PBJ Form Builder Changelog (v1.2.0): Stripe Payments and Security Hardening

PBJ Form Builder is our self-hosted form plugin: unlimited forms with custom fields, dropped anywhere via shortcode, with optional payments through Stripe, Square, or PayPal. Anti-bot protection is built in — math CAPTCHA, honeypot, time-trap, and per-IP rate limiting — with no Google reCAPTCHA anywhere. Here’s the version history.

Version 1.2.0

  • Stripe gateway. Stripe.js Elements card field in the browser with a server-side PaymentIntents charge. Test vs live is decided by which keys you enter — no environment toggle to forget.
  • Buyer receipt emails. Paid submissions email the buyer a receipt (fields, amount, transaction ID, gateway) with a configurable subject; replies go to the admin notification address.
  • Richer admin emails — amount, transaction ID, and gateway on paid submissions, with Reply-To set to the buyer.
  • Security hardening: proxy IP headers (CF-Connecting-IP / X-Forwarded-For) are no longer trusted by default; math-CAPTCHA tokens are single-use and bound to the form; Square and Stripe charges are idempotent so a retried submission can never double-charge; PayPal order creation is rate-limited; and field keys that would collide with the plugin’s own inputs are auto-prefixed.
  • Time-trap hardening — a missing render timestamp is now rejected instead of skipping the check.
  • Non-JS feedback — visitors without JavaScript now see the success or error message rendered server-side.
  • Paid-but-unsaved alerting — if a payment captures but the submission row fails to save, the plugin logs a critical line and emails the admin the transaction details for recovery.
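
One way the form-bound, single-use CAPTCHA token and the fail-closed time-trap from this release can fit together, as an added PHP example that is not PBJ Form Builder's own code. The token layout, function names, thresholds, and the in-memory `$used` store are all assumptions.

```php
<?php
// Added example: every name and constant here is hypothetical.
const DEMO_SECRET = 'constructed-demo-secret'; // constructed; use a random per-site key
const MIN_FILL_SECONDS = 3;     // assumed time-trap threshold
const MAX_AGE_SECONDS  = 3600;  // assumed token lifetime

// The expected answer is only ever present inside the MAC, never in the page.
function issue_token(int $formId, int $a, int $b, int $now): string {
    $payload = $formId . '|' . $now . '|' . bin2hex(random_bytes(8));
    return $payload . '|' . hash_hmac('sha256', $payload . '|' . ($a + $b), DEMO_SECRET);
}

// $used stands in for a server-side store of spent nonces.
function verify_token(?string $token, int $formId, string $answer, int $now, array &$used): string {
    $parts = explode('|', (string) $token);
    if (count($parts) !== 4) return 'reject: malformed token';
    [$tokenForm, $ts, $nonce, $mac] = $parts;
    // Fail closed: an absent or non-numeric render timestamp is a rejection, not a skipped check.
    if (!ctype_digit($ts)) return 'reject: missing timestamp';
    $answer = trim($answer);
    if (!ctype_digit($answer)) return 'reject: bad answer';
    // Form ID, timestamp and nonce are all covered by the MAC, so none can be swapped.
    $expected = hash_hmac('sha256', "$tokenForm|$ts|$nonce|$answer", DEMO_SECRET);
    if (!hash_equals($expected, $mac)) return 'reject: bad signature or answer';
    if ($tokenForm !== (string) $formId) return 'reject: token issued for another form';
    $age = $now - (int) $ts;
    if ($age < MIN_FILL_SECONDS) return 'reject: submitted too fast';
    if ($age > MAX_AGE_SECONDS) return 'reject: expired';
    if (isset($used[$nonce])) return 'reject: token already used';
    $used[$nonce] = true; // spend the nonce only once every other check has passed
    return 'accept';
}

// Constructed demo: form 12 shows "3 + 4", rendered at t=1000.
$used = [];
$token = issue_token(12, 3, 4, 1000);
echo verify_token($token, 12, '7', 1010, $used), "\n"; // first submission
echo verify_token($token, 12, '7', 1011, $used), "\n"; // same token submitted again
echo verify_token(issue_token(12, 3, 4, 1000), 34, '7', 1010, $used), "\n"; // posted to form 34
echo verify_token('12||abcd|00', 12, '7', 1010, $used), "\n"; // timestamp field left empty
```

In a real deployment the spent-nonce store has to be shared across requests and should expire entries once the token lifetime has passed.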

Version 1.1.1

  • The shortcode now also resolves by exact title, e.g.
    . Like slug, the title survives a Studio→Live clone, so the shortcode keeps resolving after a sync.

Version 1.1.0

  • The shortcode accepts a slug attribute, e.g.
    . Slugs survive a Studio→Live clone (numeric post IDs do not), so slug-based shortcodes keep resolving after a sync. The numeric id attribute still works.

Version 1.0.0

  • Initial release: forms custom post type with shortcode renderer and field repeater builder.
  • Standard field types (text, email, phone, URL, number, date, paragraph, dropdown, radio, checkbox, consent, hidden) plus a custom field type.
  • Built-in anti-bot stack: math CAPTCHA (HMAC-signed, works on cached pages), honeypot, time-trap, and per-IP rate limit.
  • Square Web Payments SDK integration with server-side charge, and PayPal Smart Buttons with server-side capture and amount verification.
  • Submission storage with its own admin list and detail view, plus optional admin email notification.
  • Update URI header and self-hosted updater for in-place upgrades, with settings schema versioning and idempotent migrations.
July 4, 2026
