PBJ Form Builder Changelog (v1.2.0): Stripe Payments and Security Hardening
PBJ Form Builder is our self-hosted form plugin: unlimited forms with custom fields, dropped anywhere via shortcode, with optional payments through Stripe, Square, or PayPal. Anti-bot protection is built in — math CAPTCHA, honeypot, time-trap, and per-IP rate limiting — with no Google reCAPTCHA anywhere. Here’s the version history.
Version 1.2.0
- Stripe gateway. Stripe.js Elements card field in the browser with a server-side PaymentIntents charge. Test vs live is decided by which keys you enter — no environment toggle to forget.
- Buyer receipt emails. Paid submissions email the buyer a receipt (fields, amount, transaction ID, gateway) with a configurable subject; replies go to the admin notification address.
- Richer admin emails — amount, transaction ID, and gateway on paid submissions, with Reply-To set to the buyer.
- Security hardening: proxy IP headers (CF-Connecting-IP/X-Forwarded-For) are no longer trusted by default; math-CAPTCHA tokens are single-use and bound to the form; Square and Stripe charges are idempotent so a retried submission can never double-charge; PayPal order creation is rate-limited; and field keys that would collide with the plugin’s own inputs are auto-prefixed.
- Time-trap hardening — a missing render timestamp is now rejected instead of skipping the check.
- Non-JS feedback — visitors without JavaScript now see the success or error message rendered server-side.
- Paid-but-unsaved alerting — if a payment captures but the submission row fails to save, the plugin logs a critical line and emails the admin the transaction details for recovery.
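The token checks named in the security-hardening and time-trap items above, as an added PHP 8 example that is not the plugin's own code. The token layout, the CaptchaToken class, its in-memory nonce list and the age limits are all assumptions made for illustration.

```php
<?php
// Added example (PHP 8+), not PBJ Form Builder's code. Token layout, class
// name and age limits are assumptions made for illustration.
final class CaptchaToken
{
    /** Spent nonces. Stand-in for a persistent store with expiry (assumption). */
    private array $spent = [];
    public function __construct(
        private string $key,
        private int $minAge = 3,     // time-trap: seconds a human needs to fill the form
        private int $maxAge = 3600   // tokens older than this are expired
    ) {}

    /** Token = formId.renderTime.nonce.HMAC(answer) + HMAC over all of it. */
    public function issue(int $formId, int $answer, int $now): string
    {
        $nonce = bin2hex(random_bytes(8));
        $ansMac = hash_hmac('sha256', "$nonce:$answer", $this->key);
        $body = "$formId.$now.$nonce.$ansMac";
        return $body . '.' . hash_hmac('sha256', $body, $this->key);
    }

    public function verify(string $token, int $formId, string $answer, int $now): string
    {
        // A missing token means a missing render timestamp: reject, never skip.
        $p = explode('.', $token);
        if (count($p) !== 5) return 'malformed';
        [$fid, $ts, $nonce, $ansMac, $sig] = $p;
        $body = "$fid.$ts.$nonce.$ansMac";
        if (!hash_equals(hash_hmac('sha256', $body, $this->key), $sig)) return 'bad-signature';
        if ((int) $fid !== $formId) return 'wrong-form';   // bound to one form
        $age = $now - (int) $ts;
        if ($age < $this->minAge) return 'too-fast';
        if ($age > $this->maxAge) return 'expired';
        if (isset($this->spent[$nonce])) return 'replayed';
        $this->spent[$nonce] = true;   // burned on first use, right or wrong
        $want = hash_hmac('sha256', "$nonce:" . trim($answer), $this->key);
        return hash_equals($want, $ansMac) ? 'ok' : 'wrong-answer';
    }
}

// Constructed demo: form 12, challenge "3 + 4", rendered at t=1000.
$c = new CaptchaToken('constructed-demo-key');
$t = $c->issue(12, 7, 1000);
$cases = [[$t, 12, '7', 1001], [$t, 34, '7', 1010], [$t, 12, '7', 1010],
          [$t, 12, '7', 1011], ['', 12, '7', 1010]];
foreach ($cases as $case) {
    echo $c->verify(...$case), "\n";
}
```

With a shared store, the spent-nonce lookup and write have to be a single atomic operation, otherwise two parallel requests carrying the same token can both pass.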
Version 1.1.1
- The shortcode now also resolves by exact title, e.g.. Like slug, the title survives a Studio→Live clone, so the shortcode keeps resolving after a sync.
Version 1.1.0
- The shortcode accepts a slug attribute, e.g.. Slugs survive a Studio→Live clone (numeric post IDs do not), so slug-based shortcodes keep resolving after a sync. The numeric id attribute still works.
Version 1.0.0
- Initial release: forms custom post type with shortcode renderer and field repeater builder.
- Standard field types (text, email, phone, URL, number, date, paragraph, dropdown, radio, checkbox, consent, hidden) plus a custom field type.
- Built-in anti-bot stack: math CAPTCHA (HMAC-signed, works on cached pages), honeypot, time-trap, and per-IP rate limit.
- Square Web Payments SDK integration with server-side charge, and PayPal Smart Buttons with server-side capture and amount verification.
- Submission storage with its own admin list and detail view, plus optional admin email notification.
- Update URI header and self-hosted updater for in-place upgrades, with settings schema versioning and idempotent migrations.
July 4, 2026