=== LeadConnector ===
Contributors: varunvairavanlc, pranoylc, alphaenigma, iamnfinitylc, hemantlc, raahatsharma
Plugin URI: https://www.leadconnectorhq.com/
Tags: chat-widget, crm, funnels, forms, marketing-automation
Requires at least: 6.2
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 3.0.31
License: GPLv3
License URI: https://www.gnu.org/licenses/gpl-3.0.html

Connect WordPress to LeadConnector for chat widgets, funnels, forms, calendars, reviews, custom values, and CRM tools.

== Description ==

**LeadConnector brings your CRM, funnels, and conversion tools into WordPress.**

LeadConnector connects your WordPress website with your LeadConnector account. Add chat widgets, publish funnel steps, embed forms and calendars, show reviews, sync custom values, and manage conversion tools from one WordPress admin panel.

**Why Choose LeadConnector?**

* **CRM-connected tools**: Connect WordPress to your LeadConnector location.
* **Conversion embeds**: Add chat widgets, forms, calendars, surveys, quizzes, phone pools, and reviews.
* **Funnel publishing**: Import funnel steps with iframe, redirect, or native HTML display.
* **Personalization**: Use LeadConnector custom values in WordPress content.
* **SEO, email, and cache tools**: Use supported SEO overrides, SMTP email, and optional Rocket.net cache purge.

**Key Features**

* **Chat Widget**: Enable and select the LeadConnector chat widget to display on your site.
* **Funnel Pages**: Import LeadConnector funnel steps and publish them as WordPress-managed funnel pages.
* **Forms, Calendars, Surveys, and Quizzes**: Embed LeadConnector assets.
* **Reviews Widget**: Display reputation and review widgets.
* **Phone Number Pools**: Add dynamic phone tracking.
* **Custom Values**: Sync CRM custom values and use them in WordPress content placeholders.
* **Email Sending**: Route WordPress email through LeadConnector SMTP when enabled.
* **SEO Overrides**: Manage titles, descriptions, keywords, and social metadata for supported paths.
* **AI Pages**: Use supported LeadConnector AI workflows for landing pages, blogs, and e-commerce layouts.
* **CDN Cache Purge**: Purge Rocket.net cache when configured and triggered by an administrator.

**Available Shortcodes**

* `[leadconnector_form]` - Embed a LeadConnector form.
* `[leadconnector_calendar]` - Embed a LeadConnector calendar.
* `[leadconnector_survey]` - Embed a LeadConnector survey.
* `[leadconnector_quiz]` - Embed a LeadConnector quiz.
* `[leadconnector_reviews_widget]` - Embed a LeadConnector reviews widget.
* `[leadconnector_phone_number_pool]` - Add a LeadConnector phone number tracking pool.

The shorter `[lc_*]` aliases (`[lc_form]`, `[lc_calendar]`, `[lc_survey]`, `[lc_quiz]`, `[lc_reviews_widget]`, `[lc_phone_number_pool]`) remain registered for backward compatibility with content authored before 3.0.29 and will be removed in a future major release. New content should use the canonical `[leadconnector_*]` tags.

**For Developers**

LeadConnector registers a funnel custom post type, authenticated REST proxy endpoints, OAuth token refreshes, and a WP-CLI Elementor import command. Source for the compiled admin UI is linked below.

== Installation ==

= Minimum Requirements =

* WordPress 6.2 or greater
* PHP 7.4 or greater

= Recommended Environment =

* WordPress 6.4 or greater
* PHP 7.4.9 or greater
* WordPress memory limit of 64 MB or greater; 128 MB or higher is preferred

= Setup =

1. Install LeadConnector from the WordPress plugin installer, or upload the plugin folder to `/wp-content/plugins/`.
1. Activate the plugin from the WordPress Plugins screen.
1. Go to **LeadConnector** in the WordPress admin menu.
1. Connect your LeadConnector account.
1. Select your location and enable the tools you want to use.

== Frequently Asked Questions ==

= Do I need a LeadConnector account? =

Yes. You need an active LeadConnector account and a connected location to use the CRM-connected features.

= Is the plugin free? =

The WordPress plugin is free. A LeadConnector subscription may be required to use connected services such as widgets, funnels, forms, calendars, email, and CRM tools.

= How do I connect my LeadConnector account? =

Open **LeadConnector** in the WordPress admin menu and follow the connection flow. Settings changes use authenticated WordPress admin requests.

= How do I add the chat widget to my site? =

Open **LeadConnector > Chat Widget**, enable the widget, and select the widget you want to display. The plugin loads the selected LeadConnector chat widget on your WordPress site.

= How do I publish a LeadConnector funnel in WordPress? =

Open **LeadConnector > Funnels**, choose a funnel and funnel step, set the WordPress slug, and publish it. Funnel pages are stored in WordPress as LeadConnector funnel content and routed through the selected display method.

= What shortcodes are available? =

The plugin includes `[leadconnector_form]`, `[leadconnector_calendar]`, `[leadconnector_survey]`, `[leadconnector_quiz]`, `[leadconnector_reviews_widget]`, and `[leadconnector_phone_number_pool]`. The historical `[lc_*]` aliases remain registered for backward compatibility and will be removed in a future major release.

= Does the plugin work with Elementor and other page builders? =

Yes. The plugin includes Elementor-specific compatibility support and frontend styles for supported LeadConnector funnel pages. Compatibility can vary by theme, template, and builder configuration.

= Does the plugin support RTL languages? =

Yes. LeadConnector includes Right-to-Left language support for supported plugin screens and frontend output.

== Screenshots ==

1. LeadConnector settings and account connection screen.
2. Chat widget setup and widget selection.
3. Chat widget preview on the website.
4. Add and edit LeadConnector funnel steps as WordPress pages.
5. View and manage published LeadConnector pages.

== External Services ==

This plugin connects to external services to authenticate your account, load widgets and embeds, sync CRM data, publish funnel content, refresh OAuth tokens, and optionally purge CDN cache. Each domain below is contacted only when the corresponding feature is enabled or the corresponding admin action is taken. Common terms and privacy policy links apply to every LeadConnector-owned host: https://www.leadconnectorhq.com/terms2 and https://www.leadconnectorhq.com/privacy-policy.

= services.leadconnectorhq.com / rest.leadconnectorhq.com / api.leadconnectorhq.com / backend.leadconnectorhq.com =

* What is sent: OAuth access token, refresh token, location ID, WordPress site URL, plugin settings (chat-widget, SMTP, SEO override fields), funnel/page IDs, custom-value field keys.
* When sent: during admin-triggered actions only - the OAuth connect/disconnect flow, settings save, funnel import, OAuth token refresh, custom-value sync, and SMTP enable/disable.
* Additional triggers (CDN cache purge): when the LeadConnector CDN integration is connected (`CDN_WP_ID` / `CDN_SITE_ID` defined and an OAuth session exists) the plugin sends an authenticated `POST` to `services.leadconnectorhq.com/wordpress/lc-plugin/site/{locationId}/{wpId}/clear-cache` to remotely purge cached funnel pages whenever (a) a connected WordPress administrator clicks "Purge everything on all domains" in the admin bar, (b) the LeadConnector settings page is saved, or (c) a public post (any post type marked `public => true`, including pages, posts, and CPTs that themes register) is published or updated via the standard `save_post` hook. No body payload is sent beyond the location/site identifiers; the call is skipped on autosaves, revisions, and non-public post types.
* What is not sent: anonymous front-end visitor traffic does not touch these hosts. Custom-value placeholder resolution at front-end render time is served from the local transient cache; it falls back to `services.leadconnectorhq.com` only when the cache is cold for a placeholder, and only with an admin-issued OAuth bearer.
* Service terms: https://www.leadconnectorhq.com/terms2
* Privacy policy: https://www.leadconnectorhq.com/privacy-policy

= app.leadconnectorhq.com =

* What is sent: location ID and the funnel step path being imported or rendered.
* When sent: during the admin "import a funnel step" flow, and at front-end render time when a published funnel step is requested in `iframe` or `native` display mode.
* Service terms: https://www.leadconnectorhq.com/terms2
* Privacy policy: https://www.leadconnectorhq.com/privacy-policy

= widgets.leadconnectorhq.com =

* What is sent: location ID and selected chat-widget ID inside the widget URL. The widget is loaded by the visitor's browser, so the visitor's IP address and user-agent are visible to the host.
* When sent: only on front-end pages where the chat-widget feature is enabled and a widget is selected.
* Service terms: https://www.leadconnectorhq.com/terms2
* Privacy policy: https://www.leadconnectorhq.com/privacy-policy

= marketplace.leadconnectorhq.com =

* What is sent: page metadata fetch parameters (page ID) under an authenticated server-to-server request signed with the OAuth access token; no end-visitor data is forwarded.
* When sent: only during admin "import / refresh a funnel step" actions.
* Service terms: https://www.leadconnectorhq.com/terms2
* Privacy policy: https://www.leadconnectorhq.com/privacy-policy

= link.msgsndr.com =

* What is sent: the messaging short-link slug carried inside a click-through URL. No PII is forwarded by the plugin itself; the host receives whatever the visitor's browser sends (referrer, user-agent, IP) when the link is followed.
* When sent: only when a visitor clicks a LeadConnector-rendered short-link inside funnel/page content. The plugin does not initiate any background request to this host.
* Service terms: https://www.leadconnectorhq.com/terms2
* Privacy policy: https://www.leadconnectorhq.com/privacy-policy

= reputationhub.site =

* What is sent: location ID and review-widget configuration parameters embedded in the widget URL. The widget is loaded in the visitor's browser, so the visitor's IP address and user-agent are visible to the host.
* When sent: only on front-end pages that contain a `[leadconnector_reviews_widget]` shortcode (or its `[lc_reviews_widget]` alias) for an enabled review widget.
* Service terms: https://www.leadconnectorhq.com/terms2
* Privacy policy: https://www.leadconnectorhq.com/privacy-policy

= OAuth client ID =

The plugin ships with a public OAuth client ID constant (`LEAD_CONNECTOR_OAUTH_CLIENT_ID`) used only to start the LeadConnector authorization flow. It is not a secret. Sites may override it in `wp-config.php`:

`define( 'LEAD_CONNECTOR_OAUTH_CLIENT_ID', 'your-client-id' );`

== Source Code ==

The WordPress.org distribution includes compiled JavaScript for the LeadConnector admin UI (`admin/app.js`, `admin/chunk-vendors.js`). Human-readable source, build instructions, and version history live in the public repository:

https://github.com/LeadConnectorHQ/leadconnector-fe

== Debug Logging ==

Debug logging is **off by default**. Enable it for support sessions only:

* `define( 'LEADCONNECTOR_DEBUG', true );` in `wp-config.php`, or
* Enable WordPress core `WP_DEBUG` + `WP_DEBUG_LOG`.

When logging is enabled the plugin writes daily files to:

* `WP_CONTENT_DIR/leadconnector-logs/leadconnector-YYYY-MM-DD.log` (default)
* Override with `define( 'LEADCONNECTOR_LOG_DIR', '/path/outside/webroot/leadconnector-logs' );`

OAuth tokens, refresh tokens, API keys, SMTP passwords, the OAuth `code` query parameter, and `Authorization:` headers are redacted by the logger before lines are written. Context payloads larger than 2 KB are truncated. The directory is created with an `index.php` stub and (under Apache) a `.htaccess` "Deny from all" file.

Under **nginx or Caddy** the generated `.htaccess` is ignored. Add the following snippet to your server block (adjust paths to match your install):

`
location ^~ /wp-content/leadconnector-logs/ {
    deny all;
    return 403;
}
`

For Caddy:

`
@leadconnectorLogs path /wp-content/leadconnector-logs/*
respond @leadconnectorLogs 403
`

For Apache 2.4+ where the `.htaccess` has been allowed, the bundled directive uses the modern `Require all denied` directive automatically.

== Uninstalling ==

By default, uninstalling the plugin leaves your stored settings, funnel pages, and custom values in the database. To remove all plugin data on uninstall, set one of the following before deleting the plugin:

* `update_option( 'leadconnector_delete_data_on_uninstall', true );`
* `define( 'LEADCONNECTOR_DELETE_DATA_ON_UNINSTALL', true );` in `wp-config.php`
* Enable `delete_data_on_uninstall` in the main plugin options array

== Privacy Policy ==

LeadConnector connects WordPress with your LeadConnector account. Depending on enabled features, the plugin may store connection details, selected widget IDs, location IDs, OAuth tokens, funnel settings, and embed configuration.

When connected features are used, relevant account, location, site, funnel, widget, form, calendar, survey, quiz, review, phone, custom value, and email configuration data may be exchanged with LeadConnector services. Visitor interactions with embedded widgets are handled by LeadConnector services.


== Changelog ==

= 3.0.31 =
**Security**

* Admin REST responses no longer return decrypted OAuth access tokens, OAuth refresh tokens, API keys, or the full plugin options blob to the browser. The admin UI now only receives connection-status flags. (#A1)
* AES-256-CTR at-rest encryption replaced with AES-256-GCM (authenticated encryption). The hardcoded fallback key/salt has been removed; the plugin halts with `wp_die()` and a translatable error if `LOGGED_IN_KEY/LOGGED_IN_SALT` are missing or the OpenSSL PHP extension is unavailable, instead of silently degrading to plaintext. Existing CTR ciphertexts continue to decrypt successfully via a read-only back-compat path; values are re-encrypted under GCM the next time the OAuth token is refreshed or the SMTP password is saved. (#A3)
* The `/leadconnector_api/v1/proxy` GET route now requires a valid `X-WP-Nonce` for state-changing endpoints (`wp_disconnect`, `wp_validate_oauth`, `wp_regenerate_token`, `wp_enable_email`, `wp_disable_email`, `wp_save_options`, `wp_insert_post`, `wp_delete_post`). Requests without a nonce - drive-by CSRF, image preloads, browser-extension fetches - are rejected with HTTP 403; legitimate admin requests continue to work because the bundled admin app already attaches the nonce. (#A4)
* `process_page_request()` validates the inbound `Host` header against `home_url()` before treating it as a routing key, blocking host-header spoof attacks. (#C13)
* `LeadConnector_Logger::__wakeup()` now throws to actually prevent unserialization of the singleton. (#D6)
* Logic bug fixed in OAuth token regeneration: missing-or-empty refresh tokens are now both detected. (#D1)
* SEO Overrides module no longer emits `<meta name="leadconnector-seo-debug-*">` tags into the front-end response on every request. The debug breadcrumb path is removed entirely and SEO override meta tags are only rendered when at least one override is configured for the current path. Resolves an information-disclosure issue where every visitor (including search engine bots) received the plugin's debug state. (#C4)
* Admin asset bundle no longer monkey-patches the global `window.fetch` function. The previous wrapper intercepted every admin XHR to detect a successful `wp_validate_oauth` response; it has been replaced with a `leadconnector:purge-toolbar-refresh` `CustomEvent` listener plus a `wp.hooks` action so other plugins that also wrap `window.fetch` are no longer broken by load order. (#C5)
* `LeadConnector_Logger` now redacts secret-shaped context keys (`password`, `secret`, `token`, `api_key`, `apikey`, `authorization`, `auth`, `code`, `bearer`, `session`, `cookie`) and secret-shaped substrings (`code=…`, `refresh_token=…`, `access_token=…`, `api_key=…`, `Authorization: Bearer …`, JSON pairs like `"password":"…"`) before any line is written to disk. Context payloads larger than 2 KB are truncated. Removes the previous behaviour of writing full decoded LeadConnector API responses verbatim. (#C7, #H2)
* `leadconnector_oauth_wp_remote_get()` no longer returns the decrypted OAuth access token to its caller (and therefore through the REST proxy to the browser) on the after-two-attempts error envelope. A boolean `has_access_token` flag replaces it so the admin UI can still detect a missing token without learning the bearer value. (#C7)
* Funnel CPT registration no longer references a non-existent `remove_save_box` method via `register_meta_box_cb`. The argument has been removed entirely. (#C8)
* "Redirect to Funnel URL" display method no longer side-steps `wp_safe_redirect()` by adding the destination host to `allowed_redirect_hosts` for the duration of the call. Hosts are now validated against a fixed allowlist (canonical LeadConnector hosts + the site's own home host + an admin-configured white-label URL host) before the redirect is issued, and out-of-allowlist destinations surface a translated `wp_die()` error instead of an open redirect. A new `leadconnector_allowed_funnel_redirect_hosts` filter is exposed for sites that need to register additional vanity hosts. (#H10)
* Funnel head allowlist no longer permits the `<base href>` tag. A `<base href>` rewrites every relative URL in the document, so a malicious upstream funnel could redirect form posts, asset loads, and link clicks to an attacker-controlled host without ever placing a script tag. (#M12)
* `process_page_request()` now punycode-normalizes both the incoming `Host:` header and the canonical `home_url()` host before comparing them, defeating an IDN-encoding bypass where a Unicode Host header (e.g. `münchen.example`) would fail to match an ASCII-encoded expected host (`xn--mnchen-3ya.example`). (#M11)

**Compliance**

* `Tested up to: 6.7` (was the non-existent `7.0`); `Requires at least` aligned across `README.txt` and the plugin header. (#B2)
* Translation files renamed from `LeadConnector-*` to lowercase `leadconnector-*` so WordPress 4.6+ auto-loads them under the declared `leadconnector` text domain. (#B3)
* Tags hyphenated to single tokens (`chat-widget`, `marketing-automation`, `funnels`). (#B6)
* External Services section expanded with per-host disclosures of what data is sent and when. (#B7)
* Translations are now picked up automatically by WordPress 4.6+ just-in-time loading without calling `load_plugin_textdomain()` manually. The `Domain Path: /languages` header remains declared so the WordPress.org Translate Console and bundled `.mo` files are still discoverable. (#B8)
* Custom post type `leadconn_funnels` registration cleaned up: invalid `hide_post_row_actions` argument removed (replaced with a proper `post_row_actions` filter), `supports` set to `array( 'title' )` instead of `array( '' )`, `has_archive` set to `false` (consistent with `public => false`), `show_in_rest => false` made explicit, and the description wrapped in `__()`. The slug remains `leadconn_funnels` for back-compat with existing funnel posts. (#B5, #D3)
* Removed unused `/leadconnector/v1/input/site-create`, `/leadconnector/v1/input/site-delete`, and `/leadconnector/v1/input/user-update` validator routes (and their DTOs) per WP.org reviewer guidance. (#C9)
* Replaced `esc_sql()` table-name interpolation with `$wpdb->prepare()` `%i` identifier placeholders. (#C12)
* Copyright headers updated to `Copyright (C) 2020-2026 LeadConnector`. (#B9)
* Added "Silence is golden" `index.php` stubs to every shipped subdirectory. (#C17)
* `README.txt` `Tested up to:` lowered to `6.7` (was the non-existent `7.0` claim from 3.0.31). (#C1)
* `README.txt` "External Services" section now discloses that connecting the LeadConnector CDN integration (when `CDN_WP_ID` / `CDN_SITE_ID` is defined and an OAuth session exists) causes the plugin to send an authenticated remote cache-purge `POST` to `services.leadconnectorhq.com` on every public-post `save_post`, in addition to the admin-bar "Purge everything on all domains" click and the settings save. (#H4)
* `README.txt` "Available Shortcodes" section now advertises the canonical `[leadconnector_*]` shortcodes; the deprecated `[lc_*]` aliases are documented as remaining only for backward compatibility. (#M1)
* New "Debug Logging" section in `README.txt` documents the relocated log directory, the `LEADCONNECTOR_LOG_DIR` override constant, the redaction policy, and the nginx / Caddy server-block snippets required to block direct HTTP access on stacks that do not honour `.htaccess`.

**Reliability**

* `LeadConnector_Logger` writes log files to `WP_CONTENT_DIR/leadconnector-logs/` instead of `wp-content/uploads/leadconnector-logs/`. The directory is created with `index.php`, a modern Apache 2.4 `Require all denied` `.htaccess` (with a legacy `Order/Deny` fallback for Apache 2.2), and a documented nginx.conf snippet. A new `LEADCONNECTOR_LOG_DIR` constant lets site administrators relocate the log directory entirely (e.g. outside the web root). When `wp_upload_dir()` returns an `error` key, the legacy fallback path is skipped instead of producing a malformed path. (#H9, #M10)
* REST proxy handlers for `wp_insert_post`, `wp_validate_oauth`, and `wp_delete_post` now validate required fields up front and return a structured `error => true / message / field` envelope when a required property is missing, instead of producing PHP `Undefined property: stdClass::$…` warnings and half-populated post meta on partial payloads. (#M9)

**Performance**

* Custom value placeholder filters now early-exit when the rendered string contains no `{{custom_values.…}}` marker, and the `LeadConnector_CustomValues` instance is shared across all 15+ filter callbacks per request instead of being re-instantiated each time. (#C5)
* Front-end `dashicons` enqueue now only fires on LeadConnector funnel pages, not on every front-end render for logged-in admins. (#C16)
* `LeadConnector_Logger` no longer reads-then-rewrites the entire log file on every line; it appends instead, with a per-day size cap to bound growth. (#C4)
* The `crypto.randomUUID` polyfill emitted on native funnel pages is now a versioned static asset (`public/js/leadconnector-native-polyfills.js`) instead of an inline script. (#D2)

**Developer**

* `WP_DEBUG`-gated debug HTML in the native funnel template now logs to `error_log()` and is no longer rendered as visible markup on production sites that have `WP_DEBUG_DISPLAY = false`. (#D4)

= 3.0.30 =
**Security**

* Funnel iframe HTML no longer ships an inline `<style>` block. The page now links to `public/css/leadconnector-funnel-iframe.css` via a `<link rel="stylesheet">` tag, addressing the WordPress.org reviewer's "use wp_enqueue commands" guidance for the standalone iframe document.
* `get_page_iframe()` now applies `wp_kses()` to the fully-assembled HTML document at the function boundary (escape late) using a dedicated `iframe_page_allowed_html()` allowlist, so the function itself returns escape-safe output regardless of the caller.
* Funnel head font-swap inline script now relies on `wp_print_inline_script_tag()` (WordPress 5.7+) unconditionally; the legacy `function_exists()` guard was removed since the plugin already requires WordPress 5.7 or greater.

**Fixed**

* Custom value placeholders in plain-text title filters (`the_title`, `wp_title`, `document_title_parts`, `pre_get_document_title`, `widget_title`, `nav_menu_item_title`, `meta_description`) no longer double-encode HTML entities. The substitution helper now escapes each replacement once, then the public text-context wrapper escapes the final returned string once via `esc_html()`. HTML-context filters (`the_content`, `widget_text`, `comment_text`, navigation block render callbacks, etc.) continue to escape only the substituted values.

= 3.0.29 =
**Improved**

* Reorganized plugin bootstrap and class files under LeadConnector-prefixed naming for clearer structure.
* Shortcodes use the `leadconnector_` prefix; existing `lc_` shortcodes remain registered for backward compatibility.
* Admin and include code formatting aligned with PHPCS/WPCS standards.

= 3.0.28 =
**Security**

* Funnel and native page HTML output sanitized with `wp_kses()` and script handling via WordPress enqueue APIs.
* Centralized REST API input sanitization and validation for admin routes.
* Resolved Plugin Check security findings for remote content and meta output.

**Fixed**
* Automatic upgrade migrates legacy `lc_` identifiers to `leadconnector_` in database tables, post meta, options, and cron hooks.

**Improved**

* Standardized plugin-wide naming conventions and prefix usage for WordPress.org minimum prefix length.
* Additional admin output sanitization for JSON encoding, SEO meta tags, and public-facing HTML.
* PHP 7.4 minimum requirement, readme contributors and licensing updates, and build script improvements.

= 3.0.27 =
**Fixed**

* Readme stable tag and Tested up to version aligned with the plugin release for WordPress.org compliance.
* Admin menu labels use escaped strings for i18n tooling compatibility.

**Improved**

* Added Source Code documentation for compiled admin assets.
* Standardized the Plugin URI readme header and removed duplicate third-party service text from the Upgrade Notice.

= 3.0.26 =
* Fix: Resolved chat widget breakage on some themes.

= 3.0.25 =
* Feature: Added ability to regenerate images for AI Pages.

= 3.0.24 =
* Feature: Added preview of color customization for AI pages.

= 3.0.23 =
* Fix: Resolved chat widget issues in some cases.
* Improved: Minor copy changes.

= 3.0.22 =
* Security: Added security patches.

= 3.0.21 =
* Fix: Resolved login failures when WordPress is installed in a subfolder configuration.
* Fix: Addressed cache issues when updating settings. Cache now auto-refreshes when changes are made.

= 3.0.20 =
* Fix: Resolved plugin breakage when permalink structure is set to Plain.

= 3.0.19 =
* Enhancement: CDN cache purge option now has broader visibility.

= 3.0.18 =
* Fix: Resolved layout shift on the left side in some themes.
* Fix: Resolved external video embedding issues in funnels.

= 3.0.17 =
* Feature: Introduced AI-Powered WordPress Page Builder.
* Fix: Improved template loading and builder panel compatibility.

= 3.0.16 =
* Enhancement: Added WordPress header and footer support in funnel HTML embed.

= 3.0.15 =
* Fix: Resolved UI breakage when a banner is present on top.

= 3.0.14 =
* Fix: Resolved embedded HTML issue.

= 3.0.13 =
* Feature: Added review widgets, calendars, surveys, and quizzes.

= 3.0.12 =
* Feature: Added LeadConnector-powered SEO capabilities.

= 3.0.11 =
* Feature: Added custom values integration for WordPress.

= 3.0.10.5 =
* Fix: Resolved plugin breakage with Advanced Custom Fields.

= 3.0.10.4 =
* Feature: Added support for Right-to-Left (RTL) languages.

= 3.0.10.3 =
* Feature: Added "Purge everything on all domains" option to the CDN cache dropdown.

= 3.0.10.2 =
* Fix: Resolved login and PHP 7.3 compatibility issues.

= 3.0.10.1 =
* Improved: Minor copy changes.

= 3.0.10 =
* Feature: Added usability notifications.

= 3.0.9 =
* Fix: Handled warning messages.

= 3.0.8 =
* Fix: Resolved errors related to funnels and added minor performance enhancements.

= 3.0.7 =
* Enhancement: Added native HTML funnel embeds, including order forms.

= 3.0.6 =
* Enhancement: Enabled support for multiple chat widgets.

= 3.0.4 =
* Performance: Resolved performance issues for websites with stale cron events.

= 3.0.3 =
* Security: Added sanitization and escaping for parameters.

= 3.0 =
* Fix: Improved cron job scheduling.

== Upgrade Notice ==

= 3.0.31 =
Security: admin REST redacts OAuth/API secrets; AES-256-GCM replaces CTR (legacy decrypt + re-encrypt on token refresh); GET /proxy mutations require X-WP-Nonce (403 without). WP.org readme/compliance fixes. Existing OAuth sessions remain valid.

= 3.0.30 =
WordPress.org review fixes: funnel iframe CSS moved to an external stylesheet link (no inline <style>), font-swap script printed via wp_print_inline_script_tag() with the legacy fallback removed, and a title-filter double-escape bug for custom value placeholders fixed. Safe to upgrade.

= 3.0.29 =
Plugin structure and shortcode naming updates with backward-compatible aliases. Safe to upgrade.

= 3.0.28 =
WordPress.org Plugin Check security and prefix migration release. Existing funnel and widget data is migrated automatically on upgrade. Safe to upgrade.

= 3.0.27 =
Readme, source code, and admin menu i18n alignment for WordPress.org compliance. Safe to upgrade.

= 3.0.26 =
Fixes chat widget breakage on some themes. Safe to upgrade.

= 3.0.21 =
Improves subfolder login handling and refreshes cache after settings updates. Safe to upgrade.

= 3.0.17 =
Adds AI-powered page builder workflows and improves template compatibility. Review your page builder templates after upgrading.
