Changeset 3433818

Timestamp:

01/06/2026 05:21:52 PM (6 weeks ago)

Author:

rnzo

Message:

Update strongly recommended - improved security and UI

Location:

contact-form-7-mailchimp-extension

Files:

• tags/0.9.68/assets/js/chimpmatic-lite.js (modified) (5 diffs)
• tags/0.9.68/assets/js/chimpmatic.js (modified) (9 diffs)
• tags/0.9.68/lib/activate.php (modified) (1 diff)
• tags/0.9.68/lib/class-cmatic-api-panel.php (modified) (3 diffs)
• tags/0.9.68/lib/class-cmatic-audiences.php (modified) (2 diffs)
• tags/0.9.68/lib/class-cmatic-plugin-links.php (modified) (2 diffs)
• tags/0.9.68/lib/class-cmatic-pursuit.php (modified) (2 diffs)
• tags/0.9.68/lib/enqueue.php (modified) (1 diff)
• tags/0.9.68/lib/handler.php (modified) (12 diffs)
• tags/0.9.68/lib/rest-api.php (modified) (13 diffs)
• tags/0.9.68/lib/tools.php (modified) (3 diffs)
• trunk/assets/js/chimpmatic-lite.js (modified) (5 diffs)
• trunk/assets/js/chimpmatic.js (modified) (9 diffs)
• trunk/lib/activate.php (modified) (1 diff)
• trunk/lib/class-cmatic-api-panel.php (modified) (3 diffs)
• trunk/lib/class-cmatic-audiences.php (modified) (2 diffs)
• trunk/lib/class-cmatic-plugin-links.php (modified) (2 diffs)
• trunk/lib/class-cmatic-pursuit.php (modified) (2 diffs)
• trunk/lib/enqueue.php (modified) (1 diff)
• trunk/lib/handler.php (modified) (12 diffs)
• trunk/lib/rest-api.php (modified) (13 diffs)
• trunk/lib/tools.php (modified) (3 diffs)

contact-form-7-mailchimp-extension/tags/0.9.68/assets/js/chimpmatic-lite.js

@@ -311 +311 @@
     }
 
+    /**
+     * Securely get the API key - fetches from REST endpoint if masked.
+     * This prevents sending masked values (with bullets) to the server.
+     * CVE-2025-68989 fix: API key no longer stored in data-real-key attribute.
+     */
+    async function getSecureApiKey(apiKeyInput, formId) {
+        const isMasked = apiKeyInput.dataset.isMasked === '1';
+        const hasKey = apiKeyInput.dataset.hasKey === '1';
+        const inputValue = apiKeyInput.value.trim();
+
+        // If not masked, the input contains the real key (user just typed/pasted it).
+        if (!isMasked) {
+            return inputValue;
+        }
+
+        // If masked but no key exists in DB, return empty.
+        if (!hasKey) {
+            return '';
+        }
+
+        // Masked with existing key - fetch the real key from secure endpoint.
+        try {
+            const response = await fetch(
+                `${chimpmaticLite.restUrl}api-key/${formId}`,
+                {
+                    method: 'GET',
+                    headers: {
+                        'X-WP-Nonce': chimpmaticLite.restNonce,
+                        'Content-Type': 'application/json'
+                    }
+                }
+            );
+
+            if (!response.ok) {
+                console.error('ChimpMatic: Failed to fetch API key');
+                return '';
+            }
+
+            const data = await response.json();
+            return data.api_key || '';
+        } catch (err) {
+            console.error('ChimpMatic: Error fetching API key', err);
+            return '';
+        }
+    }
+
     // Fetch Mailchimp Lists Button
     const fetchListsButton = document.getElementById('chm_activalist');
@@ -323 +369 @@
 
             const formId = getFormId();
-            const isMasked = apiKeyInput.dataset.isMasked === '1';
-            const apiKey = (isMasked && apiKeyInput.dataset.realKey) ? apiKeyInput.dataset.realKey : apiKeyInput.value.trim();
+            const apiKey = await getSecureApiKey(apiKeyInput, formId);
 
             if (!apiKey) {
@@ -1304 +1349 @@
 });
 
-// API Key Eye Toggle
+// API Key Eye Toggle (CVE-2025-68989 fix: fetch key via secure REST endpoint)
 document.addEventListener('DOMContentLoaded', function() {
     const eye = document.querySelector('.cmatic-eye');
@@ -1310 +1355 @@
     if (!eye || !input) return;
 
-    eye.addEventListener('click', function(e) {
+    // Cache for the fetched API key (only fetched once per page load).
+    let cachedRealKey = null;
+
+    eye.addEventListener('click', async function(e) {
         e.preventDefault();
         const icon = this.querySelector('.dashicons');
         const isMasked = input.dataset.isMasked === '1';
-
-        if (isMasked) {
-            input.value = input.dataset.realKey;
+        const hasKey = input.dataset.hasKey === '1';
+
+        if (isMasked && hasKey) {
+            // Show real key - fetch from secure endpoint if not cached.
+            if (!cachedRealKey) {
+                const formId = typeof chimpmaticLite !== 'undefined' ? chimpmaticLite.formId : 0;
+                if (!formId) {
+                    console.warn('ChimpMatic: No form ID available');
+                    return;
+                }
+
+                try {
+                    eye.style.opacity = '0.5';
+                    const response = await fetch(
+                        `${chimpmaticLite.restUrl}api-key/${formId}`,
+                        {
+                            method: 'GET',
+                            headers: {
+                                'X-WP-Nonce': chimpmaticLite.restNonce,
+                                'Content-Type': 'application/json'
+                            }
+                        }
+                    );
+
+                    if (!response.ok) {
+                        throw new Error('Failed to fetch API key');
+                    }
+
+                    const data = await response.json();
+                    cachedRealKey = data.api_key || '';
+                } catch (err) {
+                    console.error('ChimpMatic: Error fetching API key', err);
+                    eye.style.opacity = '1';
+                    return;
+                }
+                eye.style.opacity = '1';
+            }
+
+            input.value = cachedRealKey;
             input.dataset.isMasked = '0';
             icon.classList.remove('dashicons-visibility');
             icon.classList.add('dashicons-hidden');
         } else {
+            // Hide key - show masked version.
             input.value = input.dataset.maskedKey;
             input.dataset.isMasked = '1';
@@ -1330 +1415 @@
     const form = input.closest('form');
     if (form) {
-        form.addEventListener('submit', function() {
+        form.addEventListener('submit', async function(e) {
             const isMasked = input.dataset.isMasked === '1';
-            if (isMasked && input.dataset.realKey) {
-                input.value = input.dataset.realKey;
+            const hasKey = input.dataset.hasKey === '1';
+
+            // If masked and has existing key, restore real key for submission.
+            if (isMasked && hasKey) {
+                if (cachedRealKey) {
+                    input.value = cachedRealKey;
+                } else {
+                    // Need to fetch synchronously for form submit.
+                    const formId = typeof chimpmaticLite !== 'undefined' ? chimpmaticLite.formId : 0;
+                    if (formId) {
+                        e.preventDefault();
+                        try {
+                            const response = await fetch(
+                                `${chimpmaticLite.restUrl}api-key/${formId}`,
+                                {
+                                    method: 'GET',
+                                    headers: {
+                                        'X-WP-Nonce': chimpmaticLite.restNonce,
+                                        'Content-Type': 'application/json'
+                                    }
+                                }
+                            );
+
+                            if (response.ok) {
+                                const data = await response.json();
+                                cachedRealKey = data.api_key || '';
+                                input.value = cachedRealKey;
+                            }
+                        } catch (err) {
+                            console.error('ChimpMatic: Error fetching API key for submit', err);
+                        }
+                        // Re-submit the form.
+                        form.submit();
+                    }
+                }
             }
         });

contact-form-7-mailchimp-extension/tags/0.9.68/assets/js/chimpmatic.js

@@ -97 +97 @@
 }
 
-function getApiKey() {
+/**
+ * Securely get the API key - fetches from REST endpoint if masked.
+ * CVE-2025-68989 fix: API key no longer stored in data-real-key attribute.
+ * @returns {Promise<string>} The API key.
+ */
+async function getApiKey() {
     const apiInput = document.getElementById('cmatic-api');
     if (!apiInput) return '';
+
     const isMasked = apiInput.dataset.isMasked === '1';
-    return (isMasked && apiInput.dataset.realKey)
-        ? apiInput.dataset.realKey
-        : apiInput.value;
+    const hasKey = apiInput.dataset.hasKey === '1';
+    const inputValue = apiInput.value.trim();
+
+    // If not masked, the input contains the real key (user just typed/pasted it).
+    if (!isMasked) {
+        return inputValue;
+    }
+
+    // If masked but no key exists in DB, return empty.
+    if (!hasKey) {
+        return '';
+    }
+
+    // Masked with existing key - fetch the real key from secure endpoint.
+    const formId = getFormId();
+    if (!formId) return '';
+
+    try {
+        // Use Lite endpoint (works for both Lite and PRO).
+        const restUrl = typeof chimpmaticLite !== 'undefined'
+            ? chimpmaticLite.restUrl
+            : getRestUrl().replace('chimpmatic/v1/', 'chimpmatic-lite/v1/');
+        const nonce = typeof chimpmaticLite !== 'undefined'
+            ? chimpmaticLite.restNonce
+            : (typeof wpApiSettings !== 'undefined' ? wpApiSettings.nonce : '');
+
+        const response = await fetch(
+            `${restUrl}api-key/${formId}`,
+            {
+                method: 'GET',
+                headers: {
+                    'X-WP-Nonce': nonce,
+                    'Content-Type': 'application/json'
+                }
+            }
+        );
+
+        if (!response.ok) {
+            console.error('ChimpMatic: Failed to fetch API key');
+            return '';
+        }
+
+        const data = await response.json();
+        return data.api_key || '';
+    } catch (err) {
+        console.error('ChimpMatic: Error fetching API key', err);
+        return '';
+    }
 }
 
@@ -335 +386 @@
 
 // Fetch Your Fields and Groups
-document.addEventListener('click', function(event) {
+document.addEventListener('click', async function(event) {
     if (event.target && (event.target.id === 'chm_selgetcampos' || event.target.id === 'mce_fetch_fields')) {
         event.preventDefault();
@@ -346 +397 @@
             chm_idformxx: getFormId(),
             chm_listid: document.getElementById('wpcf7-mailchimp-list')?.value || '',
-            chimpapi: getApiKey()
+            chimpapi: await getApiKey()
         };
 
@@ -409 +460 @@
 
 // Load Groups
-document.addEventListener('click', function(event) {
+document.addEventListener('click', async function(event) {
     if (event.target && event.target.id === 'chm_activagroups') {
         event.preventDefault();
@@ -417 +468 @@
             chm_idformxx: getFormId(),
             chm_listid: document.getElementById('wpcf7-mailchimp-list')?.value || '',
-            chimpapi: getApiKey()
+            chimpapi: await getApiKey()
         };
 
@@ -444 +495 @@
 
 // Export Users
-document.addEventListener('click', function(event) {
+document.addEventListener('click', async function(event) {
     if (event.target && event.target.id === 'chm_userexport') {
         event.preventDefault();
@@ -463 +514 @@
             tool_key: document.getElementById('wpcf7-mailchimp-tool_key')?.value || '',
             chm_idformxx: getFormId(),
-            chimpapi: getApiKey(),
+            chimpapi: await getApiKey(),
             cadseluser: valuesChecked
         };
@@ -481 +532 @@
 
 // Get Interest (Groups - Arbitrary)
-document.addEventListener('change', function(event) {
+document.addEventListener('change', async function(event) {
     if (event.target && event.target.classList.contains('chimp-gg-arbirary')) {
         event.preventDefault();
@@ -494 +545 @@
             chm_idformxx: getFormId(),
             chm_listid: document.getElementById('wpcf7-mailchimp-list')?.value || '',
-            chimpapi: getApiKey(),
+            chimpapi: await getApiKey(),
             indtag: itag,
             ggid: ggKeyInput ? ggKeyInput.value : ''

contact-form-7-mailchimp-extension/tags/0.9.68/lib/activate.php

@@ -201 +201 @@
         if ( $file === 'contact-form-7-mailchimp-extension/chimpmatic-lite.php' ) {
 
-            $links[] = '<a href="' . MCE_URL . '" target="_blank" title="Chimpmatic Lite Documentation">Chimpmatic Documentation</a>';
+            $links[] = '<a href="' . esc_url( Cmatic_Pursuit::docs( '', 'plugin_row_meta' ) ) . '" target="_blank" title="Chimpmatic Lite Documentation">Chimpmatic Documentation</a>';
         }
         return $links;

contact-form-7-mailchimp-extension/tags/0.9.68/lib/class-cmatic-api-panel.php

@@ -9 +9 @@
 
 class Cmatic_Api_Panel {
-
-    /** @var string Help URL for API key instructions. */
-    const HELP_URL = '//chimpmatic.com/help/how-to-get-your-mailchimp-api-key';
 
     /** Mask an API key for display. */
@@ -33 +30 @@
         $btn_class = 'button';
 
-        $help_url = class_exists( 'Pursuit' )
-            ? Cmatic_Pursuit::docs( 'how-to-get-your-mailchimp-api-key', 'api_panel_help' )
-            : self::HELP_URL;
+        $help_url = Cmatic_Pursuit::docs( 'how-to-get-your-mailchimp-api-key', 'api_panel_help' );
 
         ?>
@@ -48 +43 @@
                 placeholder="<?php echo esc_attr__( 'Enter Your Mailchimp API key Here', 'chimpmatic-lite' ); ?>"
                 value="<?php echo esc_attr( $is_masked ? $masked_key : $api_key ); ?>"
-                data-real-key="<?php echo esc_attr( $api_key ); ?>"
                 data-masked-key="<?php echo esc_attr( $masked_key ); ?>"
                 data-is-masked="<?php echo $is_masked ? '1' : '0'; ?>"
+                data-has-key="<?php echo ! empty( $api_key ) ? '1' : '0'; ?>"
             />
             <button type="button" class="cmatic-eye" title="<?php echo esc_attr__( 'Show/Hide', 'chimpmatic-lite' ); ?>">

contact-form-7-mailchimp-extension/tags/0.9.68/lib/class-cmatic-audiences.php

@@ -10 +10 @@
 class Cmatic_Audiences {
 
-    /** @var string Help URL for list ID instructions. */
-    const HELP_URL = '//chimpmatic.com/help/how-to-get-your-mailchimp-api-key';
-
     /** Render the audiences panel. */
     public static function render( string $apivalid, ?array $listdata, array $cf7_mch ): void {
@@ -18 +15 @@
         $count = isset( $listdata['lists'] ) && is_array( $listdata['lists'] ) ? count( $listdata['lists'] ) : 0;
 
-        $help_url = class_exists( 'Pursuit' )
-            ? Cmatic_Pursuit::docs( 'how-to-get-your-mailchimp-api-key', 'audiences_help' )
-            : self::HELP_URL;
+        $help_url = Cmatic_Pursuit::docs( 'how-to-get-your-mailchimp-api-key', 'audiences_help' );
 
         $disclosure_class = ( '1' === $apivalid ) ? 'chmp-active' : 'chmp-inactive';

contact-form-7-mailchimp-extension/tags/0.9.68/lib/class-cmatic-plugin-links.php

@@ -10 +10 @@
 class Cmatic_Plugin_Links {
 
-    /** @var string Panel key for CF7 tab. */
     const PANEL_KEY = 'Chimpmatic';
-
-    /** @var string Documentation URL. */
-    const DOCS_URL = 'https://chimpmatic.com/help';
 
     /** Get the settings URL for the plugin. */
@@ -52 +48 @@
     }
 
-    /** Get the documentation link HTML. */
     public static function get_docs_link() {
         return sprintf(
             '<a href="%s" target="_blank" title="%s">%s</a>',
-            esc_url( self::DOCS_URL ),
+            esc_url( Cmatic_Pursuit::docs( '', 'plugins_page' ) ),
             esc_attr__( 'Chimpmatic Documentation', 'chimpmatic-lite' ),
             esc_html__( 'Docs', 'chimpmatic-lite' )

contact-form-7-mailchimp-extension/tags/0.9.68/lib/class-cmatic-pursuit.php

@@ -19 +19 @@
         'promo'   => 'https://chimpmatic.com/almost-there',
         'home'    => 'https://chimpmatic.com',
+        'author'  => 'https://renzojohnson.com',
     );
 
@@ -70 +71 @@
     }
 
+    public static function author( string $content = '' ): string {
+        return self::url( self::BASE_URLS['author'], 'plugin', $content, 'author' );
+    }
+
     public static function adminbar( string $destination, string $content = '' ): string {
         $base = self::BASE_URLS[ $destination ] ?? self::BASE_URLS['home'];

contact-form-7-mailchimp-extension/tags/0.9.68/lib/enqueue.php

@@ -138 +138 @@
             'nonce'           => wp_create_nonce( 'wp_rest' ),
             'pluginUrl'       => SPARTAN_MCE_PLUGIN_URL,
+            'formId'          => $form_id,
             'mergeFields'     => $merge_fields,
             'loggingEnabled'  => $logging_enabled,

contact-form-7-mailchimp-extension/tags/0.9.68/lib/handler.php

@@ -1 +1 @@
 <?php
-/**
- * Form submission handler.
- *
- * @package ChimpMatic_Lite
- */
 
 defined( 'ABSPATH' ) || exit;
@@ -21 +16 @@
 function cmatic_add_editor_panel( $panels ) {
     if ( defined( 'CMATIC_VERSION' ) ) {
+        return $panels;
+    }
+
+    $post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;
+    if ( ! current_user_can( 'wpcf7_edit_contact_form', $post_id ) ) {
         return $panels;
     }
@@ -60 +60 @@
     }
 
-    // CF7 verified nonce earlier; re-verification fails for new forms (nonce used post_ID=-1, form now has real ID).
-
-    // Send form_saved signal (blocking - must complete before save continues).
     if ( class_exists( 'Cmatic\\Metrics\\Core\\Sync' ) && class_exists( 'Cmatic\\Metrics\\Core\\Collector' ) ) {
         $payload = \Cmatic\Metrics\Core\Collector::collect( 'form_saved' );
@@ -87 +84 @@
         if ( isset( $posted_data[ $field ] ) ) {
             $sanitized_value = trim( sanitize_text_field( $posted_data[ $field ] ) );
-            // Only save non-empty values (skip empty/whitespace "Choose.." placeholder).
             if ( '' !== $sanitized_value ) {
                 $sanitized_settings[ $field ] = $sanitized_value;
@@ -143 +139 @@
     }
 
-    // Check global debug setting (from cmatic option structure)
     $logfile_enabled = (bool) mce_get_cmatic( 'debug', false );
     $logger          = new Cmatic_File_Logger( 'api-events', $logfile_enabled );
@@ -250 +245 @@
         $response_data = cmatic_call_api_put( $api_key, $url, $info );
 
-        // Check for API errors in response.
         $api_response = isset( $response_data[0] ) ? $response_data[0] : array();
 
-        // Log only the Mailchimp API response body, not the full HTTP response object.
         $logger->log( 'INFO', 'Mailchimp API Response.', $api_response );
 
-        // Check for WP_Error from cmatic_call_api_put (network failure).
         if ( false === $response_data[0] ) {
             $logger->log( 'ERROR', 'Network request failed.', array( 'response' => $response_data[1] ) );
             Cmatic_Submission_Feedback::set_result( Cmatic_Submission_Feedback::failure( 'network_error', '', $email ) );
         } elseif ( empty( $api_response ) ) {
-            // Empty response - likely invalid API key or server error.
             $logger->log( 'ERROR', 'Empty API response received.' );
             Cmatic_Submission_Feedback::set_result( Cmatic_Submission_Feedback::failure( 'api_error', 'Empty response from Mailchimp API.', $email ) );
@@ -269 +260 @@
                 $php_logger->log( 'ERROR', 'Mailchimp API Error received.', $error );
             }
-            // Set feedback for API error.
             Cmatic_Submission_Feedback::set_result( Cmatic_Submission_Feedback::parse_api_error( $api_response, $email ) );
         } elseif ( isset( $api_response['status'] ) && is_int( $api_response['status'] ) && $api_response['status'] >= 400 ) {
-            // HTTP error status in response body (e.g., 401 Unauthorized, 404 Not Found).
             Cmatic_Submission_Feedback::set_result( Cmatic_Submission_Feedback::parse_api_error( $api_response, $email ) );
         } elseif ( isset( $api_response['title'] ) && stripos( $api_response['title'], 'error' ) !== false ) {
-            // Response contains error title (some Mailchimp errors have title but no status code).
             Cmatic_Submission_Feedback::set_result( Cmatic_Submission_Feedback::parse_api_error( $api_response, $email ) );
         } else {
             mce_save_contador();
 
-            // Set success feedback with merge fields sent.
             Cmatic_Submission_Feedback::set_result( Cmatic_Submission_Feedback::success( $email, $status, $merge_vars, $api_response ) );
 
-            /**
-             * Fires after successful Mailchimp subscription.
-             *
-             * @param int    $form_id The CF7 form ID.
-             * @param string $email   The subscriber email address.
-             */
             do_action( 'cmatic_subscription_success', $form_id, $email );
         }
@@ -303 +284 @@
             return is_array( $submitted ) ? implode( ', ', $submitted ) : $submitted;
         }
-        return $matches[0]; // Return the tag itself if no value found
+        return $matches[0];
     }
     return $subject;
@@ -322 +303 @@
         <label for="wpcf7-mailchimp-list">
             <?php
-            /* translators: %d: number of Mailchimp audiences */
             printf( esc_html__( 'Total Mailchimp Audiences: %d', 'chimpmatic-lite' ), esc_html( $count ) );
             ?>
@@ -356 +336 @@
     $saved_value = isset( $cf7_mch[ $field_name ] ) ? trim( sanitize_text_field( $cf7_mch[ $field_name ] ) ) : '';
 
-    // Auto-select matching form field based on merge tag (fuzzy match).
     if ( '' === $saved_value && ! empty( $merge_tag ) ) {
         $merge_tag_lower = strtolower( $merge_tag );
         foreach ( $form_tags as $tag ) {
-            // Match by basetype for email, or by name containing the merge tag.
             if ( 'email' === $filter && ( 'email' === $tag['basetype'] || false !== strpos( strtolower( $tag['name'] ), 'email' ) ) ) {
                 $saved_value = '[' . $tag['name'] . ']';
@@ -384 +362 @@
                 continue;
             }
-            // Filter by field type when $filter is specified (fuzzy match for email).
             if ( 'email' === $filter ) {
                 $is_email_field = ( 'email' === $tag['basetype'] || false !== strpos( strtolower( $tag['name'] ), 'email' ) );
@@ -637 +614 @@
     }
 
-    // Use Cmatic_Pursuit::promo() which handles WP Engine's utm_* stripping via u_* prefix.
     $pursuit_addy = add_query_arg(
         array(

contact-form-7-mailchimp-extension/tags/0.9.68/lib/rest-api.php

@@ -1 +1 @@
 <?php
-/**
- * REST API endpoints.
- *
- * @package ChimpMatic_Lite
- */
-
 defined( 'ABSPATH' ) || exit;
 
@@ -16 +10 @@
             'methods'             => 'POST',
             'callback'            => 'cmatic_rest_get_lists',
-            'permission_callback' => 'cmatic_rest_permission_check',
+            'permission_callback' => 'cmatic_rest_api_key_permission_check',
             'args'                => array(
                 'form_id' => array(
@@ -139 +133 @@
             'methods'             => 'POST',
             'callback'            => 'cmatic_rest_get_merge_fields',
-            'permission_callback' => 'cmatic_rest_permission_check',
+            'permission_callback' => 'cmatic_rest_api_key_permission_check',
             'args'                => array(
                 'form_id' => array(
@@ -188 +182 @@
             'methods'             => 'POST',
             'callback'            => 'cmatic_rest_save_form_field',
-            'permission_callback' => 'cmatic_rest_permission_check',
+            'permission_callback' => 'cmatic_rest_api_key_permission_check',
             'args'                => array(
                 'form_id' => array(
@@ -207 +201 @@
         )
     );
+
+    register_rest_route(
+        'chimpmatic-lite/v1',
+        '/api-key/(?P<form_id>\d+)',
+        array(
+            'methods'             => 'GET',
+            'callback'            => 'cmatic_rest_get_api_key',
+            'permission_callback' => 'cmatic_rest_api_key_permission_check',
+            'args'                => array(
+                'form_id' => array(
+                    'required'          => true,
+                    'type'              => 'integer',
+                    'sanitize_callback' => 'absint',
+                    'validate_callback' => function ( $param ) {
+                        return is_numeric( $param ) && $param > 0;
+                    },
+                ),
+            ),
+        )
+    );
 }
 add_action( 'rest_api_init', 'cmatic_register_rest_routes' );
@@ -231 +245 @@
 }
 
+function cmatic_rest_api_key_permission_check( $request ) {
+    $form_id = $request->get_param( 'form_id' );
+
+    if ( ! current_user_can( 'wpcf7_edit_contact_form', $form_id ) ) {
+        return new WP_Error(
+            'rest_forbidden',
+            esc_html__( 'You do not have permission to access the API key.', 'chimpmatic-lite' ),
+            array( 'status' => 403 )
+        );
+    }
+
+    $nonce = $request->get_header( 'X-WP-Nonce' );
+    if ( ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
+        return new WP_Error(
+            'rest_cookie_invalid_nonce',
+            esc_html__( 'Cookie nonce is invalid.', 'chimpmatic-lite' ),
+            array( 'status' => 403 )
+        );
+    }
+
+    return true;
+}
+
 
 function cmatic_rest_get_lists( $request ) {
@@ -236 +273 @@
     $api_key = $request->get_param( 'api_key' );
 
-    // Track API setup funnel: Sync attempted
     if ( ! mce_get_cmatic( 'api.sync_attempted' ) ) {
-        // First time user clicks "Sync Audiences"
         mce_update_cmatic( 'api.sync_attempted', time() );
     }
-    // Increment sync attempts counter
     $current_count = (int) mce_get_cmatic( 'api.sync_attempts_count', 0 );
     mce_update_cmatic( 'api.sync_attempts_count', $current_count + 1 );
@@ -248 +282 @@
     $cf7_mch     = get_option( $option_name, array() );
 
-    // Defensive: ensure $cf7_mch is array (corrupt options can return empty string).
     if ( ! is_array( $cf7_mch ) ) {
         $cf7_mch = array();
     }
 
-    // Use global debug logger setting (not per-form)
     $logfile_enabled = (bool) get_option( CMATIC_LOG_OPTION, false );
 
@@ -331 +363 @@
             array(
                 'api'          => $api_key,
-                'merge_fields' => $merge_fields,  // Save formatted merge fields
+                'merge_fields' => $merge_fields,
             )
         );
         update_option( $option_name, $settings_to_save );
 
-        // Save lisdata globally for Signals (single source of truth, always freshest).
         if ( ! empty( $lists_result['lisdata'] ) ) {
             mce_update_cmatic( 'lisdata', $lists_result['lisdata'] );
@@ -436 +467 @@
             'enabled' => $enabled,
             'message' => $enabled
-                /* translators: %s: setting name */
                 ? sprintf( __( '%s enabled.', 'chimpmatic-lite' ), $label )
-                /* translators: %s: setting name */
                 : sprintf( __( '%s disabled.', 'chimpmatic-lite' ), $label ),
         )
@@ -478 +507 @@
             'enabled' => $enabled,
             'message' => $enabled
-                /* translators: %s: tag name */
                 ? sprintf( __( 'Tag [%s] enabled.', 'chimpmatic-lite' ), $tag )
-                /* translators: %s: tag name */
                 : sprintf( __( 'Tag [%s] disabled.', 'chimpmatic-lite' ), $tag ),
         )
@@ -548 +575 @@
         return new WP_Error(
             'invalid_field',
-            /* translators: %s: field name */
             sprintf( __( 'Field "%s" is not allowed.', 'chimpmatic-lite' ), $field ),
             array( 'status' => 400 )
@@ -984 +1010 @@
     );
 }
+
+function cmatic_rest_get_api_key( $request ) {
+    $form_id     = $request->get_param( 'form_id' );
+    $option_name = 'cf7_mch_' . $form_id;
+    $cf7_mch     = get_option( $option_name, array() );
+
+    if ( ! is_array( $cf7_mch ) ) {
+        $cf7_mch = array();
+    }
+
+    $api_key = isset( $cf7_mch['api'] ) ? $cf7_mch['api'] : '';
+
+    return rest_ensure_response(
+        array(
+            'success' => true,
+            'api_key' => $api_key,
+        )
+    );
+}

contact-form-7-mailchimp-extension/tags/0.9.68/lib/tools.php

@@ -20 +20 @@
 function mce_author() {
     $author_pre   = 'Contact form 7 Mailchimp extension by ';
-    $author_name  = 'Renzo Johnson';
-    $author_url   = '//renzojohnson.com';
     $author_title = 'Renzo Johnson - Web Developer';
+    $author_url   = Cmatic_Pursuit::author( 'backlink' );
 
     $mce_author  = '<p style="display: none !important">';
     $mce_author .= $author_pre;
-    $mce_author .= '<a href="' . $author_url . '" ';
-    $mce_author .= 'title="' . $author_title . '" ';
+    $mce_author .= '<a href="' . esc_url( $author_url ) . '" ';
+    $mce_author .= 'title="' . esc_attr( $author_title ) . '" ';
     $mce_author .= 'target="_blank">';
-    $mce_author .= '' . $author_title . '';
+    $mce_author .= esc_html( $author_title );
     $mce_author .= '</a>';
     $mce_author .= '</p>' . "\n";
@@ -65 +64 @@
 
 function mce_init_constants() {
-    define( 'MCE_URL', '//chimpmatic.com/help' );
-    define( 'MC_URL', '//chimpmatic.com/help' );
-    define( 'MCE_AUTH', '//renzojohnson.com' );
     define( 'MCE_AUTH_COMM', '<!-- Chimpmatic -->' );
     define( 'MCE_NAME', 'MailChimp Contact Form 7 Extension' );
     define( 'MCE_SETT', admin_url( 'admin.php?page=wpcf7' ) );
     define( 'MCE_DON', 'https://www.paypal.me/renzojohnson' );
-    define( 'CHIMPL_URL', '//chimpmatic.com' );
-    define( 'CHIMPHELP_URL', '//chimpmatic.com/help' );
 }
 add_action( 'init', 'mce_init_constants' );
@@ -172 +166 @@
 function mce_set_welcomebanner() {
     $default_panel = '<p class="about-description">Hello. My name is Renzo, I <span alt="f487" class="dashicons dashicons-heart red-icon"> </span> WordPress and I develop this free plugin to help users like you. I drink copious amounts of coffee to keep me running longer <span alt="f487" class="dashicons dashicons-smiley red-icon"> </span>. If you\'ve found this plugin useful, please consider making a donation.</p><br>
-      <p class="about-description">Would you like to <a class="button-primary" href="http://bit.ly/cafe4renzo" target="_blank">buy me a coffee?</a> or <a class="button-primary" href="http://bit.ly/cafe4renzo" target="_blank">Donate with Paypal</a></p>';
+      <p class="about-description">Would you like to <a class="button-primary" href="https://bit.ly/cafe4renzo" target="_blank">buy me a coffee?</a> or <a class="button-primary" href="https://bit.ly/cafe4renzo" target="_blank">Donate with Paypal</a></p>';
 
     $banner = get_site_option( 'mce_conten_panel_welcome', $default_panel );

contact-form-7-mailchimp-extension/trunk/assets/js/chimpmatic-lite.js

@@ -311 +311 @@
     }
 
+    /**
+     * Securely get the API key - fetches from REST endpoint if masked.
+     * This prevents sending masked values (with bullets) to the server.
+     * CVE-2025-68989 fix: API key no longer stored in data-real-key attribute.
+     */
+    async function getSecureApiKey(apiKeyInput, formId) {
+        const isMasked = apiKeyInput.dataset.isMasked === '1';
+        const hasKey = apiKeyInput.dataset.hasKey === '1';
+        const inputValue = apiKeyInput.value.trim();
+
+        // If not masked, the input contains the real key (user just typed/pasted it).
+        if (!isMasked) {
+            return inputValue;
+        }
+
+        // If masked but no key exists in DB, return empty.
+        if (!hasKey) {
+            return '';
+        }
+
+        // Masked with existing key - fetch the real key from secure endpoint.
+        try {
+            const response = await fetch(
+                `${chimpmaticLite.restUrl}api-key/${formId}`,
+                {
+                    method: 'GET',
+                    headers: {
+                        'X-WP-Nonce': chimpmaticLite.restNonce,
+                        'Content-Type': 'application/json'
+                    }
+                }
+            );
+
+            if (!response.ok) {
+                console.error('ChimpMatic: Failed to fetch API key');
+                return '';
+            }
+
+            const data = await response.json();
+            return data.api_key || '';
+        } catch (err) {
+            console.error('ChimpMatic: Error fetching API key', err);
+            return '';
+        }
+    }
+
     // Fetch Mailchimp Lists Button
     const fetchListsButton = document.getElementById('chm_activalist');
@@ -323 +369 @@
 
             const formId = getFormId();
-            const isMasked = apiKeyInput.dataset.isMasked === '1';
-            const apiKey = (isMasked && apiKeyInput.dataset.realKey) ? apiKeyInput.dataset.realKey : apiKeyInput.value.trim();
+            const apiKey = await getSecureApiKey(apiKeyInput, formId);
 
             if (!apiKey) {
@@ -1304 +1349 @@
 });
 
-// API Key Eye Toggle
+// API Key Eye Toggle (CVE-2025-68989 fix: fetch key via secure REST endpoint)
 document.addEventListener('DOMContentLoaded', function() {
     const eye = document.querySelector('.cmatic-eye');
@@ -1310 +1355 @@
     if (!eye || !input) return;
 
-    eye.addEventListener('click', function(e) {
+    // Cache for the fetched API key (only fetched once per page load).
+    let cachedRealKey = null;
+
+    eye.addEventListener('click', async function(e) {
         e.preventDefault();
         const icon = this.querySelector('.dashicons');
         const isMasked = input.dataset.isMasked === '1';
-
-        if (isMasked) {
-            input.value = input.dataset.realKey;
+        const hasKey = input.dataset.hasKey === '1';
+
+        if (isMasked && hasKey) {
+            // Show real key - fetch from secure endpoint if not cached.
+            if (!cachedRealKey) {
+                const formId = typeof chimpmaticLite !== 'undefined' ? chimpmaticLite.formId : 0;
+                if (!formId) {
+                    console.warn('ChimpMatic: No form ID available');
+                    return;
+                }
+
+                try {
+                    eye.style.opacity = '0.5';
+                    const response = await fetch(
+                        `${chimpmaticLite.restUrl}api-key/${formId}`,
+                        {
+                            method: 'GET',
+                            headers: {
+                                'X-WP-Nonce': chimpmaticLite.restNonce,
+                                'Content-Type': 'application/json'
+                            }
+                        }
+                    );
+
+                    if (!response.ok) {
+                        throw new Error('Failed to fetch API key');
+                    }
+
+                    const data = await response.json();
+                    cachedRealKey = data.api_key || '';
+                } catch (err) {
+                    console.error('ChimpMatic: Error fetching API key', err);
+                    eye.style.opacity = '1';
+                    return;
+                }
+                eye.style.opacity = '1';
+            }
+
+            input.value = cachedRealKey;
             input.dataset.isMasked = '0';
             icon.classList.remove('dashicons-visibility');
             icon.classList.add('dashicons-hidden');
         } else {
+            // Hide key - show masked version.
             input.value = input.dataset.maskedKey;
             input.dataset.isMasked = '1';
@@ -1330 +1415 @@
     const form = input.closest('form');
     if (form) {
-        form.addEventListener('submit', function() {
+        form.addEventListener('submit', async function(e) {
             const isMasked = input.dataset.isMasked === '1';
-            if (isMasked && input.dataset.realKey) {
-                input.value = input.dataset.realKey;
+            const hasKey = input.dataset.hasKey === '1';
+
+            // If masked and has existing key, restore real key for submission.
+            if (isMasked && hasKey) {
+                if (cachedRealKey) {
+                    input.value = cachedRealKey;
+                } else {
+                    // Need to fetch synchronously for form submit.
+                    const formId = typeof chimpmaticLite !== 'undefined' ? chimpmaticLite.formId : 0;
+                    if (formId) {
+                        e.preventDefault();
+                        try {
+                            const response = await fetch(
+                                `${chimpmaticLite.restUrl}api-key/${formId}`,
+                                {
+                                    method: 'GET',
+                                    headers: {
+                                        'X-WP-Nonce': chimpmaticLite.restNonce,
+                                        'Content-Type': 'application/json'
+                                    }
+                                }
+                            );
+
+                            if (response.ok) {
+                                const data = await response.json();
+                                cachedRealKey = data.api_key || '';
+                                input.value = cachedRealKey;
+                            }
+                        } catch (err) {
+                            console.error('ChimpMatic: Error fetching API key for submit', err);
+                        }
+                        // Re-submit the form.
+                        form.submit();
+                    }
+                }
             }
         });

contact-form-7-mailchimp-extension/trunk/assets/js/chimpmatic.js

@@ -97 +97 @@
 }
 
-function getApiKey() {
+/**
+ * Securely get the API key - fetches from REST endpoint if masked.
+ * CVE-2025-68989 fix: API key no longer stored in data-real-key attribute.
+ * @returns {Promise<string>} The API key.
+ */
+async function getApiKey() {
     const apiInput = document.getElementById('cmatic-api');
     if (!apiInput) return '';
+
     const isMasked = apiInput.dataset.isMasked === '1';
-    return (isMasked && apiInput.dataset.realKey)
-        ? apiInput.dataset.realKey
-        : apiInput.value;
+    const hasKey = apiInput.dataset.hasKey === '1';
+    const inputValue = apiInput.value.trim();
+
+    // If not masked, the input contains the real key (user just typed/pasted it).
+    if (!isMasked) {
+        return inputValue;
+    }
+
+    // If masked but no key exists in DB, return empty.
+    if (!hasKey) {
+        return '';
+    }
+
+    // Masked with existing key - fetch the real key from secure endpoint.
+    const formId = getFormId();
+    if (!formId) return '';
+
+    try {
+        // Use Lite endpoint (works for both Lite and PRO).
+        const restUrl = typeof chimpmaticLite !== 'undefined'
+            ? chimpmaticLite.restUrl
+            : getRestUrl().replace('chimpmatic/v1/', 'chimpmatic-lite/v1/');
+        const nonce = typeof chimpmaticLite !== 'undefined'
+            ? chimpmaticLite.restNonce
+            : (typeof wpApiSettings !== 'undefined' ? wpApiSettings.nonce : '');
+
+        const response = await fetch(
+            `${restUrl}api-key/${formId}`,
+            {
+                method: 'GET',
+                headers: {
+                    'X-WP-Nonce': nonce,
+                    'Content-Type': 'application/json'
+                }
+            }
+        );
+
+        if (!response.ok) {
+            console.error('ChimpMatic: Failed to fetch API key');
+            return '';
+        }
+
+        const data = await response.json();
+        return data.api_key || '';
+    } catch (err) {
+        console.error('ChimpMatic: Error fetching API key', err);
+        return '';
+    }
 }
 
@@ -335 +386 @@
 
 // Fetch Your Fields and Groups
-document.addEventListener('click', function(event) {
+document.addEventListener('click', async function(event) {
     if (event.target && (event.target.id === 'chm_selgetcampos' || event.target.id === 'mce_fetch_fields')) {
         event.preventDefault();
@@ -346 +397 @@
             chm_idformxx: getFormId(),
             chm_listid: document.getElementById('wpcf7-mailchimp-list')?.value || '',
-            chimpapi: getApiKey()
+            chimpapi: await getApiKey()
         };
 
@@ -409 +460 @@
 
 // Load Groups
-document.addEventListener('click', function(event) {
+document.addEventListener('click', async function(event) {
     if (event.target && event.target.id === 'chm_activagroups') {
         event.preventDefault();
@@ -417 +468 @@
             chm_idformxx: getFormId(),
             chm_listid: document.getElementById('wpcf7-mailchimp-list')?.value || '',
-            chimpapi: getApiKey()
+            chimpapi: await getApiKey()
         };
 
@@ -444 +495 @@
 
 // Export Users
-document.addEventListener('click', function(event) {
+document.addEventListener('click', async function(event) {
     if (event.target && event.target.id === 'chm_userexport') {
         event.preventDefault();
@@ -463 +514 @@
             tool_key: document.getElementById('wpcf7-mailchimp-tool_key')?.value || '',
             chm_idformxx: getFormId(),
-            chimpapi: getApiKey(),
+            chimpapi: await getApiKey(),
             cadseluser: valuesChecked
         };
@@ -481 +532 @@
 
 // Get Interest (Groups - Arbitrary)
-document.addEventListener('change', function(event) {
+document.addEventListener('change', async function(event) {
     if (event.target && event.target.classList.contains('chimp-gg-arbirary')) {
         event.preventDefault();
@@ -494 +545 @@
             chm_idformxx: getFormId(),
             chm_listid: document.getElementById('wpcf7-mailchimp-list')?.value || '',
-            chimpapi: getApiKey(),
+            chimpapi: await getApiKey(),
             indtag: itag,
             ggid: ggKeyInput ? ggKeyInput.value : ''

contact-form-7-mailchimp-extension/trunk/lib/activate.php

@@ -201 +201 @@
         if ( $file === 'contact-form-7-mailchimp-extension/chimpmatic-lite.php' ) {
 
-            $links[] = '<a href="' . MCE_URL . '" target="_blank" title="Chimpmatic Lite Documentation">Chimpmatic Documentation</a>';
+            $links[] = '<a href="' . esc_url( Cmatic_Pursuit::docs( '', 'plugin_row_meta' ) ) . '" target="_blank" title="Chimpmatic Lite Documentation">Chimpmatic Documentation</a>';
         }
         return $links;

contact-form-7-mailchimp-extension/trunk/lib/class-cmatic-api-panel.php

@@ -9 +9 @@
 
 class Cmatic_Api_Panel {
-
-    /** @var string Help URL for API key instructions. */
-    const HELP_URL = '//chimpmatic.com/help/how-to-get-your-mailchimp-api-key';
 
     /** Mask an API key for display. */
@@ -33 +30 @@
         $btn_class = 'button';
 
-        $help_url = class_exists( 'Pursuit' )
-            ? Cmatic_Pursuit::docs( 'how-to-get-your-mailchimp-api-key', 'api_panel_help' )
-            : self::HELP_URL;
+        $help_url = Cmatic_Pursuit::docs( 'how-to-get-your-mailchimp-api-key', 'api_panel_help' );
 
         ?>
@@ -48 +43 @@
                 placeholder="<?php echo esc_attr__( 'Enter Your Mailchimp API key Here', 'chimpmatic-lite' ); ?>"
                 value="<?php echo esc_attr( $is_masked ? $masked_key : $api_key ); ?>"
-                data-real-key="<?php echo esc_attr( $api_key ); ?>"
                 data-masked-key="<?php echo esc_attr( $masked_key ); ?>"
                 data-is-masked="<?php echo $is_masked ? '1' : '0'; ?>"
+                data-has-key="<?php echo ! empty( $api_key ) ? '1' : '0'; ?>"
             />
             <button type="button" class="cmatic-eye" title="<?php echo esc_attr__( 'Show/Hide', 'chimpmatic-lite' ); ?>">

contact-form-7-mailchimp-extension/trunk/lib/class-cmatic-audiences.php

@@ -10 +10 @@
 class Cmatic_Audiences {
 
-    /** @var string Help URL for list ID instructions. */
-    const HELP_URL = '//chimpmatic.com/help/how-to-get-your-mailchimp-api-key';
-
     /** Render the audiences panel. */
     public static function render( string $apivalid, ?array $listdata, array $cf7_mch ): void {
@@ -18 +15 @@
         $count = isset( $listdata['lists'] ) && is_array( $listdata['lists'] ) ? count( $listdata['lists'] ) : 0;
 
-        $help_url = class_exists( 'Pursuit' )
-            ? Cmatic_Pursuit::docs( 'how-to-get-your-mailchimp-api-key', 'audiences_help' )
-            : self::HELP_URL;
+        $help_url = Cmatic_Pursuit::docs( 'how-to-get-your-mailchimp-api-key', 'audiences_help' );
 
         $disclosure_class = ( '1' === $apivalid ) ? 'chmp-active' : 'chmp-inactive';

contact-form-7-mailchimp-extension/trunk/lib/class-cmatic-plugin-links.php

@@ -10 +10 @@
 class Cmatic_Plugin_Links {
 
-    /** @var string Panel key for CF7 tab. */
     const PANEL_KEY = 'Chimpmatic';
-
-    /** @var string Documentation URL. */
-    const DOCS_URL = 'https://chimpmatic.com/help';
 
     /** Get the settings URL for the plugin. */
@@ -52 +48 @@
     }
 
-    /** Get the documentation link HTML. */
     public static function get_docs_link() {
         return sprintf(
             '<a href="%s" target="_blank" title="%s">%s</a>',
-            esc_url( self::DOCS_URL ),
+            esc_url( Cmatic_Pursuit::docs( '', 'plugins_page' ) ),
             esc_attr__( 'Chimpmatic Documentation', 'chimpmatic-lite' ),
             esc_html__( 'Docs', 'chimpmatic-lite' )

contact-form-7-mailchimp-extension/trunk/lib/class-cmatic-pursuit.php

@@ -19 +19 @@
         'promo'   => 'https://chimpmatic.com/almost-there',
         'home'    => 'https://chimpmatic.com',
+        'author'  => 'https://renzojohnson.com',
     );
 
@@ -70 +71 @@
     }
 
+    public static function author( string $content = '' ): string {
+        return self::url( self::BASE_URLS['author'], 'plugin', $content, 'author' );
+    }
+
     public static function adminbar( string $destination, string $content = '' ): string {
         $base = self::BASE_URLS[ $destination ] ?? self::BASE_URLS['home'];

contact-form-7-mailchimp-extension/trunk/lib/enqueue.php

@@ -138 +138 @@
             'nonce'           => wp_create_nonce( 'wp_rest' ),
             'pluginUrl'       => SPARTAN_MCE_PLUGIN_URL,
+            'formId'          => $form_id,
             'mergeFields'     => $merge_fields,
             'loggingEnabled'  => $logging_enabled,

contact-form-7-mailchimp-extension/trunk/lib/handler.php

@@ -1 +1 @@
 <?php
-/**
- * Form submission handler.
- *
- * @package ChimpMatic_Lite
- */
 
 defined( 'ABSPATH' ) || exit;
@@ -21 +16 @@
 function cmatic_add_editor_panel( $panels ) {
     if ( defined( 'CMATIC_VERSION' ) ) {
+        return $panels;
+    }
+
+    $post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;
+    if ( ! current_user_can( 'wpcf7_edit_contact_form', $post_id ) ) {
         return $panels;
     }
@@ -60 +60 @@
     }
 
-    // CF7 verified nonce earlier; re-verification fails for new forms (nonce used post_ID=-1, form now has real ID).
-
-    // Send form_saved signal (blocking - must complete before save continues).
     if ( class_exists( 'Cmatic\\Metrics\\Core\\Sync' ) && class_exists( 'Cmatic\\Metrics\\Core\\Collector' ) ) {
         $payload = \Cmatic\Metrics\Core\Collector::collect( 'form_saved' );
@@ -87 +84 @@
         if ( isset( $posted_data[ $field ] ) ) {
             $sanitized_value = trim( sanitize_text_field( $posted_data[ $field ] ) );
-            // Only save non-empty values (skip empty/whitespace "Choose.." placeholder).
             if ( '' !== $sanitized_value ) {
                 $sanitized_settings[ $field ] = $sanitized_value;
@@ -143 +139 @@
     }
 
-    // Check global debug setting (from cmatic option structure)
     $logfile_enabled = (bool) mce_get_cmatic( 'debug', false );
     $logger          = new Cmatic_File_Logger( 'api-events', $logfile_enabled );
@@ -250 +245 @@
         $response_data = cmatic_call_api_put( $api_key, $url, $info );
 
-        // Check for API errors in response.
         $api_response = isset( $response_data[0] ) ? $response_data[0] : array();
 
-        // Log only the Mailchimp API response body, not the full HTTP response object.
         $logger->log( 'INFO', 'Mailchimp API Response.', $api_response );
 
-        // Check for WP_Error from cmatic_call_api_put (network failure).
         if ( false === $response_data[0] ) {
             $logger->log( 'ERROR', 'Network request failed.', array( 'response' => $response_data[1] ) );
             Cmatic_Submission_Feedback::set_result( Cmatic_Submission_Feedback::failure( 'network_error', '', $email ) );
         } elseif ( empty( $api_response ) ) {
-            // Empty response - likely invalid API key or server error.
             $logger->log( 'ERROR', 'Empty API response received.' );
             Cmatic_Submission_Feedback::set_result( Cmatic_Submission_Feedback::failure( 'api_error', 'Empty response from Mailchimp API.', $email ) );
@@ -269 +260 @@
                 $php_logger->log( 'ERROR', 'Mailchimp API Error received.', $error );
             }
-            // Set feedback for API error.
             Cmatic_Submission_Feedback::set_result( Cmatic_Submission_Feedback::parse_api_error( $api_response, $email ) );
         } elseif ( isset( $api_response['status'] ) && is_int( $api_response['status'] ) && $api_response['status'] >= 400 ) {
-            // HTTP error status in response body (e.g., 401 Unauthorized, 404 Not Found).
             Cmatic_Submission_Feedback::set_result( Cmatic_Submission_Feedback::parse_api_error( $api_response, $email ) );
         } elseif ( isset( $api_response['title'] ) && stripos( $api_response['title'], 'error' ) !== false ) {
-            // Response contains error title (some Mailchimp errors have title but no status code).
             Cmatic_Submission_Feedback::set_result( Cmatic_Submission_Feedback::parse_api_error( $api_response, $email ) );
         } else {
             mce_save_contador();
 
-            // Set success feedback with merge fields sent.
             Cmatic_Submission_Feedback::set_result( Cmatic_Submission_Feedback::success( $email, $status, $merge_vars, $api_response ) );
 
-            /**
-             * Fires after successful Mailchimp subscription.
-             *
-             * @param int    $form_id The CF7 form ID.
-             * @param string $email   The subscriber email address.
-             */
             do_action( 'cmatic_subscription_success', $form_id, $email );
         }
@@ -303 +284 @@
             return is_array( $submitted ) ? implode( ', ', $submitted ) : $submitted;
         }
-        return $matches[0]; // Return the tag itself if no value found
+        return $matches[0];
     }
     return $subject;
@@ -322 +303 @@
         <label for="wpcf7-mailchimp-list">
             <?php
-            /* translators: %d: number of Mailchimp audiences */
             printf( esc_html__( 'Total Mailchimp Audiences: %d', 'chimpmatic-lite' ), esc_html( $count ) );
             ?>
@@ -356 +336 @@
     $saved_value = isset( $cf7_mch[ $field_name ] ) ? trim( sanitize_text_field( $cf7_mch[ $field_name ] ) ) : '';
 
-    // Auto-select matching form field based on merge tag (fuzzy match).
     if ( '' === $saved_value && ! empty( $merge_tag ) ) {
         $merge_tag_lower = strtolower( $merge_tag );
         foreach ( $form_tags as $tag ) {
-            // Match by basetype for email, or by name containing the merge tag.
             if ( 'email' === $filter && ( 'email' === $tag['basetype'] || false !== strpos( strtolower( $tag['name'] ), 'email' ) ) ) {
                 $saved_value = '[' . $tag['name'] . ']';
@@ -384 +362 @@
                 continue;
             }
-            // Filter by field type when $filter is specified (fuzzy match for email).
             if ( 'email' === $filter ) {
                 $is_email_field = ( 'email' === $tag['basetype'] || false !== strpos( strtolower( $tag['name'] ), 'email' ) );
@@ -637 +614 @@
     }
 
-    // Use Cmatic_Pursuit::promo() which handles WP Engine's utm_* stripping via u_* prefix.
     $pursuit_addy = add_query_arg(
         array(

contact-form-7-mailchimp-extension/trunk/lib/rest-api.php

@@ -1 +1 @@
 <?php
-/**
- * REST API endpoints.
- *
- * @package ChimpMatic_Lite
- */
-
 defined( 'ABSPATH' ) || exit;
 
@@ -16 +10 @@
             'methods'             => 'POST',
             'callback'            => 'cmatic_rest_get_lists',
-            'permission_callback' => 'cmatic_rest_permission_check',
+            'permission_callback' => 'cmatic_rest_api_key_permission_check',
             'args'                => array(
                 'form_id' => array(
@@ -139 +133 @@
             'methods'             => 'POST',
             'callback'            => 'cmatic_rest_get_merge_fields',
-            'permission_callback' => 'cmatic_rest_permission_check',
+            'permission_callback' => 'cmatic_rest_api_key_permission_check',
             'args'                => array(
                 'form_id' => array(
@@ -188 +182 @@
             'methods'             => 'POST',
             'callback'            => 'cmatic_rest_save_form_field',
-            'permission_callback' => 'cmatic_rest_permission_check',
+            'permission_callback' => 'cmatic_rest_api_key_permission_check',
             'args'                => array(
                 'form_id' => array(
@@ -207 +201 @@
         )
     );
+
+    register_rest_route(
+        'chimpmatic-lite/v1',
+        '/api-key/(?P<form_id>\d+)',
+        array(
+            'methods'             => 'GET',
+            'callback'            => 'cmatic_rest_get_api_key',
+            'permission_callback' => 'cmatic_rest_api_key_permission_check',
+            'args'                => array(
+                'form_id' => array(
+                    'required'          => true,
+                    'type'              => 'integer',
+                    'sanitize_callback' => 'absint',
+                    'validate_callback' => function ( $param ) {
+                        return is_numeric( $param ) && $param > 0;
+                    },
+                ),
+            ),
+        )
+    );
 }
 add_action( 'rest_api_init', 'cmatic_register_rest_routes' );
@@ -231 +245 @@
 }
 
+function cmatic_rest_api_key_permission_check( $request ) {
+    $form_id = $request->get_param( 'form_id' );
+
+    if ( ! current_user_can( 'wpcf7_edit_contact_form', $form_id ) ) {
+        return new WP_Error(
+            'rest_forbidden',
+            esc_html__( 'You do not have permission to access the API key.', 'chimpmatic-lite' ),
+            array( 'status' => 403 )
+        );
+    }
+
+    $nonce = $request->get_header( 'X-WP-Nonce' );
+    if ( ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
+        return new WP_Error(
+            'rest_cookie_invalid_nonce',
+            esc_html__( 'Cookie nonce is invalid.', 'chimpmatic-lite' ),
+            array( 'status' => 403 )
+        );
+    }
+
+    return true;
+}
+
 
 function cmatic_rest_get_lists( $request ) {
@@ -236 +273 @@
     $api_key = $request->get_param( 'api_key' );
 
-    // Track API setup funnel: Sync attempted
     if ( ! mce_get_cmatic( 'api.sync_attempted' ) ) {
-        // First time user clicks "Sync Audiences"
         mce_update_cmatic( 'api.sync_attempted', time() );
     }
-    // Increment sync attempts counter
     $current_count = (int) mce_get_cmatic( 'api.sync_attempts_count', 0 );
     mce_update_cmatic( 'api.sync_attempts_count', $current_count + 1 );
@@ -248 +282 @@
     $cf7_mch     = get_option( $option_name, array() );
 
-    // Defensive: ensure $cf7_mch is array (corrupt options can return empty string).
     if ( ! is_array( $cf7_mch ) ) {
         $cf7_mch = array();
     }
 
-    // Use global debug logger setting (not per-form)
     $logfile_enabled = (bool) get_option( CMATIC_LOG_OPTION, false );
 
@@ -331 +363 @@
             array(
                 'api'          => $api_key,
-                'merge_fields' => $merge_fields,  // Save formatted merge fields
+                'merge_fields' => $merge_fields,
             )
         );
         update_option( $option_name, $settings_to_save );
 
-        // Save lisdata globally for Signals (single source of truth, always freshest).
         if ( ! empty( $lists_result['lisdata'] ) ) {
             mce_update_cmatic( 'lisdata', $lists_result['lisdata'] );
@@ -436 +467 @@
             'enabled' => $enabled,
             'message' => $enabled
-                /* translators: %s: setting name */
                 ? sprintf( __( '%s enabled.', 'chimpmatic-lite' ), $label )
-                /* translators: %s: setting name */
                 : sprintf( __( '%s disabled.', 'chimpmatic-lite' ), $label ),
         )
@@ -478 +507 @@
             'enabled' => $enabled,
             'message' => $enabled
-                /* translators: %s: tag name */
                 ? sprintf( __( 'Tag [%s] enabled.', 'chimpmatic-lite' ), $tag )
-                /* translators: %s: tag name */
                 : sprintf( __( 'Tag [%s] disabled.', 'chimpmatic-lite' ), $tag ),
         )
@@ -548 +575 @@
         return new WP_Error(
             'invalid_field',
-            /* translators: %s: field name */
             sprintf( __( 'Field "%s" is not allowed.', 'chimpmatic-lite' ), $field ),
             array( 'status' => 400 )
@@ -984 +1010 @@
     );
 }
+
+function cmatic_rest_get_api_key( $request ) {
+    $form_id     = $request->get_param( 'form_id' );
+    $option_name = 'cf7_mch_' . $form_id;
+    $cf7_mch     = get_option( $option_name, array() );
+
+    if ( ! is_array( $cf7_mch ) ) {
+        $cf7_mch = array();
+    }
+
+    $api_key = isset( $cf7_mch['api'] ) ? $cf7_mch['api'] : '';
+
+    return rest_ensure_response(
+        array(
+            'success' => true,
+            'api_key' => $api_key,
+        )
+    );
+}

contact-form-7-mailchimp-extension/trunk/lib/tools.php

@@ -20 +20 @@
 function mce_author() {
     $author_pre   = 'Contact form 7 Mailchimp extension by ';
-    $author_name  = 'Renzo Johnson';
-    $author_url   = '//renzojohnson.com';
     $author_title = 'Renzo Johnson - Web Developer';
+    $author_url   = Cmatic_Pursuit::author( 'backlink' );
 
     $mce_author  = '<p style="display: none !important">';
     $mce_author .= $author_pre;
-    $mce_author .= '<a href="' . $author_url . '" ';
-    $mce_author .= 'title="' . $author_title . '" ';
+    $mce_author .= '<a href="' . esc_url( $author_url ) . '" ';
+    $mce_author .= 'title="' . esc_attr( $author_title ) . '" ';
     $mce_author .= 'target="_blank">';
-    $mce_author .= '' . $author_title . '';
+    $mce_author .= esc_html( $author_title );
     $mce_author .= '</a>';
     $mce_author .= '</p>' . "\n";
@@ -65 +64 @@
 
 function mce_init_constants() {
-    define( 'MCE_URL', '//chimpmatic.com/help' );
-    define( 'MC_URL', '//chimpmatic.com/help' );
-    define( 'MCE_AUTH', '//renzojohnson.com' );
     define( 'MCE_AUTH_COMM', '<!-- Chimpmatic -->' );
     define( 'MCE_NAME', 'MailChimp Contact Form 7 Extension' );
     define( 'MCE_SETT', admin_url( 'admin.php?page=wpcf7' ) );
     define( 'MCE_DON', 'https://www.paypal.me/renzojohnson' );
-    define( 'CHIMPL_URL', '//chimpmatic.com' );
-    define( 'CHIMPHELP_URL', '//chimpmatic.com/help' );
 }
 add_action( 'init', 'mce_init_constants' );
@@ -172 +166 @@
 function mce_set_welcomebanner() {
     $default_panel = '<p class="about-description">Hello. My name is Renzo, I <span alt="f487" class="dashicons dashicons-heart red-icon"> </span> WordPress and I develop this free plugin to help users like you. I drink copious amounts of coffee to keep me running longer <span alt="f487" class="dashicons dashicons-smiley red-icon"> </span>. If you\'ve found this plugin useful, please consider making a donation.</p><br>
-      <p class="about-description">Would you like to <a class="button-primary" href="http://bit.ly/cafe4renzo" target="_blank">buy me a coffee?</a> or <a class="button-primary" href="http://bit.ly/cafe4renzo" target="_blank">Donate with Paypal</a></p>';
+      <p class="about-description">Would you like to <a class="button-primary" href="https://bit.ly/cafe4renzo" target="_blank">buy me a coffee?</a> or <a class="button-primary" href="https://bit.ly/cafe4renzo" target="_blank">Donate with Paypal</a></p>';
 
     $banner = get_site_option( 'mce_conten_panel_welcome', $default_panel );