Xtreme Forms – WP Contact Form Builder, Lead Capture, Form to Email & Webhooks
Changelog
2.5.16
Major readme + plugin-name SEO pass for WordPress.org discovery. Plugin name expanded from Xtreme Forms to Xtreme Forms – WP Contact Form Builder, Lead Capture, Form to Email & Webhooks (matches WP.org’s heavily-weighted title-search signal for wp form, contact form, form builder, lead capture, and form to email queries). Short description rewritten to lead with Free WP contact form plugin … Lightweight WPForms alternative. Tag set rebalanced from generic forms + lead generation to higher-intent lead capture + wp form. New “Switching From Another WordPress Form Plugin?” section covers migration from WPForms / Contact Form 7 / Gravity Forms / Ninja Forms / Formidable / Forminator / Fluent Forms. New “Works With Your Page Builder” section names Elementor, Bricks, Beaver Builder, Divi, Oxygen, WPBakery, block themes, and the classic editor. FAQ expanded from 7 questions to 10, each one targeting a high-volume long-tail WP.org search. No code changes.
2.5.15
Welcome screen now actually carries the Xtreme Forms styling and brand icon. The asset enqueue check only matched hooks containing xtreme-forms (with the hyphen used by the visible menu pages), so the welcome page’s hook admin_page_xtremeforms-welcome (no hyphen between xtreme and forms) silently fell through and neither admin/css/xf-admin.css nor admin/js/xf-admin.js got loaded. The page rendered as raw HTML on WordPress’s default admin styling — no Manrope, no cards, no colors. Widened the hook match so both spellings load the assets. Also added the wrap xf-wrap classes alongside xf-welcome-wrap on the page wrapper so the base palette inherits correctly.
Welcome screen logo is the actual Xtreme Forms brand icon (bundled at assets/img/xtreme-forms-icon.png, 128×128 PNG with the same design as the WP.org listing icon) instead of the placeholder envelope SVG. The logo container picked up a soft white card + subtle teal-tinted radial accent behind it and a rounded 22 px corner so the welcome screen reads as a product surface rather than a generic admin page.
2.5.14
Fixed: welcome screen rendered as a giant unscaled SVG icon filling the entire viewport. Two-part fix: (1) the hero envelope SVG was declared without width/height attributes — browsers fall back to 300×150 or fill the parent if there’s no CSS sizing. Added explicit width=”38″ height=”38″ so it can never grow unbounded again. (2) The welcome-page CSS lived in an ob_start/ob_get_clean/wp_add_inline_style block at the top of the partial; on hosts where late-attached inline styles get dropped, the entire welcome-screen stylesheet vanished and the SVG defaulted to the browser’s enormous fallback. Moved the ~380 lines of welcome CSS into the properly-enqueued admin/css/xf-admin.css so it loads reliably (same pattern as the 2.5.6 form-builder fix).
2.5.13
Fixed: “Sorry, you are not allowed to access this page” right after plugin activation. The submenu slug for the welcome screen was registered as xtremeforms-welcome in admin/class-xf-admin.php:103, but the post-activation redirect was sending users to admin.php?page=xf-welcome (legacy slug, line 394). WordPress couldn’t find the page → fell through to the standard not-allowed error before the user could see the welcome screen on a fresh install. One-character fix to the redirect target. Existing installs are unaffected — the redirect only fires on first activation.
2.5.12
Readme: added a prominent “Useful Links” block at the top of the WP.org listing description with direct links to the plugin homepage, the #features section, and the pricing page. Also restructured the “Optional Pro Add-On” section further down to surface the same three subpage links instead of a single generic homepage link. Source / issues link added to the GitHub repo. No code changes.
2.5.11
Public-form Submit button now matches the canvas preview height across all themes. 2.5.9 locked padding and font-size with !important, but themes like Astra, GeneratePress, Elementor, Bricks, Divi and most page-builder form addons also set min-height: 50px+, line-height: 2, and (sometimes) height: auto !important on button[type=”submit”] — that’s what was inflating the rendered button to 2–3× the size the admin chose. Added line-height: 1.4, min-height: 0, height: auto, text-transform: none, and border: none locks on both the base .xf-btn-submit rule and every xf-btn-size-{sm,md,lg,xl} variant. The frontend button now renders at exactly the dimensions the admin previews on the form-builder canvas.
2.5.10
Form builder: BUTTON TEXT now updates the canvas Submit button live + persists on save. The hidden <input name=”submit_label”> in the partial was missing its matching id=”submit_label” attribute, so document.getElementById(‘submit_label’) in the builder JS returned null. The live-update event listener was guarded by if (inp && labelInput) which always skipped, the canvas card never re-rendered with the new label, and the unchanged hidden input’s old value was the one saved on form submit. Net effect: typing a new label in the right-side panel did nothing on the canvas and the new label never reached the frontend after save. Fixed by adding id=”submit_label” to the hidden input. (This is the root cause of the “preview shows one text, frontend shows another” report from earlier.)
2.5.9
Form builder: the “Click to edit button” hint now sits cleanly outside the dashed Submit-card box on the right, with a small curved arrow pointing back into the button. Previously the hint was positioned right: 14px inside the box, which clipped or overlapped the button text whenever Width was set to 100%. Hidden automatically on narrow canvases (<980px) so it doesn’t push the canvas wider than the form card.
Public form: the four button-size variants (Small / Medium / Large / XL) and the Full-width toggle now win against theme / Elementor / Bricks button rules — the size classes were getting silently overridden by higher-specificity selectors like .elementor-form button[type=”submit”]. Scoped the variants under .xf-form-wrap and marked them !important so they consistently produce the same dimensions on every theme.
Public form: Cloudflare Turnstile widget now sits in a flex container with a small transform: scale(0.92) and a slight rounding, so it lines up with the form fields instead of floating sloppily off to one side. Min-height is reserved so the layout doesn’t jump when the widget finishes loading.
2.5.8
Public form now renders in Manrope (same as the admin since 2.5.5). The font was previously “Fira Sans” with a system fallback chain. The @font-face declarations point at the same assets/fonts/manrope/ bundle the admin uses, so no second copy of the font files is shipped and no request is made to fonts.googleapis.com or fonts.gstatic.com. All hardcoded font-family: “Fira Sans” declarations in public/css/xf-public.css (5 of them) were swapped to var(–xf-font) so they inherit the Manrope-first stack.
2.5.7
Public form — phone fields auto-format as (555) 123-4567. As the visitor types digits into a phone field the value live-formats US-style. International numbers (anything beginning with +) are left alone, so a +44 7700 900123 still goes through unchanged. The field placeholder defaults to (555) 123-4567 only when the form admin hasn’t configured a different one.
Public form — date fields open the picker on a single click anywhere in the field. Previously the browser’s date picker only opened when the visitor clicked the small calendar icon at the far right of the input. Now clicking anywhere on the field (or pressing Enter/Space when focused) calls input.showPicker(). The cursor turns into a pointer and the calendar icon is enlarged + brighter on hover so it actually reads as a target.
Also added the Save Form button white-checkmark fix from the previous local commit (the icon was inheriting the dashicon default blue and was invisible on the blue button).
2.5.6
Form builder — Submit card styling now actually loads. The Submit-button preview, the “Click to edit button” hint, the width badge, and the dashed outline were all defined in a <style> block at the bottom of the form-builder partial that was being attached via wp_add_inline_style() after the page <head> had already shipped the parent stylesheet. On some hosts the inline CSS was being dropped entirely, leaving the Submit row with default browser styling (small blue button, hint sitting flush against it). Moved the ~300 lines of builder CSS into the properly-enqueued admin/css/xf-builder.css so they load with the rest of the builder stylesheet.
Form builder — preset chips refreshed. The HEIGHT (lines), WIDTH (Full / 1/2 / 1/3 / 1/4), and BUTTON SIZE (Small / Medium / Large / XL) chip buttons in the right-side field settings panel now use a cleaner light-on-white style with a clear blue-tinted “selected” state, matching the original 2.0.6 design. Active state is also wired up on first render — clicking a chip toggles the highlight and the slider (for HEIGHT) stays in sync.
2.5.5
Restored the Manrope font on the admin UI, self-hosted. The Manrope @import from Google Fonts was removed in 2.4.0 for WordPress.org compliance; the admin has been running on the system font stack since. The font is now back, bundled inside the plugin under assets/fonts/manrope/ (six woff2 subset files, ~92 KB total, plus the OFL 1.1 license), with the @font-face declarations inlined at the top of admin/css/xf-admin.css. No request is ever made to fonts.googleapis.com or fonts.gstatic.com — the font ships locally so this remains compliant with the WordPress.org “no undisclosed external services” guideline.
Form builder: restored the always-visible “Click to edit button” hint on the Submit-button preview card. The hover-only ::after affordance introduced in 2.5.2 was too subtle in practice — users were missing that the Submit area is editable. Back to the pre-2.5.2 behavior: the dashed outline, width badge (when floated), and italic gray hint all show by default; they still hide automatically when the Submit button is floated at 1/2 / 1/3 / 1/4 width so it can sit cleanly inline with the last row of fields.
2.5.4
Dashboard: added a one-click “Copy shortcode” button next to each form in the Top Performing Forms card. Click the clipboard icon and the shortcode ([xtreme_forms id=”X”]) lands on your clipboard — no need to open the form’s edit screen first. The icon briefly turns green ✓ on success.
2.5.3
Dashboard: added a fourth Total Forms KPI tile to the top row, linking to the Forms list and showing how many forms are currently active. The four KPI icons now use distinct colors (teal / blue / purple / orange) so the eye can pick out a tile by color.
Dashboard: the Leads by Form chart is now a doughnut with a side legend instead of a bar chart. The center of the doughnut shows the total leads in the selected range; the legend lists each form with its lead count and percentage share. Hovering a legend row highlights the corresponding doughnut slice.
2.5.2
Fixed: five built-in form templates (Quote Request, Newsletter, Integrations) shipped placeholder / option strings containing the literal characters …, –, and — instead of the intended ellipsis / en-dash / em-dash. They were typed inside single-quoted PHP strings where PHP does not interpret unicode escapes, so end users saw raw … in the Project Description placeholder of the Quote Request form, in the Budget Range dropdown options, and in two “Saving…” / “Testing…” admin labels. Replaced with the actual UTF-8 characters.
Improved: the form-builder canvas no longer renders a permanent “Click to edit button” hint next to the Submit button. The affordance is now a CSS ::after label that fades in only on hover or when the submit card is selected, so the default canvas view stays clean.
2.5.1
WordPress.org review round 4 — readme-only fix. Added the Xtreme Plugins licensing API to the External services section to disclose that the License tab’s Activate / Deactivate buttons make server-to-server calls to https://xtremeplugins.com/api/v1/license/{activate,deactivate} (license key + site URL only, on button click only). Includes terms-of-service and privacy-policy links for xtremeplugins.com. No code changes.
2.5.0
License tab for the optional Pro add-on. New “License” tab under Xtreme Forms → Settings lets administrators paste their Pro license key, click Activate, and see status / plan / expiry. Deactivation releases the seat. Free plugin functionality is unchanged — no feature is gated by license status (per WP.org guideline 5, trialware compliance). The Pro add-on (sold separately at https://xtremeplugins.com/plugins/xtreme-forms) reads the activated license via the new Xtremeforms_License::is_active() / get_plan() public API to decide whether to enable its own features.
New includes/class-xf-license.php — license storage, activation/deactivation against the xtremeplugins.com licensing API (https://xtremeplugins.com/api/v1/license/*, overridable via the xtremeforms_license_activate_url / xtremeforms_license_deactivate_url filters).
New admin/partials/xf-admin-license.php — License tab UI with masked key display, status pill, plan code, expiry date (when returned), and an “View Pricing →” CTA linking to xtremeplugins.com when no license is active. Inline JS is registered through wp_add_inline_script( ‘xtremeforms-admin’, … ) (consistent with the 2.4.0 review fix).
Two new AJAX handlers: xtremeforms_activate_license and xtremeforms_deactivate_license (both require manage_options + nonce).
2.4.4
Fix duplicated “Assignment saved” text in the lead-assign feedback banner. When the assigned WordPress user has no email on file, the inline feedback used to read “Assignment saved. Assignment saved, but the notification email could not be sent…” — the JS already prepends “Assignment saved.” so the server-side warning is now just “Notification email could not be sent — the assigned user has no email address on file.” Result: “Assignment saved. Notification email could not be sent — the assigned user has no email address on file.”
2.4.3
WordPress.org automated scan: bumped the Tested up to: header from 6.9 to 7.0 to match the current WordPress release. No code changes.
No more raw ALTER TABLE queries. The four columns previously added by conditional ALTER TABLE ADD COLUMN statements after dbDelta() (activate_at, expire_at, closed_message on the forms table; consent_given on the leads table) are now declared inline in the CREATE TABLE strings. All schema mutation flows through dbDelta(), which is idempotent. Resolves the reviewer report that the plugin “repeatedly tries to create existing tables/columns” during activation and update checks, reproducible on WordPress Playground.
maybe_upgrade() is now an option-read fast path. On a fully-migrated site it returns after a single get_option() + version_compare() — no schema queries at all. Adds a per-request static guard so plugins_loaded firing more than once cannot double-invoke dbDelta().
PRIMARY KEY uses two spaces in every CREATE TABLE string (per the dbDelta() docs), eliminating a known dbDelta parsing quirk that can re-emit ADD PRIMARY KEY on each run.
wpdb errors silenced around the dbDelta block with hide_errors() + suppress_errors(), restored on exit — activation never prints DB notices to the admin even if a host returns a benign warning.
2.4.1
Fixed form submission validation false-positive — required Name / Email / Phone / etc. were rejected even when filled because the public form rendered inputs as name=”xf_field[ID]” while the AJAX handler read $_POST[‘xtremeforms_field’]. Server now reads $_POST[‘xf_field’], matching the rendered names. Affects every form / every field type.
Fixed UTM cookie fallback never captured (server xtremeforms_utm_cookie vs JS xf_utm_cookie).
Fixed submit_duration always null (server xtremeforms_submit_duration vs JS xf_submit_duration).
Fixed server-side redirect-after-submit broken on forms with a configured Redirect URL.
2.4.0
WordPress.org review compliance round 2:
Attribution: removed the hard-coded “Sent by Xtreme Forms” credit link from outgoing emails. The link is now strictly opt-in via a new checkbox under Xtreme Forms → Email Templates → Plugin Attribution and defaults to OFF.
Third-party requests: removed the Google Fonts (fonts.googleapis.com) @import from the admin stylesheet. The admin UI now uses the operating-system native font stack only — no third-party font requests are made.
Naming: renamed the short xf_ / xl_ AJAX action prefixes to the unique xtremeforms_ prefix across all hooks, nonces, and localized data objects (40+ endpoints) to satisfy the 4+ character prefix requirement.
Assets: moved all inline <script> and <style> blocks out of admin partials and into properly enqueued files registered through wp_enqueue_script() / wp_enqueue_style() / wp_add_inline_script() / wp_add_inline_style().
Security: added explicit nonce verification (wp_verify_nonce / check_ajax_referer) to every $_GET / $_POST / $_REQUEST read flagged by Plugin Check, in addition to the existing current_user_can() capability gates.
Vendor: upgraded the bundled Chart.js library to v4.5.1 (latest stable).
Contributors: added the plugin owner’s WordPress.org username (loanpartnership) to the readme contributors list.
2.3.3
WordPress.org review: documented all third-party / external services (Google reCAPTCHA, Cloudflare Turnstile, Zoho CRM, HubSpot CRM, Salesforce, Pipedrive, custom webhooks, Google Fonts) under a new “External services” section in readme.txt
WordPress.org review: lowered admin menu position — Xtreme Forms now appears at the bottom of the admin menu rather than alongside core items
WordPress.org review: added explicit current_user_can() capability checks at the top of every admin partial that reads $_GET (defence in depth — the page callbacks were already capability-gated, but partials now self-guard)
WordPress.org review: renamed the short XF_ class prefix to Xtremeforms_ across all 23 classes (XF_Forms → Xtremeforms_Forms, etc.) to satisfy the 4+ character prefix requirement and prevent collisions with other plugins
PHP 8.1+: replaced null parent_slug with empty string in the 11 hidden add_submenu_page() calls — silences the “Passing null to parameter of type string is deprecated” notices that WP core emits inside plugin_basename()
Security: added wp_unslash() + sanitize_text_field() to all submit-layout $_POST reads in the admin save handler
Repository hygiene: removed the plugin-directory .gitignore (hidden file not allowed by Plugin Check); dev ignores moved to .git/info/exclude
Removed phpunit.xml from the shipped plugin (dev-only)
Form Builder: floated Submit button now sits inline with the last row of floated fields (width 1/2, 1/3, 1/4)
Form Builder: when Submit is floated, the admin preview hides the dashed outline, percentage badge, and “Click to edit” hint
Form Settings: new Styling tab with “Remove background” toggle — renders the frontend form without the white card, border, or shadow
Fix: cleared field labels now persist through reload (empty string no longer reverts to default “Text Field”)
Fix: Forms list, Form Metrics table, Dashboard widget, and Gutenberg block all now emit the correct [xtreme_forms id=”X”] shortcode (was [xtremeleads] in 4 places — block render was broken)
Docs: README.md, CHANGELOG.md and readme.txt updated with the corrected shortcode
2.0.3
Stability release following the XtremeLeads → Xtreme Forms rename
Ensured all text domain references use xtreme-forms
Minor admin UI polish
2.0.2
Fixed hidden .gitkeep file in assets/img/ (Plugin Check compliance)
Added .distignore to exclude dev files from WP.org SVN releases
PHPCS compliance: fixed inline ignore comments on multi-line expressions in admin partials
Auto-corrected 1461 code formatting issues via phpcbf
2.0.1
Added first-activation welcome screen (appears once after activation, dismissed automatically)
Welcome screen sections: getting started video placeholder, 8-feature grid, Pro upgrade section, testimonials
Version bump from 1.6.7 to 2.0.1 marks the plugin rename milestone (XtremeLeads → Xtreme Forms)
1.6.0
Added full import/export with JSON round-trip (export all forms + leads, re-import on any site)
Added multisite support — per-site tables, network-aware activation, new blog provisioning
Added append-only audit log for all admin actions
Improved settings page organization with tabbed layout
1.5.0
Added webhooks with delivery logging and configurable retry logic
Added GDPR consent checkbox (per form), right-to-erasure data deletion, configurable data retention
