=== Ultimate Form ===
Contributors: desktopmoe
Tags: form builder, multi-step form, contact form, conditional logic, drag and drop
Requires at least: 6.0
Tested up to: 6.9
Requires PHP: 8.0
Stable tag: 2.5.7
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

A fast, privacy-first multi-step form builder with drag-and-drop, conditional logic, email notifications and design configurator.

== Description ==

**Ultimate Form** is a powerful, free form builder for WordPress. Build multi-step funnels, set up conditional logic, send email notifications and manage submissions — all from a single plugin with no limits on active forms.

= Key Features =

* **Drag & Drop Builder** with 20+ field types (text, email, textarea, select, checkbox, radio, file upload, date, number, ...)
* **Multi-Step Forms** with configurable progress bar and step navigation
* **Conditional Logic** -- show/hide fields and steps based on previous answers
* **Email Notifications** -- per-form templates for customer, admin and custom recipients
* **Design Configurator** -- live preview for colors, typography, spacing, logo
* **Entries Management** -- view, search, star and export submissions as CSV
* **Webhook Integration** -- send form data to any external URL via HTTP POST
* **Honeypot Spam Protection** -- invisible spam protection for every form
* **GDPR Compliant** -- IP hashing, consent checkbox generator
* **Shortcode Embed** -- `[ultimate_form id="X"]` works with any theme or page builder

= Need More? =

**[Ultimate Form Pro](https://delta-web-solution.de/wordpress-plugins/ultimate-form/)** adds powerful features for businesses:

* Stripe & PayPal payment processing
* WooCommerce integration
* CRM integration (Brevo, HubSpot, ActiveCampaign, Pipedrive, Salesforce, Mailchimp)
* Native PDF generation from submissions
* Elementor widget
* Iframe embed for external websites
* Telegram, Discord & Slack notifications
* Zapier / Make automation
* Form cloning, A/B testing, submission limits
* GDPR data export & erasure tools
* Signature field
* Priority support

[Get Ultimate Form Pro](https://delta-web-solution.de/wordpress-plugins/ultimate-form/)

== External Services ==

This plugin does not communicate with any external service by default. All form submissions are stored locally in your WordPress database. The following optional features may connect to a third-party service, but only when explicitly enabled and configured by the site administrator:

= 1. Webhook Addon (Generic HTTP POST) =

**What it does:** Forwards form submission data to an arbitrary URL that the administrator configures inside the plugin settings (Settings → Addons → Webhook).

**When data is sent:** Only when (a) the Webhook addon is enabled, (b) a valid URL is provided by the administrator, and (c) a form submission is received that is mapped to the webhook.

**What data is sent:** The serialized form submission (form ID, submitted field values, submission ID, timestamp). The complete payload is the data the administrator configured the form to collect.

**Where it is sent:** The endpoint URL is entirely controlled by the administrator. The plugin does not ship with a pre-configured destination. There is no Ultimate Form vendor server involved at any point.

**Service provider:** N/A — the destination is user-configured. The administrator is responsible for ensuring that the receiving endpoint complies with their privacy policy and applicable law.

= 2. Plugin Support Form (delta-web-solution.de) =

**What it does:** The plugin Help page contains a contact form that, when submitted by an administrator, sends an email to `ultimate@delta-web-solution.de` (the plugin vendor) using the WordPress `wp_mail()` function.

**When data is sent:** Only when the administrator clicks "Send" on the Help page support form.

**What data is sent:** The message text and reply-to email address typed by the administrator. Nothing is sent automatically.

**Where it is sent:** Routed via the local WordPress `wp_mail()` mailer to `ultimate@delta-web-solution.de`. No third-party API is involved.

**Service provider:** Delta Web Solution (the plugin author).

* Website: [https://delta-web-solution.de](https://delta-web-solution.de)
* Terms of Use: [https://delta-web-solution.de/agb](https://delta-web-solution.de/agb)
* Privacy Policy: [https://delta-web-solution.de/datenschutz](https://delta-web-solution.de/datenschutz)

= Note on the free version =

The free Ultimate Form plugin does not contain any license server, telemetry, analytics or "phone home" code. All feature-detection happens locally inside the plugin code. There is no upgrade or activation check that contacts a remote server.

== Installation ==

1. Upload the plugin files to the `/wp-content/plugins/ultimate-form` directory, or install via **Plugins > Add New**.
2. Activate the plugin through the **Plugins** menu in WordPress.
3. Go to **Ultimate Form** in the admin sidebar to create your first form.
4. Use the shortcode `[ultimate_form id="1"]` to embed forms on any page or post.

== Frequently Asked Questions ==

= How many forms can I create? =
There is no limit. You can create and publish as many forms as you need. The free plugin has no form quotas, time limits or feature gates.

= Does the plugin send data to external servers? =
By default, no. All form submissions are stored in your WordPress database. The plugin does not contact any external server unless you explicitly enable and configure the Webhook addon. See the "External Services" section for full details.

= Is it GDPR compliant? =
Yes. IP addresses are hashed (not stored raw) and a consent checkbox generator is included. No data leaves your server unless you explicitly enable an external integration.

= Which page builders are supported? =
The shortcode `[ultimate_form id="X"]` works with Gutenberg, Elementor, Divi, Bricks, Beaver Builder, Oxygen and the classic editor. The dedicated Elementor widget is available in Ultimate Form Pro.

= What are the minimum requirements? =
WordPress 6.0+ and PHP 8.0+. Recommended: WordPress 6.4+ and PHP 8.1+.

= Is there a Pro version? =
Yes. Ultimate Form Pro adds payment processing, WooCommerce integration, CRM connections, PDF generation and more. The Pro version is hosted separately on the author's website and is NOT included in or required by the free plugin distributed via WordPress.org. Visit [delta-web-solution.de](https://delta-web-solution.de/wordpress-plugins/ultimate-form/) for details.

== Screenshots ==

1. Form builder -- drag-and-drop interface with field palette and live preview
2. Multi-step form with progress bar on the frontend
3. Email template editor per form
4. Design configurator with live preview
5. Entries list with export

== Changelog ==

= 2.5.7 =
* Maintenance: removed non-WordPress.org contributor handle from the Contributors header (silences the import warning shown only to plugin authors)

= 2.5.6 =
* Compliance: radio-card label now escapes the raw option value via `esc_html()` at the output site (no longer relies on a pre-escaped variable Plugin Check cannot trace)
* Compliance: the TTL-preserving rate-limit counter increment on `wp_options` now carries an explicit Plugin Check annotation explaining why the transient API cannot be used here

= 2.5.5 =
* Compliance: added `/* translators: */` annotations to every `__()`/`esc_html__()` call that uses placeholders (Plugin Check requirement)
* Compliance: replaced `rand()` with `wp_rand()` in the math-captcha renderer
* Compliance: every `wp_redirect()` in admin page callbacks replaced with `wp_safe_redirect()`
* Compliance: explicit output escaping for `$total_unread` and radio-card `alt` attributes
* Compliance: `error_log()` debug calls gated behind `WP_DEBUG` + `WP_DEBUG_LOG` (no production logging)
* Documentation: class-level PHPCS justifications added to `UltimateForm_Admin` and `UltimateForm_Form_Manager` explaining the plugin's custom-table architecture, the nonce-verification helper indirection, and the intentional cache bypass

= 2.5.4 =
* Fix: registered the public REST route `ultimateform/v1/checkout` that the frontend form engine posts submissions to (this route was previously only shipped with the Pro edition, which left the free version unable to submit forms)
* Improved: client IP resolution falls back through CF-Connecting-IP, X-Forwarded-For and REMOTE_ADDR, with strict IPv4/IPv6 validation
* Improved: confirmation message is now passed through `wp_kses_post()` before output
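
The client IP fallback in the 2.5.4 entry and the IP hashing listed under Key Features, as an added example that is not the plugin's own code. The `example_*` functions, the trusted-proxy list and the sample request are assumptions made for illustration; the proxy gate goes beyond what the changelog states.

```php
<?php
// Added illustration; the example_* functions and the trusted-proxy list are
// hypothetical and not part of the plugin.

/**
 * Resolve the client address from CF-Connecting-IP, X-Forwarded-For and
 * REMOTE_ADDR. Forwarded headers are request data, so they are only read
 * when the direct peer (REMOTE_ADDR) is a proxy the operator has listed.
 */
function example_resolve_client_ip( array $server, array $trusted_proxies ): string {
    $remote = trim( (string) ( $server['REMOTE_ADDR'] ?? '' ) );
    if ( false === filter_var( $remote, FILTER_VALIDATE_IP ) ) {
        $remote = '';
    }
    if ( ! in_array( $remote, $trusted_proxies, true ) ) {
        return $remote; // Direct connection: forwarded headers are ignored.
    }
    foreach ( array( 'HTTP_CF_CONNECTING_IP', 'HTTP_X_FORWARDED_FOR' ) as $key ) {
        // Proxies append to the chain, so walk it from the right and skip
        // our own proxies; the first remaining valid address is the client.
        $chain = array_reverse( explode( ',', (string) ( $server[ $key ] ?? '' ) ) );
        foreach ( $chain as $candidate ) {
            $candidate = trim( $candidate );
            if ( false === filter_var( $candidate, FILTER_VALIDATE_IP ) ) {
                break; // Malformed or empty hop: stop trusting this header.
            }
            if ( ! in_array( $candidate, $trusted_proxies, true ) ) {
                return $candidate;
            }
        }
    }
    return $remote;
}

/** Keyed hash of the binary address, so stored entries never hold the raw IP. */
function example_hash_ip( string $ip, string $secret ): string {
    return hash_hmac( 'sha256', inet_pton( $ip ) ?: $ip, $secret );
}

// Constructed sample request: the peer is a listed proxy, the first hop is bogus.
$sample = array(
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => 'not-an-ip, 198.51.100.7, 203.0.113.10',
);
$ip = example_resolve_client_ip( $sample, array( '203.0.113.10' ) );
echo $ip, ' ', example_hash_ip( $ip, 'constructed-secret' ), PHP_EOL;
```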

= 2.5.3 =
* Hardened output escaping in the upgrade comparison table (per-cell if/else instead of conditional echo expressions)
* Field renderer attribute output split into separate echo statements with explicit per-line phpcs annotations

= 2.5.2 =
* Security: added nonce verification to the entry-detail admin screen before marking an entry as read (prevents CSRF state changes via crafted GET URLs)
* Compliance: removed the Plugin URI header (no broken external link in the directory listing)
* Compliance: contributor list now includes the WordPress.org account that owns the plugin
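
The nonce check described in the 2.5.2 security entry, shown as an unprotected handler beside a protected one. This is an added example, not the plugin's own code: the `example_*` names, the `example_entries` table, the query arguments and the `manage_options` capability are assumptions.

```php
<?php
// Added illustration; every example_* name, the table and the capability
// are hypothetical and not taken from the plugin.

function example_mark_entry_read( int $entry_id ): void {
    global $wpdb;
    $wpdb->update(
        $wpdb->prefix . 'example_entries',
        array( 'is_read' => 1 ),
        array( 'id' => $entry_id ),
        array( '%d' ),
        array( '%d' )
    );
}

// Before: opening the screen changes state for any GET request that carries
// an administrator's cookies, including one triggered from another site.
function example_entry_detail_unprotected(): void {
    if ( isset( $_GET['entry_id'] ) ) {
        example_mark_entry_read( absint( $_GET['entry_id'] ) );
    }
}

// After: capability check plus a nonce bound to this entry and this user.
function example_entry_detail_protected(): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }
    $entry_id = isset( $_GET['entry_id'] ) ? absint( $_GET['entry_id'] ) : 0;
    // Stops the request unless _wpnonce matches the action for this entry.
    check_admin_referer( 'example_read_entry_' . $entry_id );
    example_mark_entry_read( $entry_id );
}

// The list table must emit links that already carry the matching nonce.
function example_entry_link( int $entry_id ): string {
    $url = add_query_arg(
        array( 'page' => 'example-entries', 'entry_id' => $entry_id ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'example_read_entry_' . $entry_id );
}
```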

= 2.5.1 =
* Security: recursive sanitization for all JSON-decoded administrator inputs (logic, conditions, visible_fields, import payloads)
* Security: all REST endpoints use a custom permission callback with rate limiting (no `__return_true`)
* Compliance: removed `load_plugin_textdomain()` call (WordPress 4.6+ auto-loads translations)
* Compliance: every PHP file with executable code starts with an `ABSPATH` direct-access guard
* Compliance: file/path resolution uses `plugin_dir_path()`, `plugin_dir_url()` and `wp_upload_dir()` only (no hardcoded `site_url()` → `ABSPATH` string replacements)
* Documentation: External Services section expanded with per-service data flow, destination and provider information
* Documentation: clarification that the free plugin contains no license server calls or telemetry of any kind

= 2.5 =
* Security: replaced permissive permission callbacks with nonce validation and IP rate limiting on all REST endpoints
* Improved: inline scripts and styles replaced with properly enqueued assets via `wp_enqueue_script()` / `wp_add_inline_script()`
* Improved: all administrator-facing output properly escaped via `esc_html()`, `esc_attr()` and `esc_url()`
* Plugin version constant updated throughout
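
A REST permission callback combining nonce validation with IP rate limiting, as described in the 2.5 and 2.5.1 entries, with a counter that keeps its expiry as mentioned in 2.5.6. This is an added example, not the plugin's own code: the `example/v1` route, the `example_*` names and the limits are assumptions, and the counter uses transients with a stored window end rather than the direct `wp_options` update the changelog refers to.

```php
<?php
// Added illustration: the example/v1 route, the example_* names and the
// limits (10 requests per 60 seconds) are hypothetical.

/**
 * Fixed-window counter that keeps the original expiry when it increments:
 * the window end is stored beside the count and every write re-sets the
 * transient with the time that is left, not a fresh full TTL.
 * Read-then-write is not atomic, so bursts can be slightly undercounted.
 */
function example_rate_limit_ok( string $client_key, int $max = 10, int $window = 60 ): bool {
    $name  = 'example_rl_' . $client_key;
    $now   = time();
    $state = get_transient( $name );
    if ( ! is_array( $state ) || $state['until'] <= $now ) {
        $state = array( 'count' => 0, 'until' => $now + $window );
    }
    $state['count']++;
    set_transient( $name, $state, max( 1, $state['until'] - $now ) );
    return $state['count'] <= $max;
}

function example_permission_check( WP_REST_Request $request ) {
    // Rate-limit first, so repeated nonce failures are throttled as well.
    $ip  = filter_var( $_SERVER['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP ) ?: 'unknown';
    $key = substr( hash_hmac( 'sha256', $ip, wp_salt() ), 0, 32 ); // No raw IP stored.
    if ( ! example_rate_limit_ok( $key ) ) {
        return new WP_Error( 'example_rate_limited', 'Too many requests.', array( 'status' => 429 ) );
    }
    $nonce = (string) $request->get_header( 'X-WP-Nonce' );
    if ( ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        return new WP_Error( 'example_bad_nonce', 'Invalid or expired nonce.', array( 'status' => 403 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/submit', array(
        'methods'             => 'POST',
        'permission_callback' => 'example_permission_check', // Never __return_true.
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( array( 'received' => true ) );
        },
    ) );
} );
```

For logged-out visitors the `wp_rest` nonce is shared by all anonymous sessions, so it guards against cross-site request forgery but does not authenticate the sender; the rate limit is what bounds abuse of a public route.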

= 2.4 =
* Split save button: Save as Draft vs Publish in form editor
* Toast notifications redesigned (fixed full-width banner bug)
* Delete form action fixed (double event handler removed)

== Upgrade Notice ==

= 2.5.7 =
Minor maintenance release. No functional changes. Safe to skip if you are already on 2.5.6.

= 2.5.6 =
Two more Plugin Check Tool compliance fixes (radio-card label escaping, rate-limit query annotation). Recommended for all installations.

= 2.5.5 =
Compliance pass for the WordPress.org Plugin Check Tool: translators comments, `wp_rand()`, `wp_safe_redirect()`, escape-hardening, and gated debug logging. Recommended for all installations.

= 2.5.4 =
Critical fix: form submissions now work in the free version (the REST submit route was previously only present in the Pro edition). Strongly recommended.

= 2.5.3 =
Minor escape-hardening for two admin templates. Recommended for all installations.

= 2.5.2 =
Security and compliance update: nonce check on the entry-detail screen to block CSRF state changes, removed invalid Plugin URI header, and contributor list updated. Recommended for all installations.

= 2.5.1 =
Compliance and documentation update for the WordPress.org plugin directory. Expands the External Services section with per-service detail and adds recursive sanitization to all JSON-decoded administrator inputs. Recommended for all installations.

= 2.5 =
Security update -- REST API endpoints now validate nonces and apply IP rate limiting. Update recommended for all installations.
