Caldera Forms 1.6.0

An image of a beautiful Caldera full of crystal blue water

Caldera Forms 1.6 includes new features, bug fixes and fixes for minor security issues. Please note: Caldera Forms 1.6 begins a process of dropping support for PHP versions that no longer have security support. Details below.

New Features

  • Support for Caldera Forms Pro Enhanced Anti-spam
  • Support for multiple checkboxes to be selected by default, using a filter.
  • Caldera Forms Pro advanced anti-spam.
  • Freemius insights integration.
  • PHP Warnings

Bugs Fixed

  • Updated Parsely validation library to 2.8.1
  • Improved: Made reply-to/from labels in main mailer more accurately reflect how Caldera Forms Pro works, when Caldera Forms Pro is being used.
  • Fixed: Work around that was previously in place for WooCommerce nonce validation when items are in cart is now updated to work again.
  • Fixed: Breadcrumbs on multi-page forms disappeared when form was submitted, but did not complete the submission.
  • Fixed: Multi-page forms not advancing with empty, non-required number fields.
  • Fixed: Field sync was not recovering when fields were hidden by conditional logic.
  • Fixed: CC and BCC fields not passing to Caldera Forms Pro properly.
  • Fixed: Some cases where file fields caused errors during submissions.
  • Fixed: Wrong country code was used for Arkansas. Sorry Arkansas.

Supported PHP Versions

Caldera Forms 1.6 deprecates support for PHP 5.5 and below. Caldera Forms 1.7 will not work with out of date versions of PHP.


Security Disclosure


This update includes fixes for three minor security issues that create stored XSS vulnerabilities, they were discovered by Federico Scalco. We would like to thank Fedrico for finding these bugs and responsibly disclosing them. We will link to the relevant CVE, with full details when it is made public.

We have no evidence that any of these issues have been exploited.

Please note that we have created automated tests to ensure that the fix will prevent these vulnerabilities from being exploited, that future versions do not become vulnerable to the same issue again and that the fixes do not create unintended side effects. These tests will be a part of

What You Should Do

Short version: Update to Caldera Forms 1.6.

Here is more specific advice, to ensure your site, even if you can not update to the latest version right away:

  • If you are using magic tags in the success message shown after a form submits. Make sure to update to Caldera Forms 1.6 right away. If not possible, remove the magic tags from the success message.
  • If you have left the debug mailer option on, turn it off. This is a good idea in general as the debug mailer gets saved with the entry and that’s a lot of extra data. This issue is fixed in version 1.6.0.
  • There is now a “Trusted” option on the import form pop-up. You should only check this box if you created the export file. If not, do not check it and potentially unsafe data will be removed. Until you update, only use import files you created yourself.