Sync master from upstream

README.md

@@ -4,11 +4,11 @@
 **Requires at least:** 6.4  
 **Tested up to:** 7.0  
 **Requires PHP:** 7.4  
-**Stable tag:** 2.11.1  
+**Stable tag:** 2.12.0  
 **License:** GPLv2 or later  
 **License URI:** http://www.gnu.org/licenses/gpl-2.0.html  
 
-AI WordPress form builder. Create contact forms, payment forms, surveys, quizzes & multi-step forms — drag & drop, no code.
+SureForms is an AI-powered WordPress form builder for creating contact forms, payment forms, surveys, quizzes, and multi-step forms without code.
 
 ## Description ##
 
@@ -458,17 +458,19 @@ Yes. SureForms Business includes fully functional user registration forms and lo
 You can report security issues through our [Bug Bounty Program](https://brainstormforce.com/bug-bounty-program/). We collaborate with Patchstack to provide opportunities for researchers to report vulnerabilities. The Patchstack team will help validate, triage, and handle any reported security issues.
 
 ## Changelog ##
+### 2.12.0 - 24th June 2026 ###
+* New: Added action hooks around payment success, cancellation, and refund events so plugins such as SureMembers, LMS, and CRMs can grant or revoke access for both Stripe and PayPal.
+* Fix: Cancel Subscription now routes through the correct payment gateway so PayPal subscriptions cancel properly instead of always calling Stripe.
+* Fix: Forms with multiple Cloudflare Turnstile widgets now submit correctly instead of silently failing with a generic error.
+* Fix: Resolved an issue where the Stripe Payment Element failed to render on live accounts that have Bacs Direct Debit, Link, Cash App, or BNPL enabled.
+* Fix: Restored the form editor on WordPress 6.x sites running plugins that register older-style blocks such as ThirstyAffiliates, Ninja Forms, and Gravity Forms.
 ### 2.11.1 - 16th June 2026 ###
 * Fix: Phone field auto country detection always resolved to the United States.
 * Fix: Corrected the Cloudflare Turnstile "Get Keys" link.
 * Fix: This update addressed a security bug. Props to Yaswanth Reddy Sunkara for reporting it responsibly to our team.
 ### 2.11.0 - 10th June 2026 ###
 * New: Added a Form Migrator to import forms from Contact Form 7, WPForms, Gravity Forms, and Ninja Forms in a single click.
 * New: Added native WPML support to translate each form individually using String Packages.
-### 2.10.1 - 1st June 2026 ###
-* Improvement: Improved compatibility with older Block API versions so the SureForms editor loads reliably across WordPress environments.
-* Fix: Resolved an issue where the Textarea character counter was misaligned.
-* Fix: Resolved an issue where the {entry_id} smart tag failed to resolve in email notifications.
 The full changelog is available [here](https://sureforms.com/whats-new/?utm_source=wordpress.org&utm_medium=whats_new).
 
 ## Upgrade Notice ##

admin/admin.php

@@ -1639,7 +1639,7 @@ public function display_srfm_rating_notice() {
 				'message'                    => $this->build_notice_markup(
 					esc_html__( 'Amazing! SureForms is powering your forms and submissions - let\'s keep growing together!', 'sureforms' ),
 					esc_html__( 'If SureForms has been helpful, would you mind taking a moment to leave a 5-star review on WordPress.org?', 'sureforms' ),
-					esc_url( 'https://wordpress.org/support/plugin/sureforms/reviews/?filter=5#new-post' ),
+					esc_url( 'https://wordpress.org/support/plugin/sureforms/reviews/' ),
 					esc_html__( 'Rate SureForms', 'sureforms' ),
 					esc_html__( 'Maybe later', 'sureforms' ),
 					esc_html__( 'I already did', 'sureforms' ),

assets/js/stripe-payment.js

@@ -283,6 +283,15 @@ class StripePayment {
 		// Add type-specific configuration
 		if ( paymentType === 'one-time' ) {
 			elementsConfig.captureMethod = 'manual';
+			// Manual capture is incompatible with some account-enabled payment methods
+			// (e.g. Bacs Direct Debit, Link, Cash App, BNPL). When any of those are enabled,
+			// Stripe rejects the deferred elements/sessions request with HTTP 400 and the
+			// Payment Element fails to render — which is why the card field does not load in
+			// live mode while test mode (card-only) works. Scope the element to card so only
+			// capture-compatible methods are offered. Apple Pay / Google Pay still appear
+			// (they are surfaced through `card`); the methods dropped here could never be used
+			// with manual capture anyway, so no working checkout is lost.
+			elementsConfig.paymentMethodTypes = [ 'card' ];
 		}
 
 		// Create and mount payment element

assets/js/unminified/form-submit.js

@@ -137,7 +137,12 @@ function initializeFormHandlers() {
 					'button.srfm-custom-button'
 				);
 
-				if ( hasHiddenClass && ! isCustomButton ) {
+				// Check if the custom button is hidden by conditional logic.
+				const isCustomButtonHidden = isCustomButton
+					?.closest( '.srfm-custom-button-ctn' )
+					?.classList.contains( 'hide-element' );
+
+				if ( hasHiddenClass && ( ! isCustomButton || isCustomButtonHidden ) ) {
 					console.warn(
 						'Form submission is disabled because the submit button is hidden.'
 					);

assets/js/unminified/validation.js

@@ -1226,9 +1226,22 @@ export const handleCaptchaValidation = (
 	} else if ( !! hCaptchaDiv ) {
 		captchaResponse = hcaptcha.getResponse();
 	} else if ( !! turnstileDiv ) {
-		captchaResponse = turnstile.getResponse();
+		// `turnstile.getResponse()` without a widget id is unreliable when more
+		// than one Turnstile widget is rendered on the page — it can return
+		// `undefined`, which previously threw a TypeError on `.length` below and
+		// surfaced as a generic "An error occurred while submitting your form".
+		// Read the token from the hidden response field scoped to THIS form's
+		// widget, falling back to the global getResponse() for safety.
+		const turnstileResponseField = turnstileDiv.querySelector(
+			'[name="cf-turnstile-response"]'
+		);
+		captchaResponse =
+			turnstileResponseField?.value || turnstile.getResponse();
 	}
-	const isValid = captchaResponse.length > 0;
+	// Guard against captcha libraries returning `undefined` (e.g. multiple
+	// widgets on the page) so a missing token shows the captcha error instead
+	// of throwing and failing the whole submission silently.
+	const isValid = ( captchaResponse || '' ).length > 0;
 	captchaErrorElement.style.display = isValid ? 'none' : 'block';
 
 	return isValid;

inc/abilities/abilities-registrar.php

@@ -84,6 +84,9 @@ class_exists( 'WP\MCP\Plugin' ) &&
 	 * @return void
 	 */
 	public function register_mcp_server( $adapter ) {
+		// wp_get_abilities() is a WP 6.9+ Abilities API function. This method is only hooked
+		// when mcp_adapter_enabled() is true, which itself requires function_exists( 'wp_register_ability' ),
+		// so it is inert on WP 6.4-6.8. Plugin Check's static WP-version check reports a false positive here.
 		$abilities = wp_get_abilities();
 		$tools     = [];
 
@@ -122,6 +125,9 @@ public function register_mcp_server( $adapter ) {
 	 * @return void
 	 */
 	public function register_category() {
+		// wp_has_ability_category() / wp_register_ability_category() are WP 6.9+ Abilities API
+		// functions, each called only behind its own function_exists() guard, so they are inert
+		// on WP 6.4-6.8. Plugin Check's static WP-version check reports false positives here.
 		if ( function_exists( 'wp_has_ability_category' ) && wp_has_ability_category( 'sureforms' ) ) {
 			return;
 		}
@@ -198,6 +204,9 @@ public function register_abilities() {
 			}
 
 			// Skip abilities already registered by zipwp-mcp.
+			// wp_has_ability() is a WP 6.9+ Abilities API function, called only behind its
+			// function_exists() guard, so it is inert on WP 6.4-6.8. Plugin Check's static
+			// WP-version check reports a false positive here.
 			if ( function_exists( 'wp_has_ability' ) && wp_has_ability( $ability->get_id() ) ) {
 				continue;
 			}

inc/abilities/abstract-ability.php

@@ -222,6 +222,10 @@ public function register() {
 
 		$annotations = $this->get_annotations();
 
+		// wp_register_ability() is a WP 6.9+ Abilities API function. It is only reached
+		// after the function_exists() guard above (and via the wp_abilities_api_init hook),
+		// so it is inert on WP 6.4-6.8. Plugin Check's static WP-version check cannot see the
+		// runtime guard, so it reports a false positive here.
 		wp_register_ability(
 			$this->id,
 			[

inc/abilities/forms/list-forms.php

@@ -183,7 +183,7 @@ private function get_entry_counts( array $form_ids ) {
 		$table_name   = $wpdb->prefix . 'srfm_entries';
 		$placeholders = implode( ',', array_fill( 0, count( $form_ids ), '%d' ) );
 
-		// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching -- Batch query to avoid N+1; results are not cached as they reflect real-time entry counts.
+		// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter -- Batch query to avoid N+1; table name from $wpdb->prefix and placeholders from array_fill() (not user input); results not cached as they reflect real-time entry counts.
 		$results = $wpdb->get_results(
 			$wpdb->prepare(
 				// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare -- Table name and placeholders are constructed from $wpdb->prefix and array_fill(), not user input.

inc/admin-ajax.php

@@ -184,7 +184,7 @@ public function generate_data_for_suretriggers_integration() {
 
 		// Translators: %s: Form ID.
 		$form_name = ! empty( $form->post_title ) ? $form->post_title : sprintf( __( 'SureForms id: %s', 'sureforms' ), $form_id );
-		$api_url   = apply_filters( 'suretriggers_get_iframe_url', SRFM_SURETRIGGERS_INTEGRATION_BASE_URL );
+		$api_url   = apply_filters( 'suretriggers_get_iframe_url', SRFM_SURETRIGGERS_INTEGRATION_BASE_URL ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound -- SureTriggers' own filter; the name must match SureTriggers exactly to integrate.
 
 		// This is the format of data required by SureTriggers for adding iframe in target id.
 		$body = [
@@ -451,10 +451,10 @@ public function download_export_file() {
 		}
 
 		// Output the file.
-		readfile( $filepath ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_read_readfile -- Need direct file output for download.
+		readfile( $filepath ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_read_readfile, WordPress.WP.AlternativeFunctions.file_system_operations_readfile -- Direct file output is required to stream the download.
 
 		// Clean up the temporary file.
-		unlink( $filepath );
+		wp_delete_file( $filepath );
 
 		exit;
 	}

inc/compatibility/multilingual/providers/wpml-provider.php

@@ -15,6 +15,8 @@
 	exit; // Exit if accessed directly.
 }
 
+// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound -- This adapter exists solely to call WPML's own hooks (wpml_*); their names must match WPML exactly to integrate.
+
 /**
  * WPML_Provider.
  *

inc/database/tables/entries.php

@@ -513,7 +513,7 @@ public static function has_duplicate_field_value( $form_id, $field_key, $field_v
 		$table_name = self::get_instance()->get_tablename();
 		$json_path  = '$."' . $field_key . '"';
 
-		// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching -- One-off existence check; caching not beneficial for uniqueness validation.
+		// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, PluginCheck.Security.DirectDB.UnescapedDBParameter -- One-off existence check; table name from get_tablename() (not user input); caching not beneficial for uniqueness validation.
 		$exists = $wpdb->get_var(
 			$wpdb->prepare(
 				"SELECT 1 FROM {$table_name} WHERE form_id = %d AND status != 'trash' AND JSON_UNQUOTE(JSON_EXTRACT(form_data, %s)) = %s LIMIT 1", // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- Table name is internally generated.

inc/database/tables/payments.php

@@ -1126,7 +1126,7 @@ public static function get_all_main_payments( $args = [], $set_limit = true ) {
 			$query = $wpdb->prepare( $query, $params );
 		}
 
-		// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared -- Custom table query with dynamic preparation, caching not applicable for dynamic queries.
+		// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter -- Custom table query with dynamic preparation; table name internal, not user input; caching not applicable for dynamic queries.
 		$results = $wpdb->get_results( $query, ARRAY_A );
 
 		return is_array( $results ) ? $results : [];
@@ -1183,7 +1183,7 @@ public static function get_total_main_payments_by_status( $status = 'all', $form
 			$query = $wpdb->prepare( $query, $params );
 		}
 
-		// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared -- Custom table query with dynamic preparation, caching not applicable for count operations.
+		// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter -- Custom table query with dynamic preparation; table name internal, not user input; caching not applicable for count operations.
 		$result = $wpdb->get_var( $query );
 
 		return absint( $result );

inc/entries.php

@@ -358,7 +358,7 @@ public static function export_entries( $args = [] ) {
 			$csv_filepath = $temp_dir . $csv_filename;
 
 			if ( file_exists( $csv_filepath ) ) {
-				unlink( $csv_filepath );
+				wp_delete_file( $csv_filepath );
 			}
 
 			$stream = fopen( $csv_filepath, 'wb' ); // phpcs:ignore -- Using fopen to decrease the memory use.
@@ -399,7 +399,7 @@ public static function export_entries( $args = [] ) {
 			// Clean up CSV files.
 			foreach ( $csv_files as $csv_file ) {
 				if ( file_exists( $csv_file ) ) {
-					unlink( $csv_file );
+					wp_delete_file( $csv_file );
 				}
 			}
 

inc/fields/inlinebutton-markup.php

@@ -208,7 +208,8 @@ public function markup() {
 				if ( 'cf-turnstile' === $this->captcha_security_type ) {
 					if ( ! empty( $this->cf_turnstile_site_key ) ) {
 						// Cloudflare Turnstile script.
-						wp_enqueue_script( // phpcs:ignore WordPress.WP.EnqueuedResourceParameters.MissingVersion
+						// phpcs:disable WordPress.WP.EnqueuedResourceParameters.MissingVersion, PluginCheck.CodeAnalysis.EnqueuedResourceOffloading.OffloadedContent -- Cloudflare Turnstile must be loaded from Cloudflare's servers for token verification; the version is controlled by Cloudflare.
+						wp_enqueue_script(
 							SRFM_SLUG . '-cf-turnstile',
 							'https://challenges.cloudflare.com/turnstile/v0/api.js',
 							[],
@@ -218,13 +219,14 @@ public function markup() {
 								'defer' => true,
 							]
 						);
+						// phpcs:enable WordPress.WP.EnqueuedResourceParameters.MissingVersion, PluginCheck.CodeAnalysis.EnqueuedResourceOffloading.OffloadedContent
 					} else {
 						Helper::render_missing_sitekey_error( 'Cloudflare Turnstile' );
 					}
 				}
 				if ( 'hcaptcha' === $this->captcha_security_type ) {
 					if ( ! empty( $this->hcaptcha_site_key ) ) {
-						wp_enqueue_script( 'hcaptcha', 'https://js.hcaptcha.com/1/api.js', [], null, [ 'strategy' => 'defer' ] ); // phpcs:ignore WordPress.WP.EnqueuedResourceParameters.MissingVersion
+						wp_enqueue_script( 'hcaptcha', 'https://js.hcaptcha.com/1/api.js', [], null, [ 'strategy' => 'defer' ] ); // phpcs:ignore WordPress.WP.EnqueuedResourceParameters.MissingVersion, PluginCheck.CodeAnalysis.EnqueuedResourceOffloading.OffloadedContent -- hCaptcha must be loaded from hCaptcha's servers for token verification; the version is controlled by hCaptcha.
 					} else {
 						Helper::render_missing_sitekey_error( 'HCaptcha' );
 					}

inc/form-submit.php

@@ -1310,7 +1310,7 @@ protected function is_known_language( string $language ): bool {
 		// Use WPML's filter when available — works regardless of which
 		// multilingual plugin is the active provider, as Polylang implements
 		// the same filter for compatibility.
-		$active = apply_filters( 'wpml_active_languages', null, 'skip_missing=0' );
+		$active = apply_filters( 'wpml_active_languages', null, 'skip_missing=0' ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound -- WPML's own filter; the name must match WPML/Polylang exactly to integrate.
 		if ( is_array( $active ) && ! empty( $active ) ) {
 			return array_key_exists( $language, $active );
 		}