Modal Survey – Wordpress Poll Survey & Quiz Plugin Version History
14 versions available
2 Credits
per install
Subscribe to connect and install
v2.0.2.2.5
LatestVerified Safe
Released 6.2 MB
Fixed
Fixed critical regression where saving an existing survey deleted all its questions permanently. The save handler now validates the incoming question JSON before deleting existing data; if the payload is invalid the save is aborted with an error instead of wiping the survey.
Fixed question and answer text being partially stripped on save. sanitize_text_field() (which removes HTML tags) was replaced with wp_kses_post() for question and answer content, preserving HTML formatting in quiz questions and answer labels.
Fixed incorrect number_format call in survey_answers average-score path; third argument was the decimal count instead of the decimal separator, producing garbled output.
Fixed undefined variable warnings in survey_open_answers, survey_records, and survey_compare_chart shortcode handlers when results are absent or labels/sessions are not set.
end-content email timing so chartless PDFs are no longer sent prematurely; final emails are sent after chart capture is ready.
chart capture/render timing so PDF attachments receive actual chart images consistently.
PDF embedding of chart images (base64 handling, temp image lifecycle, and rendering behavior).
Other
2.0.2.2.4 - Security Release (2026-06-27)
Security Fixes (internal audit):
Critical: Added current_user_can('manage_options') capability check to manual plugin updater; previously any WP user could trigger a plugin overwrite.
Critical: Removed print_r($this->temp_path) debug statement disclosing the absolute server filesystem path on the Update admin page.
Critical: Added version downgrade protection to manual updater; uploading an older plugin version is now rejected.
Security: Added esc_html() around version strings and esc_html() around changelog content read from uploaded ZIP in the updater.
Security: Changed throw_error() to use wp_kses_post() instead of raw echo.
Security: Added ['allowed_classes' => false] + is_array() guard to all unserialize() calls on participant .custom field data in settings_participants.php, settings.php (send_admin_email, send_autoresponse), and all four export modules (csv, xls, txt, xml).
Security: Added wp_verify_nonce() CSRF protection to all three participant delete operations (delete_samesession, delete_incomplete, bulk delete_participants).
Added
selecting a font now displays a sample of the font name rendered in the chosen typeface directly below the selector.
client-side canvas snapshot capture: survey result charts are now captured as base64 PNG data before mail/PDF generation begins.
Improved
completion-mail flow reliability after participant form submission.
survey completion flow to separate lightweight answer saving from mail/PDF finalization, reducing timeout risk for large exports.
modal_survey.js to track pending completion mail state and conditionally defer mail sending until after chart rendering completes.
modal_s
Removed
duplicate chart output in personal PDFs and disabled unnecessary global-chart duplication in that flow.
Critical: Added current_user_can('manage_options') capability check to manual plugin updater; previously any WP user could trigger a plugin overwrite.
Critical: Removed print_r($this->temp_path) debug statement disclosing the absolute server filesystem path on the Update admin page.
Critical: Added version downgrade protection to manual updater; uploading an older plugin version is now rejected.
Security: Added esc_html() around version strings and esc_html() around changelog content read from uploaded ZIP in the updater.
Security: Changed throw_error() to use wp_kses_post() instead of raw echo.
v2.0.2.2.3
Verified Safe
Released 6.2 MB
Other
Security & Bug Fixes:
Critical: Fixed logic bug where assignment operator was used instead of equality check for survey style detection, causing all surveys to incorrectly use the 'click' branch.
Critical: Fixed path traversal vulnerability in campaign module loader; allowed module names are now strictly whitelisted.
Critical: Sanitized cookie-sourced survey_viewed arrays with absint() before use in SQL IN clauses to prevent injection via crafted cookie values.
Security: All plugin cookies (ms-uid, ms-session, modal_survey) now set secure=is_ssl() and httponly=true, including legacy fallback setcookie() calls.
Security: Replaced insecure mt_rand()-based session ID generation with cryptographically secure bin2hex(random_bytes(16)).
v2.0.2.2.0
File unavailableVerified Safe
Released 6.2 MB
Other
Completion Flow & PDF Export Improvements:
Implemented new `finalize` AJAX endpoint in settings.php to trigger mail and PDF exports after charts have been fully rendered on the client.
Enhanced front-end chart initialization with MutationObserver fallback to handle late-injected markup and delayed script loading gracefully.
Result charts in generated PDFs now display the exact chart rendered to the user, eliminating missing or placeholder images.
Documentation & Compatibility:
Split completion request into two lightweight phases, improving reliability on servers with stricter timeout limits.
Security: Escaped survey name with esc_html() in settings_savedforms.php survey title output.
Security: Wrapped all custom-field configuration properties ($cf->id, $cf->name, $cf->warning, $cf->minlength, $cf->position) with esc_attr() in the survey editor.
Security: Replaced plugin_dir_path() server path disclosure in import error message with a safe relative path.
2.0.2.2.3
Security & Bug Fixes:
Critical: Fixed logic bug where assignment operator was used instead of equality check for survey style detection, causing all surveys to incorrectly use the 'click' branch.
Critical: Fixed path traversal vulnerability in campaign module loader; allowed module names are now strictly whitelisted.
Critical: Sanitized cookie-sourced survey_viewed arrays with absint() before use in SQL IN clauses to prevent injection via crafted cookie values.
Security: All plugin cookies (ms-uid, ms-session, modal_survey) now set secure=is_ssl() and httponly=true, including legacy fallback setcookie() calls.
Security: Replaced insecure mt_rand()-based session ID generation with cryptographically secure bin2hex(random_bytes(16)).
Security: Escaped featured image URL with esc_url() in Open Graph meta output.
Security: Fixed unsanitized direct $_COOKIE['ms-uid'] access in ajax_survey_back; now uses sanitize_text_field/wp_unslash with isset guard.
Security: Reduced export directory permissions from 0777 to 0755.
2.0.2.2.2
2.0.2.2.1
Hardened backend chart-payload validation to accept only real image data, not empty JSON placeholders.
Cleaned up temporary debug instrumentation after verification.
2.0.2.2.0
Completion Flow & PDF Export Improvements:
Implemented new `finalize` AJAX endpoint in settings.php to trigger mail and PDF exports after charts have been fully rendered on the client.
Enhanced front-end chart initialization with MutationObserver fallback to handle late-injected markup and delayed script loading gracefully.
Security: Added ['allowed_classes' => false] + is_array() guard to all unserialize() calls on participant .custom field data in settings_participants.php, settings.php (send_admin_email, send_autoresponse), and all four export modules (csv, xls, txt, xml).
Security: Added wp_verify_nonce() CSRF protection to all three participant delete operations (delete_samesession, delete_incomplete, bulk delete_participants).
Security: Escaped survey name with esc_html() in settings_savedforms.php survey title output.
Security: Wrapped all custom-field configuration properties ($cf->id, $cf->name, $cf->warning, $cf->minlength, $cf->position) with esc_attr() in the survey editor.
Security: Replaced plugin_dir_path() server path disclosure in import error message with a safe relative path.
2.0.2.2.3
Security & Bug Fixes:
Critical: Fixed logic bug where assignment operator was used instead of equality check for survey style detection, causing all surveys to incorrectly use the 'click' branch.
Critical: Fixed path traversal vulnerability in campaign module loader; allowed module names are now strictly whitelisted.
Critical: Sanitized cookie-sourced survey_viewed arrays with absint() before use in SQL IN clauses to prevent injection via crafted cookie values.
Security: All plugin cookies (ms-uid, ms-session, modal_survey) now set secure=is_ssl() and httponly=true, including legacy fallback setcookie() calls.
Security: Replaced insecure mt_rand()-based session ID generation with cryptographically secure bin2hex(random_bytes(16)).
Security: Escaped featured image URL with esc_url() in Open Graph meta output.
Security: Fixed unsanitized direct $_COOKIE['ms-uid'] access in ajax_survey_back; now uses sanitize_text_field/wp_unslash with isset guard.
Security: Reduced export directory permissions from 0777 to 0755.
2.0.2.2.2
2.0.2.2.1
Hardened backend chart-payload validation to accept only real image data, not empty JSON placeholders.
Cleaned up temporary debug instrumentation after verification.
2.0.2.2.0
Completion Flow & PDF Export Improvements:
Implemented new `finalize` AJAX endpoint in settings.php to trigger mail and PDF exports after charts have been fully rendered on the client.
Enhanced front-end chart initialization with MutationObserver fallback to handle late-injected markup and delayed script loading gracefully.
Result charts in generated PDFs now display the exact chart rendered to the user, eliminating missing or placeholder images.
Documentation & Compatibility:
Split completion request into two lightweight phases, improving reliability on servers with stricter timeout limits.
Chart images are now properly embedded in PDF exports by capturing rendered Chart.js canvases on the client side.
Bootstrap logic for answer charts is now resilient
Fixed
Fixed incorrect number_format call in survey_answers average-score path; third argument was the decimal count instead of the decimal separator, producing garbled output.
Fixed undefined variable warnings in survey_open_answers, survey_records, and survey_compare_chart shortcode handlers when results are absent or labels/sessions are not set.
end-content email timing so chartless PDFs are no longer sent prematurely; final emails are sent after chart capture is ready.
chart capture/render timing so PDF attachments receive actual chart images consistently.
PDF embedding of chart images (base64 handling, temp image lifecycle, and rendering behavior).
Added
selecting a font now displays a sample of the font name rendered in the chosen typeface directly below the selector.
client-side canvas snapshot capture: survey result charts are now captured as base64 PNG data before mail/PDF generation begins.
Improved
completion-mail flow reliability after participant form submission.
survey completion flow to separate lightweight answer saving from mail/PDF finalization, reducing timeout risk for large exports.
modal_survey.js to track pending completion mail state and conditionally defer mail sending until after chart rendering completes.
modal_survey_answer.js with `window.ModalSurveyCaptureChartData()` helper to extract chart canvases as base64 payloads for PDF embedding.
Removed
duplicate chart output in personal PDFs and disabled unnecessary global-chart duplication in that flow.
Security: Escaped featured image URL with esc_url() in Open Graph meta output.
Security: Fixed unsanitized direct $_COOKIE['ms-uid'] access in ajax_survey_back; now uses sanitize_text_field/wp_unslash with isset guard.
Security: Reduced export directory permissions from 0777 to 0755.
Fixed
Fixed incorrect number_format call in survey_answers average-score path; third argument was the decimal count instead of the decimal separator, producing garbled output.
Fixed undefined variable warnings in survey_open_answers, survey_records, and survey_compare_chart shortcode handlers when results are absent or labels/sessions are not set.