strings

1.0.3 – 2026-02-15

WordPress Plugin Directory Compliance

Security Hardening
* Added ABSPATH direct-access guards to all 69 PHP files in app/
* Replaced all error_log() calls with hook-based debug logger (formatrica_debug_log action)
* Escaped all frontend-facing exception messages with esc_html__() or sanitize_text_field()
* Sanitized all $_SERVER, $_GET, and $_COOKIE superglobal reads with sanitize_text_field(wp_unslash())
* Added PHPCS ignore annotations with rationale for legitimate nonce-free $_GET reads (admin screen checks, signed-token flows)

Database
* Hardened all SQL queries with %i identifier placeholders for table names

Internationalization
* Added /* translators: */ comments to all sprintf() calls containing translatable strings
* Fixed unordered placeholders to use positional format (%1$d, %2$d)

Filesystem
* Replaced unlink() calls with wp_delete_file() in Export_Controller
* Added PHPCS ignore annotations for legitimate filesystem operations (fopen, fwrite, fputcsv, fclose, filesize, readfile)

Plugin Bootstrap
* Removed manual load_textdomain() call (WordPress handles this automatically for directory-hosted plugins)
* Fixed “Tested up to” header to use major.minor format (6.9)

Bug Fixes
* Fixed “Send test email” button doing nothing when “Use global Recipient email” is enabled
* Fixed additional Plugin Check output-escaping issues for admin page header icon URLs (Forms list, Settings, and Form Builder pages)
* Fixed translators comment placement for placeholder-based error strings in form repository save/duplicate operations

1.0.2 – 2026-02-14

  • Removed Microsoft Teams integration
  • Added Privacy section to readme with third-party service disclosure
  • Fixed Contributors field for WordPress.org compliance
  • Cleaned up installation instructions for end users

1.0.1 – 2025-10-31

Bug Fixes
* Fixed: Mailpit sender domain enforcement causing unnecessary deliverability warnings during local development
* Mailpit now bypasses sender domain validation (like API providers) since it’s a development-only tool

1.0.0 – 2025-10-23

Initial Release

Form Builder
* Vue.js 3 + Pinia drag-and-drop form builder with SortableJS
* Real-time field editing with live preview
* Form preview functionality with zoom control (50-100%)
* 15 pre-built templates
* 13 field types with inline validation
* Template selection modal with Quick Start notification

Email Delivery
* 9 email delivery providers: WordPress, SendGrid, SMTP2GO, Mailgun, Postmark, Brevo, Amazon SES, SMTP, Mailpit
* Encrypted credentials storage (AES-256-CBC)
* Test email functionality
* Per-form email configuration

Integrations
* Zapier, Make.com, Slack integration
* WordPress Post creation with full ACF support (20+ field types)
* WooCommerce order creation
* Mailchimp audience subscription
* Salesforce Web-to-Lead
* HubSpot Forms API
* Custom webhooks with HMAC-SHA256 signing
* Async integration queue for background processing (WordPress Cron)
* Dramatically improved submission performance (5-15s → <200ms for webhook-heavy forms)

Security & Privacy
* Multiple CAPTCHA providers (reCAPTCHA v3, Turnstile, FriendlyCaptcha)
* Honeypot protection, CSRF tokens, rate limiting
* IP anonymization options (full, anonymized, none)
* Auto-delete submissions after X days
* GDPR-friendly data handling
* File upload validation with MIME type checking

User Registration
* WordPress user registration form type
* Email verification required before login
* Verification emails use form’s configured delivery provider
* Login blocking for unverified users

Developer Features
* Comprehensive API documentation
* 15+ action and filter hooks
* REST API endpoints
* Database schema versioning system with migration support
* Service Layer Architecture with 22 specialized classes
* PSR-4 autoloaded architecture
* Modular ES6 JavaScript

Admin Features
* Active/Inactive form filters with counts
* Activate/Deactivate actions
* Safe delete confirmations
* Form duplication
* Settings modal with tabs (General, Email, Integrations, Security, Privacy, Advanced)

Infrastructure
* Custom database tables for forms and submissions
* WordPress Cron integration for cleanup and async processing
* Vite build system for assets
* Full i18n support (text domain: formatrica)

Code Quality
* WordPress.org coding standards compliance
* Removed aggressive admin notice suppression
* Removed @ error suppressors (proper error handling)
* Sanitized all nonce reads
* PSR-12 code formatting standards

Author: thezoran
Version: 1.0.6
Last Updated: March 18, 2026
Requires: WordPress 6.4
Tested Up To: WordPress 6.9.4
Requires PHP: 8.1