diff --git a/README.md b/README.md index 4eef64bc..3a8a3db0 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ Ultimate Member is the #1 user profile & membership plugin for WordPress. The pl | Latest Version |Requires at least|Stable Tag| | :------------: |:------------:|:------------:| -| 2.0.32 | WordPress 4.9 or higher| 2.0.32 | +| 2.0.33 | WordPress 4.9 or higher| 2.0.33 | Features of the plugin include: @@ -48,7 +48,7 @@ GNU Version 2 or Any Later Version Releases ==================== -[Official Release Version: 2.0.32](https://github.com/ultimatemember/ultimatemember/releases/tag/2.0.32). +[Official Release Version: 2.0.33](https://github.com/ultimatemember/ultimatemember/releases/tag/2.0.33). Changelog ==================== diff --git a/assets/js/um-modal.js b/assets/js/um-modal.js index f1a480c9..12c96fd6 100644 --- a/assets/js/um-modal.js +++ b/assets/js/um-modal.js @@ -34,7 +34,8 @@ jQuery(document).ready(function() { type: 'post', data: { action: 'um_remove_file', - src: src + src: src, + nonce: um_scripts.nonce } }); @@ -64,7 +65,8 @@ jQuery(document).ready(function() { type: 'post', data: { action: 'um_remove_file', - src: src + src: src, + nonce: um_scripts.nonce } }); @@ -115,7 +117,8 @@ jQuery(document).ready(function() { src : src, coord : coord, user_id : user_id, - key: key + key: key, + nonce: um_scripts.nonce }, success: function( response ){ diff --git a/assets/js/um-modal.min.js b/assets/js/um-modal.min.js index abe282d2..8c591bbd 100644 --- a/assets/js/um-modal.min.js +++ b/assets/js/um-modal.min.js 
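Review bot: The `nonce: um_scripts.nonce` field added to the `um_resize_image` request (and to the two `um_remove_file` requests above, plus the same additions in assets/js/um-scripts.js) is only useful if the receiving handler verifies it, and this diff changes no handler for these front-end actions — only the admin handlers gain `UM()->admin()->check_ajax_nonce()`. If those front-end handlers are updated in another commit a cross-reference would help; otherwise the nonce is now sent but never checked. A single shared `um_scripts.nonce` also covers every front-end action; a per-action nonce (`wp_create_nonce( 'um_resize_image' )` verified with `check_ajax_referer( 'um_resize_image', 'nonce' )`) keeps one value from standing in for all of them. `um_scripts` must be localized on every page that loads this script, or the added reference throws a ReferenceError before the request is sent — worth confirming against the enqueue code, which is not in this diff.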
@@ -1 +1 @@ -jQuery(document).ready(function(){jQuery(document).on("click",".um-popup-overlay",function(){remove_Modal()}),jQuery(document).on("click",'.um-modal-overlay, a[data-action="um_remove_modal"]',function(){um_remove_modal()}),jQuery(document).on("click",'a[data-modal^="um_"], span[data-modal^="um_"], .um-modal a',function(e){return e.preventDefault(),!1}),jQuery(document).on("click",".um-modal .um-single-file-preview a.cancel",function(e){e.preventDefault();var a=jQuery(this).parents(".um-modal-body"),t=jQuery(this).parents(".um-modal-body").find(".um-single-fileinfo a").attr("href");return a.find(".um-single-file-preview").hide(),a.find(".ajax-upload-dragdrop").show(),a.find(".um-modal-btn.um-finish-upload").addClass("disabled"),um_modal_responsive(),jQuery.ajax({url:wp.ajax.settings.url,type:"post",data:{action:"um_remove_file",src:t}}),!1}),jQuery(document).on("click",".um-modal .um-single-image-preview a.cancel",function(e){e.preventDefault();var a=jQuery(this).parents(".um-modal-body"),t=jQuery(this).parents(".um-modal-body").find(".um-single-image-preview img").attr("src");return jQuery("img.cropper-hidden").cropper("destroy"),a.find(".um-single-image-preview img").attr("src",""),a.find(".um-single-image-preview").hide(),a.find(".ajax-upload-dragdrop").show(),a.find(".um-modal-btn.um-finish-upload").addClass("disabled"),um_modal_responsive(),jQuery.ajax({url:wp.ajax.settings.url,type:"post",data:{action:"um_remove_file",src:t}}),!1}),jQuery(document).on("click",".um-finish-upload.file:not(.disabled)",function(){var e=jQuery(this).attr("data-key"),a=jQuery(this).parents(".um-modal-body").find(".um-single-file-preview").html();um_remove_modal(),jQuery(".um-single-file-preview[data-key="+e+"]").fadeIn().html(a);var t=jQuery(".um-field[data-key="+e+"]").find(".um-single-fileinfo 
a").data("file");jQuery(".um-single-file-preview[data-key="+e+"]").parents(".um-field").find(".um-btn-auto-width").html(jQuery(this).attr("data-change")),jQuery(".um-single-file-preview[data-key="+e+"]").parents(".um-field").find('input[type="hidden"]').val(t)}),jQuery(document).on("click",".um-finish-upload.image:not(.disabled)",function(){var a=jQuery(this),t=jQuery(this).attr("data-key"),e=jQuery(this).parents(".um-modal-body").find(".um-single-image-preview"),i=e.find("img").attr("src"),r=e.attr("data-coord"),u=e.find("img").data("file"),m=0;jQuery(this).parents("#um_upload_single").data("user_id")&&(m=jQuery(this).parents("#um_upload_single").data("user_id")),r?(jQuery(this).html(jQuery(this).attr("data-processing")).addClass("disabled"),jQuery.ajax({url:wp.ajax.settings.url,type:"POST",dataType:"json",data:{action:"um_resize_image",src:i,coord:r,user_id:m,key:t},success:function(e){1==e.success&&(d=new Date,"profile_photo"==t&&jQuery(".um-profile-photo-img img").attr("src",e.data.image.source_url+"?"+d.getTime()),"cover_photo"==t&&(jQuery(".um-cover-e").empty().html(''),jQuery(".um").hasClass("um-editing")&&jQuery(".um-cover-overlay").show()),jQuery(".um-single-image-preview[data-key="+t+"]").fadeIn().find("img").attr("src",e.data.image.source_url+"?"+d.getTime()),um_remove_modal(),jQuery(".um-single-image-preview[data-key="+t+"]").parents(".um-field").find(".um-btn-auto-width").html(a.attr("data-change")),jQuery(".um-single-image-preview[data-key="+t+"]").parents(".um-field").find('input[type="hidden"]').val(e.data.image.filename))}})):(d=new Date,jQuery(".um-single-image-preview[data-key="+t+"]").fadeIn().find("img").attr("src",i+"?"+d.getTime()),um_remove_modal(),jQuery(".um-single-image-preview[data-key="+t+"]").parents(".um-field").find(".um-btn-auto-width").html(a.attr("data-change")),jQuery(".um-single-image-preview[data-key="+t+"]").parents(".um-field").find("input[type=hidden]").val(u))}),jQuery(document).on("click",'a[data-modal^="um_"], 
span[data-modal^="um_"]',function(e){var a=jQuery(this).attr("data-modal"),t="normal";if(jQuery(this).data("modal-size"))t=jQuery(this).data("modal-size");jQuery(this).data("modal-copy")&&(jQuery("#"+a).html(jQuery(this).parents(".um-field").find(".um-modal-hidden-content").html()),jQuery(this).parents(".um-profile-photo").attr("data-user_id")&&jQuery("#"+a).attr("data-user_id",jQuery(this).parents(".um-profile-photo").attr("data-user_id")),jQuery(this).parents(".um-cover").attr("data-ratio")&&jQuery("#"+a).attr("data-ratio",jQuery(this).parents(".um-cover").attr("data-ratio")),jQuery(this).parents(".um-cover").attr("data-user_id")&&jQuery("#"+a).attr("data-user_id",jQuery(this).parents(".um-cover").attr("data-user_id")),0'),jQuery(".um").hasClass("um-editing")&&jQuery(".um-cover-overlay").show()),jQuery(".um-single-image-preview[data-key="+t+"]").fadeIn().find("img").attr("src",e.data.image.source_url+"?"+d.getTime()),um_remove_modal(),jQuery(".um-single-image-preview[data-key="+t+"]").parents(".um-field").find(".um-btn-auto-width").html(a.attr("data-change")),jQuery(".um-single-image-preview[data-key="+t+"]").parents(".um-field").find('input[type="hidden"]').val(e.data.image.filename))}})):(d=new Date,jQuery(".um-single-image-preview[data-key="+t+"]").fadeIn().find("img").attr("src",i+"?"+d.getTime()),um_remove_modal(),jQuery(".um-single-image-preview[data-key="+t+"]").parents(".um-field").find(".um-btn-auto-width").html(a.attr("data-change")),jQuery(".um-single-image-preview[data-key="+t+"]").parents(".um-field").find("input[type=hidden]").val(u))}),jQuery(document).on("click",'a[data-modal^="um_"], span[data-modal^="um_"]',function(e){var 
a=jQuery(this).attr("data-modal"),t="normal";if(jQuery(this).data("modal-size"))t=jQuery(this).data("modal-size");jQuery(this).data("modal-copy")&&(jQuery("#"+a).html(jQuery(this).parents(".um-field").find(".um-modal-hidden-content").html()),jQuery(this).parents(".um-profile-photo").attr("data-user_id")&&jQuery("#"+a).attr("data-user_id",jQuery(this).parents(".um-profile-photo").attr("data-user_id")),jQuery(this).parents(".um-cover").attr("data-ratio")&&jQuery("#"+a).attr("data-ratio",jQuery(this).parents(".um-cover").attr("data-ratio")),jQuery(this).parents(".um-cover").attr("data-user_id")&&jQuery("#"+a).attr("data-user_id",jQuery(this).parents(".um-cover").attr("data-user_id")),0'),jQuery(".um-dropdown").hide(),um_responsive(),user_id=jQuery(this).attr("data-user_id"),metakey="cover_photo",jQuery.ajax({url:wp.ajax.settings.url,type:"post",data:{action:"um_delete_cover_photo",metakey:metakey,user_id:user_id},success:function(e){t.hide()}})}),e(),jQuery("textarea[id=um-meta-bio]").change(e),jQuery("textarea[id=um-meta-bio]").keyup(e),jQuery(".um-profile-edit a.um_delete-item").click(function(e){if(e.preventDefault(),!confirm("Are you sure that you want to delete this user?"))return!1})}); \ No newline at end of file +jQuery(document).ready(function(){function e(){if(void 0!==jQuery("textarea[id=um-meta-bio]").val()){var e=jQuery("textarea[id=um-meta-bio]").attr("data-character-limit")-jQuery("textarea[id=um-meta-bio]").val().length;jQuery("span.um-meta-bio-character span.um-bio-limit").text(e),e<5?jQuery("span.um-meta-bio-character").css("color","red"):jQuery("span.um-meta-bio-character").css("color","")}}jQuery(".um-profile.um-viewing .um-profile-body .um-row").each(function(){var e=jQuery(this);0==e.find(".um-field").length&&(e.prev(".um-row-heading").remove(),e.remove())}),jQuery(".um-profile.um-viewing .um-profile-body").length&&0==jQuery(".um-profile.um-viewing 
.um-profile-body").find(".um-field").length&&(jQuery(".um-row-heading,.um-row").remove(),jQuery(".um-profile-note").show()),jQuery(document).on("click",".um-profile-save",function(e){return e.preventDefault(),jQuery(this).parents(".um").find("form").submit(),!1}),jQuery(document).on("click",".um-profile-edit-a",function(e){jQuery(this).addClass("active")}),jQuery(document).on("click",".um-cover a.um-cover-add, .um-photo a",function(e){return e.preventDefault(),!1}),jQuery(document).on("click",".um-photo-modal",function(e){e.preventDefault();var t=jQuery(this).attr("data-src");return um_new_modal("um_view_photo","fit",!0,t),!1}),jQuery(document).on("click",".um-reset-profile-photo",function(e){jQuery(".um-profile-photo-img img").attr("src",jQuery(this).attr("data-default_src")),user_id=jQuery(this).attr("data-user_id"),metakey="profile_photo",jQuery.ajax({url:wp.ajax.settings.url,type:"post",data:{action:"um_delete_profile_photo",metakey:metakey,user_id:user_id,nonce:um_scripts.nonce}})}),jQuery(document).on("click",".um-reset-cover-photo",function(e){var t=jQuery(this);jQuery(".um-cover-overlay").hide(),jQuery(".um-cover-e").html(''),jQuery(".um-dropdown").hide(),um_responsive(),user_id=jQuery(this).attr("data-user_id"),metakey="cover_photo",jQuery.ajax({url:wp.ajax.settings.url,type:"post",data:{action:"um_delete_cover_photo",metakey:metakey,user_id:user_id,nonce:um_scripts.nonce},success:function(e){t.hide()}})}),e(),jQuery("textarea[id=um-meta-bio]").change(e),jQuery("textarea[id=um-meta-bio]").keyup(e),jQuery(".um-profile-edit a.um_delete-item").click(function(e){if(e.preventDefault(),!confirm("Are you sure that you want to delete this user?"))return!1})}); \ No newline at end of file diff --git a/assets/js/um-scripts.js b/assets/js/um-scripts.js index 8d7f1289..4a62c2dc 100644 --- a/assets/js/um-scripts.js +++ b/assets/js/um-scripts.js 
@@ -155,7 +155,8 @@ jQuery(document).ready(function() { type: 'post', data: { action: 'um_remove_file', - src: src + src: src, + nonce: um_scripts.nonce } }); @@ -175,7 +176,8 @@ jQuery(document).ready(function() { type: 'post', data: { action: 'um_remove_file', - src: src + src: src, + nonce: um_scripts.nonce } }); @@ -260,7 +262,8 @@ jQuery(document).ready(function() { data: { action: 'um_ajax_paginate_posts', author: jQuery(this).data('author'), - page: next_page + page: next_page, + nonce: um_scripts.nonce }, complete: function() { parent.removeClass( 'loading' ); @@ -284,7 +287,8 @@ jQuery(document).ready(function() { data: { action: 'um_ajax_paginate', hook: hook, - args: args + args: args, + nonce: um_scripts.nonce }, complete: function() { parent.removeClass( 'loading' ); @@ -315,7 +319,8 @@ jQuery(document).ready(function() { action: 'um_muted_action', hook: hook, user_id: user_id, - arguments: arguments + arguments: arguments, + nonce: um_scripts.nonce }, success: function(data){ @@ -370,7 +375,8 @@ jQuery(document).ready(function() { child_callback: um_ajax_source, child_name: me.attr('name'), members_directory: me.attr('data-mebers-directory'), - form_id: form_id + form_id: form_id, + nonce: um_scripts.nonce }, success: function( data ){ if( data.status == 'success' && parent.val() != '' ){ diff --git a/assets/js/um-scripts.min.js b/assets/js/um-scripts.min.js index b72941b1..dce1d28c 100644 --- a/assets/js/um-scripts.min.js +++ b/assets/js/um-scripts.min.js 
@@ -1 +1 @@ -jQuery(document).ready(function(){jQuery(document).on("click",".um-dropdown a",function(e){return!1}),jQuery(document).on("click",".um-dropdown a.real_url",function(e){window.location=jQuery(this).attr("href")}),jQuery(document).on("click",".um-trigger-menu-on-click",function(e){return jQuery(".um-dropdown").hide(),menu=jQuery(this).find(".um-dropdown"),menu.show(),!1}),jQuery(document).on("click",".um-dropdown-hide",function(e){UM_hide_menus()}),jQuery(document).on("click","a.um-manual-trigger",function(){var e=jQuery(this).attr("data-child"),t=jQuery(this).attr("data-parent");jQuery(this).parents(t).find(e).trigger("click")}),jQuery(".um-tip-n").tipsy({gravity:"n",opacity:1,live:"a.live",offset:3}),jQuery(".um-tip-w").tipsy({gravity:"w",opacity:1,live:"a.live",offset:3}),jQuery(".um-tip-e").tipsy({gravity:"e",opacity:1,live:"a.live",offset:3}),jQuery(".um-tip-s").tipsy({gravity:"s",opacity:1,live:"a.live",offset:3}),jQuery(document).on("change",".um-field-area input[type=radio]",function(){var e=jQuery(this).parents(".um-field-area"),t=jQuery(this).parents("label");e.find(".um-field-radio").removeClass("active"),e.find(".um-field-radio").find("i").removeAttr("class").addClass("um-icon-android-radio-button-off"),t.addClass("active"),t.find("i").removeAttr("class").addClass("um-icon-android-radio-button-on")}),jQuery(document).on("change",".um-field-area input[type=checkbox]",function(){jQuery(this).parents(".um-field-area");var e=jQuery(this).parents("label");e.hasClass("active")?(e.removeClass("active"),e.find("i").removeAttr("class").addClass("um-icon-android-checkbox-outline-blank")):(e.addClass("active"),e.find("i").removeAttr("class").addClass("um-icon-android-checkbox-outline"))}),jQuery(".um-datepicker").each(function(){if(elem=jQuery(this),""!=elem.attr("data-disabled_weekdays"))var e=JSON.parse(elem.attr("data-disabled_weekdays"));else e=!1;var 
t=elem.attr("data-years"),a=elem.attr("data-date_min"),i=elem.attr("data-date_max"),r=a.split(","),n=i.split(","),u=r.length?new Date(r):null,o=r.length?new Date(n):null;if(u&&"Invalid Date"==u.toString()&&3==r.length){var d=r[1]+"/"+r[2]+"/"+r[0];u=new Date(Date.parse(d))}if(o&&"Invalid Date"==o.toString()&&3==n.length){var s=n[1]+"/"+n[2]+"/"+n[0];o=new Date(Date.parse(s))}elem.pickadate({selectYears:t,min:u,max:o,disable:e,format:elem.attr("data-format"),formatSubmit:"yyyy/mm/dd",hiddenName:!0,onOpen:function(){elem.blur()},onClose:function(){elem.blur()}})}),jQuery(".um-timepicker").each(function(){elem=jQuery(this),elem.pickatime({format:elem.attr("data-format"),interval:parseInt(elem.attr("data-intervals")),formatSubmit:"HH:i",hiddenName:!0,onOpen:function(){elem.blur()},onClose:function(){elem.blur()}})}),jQuery(".um-rating").um_raty({half:!1,starType:"i",number:function(){return jQuery(this).attr("data-number")},score:function(){return jQuery(this).attr("data-score")},scoreName:function(){return jQuery(this).attr("data-key")},hints:!1,click:function(e,t){live_field=this.id,live_value=e,um_apply_conditions(jQuery(this),!1)}}),jQuery(".um-rating-readonly").um_raty({half:!1,starType:"i",number:function(){return jQuery(this).attr("data-number")},score:function(){return jQuery(this).attr("data-score")},scoreName:function(){return jQuery(this).attr("data-key")},hints:!1,readOnly:!0}),jQuery(document).on("click",".um .um-single-image-preview a.cancel",function(e){e.preventDefault();var t=jQuery(this).parents(".um-field"),a=jQuery(this).parents(".um-field").find(".um-single-image-preview img").attr("src");return t.find(".um-single-image-preview img").attr("src",""),t.find(".um-single-image-preview").hide(),t.find(".um-btn-auto-width").html("Upload"),t.find("input[type=hidden]").val("empty_file"),jQuery.ajax({url:wp.ajax.settings.url,type:"post",data:{action:"um_remove_file",src:a}}),!1}),jQuery(document).on("click",".um .um-single-file-preview 
a.cancel",function(e){e.preventDefault();var t=jQuery(this).parents(".um-field"),a=jQuery(this).parents(".um-field").find(".um-single-fileinfo a").attr("href");return t.find(".um-single-file-preview").hide(),t.find(".um-btn-auto-width").html("Upload"),t.find("input[type=hidden]").val("empty_file"),jQuery.ajax({url:wp.ajax.settings.url,type:"post",data:{action:"um_remove_file",src:a}}),!1}),jQuery(".um-s1,.um-s2").css({display:"block"}),jQuery(".um-s1").select2({allowClear:!0}),jQuery(".um-s2").select2({allowClear:!1,minimumResultsForSearch:10}),jQuery(document).on("click",".um-field-group-head:not(.disabled)",function(){var e=jQuery(this).parents(".um-field-group"),t=e.data("max_entries");e.find(".um-field-group-body").is(":hidden")?e.find(".um-field-group-body").show():e.find(".um-field-group-body:first").clone().appendTo(e),increase_id=0,e.find(".um-field-group-body").each(function(){increase_id++,jQuery(this).find("input").each(function(){var e=jQuery(this);e.attr("id",e.data("key")+"-"+increase_id),e.attr("name",e.data("key")+"-"+increase_id),e.parent().parent().find("label").attr("for",e.data("key")+"-"+increase_id)})}),0admin()->check_ajax_nonce(); if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) { - die( 'Please login as administrator' ); + wp_send_json_error( __( 'Please login as administrator', 'ultimate-member' ) ); } extract( $_POST ); @@ -605,8 +606,11 @@ if ( ! class_exists( 'um\admin\core\Admin_Builder' ) ) { * */ function update_field() { - if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) - die( __('Please login as administrator','ultimate-member') ); + UM()->admin()->check_ajax_nonce(); + + if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( __( 'Please login as administrator', 'ultimate-member' ) ); + } $output['error'] = null; 
@@ -757,12 +761,14 @@ if ( ! class_exists( 'um\admin\core\Admin_Builder' ) ) { * */ function dynamic_modal_content() { - $metabox = UM()->metabox(); + UM()->admin()->check_ajax_nonce(); if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) { - die( __( 'Please login as administrator', 'ultimate-member' ) ); + wp_send_json_error( __( 'Please login as administrator', 'ultimate-member' ) ); } + $metabox = UM()->metabox(); + /** * @var $act_id * @var $arg1 @@ -1131,12 +1137,14 @@ if ( ! class_exists( 'um\admin\core\Admin_Builder' ) ) { * Retrieves dropdown/multi-select options from a callback function */ function populate_dropdown_options() { - $arr_options = array(); + UM()->admin()->check_ajax_nonce(); - if ( ! current_user_can('manage_options') ) { - wp_die( __( 'This is not possible for security reasons.', 'ultimate-member' ) ); + if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( __( 'This is not possible for security reasons.', 'ultimate-member' ) ); } + $arr_options = array(); + $um_callback_func = $_POST['um_option_callback']; if ( empty( $um_callback_func ) ) { $arr_options['status'] = 'empty'; @@ -1145,7 +1153,6 @@ if ( ! class_exists( 'um\admin\core\Admin_Builder' ) ) { } $arr_options['data'] = array(); - if ( function_exists( $um_callback_func ) ) { $arr_options['data'] = call_user_func( $um_callback_func ); } diff --git a/includes/admin/core/class-admin-dragdrop.php b/includes/admin/core/class-admin-dragdrop.php index 8c37b64a..56b2dbd5 100644 --- a/includes/admin/core/class-admin-dragdrop.php +++ b/includes/admin/core/class-admin-dragdrop.php 
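Review bot: `populate_dropdown_options()` still takes the function name to execute straight from `$_POST['um_option_callback']` and, in the following hunk, hands it to `call_user_func()` as soon as `function_exists()` is true; the new nonce and `manage_options` gate narrow who can reach the endpoint but do not constrain which function it may call. The callback should be matched against an allow-list of the callbacks registered for dropdown fields before it is invoked, e.g. `if ( ! in_array( $um_callback_func, apply_filters( 'um_dropdown_option_callbacks', array() ), true ) ) { wp_send_json_error( __( 'This is not possible for security reasons.', 'ultimate-member' ) ); }` — the filter name here is a constructed placeholder; use whatever registry the field builder already keeps. The rest of the function, including the `function_exists()` / `call_user_func()` pair, sits in the next hunk, which otherwise only drops a blank line.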
@@ -26,9 +26,11 @@ if ( ! class_exists( 'um\admin\core\Admin_DragDrop' ) ) { * Update order of fields */ function update_order() { + UM()->admin()->check_ajax_nonce(); - if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) - die( 'Please login as administrator' ); + if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( __( 'Please login as administrator', 'ultimate-member' ) ); + } /** * @var $form_id @@ -43,8 +45,8 @@ if ( ! class_exists( 'um\admin\core\Admin_DragDrop' ) ) { if ( ! empty( $fields ) ) { foreach ( $fields as $key => $array ) { if ( $array['type'] == 'row' ) { - $this->row_data[$key] = $array; - unset( $fields[$key] ); + $this->row_data[ $key ] = $array; + unset( $fields[ $key ] ); } } } else { @@ -217,6 +219,7 @@ if ( ! class_exists( 'um\admin\core\Admin_DragDrop' ) ) { +
diff --git a/includes/admin/core/class-admin-enqueue.php b/includes/admin/core/class-admin-enqueue.php index 46ca9f81..bf934363 100644 --- a/includes/admin/core/class-admin-enqueue.php +++ b/includes/admin/core/class-admin-enqueue.php @@ -332,9 +332,8 @@ if ( ! class_exists( 'um\admin\core\Admin_Enqueue' ) ) { * } * ?> */ - $localize_data = apply_filters('um_admin_enqueue_localize_data', array( - 'ajaxurl' => admin_url( 'admin-ajax.php' ), - 'nonce' => wp_create_nonce( "um-admin-nonce" ) + $localize_data = apply_filters( 'um_admin_enqueue_localize_data', array( + 'nonce' => wp_create_nonce( "um-admin-nonce" ) ) ); diff --git a/includes/admin/core/class-admin-menu.php b/includes/admin/core/class-admin-menu.php index e0f17f4a..88abb645 100644 --- a/includes/admin/core/class-admin-menu.php +++ b/includes/admin/core/class-admin-menu.php @@ -76,7 +76,8 @@ if ( ! class_exists( 'um\admin\core\Admin_Menu' ) ) { url: wp.ajax.settings.url, type: 'post', data: { - action: 'um_rated' + action: 'um_rated', + nonce: um_admin_scripts.nonce }, success: function(){ @@ -98,8 +99,14 @@ if ( ! class_exists( 'um\admin\core\Admin_Menu' ) ) { * When user clicks the review link in backend */ function ultimatemember_rated() { + UM()->admin()->check_ajax_nonce(); + + if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( __( 'Please login as administrator', 'ultimate-member' ) ); + } + update_option( 'um_admin_footer_text_rated', 1 ); - die(); + wp_send_json_success(); } @@ -109,8 +116,9 @@ if ( ! class_exists( 'um\admin\core\Admin_Menu' ) ) { public function menu_order_count() { global $menu, $submenu; - if ( ! current_user_can( 'list_users' ) ) + if ( ! current_user_can( 'list_users' ) ) { return; + } $count = UM()->user()->get_pending_users_count(); if ( is_array( $menu ) ) { diff --git a/includes/admin/core/class-admin-notices.php b/includes/admin/core/class-admin-notices.php index 1419932a..50aede4a 100644 
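Review bot: Dropping the `'ajaxurl'` key from the array passed through `um_admin_enqueue_localize_data` changes the shape of the `um_admin_scripts` object that extensions can read via that filter, so any third-party code still using `um_admin_scripts.ajaxurl` will now get `undefined`. Since the plugin's own scripts move to `wp.ajax.settings.url` in this same commit the removal is consistent, but it is a public-data change and deserves a changelog entry and a short comment above the array, e.g. `// 'ajaxurl' was removed from this array; use wp.ajax.settings.url on the client.`. The `ultimatemember_rated()` hunk in class-admin-menu.php below is sound: nonce, capability check and `wp_send_json_success()` in place of the bare `die()`.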
--- a/includes/admin/core/class-admin-notices.php +++ b/includes/admin/core/class-admin-notices.php @@ -666,11 +666,7 @@ if ( ! class_exists( 'um\admin\core\Admin_Notices' ) ) { function dismiss_notice() { - $nonce = isset( $_POST["nonce"] ) ? $_POST["nonce"] : ""; - if ( ! wp_verify_nonce( $nonce, "um-admin-nonce" ) ) { - wp_send_json_error( esc_js( __( "Wrong Nonce", 'ultimate-member' ) ) ); - } - + UM()->admin()->check_ajax_nonce(); if ( empty( $_POST['key'] ) ) { wp_send_json_error( __( 'Wrong Data', 'ultimate-member' ) ); diff --git a/includes/admin/core/class-admin-upgrade.php b/includes/admin/core/class-admin-upgrade.php index 86237bfc..da806aa5 100644 --- a/includes/admin/core/class-admin-upgrade.php +++ b/includes/admin/core/class-admin-upgrade.php @@ -260,7 +260,8 @@ if ( ! class_exists( 'um\admin\core\Admin_Upgrade' ) ) { type: 'POST', dataType: 'json', data: { - action: 'um_get_packages' + action: 'um_get_packages', + nonce: um_admin_scripts.nonce }, success: function( response ) { um_packages = response.data.packages; @@ -290,7 +291,8 @@ if ( ! class_exists( 'um\admin\core\Admin_Upgrade' ) ) { dataType: 'html', data: { action: 'um_run_package', - pack: pack + pack: pack, + nonce: um_admin_scripts.nonce }, success: function( html ) { um_add_upgrade_log( 'Package "' + pack + '" is ready. Start the execution...' ); @@ -334,6 +336,8 @@ if ( ! class_exists( 'um\admin\core\Admin_Upgrade' ) ) { function ajax_run_package() { + UM()->admin()->check_ajax_nonce(); + if ( empty( $_POST['pack'] ) ) { exit(''); } else { @@ -346,6 +350,8 @@ if ( ! class_exists( 'um\admin\core\Admin_Upgrade' ) ) { function ajax_get_packages() { + UM()->admin()->check_ajax_nonce(); + $update_versions = $this->need_run_upgrades(); wp_send_json_success( array( 'packages' => $update_versions ) ); } diff --git a/includes/admin/core/packages/1.3.39/functions.php b/includes/admin/core/packages/1.3.39/functions.php index 9a0ba7d1..a9f2c5da 100644 
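Review bot: `ajax_run_package()` and `ajax_get_packages()` gain `UM()->admin()->check_ajax_nonce()` but, unlike the Admin_Builder, Admin_DragDrop and Admin_Menu handlers in this commit, no capability check; a valid nonce shows the request originated from a page that was handed `um_admin_scripts.nonce`, not that the caller is allowed to run upgrades. The same applies to every `um_upgrade_*` function in includes/admin/core/packages/1.3.39, 2.0-beta1, 2.0.10 and 2.0.24 functions.php, which add only the nonce line. Add `if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( __( 'Please login as administrator', 'ultimate-member' ) ); }` directly after the nonce check in each, or fold that check into `check_ajax_nonce()` itself if every caller is admin-only (its body is not in this diff). In `ajax_run_package()` the value of `$_POST['pack']` is consumed outside the hunk; if it selects a package directory, matching it against the list returned by `need_run_upgrades()` is safer than using it as a path component.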
--- a/includes/admin/core/packages/1.3.39/functions.php +++ b/includes/admin/core/packages/1.3.39/functions.php @@ -1,5 +1,7 @@ admin()->check_ajax_nonce(); + include 'usermeta_query.php'; update_option( 'um_last_version_upgrade', '1.3.39' ); diff --git a/includes/admin/core/packages/1.3.39/init.php b/includes/admin/core/packages/1.3.39/init.php index 3781024d..ec96f373 100644 --- a/includes/admin/core/packages/1.3.39/init.php +++ b/includes/admin/core/packages/1.3.39/init.php @@ -5,11 +5,12 @@ um_add_upgrade_log( 'Upgrade Usermeta...' ); jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { - action: 'um_usermetaquery1339' + action: 'um_usermetaquery1339', + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { diff --git a/includes/admin/core/packages/2.0-beta1/functions.php b/includes/admin/core/packages/2.0-beta1/functions.php index 52adba1f..e177d80c 100644 --- a/includes/admin/core/packages/2.0-beta1/functions.php +++ b/includes/admin/core/packages/2.0-beta1/functions.php @@ -1,5 +1,7 @@ admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); include 'styles.php'; @@ -8,6 +10,8 @@ function um_upgrade_styles20beta1() { function um_upgrade_user_roles20beta1() { + UM()->admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); /** * @var $response_roles_data @@ -19,7 +23,10 @@ function um_upgrade_user_roles20beta1() { function um_upgrade_get_users_per_role20beta1() { + UM()->admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); + if ( ! empty( $_POST['key_in_meta'] ) ) { $args = array( 'meta_query' => array( @@ -43,6 +50,8 @@ function um_upgrade_get_users_per_role20beta1() { function um_upgrade_update_users_per_page20beta1() { + UM()->admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); if ( ! empty( $_POST['key_in_meta'] ) && ! empty( $_POST['role_key'] ) && ! empty( $_POST['page'] ) ) { $users_per_page = 100; 
@@ -85,6 +94,8 @@ function um_upgrade_update_users_per_page20beta1() { function um_upgrade_content_restriction20beta1() { + UM()->admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); include 'content_restriction.php'; @@ -94,6 +105,8 @@ function um_upgrade_content_restriction20beta1() { function um_upgrade_settings20beta1() { + UM()->admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); include 'settings.php'; @@ -102,6 +115,8 @@ function um_upgrade_settings20beta1() { function um_upgrade_menus20beta1() { + UM()->admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); include 'menus.php'; @@ -110,6 +125,8 @@ function um_upgrade_menus20beta1() { function um_upgrade_mc_lists20beta1() { + UM()->admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); include 'mc_lists.php'; @@ -118,6 +135,8 @@ function um_upgrade_mc_lists20beta1() { function um_upgrade_social_login20beta1() { + UM()->admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); include 'social_login.php'; @@ -126,6 +145,8 @@ function um_upgrade_social_login20beta1() { function um_upgrade_cpt20beta1() { + UM()->admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); include 'um_cpt.php'; @@ -134,6 +155,8 @@ function um_upgrade_cpt20beta1() { function um_upgrade_get_forums20beta1() { + UM()->admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); remove_all_actions( 'pre_get_posts' ); @@ -149,6 +172,8 @@ function um_upgrade_get_forums20beta1() { function um_upgrade_update_forum_per_page20beta1() { + UM()->admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); if ( ! empty( $_POST['page'] ) ) { @@ -205,6 +230,8 @@ function um_upgrade_update_forum_per_page20beta1() { function um_upgrade_get_products20beta1() { + UM()->admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); $wc_products = get_posts( array( 
@@ -218,6 +245,8 @@ function um_upgrade_get_products20beta1() { function um_upgrade_update_products_per_page20beta1() { + UM()->admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); if ( ! empty( $_POST['page'] ) ) { @@ -296,6 +325,8 @@ function um_upgrade_update_products_per_page20beta1() { function um_upgrade_email_templates20beta1() { + UM()->admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); include 'email_templates.php'; diff --git a/includes/admin/core/packages/2.0-beta1/init.php b/includes/admin/core/packages/2.0-beta1/init.php index 08587a21..1e4799fd 100644 --- a/includes/admin/core/packages/2.0-beta1/init.php +++ b/includes/admin/core/packages/2.0-beta1/init.php @@ -13,11 +13,12 @@ um_add_upgrade_log( '' ); jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { - action: 'um_styles20beta1' + action: 'um_styles20beta1', + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { @@ -36,11 +37,12 @@ function upgrade_roles() { um_add_upgrade_log( '' ); jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { - action: 'um_user_roles20beta1' + action: 'um_user_roles20beta1', + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { @@ -70,12 +72,13 @@ var role = um_roles_data.shift(); um_add_upgrade_log( '"' + role.role_key + '"' ); jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { action: 'um_get_users_per_role20beta1', - key_in_meta: role.key_in_meta + key_in_meta: role.key_in_meta, + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data.count != 'undefined' ) { 
@@ -103,14 +106,15 @@ function update_user_per_page( role_key, key_in_meta ) { if ( current_page <= users_pages ) { jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { action: 'um_update_users_per_page20beta1', role_key: role_key, key_in_meta: key_in_meta, - page: current_page + page: current_page, + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { @@ -135,11 +139,12 @@ um_add_upgrade_log( '' ); jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { - action: 'um_content_restriction20beta1' + action: 'um_content_restriction20beta1', + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { @@ -160,11 +165,12 @@ um_add_upgrade_log( '' ); jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { - action: 'um_settings20beta1' + action: 'um_settings20beta1', + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { @@ -185,11 +191,12 @@ um_add_upgrade_log( '' ); jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { - action: 'um_menus20beta1' + action: 'um_menus20beta1', + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { @@ -210,11 +217,12 @@ um_add_upgrade_log( '' ); jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { - action: 'um_mc_lists20beta1' + action: 'um_mc_lists20beta1', + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { 
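Review bot: Every upgrade step in this file (and in the 1.3.39, 2.0.10 and 2.0.24 init.php files) now repeats the same `jQuery.ajax({ url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { action: …, nonce: um_admin_scripts.nonce }, … })` block, and this commit had to edit each copy to add the URL and the nonce. A single request helper in the shared upgrade-page script, called by each step, would make the endpoint and nonce impossible to omit from the next package. The sketch below is constructed; the `update_user_per_page` step would then read `umUpgradePost( 'um_update_users_per_page20beta1', { role_key: role_key, key_in_meta: key_in_meta, page: current_page }, function( response ) { … } );` with its existing success body unchanged.
```javascript
// Constructed helper: one place that fixes the endpoint and the admin nonce for upgrade steps.
function umUpgradePost( action, data, onSuccess ) {
	jQuery.ajax({
		url: wp.ajax.settings.url,
		type: 'POST',
		dataType: 'json',
		data: jQuery.extend( { action: action, nonce: um_admin_scripts.nonce }, data ),
		success: onSuccess
	});
}
```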
@@ -235,11 +243,12 @@ um_add_upgrade_log( '' ); jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { - action: 'um_social_login20beta1' + action: 'um_social_login20beta1', + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { @@ -260,11 +269,12 @@ um_add_upgrade_log( '' ); jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { - action: 'um_cpt20beta1' + action: 'um_cpt20beta1', + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { @@ -286,11 +296,12 @@ um_add_upgrade_log( '' ); current_page = 1; jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { - action: 'um_get_forums20beta1' + action: 'um_get_forums20beta1', + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { @@ -313,12 +324,13 @@ function update_forums_per_page() { if ( current_page <= forums_pages ) { jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { action: 'um_update_forum_per_page20beta1', - page: current_page + page: current_page, + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { @@ -346,11 +358,12 @@ current_page = 1; jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { - action: 'um_get_products20beta1' + action: 'um_get_products20beta1', + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { 
@@ -373,12 +386,13 @@ function update_products_per_page() { if ( current_page <= products_pages ) { jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { action: 'um_update_products_per_page20beta1', - page: current_page + page: current_page, + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { @@ -402,11 +416,12 @@ function upgrade_email_templates() { um_add_upgrade_log( '' ); jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { - action: 'um_email_templates20beta1' + action: 'um_email_templates20beta1', + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { diff --git a/includes/admin/core/packages/2.0.10/functions.php b/includes/admin/core/packages/2.0.10/functions.php index be32d0b3..0a12b32d 100644 --- a/includes/admin/core/packages/2.0.10/functions.php +++ b/includes/admin/core/packages/2.0.10/functions.php @@ -1,5 +1,7 @@ admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); include 'styles.php'; @@ -8,6 +10,8 @@ function um_upgrade_styles2010() { function um_upgrade_cache2010() { + UM()->admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); UM()->user()->remove_cache_all_users(); diff --git a/includes/admin/core/packages/2.0.10/init.php b/includes/admin/core/packages/2.0.10/init.php index c5b4d295..7ba29977 100644 --- a/includes/admin/core/packages/2.0.10/init.php +++ b/includes/admin/core/packages/2.0.10/init.php @@ -6,11 +6,12 @@ um_add_upgrade_log( '' ); jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { - action: 'um_styles2010' + action: 'um_styles2010', + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { 
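Review bot: `um_upgrade_cache2010` now opens with `UM()->admin()->check_ajax_nonce()` and then clears every user's cache, with no capability check visible in the hunk; a nonce only ties the request to a page the plugin rendered, it does not establish who is sending it. Add `if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( __( 'Please login as administrator', 'ultimate-member' ) ); }` after the nonce call (the string is already in the catalog), or confirm that `check_ajax_nonce` in class-admin-functions.php, which is not part of this diff, performs that check itself. The `um_upgrade_styles2010` hunk just above and the 2.0.24 `functions.php` hunk below, which removes the temp upload directory, have the same shape; the leading `<?php`/`UM()->` of those hunks appears truncated in this view.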
@@ -30,11 +31,12 @@ function um_clear_cache2010() { um_add_upgrade_log( '' ); jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { - action: 'um_cache2010' + action: 'um_cache2010', + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { diff --git a/includes/admin/core/packages/2.0.24/functions.php b/includes/admin/core/packages/2.0.24/functions.php index b379280a..ada9df2e 100644 --- a/includes/admin/core/packages/2.0.24/functions.php +++ b/includes/admin/core/packages/2.0.24/functions.php @@ -1,5 +1,7 @@ admin()->check_ajax_nonce(); + um_maybe_unset_time_limit(); UM()->files()->remove_dir( UM()->files()->upload_temp ); diff --git a/includes/admin/core/packages/2.0.24/init.php b/includes/admin/core/packages/2.0.24/init.php index 8d97f6be..e40b5c6d 100644 --- a/includes/admin/core/packages/2.0.24/init.php +++ b/includes/admin/core/packages/2.0.24/init.php @@ -6,11 +6,12 @@ um_add_upgrade_log( '' ); jQuery.ajax({ - url: '', + url: wp.ajax.settings.url, type: 'POST', dataType: 'json', data: { - action: 'um_tempfolder2024' + action: 'um_tempfolder2024', + nonce: um_admin_scripts.nonce }, success: function( response ) { if ( typeof response.data != 'undefined' ) { diff --git a/includes/admin/templates/modal/dynamic_edit_field.php b/includes/admin/templates/modal/dynamic_edit_field.php index daf838b4..779f994d 100644 --- a/includes/admin/templates/modal/dynamic_edit_field.php +++ b/includes/admin/templates/modal/dynamic_edit_field.php @@ -11,6 +11,7 @@
+
diff --git a/includes/admin/templates/modal/dynamic_edit_row.php b/includes/admin/templates/modal/dynamic_edit_row.php index 806c26ac..c00b530a 100644 --- a/includes/admin/templates/modal/dynamic_edit_row.php +++ b/includes/admin/templates/modal/dynamic_edit_row.php @@ -11,6 +11,7 @@
+
diff --git a/includes/admin/templates/modal/dynamic_new_divider.php b/includes/admin/templates/modal/dynamic_new_divider.php index f9c9b10a..18484216 100644 --- a/includes/admin/templates/modal/dynamic_new_divider.php +++ b/includes/admin/templates/modal/dynamic_new_divider.php @@ -11,6 +11,7 @@
+
diff --git a/includes/admin/templates/modal/dynamic_new_field.php b/includes/admin/templates/modal/dynamic_new_field.php index 9b3f64c6..9d4c587c 100644 --- a/includes/admin/templates/modal/dynamic_new_field.php +++ b/includes/admin/templates/modal/dynamic_new_field.php @@ -11,6 +11,7 @@
+
diff --git a/includes/admin/templates/modal/dynamic_new_group.php b/includes/admin/templates/modal/dynamic_new_group.php index 2f061007..d9a3cddd 100644 --- a/includes/admin/templates/modal/dynamic_new_group.php +++ b/includes/admin/templates/modal/dynamic_new_group.php @@ -11,6 +11,7 @@
+
diff --git a/includes/class-functions.php b/includes/class-functions.php
index b40141cc..f2969d30 100644
--- a/includes/class-functions.php
+++ b/includes/class-functions.php
@@ -16,6 +16,21 @@ if ( ! class_exists( 'UM_Functions' ) ) {
 }
+ /**
+ * Check frontend nonce
+ *
+ * @param bool $action
+ */
+ function check_ajax_nonce( $action = false ) {
+ $nonce = isset( $_POST['nonce'] ) ? $_POST['nonce'] : '';
+ $action = empty( $action ) ? 'um-frontend-nonce' : $action;
+
+ if ( ! wp_verify_nonce( $nonce, $action ) ) {
+ wp_send_json_error( esc_js( __( 'Wrong Nonce', 'ultimate-member' ) ) );
+ }
+ }
+
+ /**
+ * What type of request is this?
+ *
diff --git a/includes/core/class-enqueue.php b/includes/core/class-enqueue.php
index f1a778f7..d8fadb14 100644
--- a/includes/core/class-enqueue.php
+++ b/includes/core/class-enqueue.php
@@ -129,7 +129,9 @@ if ( ! class_exists( 'um\core\Enqueue' ) ) {
 * }
 * ?>
 */
- $localize_data = apply_filters( 'um_enqueue_localize_data', array() );
+ $localize_data = apply_filters( 'um_enqueue_localize_data', array(
+ 'nonce' => wp_create_nonce( "um-frontend-nonce" ),
+ ) );
 wp_localize_script( 'um_scripts', 'um_scripts', $localize_data );
 wp_register_script('um_members', $this->js_baseurl . 'um-members' . $this->suffix . '.js', array( 'jquery' ), ultimatemember_version, true );
diff --git a/includes/core/class-fields.php b/includes/core/class-fields.php
index 56dbe7b8..683d2e2f 100644
--- a/includes/core/class-fields.php
+++ b/includes/core/class-fields.php
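Review bot: `check_ajax_nonce` documents its parameter as `@param bool $action`, but `$action` is a nonce action name that defaults to `'um-frontend-nonce'`; it should read `@param string|false $action Nonce action name, defaults to 'um-frontend-nonce'`. The failure path passes the message through `esc_js()` into `wp_send_json_error()`, which JSON-encodes its argument itself, so the JavaScript escaping sits at the wrong layer and any quote in a translated message would arrive double-escaped; `wp_send_json_error( __( 'Wrong Nonce', 'ultimate-member' ) );` matches the admin-side call in the class-fields.php hunk. The docblock should also say what the check proves: the nonce is minted from the fixed action `um-frontend-nonce` and localized for every visitor in the class-enqueue.php hunk on this line, so a passing check only shows the request came from a page the plugin rendered, and each AJAX handler still needs its own capability or ownership check.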
@@ -4059,21 +4059,25 @@ if ( ! class_exists( 'um\core\Fields' ) ) {
 *
 */
 function do_ajax_action() {
- if (!is_user_logged_in() || !current_user_can( 'manage_options' )) die( __( 'Please login as administrator', 'ultimate-member' ) );
+ UM()->admin()->check_ajax_nonce();
+
+ if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
+ wp_send_json_error( __( 'Please login as administrator', 'ultimate-member' ) );
+ }
 extract( $_POST );
 $output = null;
 $position = array();
- if (!empty( $in_column )) {
+ if ( ! empty( $in_column ) ) {
 $position['in_row'] = '_um_row_' . ( (int)$in_row + 1 );
 $position['in_sub_row'] = $in_sub_row;
 $position['in_column'] = $in_column;
 $position['in_group'] = $in_group;
 }
- switch ($act_id) {
+ switch ( $act_id ) {
 case 'um_admin_duplicate_field':
 $this->duplicate_field( $arg1, $arg2 );
diff --git a/includes/core/class-files.php b/includes/core/class-files.php
index f875f5fb..06974e16 100644
--- a/includes/core/class-files.php
+++ b/includes/core/class-files.php
@@ -241,6 +241,8 @@ if ( ! class_exists( 'um\core\Files' ) ) {
 * Remove file by AJAX
 */
 function ajax_remove_file() {
+ UM()->check_ajax_nonce();
+
 /**
 * @var $src
 */
@@ -255,6 +257,8 @@ if ( ! class_exists( 'um\core\Files' ) ) {
 * Resize image AJAX handler
 */
 function ajax_resize_image() {
+ UM()->check_ajax_nonce();
+
 /**
 * @var $key
 * @var $src
diff --git a/includes/core/class-form.php b/includes/core/class-form.php
index ccebba66..59c5d8e7 100644
--- a/includes/core/class-form.php
+++ b/includes/core/class-form.php
@@ -50,6 +50,8 @@ if ( ! class_exists( 'um\core\Form' ) ) {
 *
 */
 function ajax_muted_action() {
+ UM()->check_ajax_nonce();
+
 extract( $_REQUEST );
 if ( ! UM()->roles()->um_current_user_can( 'edit', $user_id ) )
@@ -86,7 +88,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
 *
 */
 function ajax_select_options() {
-
+ UM()->check_ajax_nonce();
 $arr_options = array();
 $arr_options['status'] = 'success';
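Review bot: `extract( $_POST )` directly after the new checks still lets any POST key become a local variable of `do_ajax_action`, so a request can seed `$output`, `$position`, `$arg1`/`$arg2` or anything else the rest of the function (which continues outside the hunk) relies on; the nonce and `manage_options` checks limit who may send the request, not what it can set. Read the keys explicitly instead, e.g. `$act_id = isset( $_POST['act_id'] ) ? sanitize_key( $_POST['act_id'] ) : '';`, `$in_row = isset( $_POST['in_row'] ) ? (int) $_POST['in_row'] : 0;` and the other `in_*`/`arg*` keys through `sanitize_text_field( wp_unslash( ... ) )`. The same pattern is in `ajax_muted_action` in the class-form.php hunk on this line, where `extract( $_REQUEST )` precedes the `um_current_user_can( 'edit', $user_id )` check.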
diff --git a/includes/core/class-profile.php b/includes/core/class-profile.php
index 3ea8e577..4ce8f126 100644
--- a/includes/core/class-profile.php
+++ b/includes/core/class-profile.php
@@ -45,6 +45,8 @@ if ( ! class_exists( 'um\core\Profile' ) ) {
 * Delete profile avatar AJAX handler
 */
 function ajax_delete_profile_photo() {
+ UM()->check_ajax_nonce();
+
 /**
 * @var $user_id
 */
@@ -61,6 +63,8 @@ if ( ! class_exists( 'um\core\Profile' ) ) {
 * Delete cover photo AJAX handler
 */
 function ajax_delete_cover_photo() {
+ UM()->check_ajax_nonce();
+
 /**
 * @var $user_id
 */
diff --git a/includes/core/class-query.php b/includes/core/class-query.php
index 1c4dbe64..dfd13ddb 100644
--- a/includes/core/class-query.php
+++ b/includes/core/class-query.php
@@ -39,6 +39,8 @@ if ( ! class_exists( 'um\core\Query' ) ) {
 * Ajax pagination for posts
 */
 function ajax_paginate() {
+ UM()->check_ajax_nonce();
+
 /**
 * @var $hook
 * @var $args
diff --git a/includes/core/class-user-posts.php b/includes/core/class-user-posts.php
index 24ec6f76..76a75229 100644
--- a/includes/core/class-user-posts.php
+++ b/includes/core/class-user-posts.php
@@ -82,6 +82,8 @@ if ( ! class_exists( 'um\core\User_posts' ) ) {
 *
 */
 function load_posts() {
+ UM()->check_ajax_nonce();
+
 $author = ! empty( $_POST['author'] ) ? $_POST['author'] : get_current_user_id();
 $page = ! empty( $_POST['page'] ) ? $_POST['page'] : 0;
diff --git a/includes/core/class-user.php b/includes/core/class-user.php
index 30ab7290..24f709b1 100644
--- a/includes/core/class-user.php
+++ b/includes/core/class-user.php
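Review bot: In `load_posts` the new nonce check guards a handler that still takes `$_POST['author']` and `$_POST['page']` as-is, and the `um-frontend-nonce` it verifies is localized for every visitor in the class-enqueue.php hunk, so the check does not narrow who can call it. Cast both values on the way in: `$author = ! empty( $_POST['author'] ) ? absint( $_POST['author'] ) : get_current_user_id();` and `$page = ! empty( $_POST['page'] ) ? absint( $_POST['page'] ) : 0;`. The body of `load_posts` continues outside the hunk, as do the class-profile.php and class-query.php handlers on this line, whose `@var` blocks suggest they read request values the same way.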
@@ -87,8 +87,11 @@ if ( ! class_exists( 'um\core\User' ) ) {
 add_action( 'init', array( &$this, 'check_membership' ), 10 );
- add_action( 'delete_user', array( &$this, 'delete_user_handler' ), 10, 1 );
- add_action( 'wpmu_delete_user', array( &$this, 'delete_user_handler' ), 10, 1 );
+ if ( is_multisite() ) {
+ add_action( 'delete_user', array( &$this, 'delete_user_handler' ), 10, 1 );
+ } else {
+ add_action( 'wpmu_delete_user', array( &$this, 'delete_user_handler' ), 10, 1 );
+ }
 }
@@ -96,6 +99,8 @@ if ( ! class_exists( 'um\core\User' ) ) {
 * @param $user_id
 */
 function delete_user_handler( $user_id ) {
+ error_log( '----------------' );
+ error_log( $user_id );
 um_fetch_user( $user_id );
diff --git a/includes/core/um-actions-ajax.php b/includes/core/um-actions-ajax.php
index 7647e352..d8d82ba7 100644
--- a/includes/core/um-actions-ajax.php
+++ b/includes/core/um-actions-ajax.php
@@ -8,6 +8,8 @@ if ( ! defined( 'ABSPATH' ) ) exit;
 * @return boolean
 */
 function ultimatemember_check_username_exists() {
+ UM()->check_ajax_nonce();
+
 $username = isset($_REQUEST['username']) ? $_REQUEST['username'] : '';
 $exists = username_exists( $username );
diff --git a/languages/ultimate-member-en_US.po b/languages/ultimate-member-en_US.po
index fb83d9fa..9663b185 100644
--- a/languages/ultimate-member-en_US.po
+++ b/languages/ultimate-member-en_US.po
@@ -1,8 +1,8 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: Ultimate Member\n"
-"POT-Creation-Date: 2018-11-20 13:57+0200\n"
-"PO-Revision-Date: 2018-11-20 13:57+0200\n"
+"POT-Creation-Date: 2018-11-21 11:52+0200\n"
+"PO-Revision-Date: 2018-11-21 11:52+0200\n"
 "Last-Translator: \n"
 "Language-Team: \n"
 "Language: en_US\n"
@@ -21,6 +21,10 @@ msgstr ""
 "X-Poedit-SearchPath-0: .\n"
 "X-Poedit-SearchPathExcluded-0: *.js\n"
+#: includes/admin/class-admin-functions.php:35 includes/class-functions.php:29
+msgid "Wrong Nonce"
+msgstr ""
+
 #: includes/admin/class-admin.php:181
 #, php-format
 msgid "Duplicate of %s"
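Review bot: The branch in the constructor looks inverted: `wpmu_delete_user` is the action fired by WordPress's multisite `wpmu_delete_user()`, while `delete_user` is fired by `wp_delete_user()`, so with this hunk a multisite install hooks the single-site action and a single-site install hooks an action that is never fired there. Swap the two `add_action` calls so the `is_multisite()` branch registers `wpmu_delete_user` and the `else` branch registers `delete_user`, and check the result against the "delete user email notification" fix this release advertises. In the second hunk, `delete_user_handler` now ships `error_log( '----------------' ); error_log( $user_id );`, debugging output that writes user ids to the server log on every deletion; remove both lines before release. The handler's body continues outside the hunk.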
@@ -94,63 +98,66 @@ msgstr "" msgid "Reset all rules" msgstr "" -#: includes/admin/core/class-admin-builder.php:401 -#: includes/admin/core/class-admin-builder.php:471 -#: includes/admin/core/class-admin-dragdrop.php:161 -msgid "Add Row" +#: includes/admin/core/class-admin-builder.php:298 +#: includes/admin/core/class-admin-builder.php:612 +#: includes/admin/core/class-admin-builder.php:767 +#: includes/admin/core/class-admin-dragdrop.php:32 +#: includes/admin/core/class-admin-menu.php:105 +#: includes/core/class-fields.php:4065 +msgid "Please login as administrator" msgstr "" #: includes/admin/core/class-admin-builder.php:402 #: includes/admin/core/class-admin-builder.php:472 -#: includes/admin/core/class-admin-dragdrop.php:162 +#: includes/admin/core/class-admin-dragdrop.php:163 +msgid "Add Row" +msgstr "" + +#: includes/admin/core/class-admin-builder.php:403 +#: includes/admin/core/class-admin-builder.php:473 +#: includes/admin/core/class-admin-dragdrop.php:164 msgid "Edit Row" msgstr "" -#: includes/admin/core/class-admin-builder.php:475 -#: includes/admin/core/class-admin-dragdrop.php:164 -#: includes/admin/core/class-admin-dragdrop.php:178 -#: includes/admin/core/class-admin-dragdrop.php:203 +#: includes/admin/core/class-admin-builder.php:476 +#: includes/admin/core/class-admin-dragdrop.php:166 +#: includes/admin/core/class-admin-dragdrop.php:180 +#: includes/admin/core/class-admin-dragdrop.php:205 msgid "Delete Row" msgstr "" -#: includes/admin/core/class-admin-builder.php:609 -#: includes/admin/core/class-admin-builder.php:763 -#: includes/core/class-fields.php:4062 -msgid "Please login as administrator" -msgstr "" - -#: includes/admin/core/class-admin-builder.php:827 +#: includes/admin/core/class-admin-builder.php:833 msgid "Search Icons..." 
msgstr "" -#: includes/admin/core/class-admin-builder.php:847 +#: includes/admin/core/class-admin-builder.php:853 msgid "Setup New Field" msgstr "" -#: includes/admin/core/class-admin-builder.php:863 +#: includes/admin/core/class-admin-builder.php:869 msgid "Predefined Fields" msgstr "" -#: includes/admin/core/class-admin-builder.php:874 +#: includes/admin/core/class-admin-builder.php:880 #: includes/core/class-builtin.php:1308 msgid "None" msgstr "" -#: includes/admin/core/class-admin-builder.php:878 +#: includes/admin/core/class-admin-builder.php:884 msgid "Custom Fields" msgstr "" -#: includes/admin/core/class-admin-builder.php:889 +#: includes/admin/core/class-admin-builder.php:895 msgid "You did not create any custom fields" msgstr "" -#: includes/admin/core/class-admin-builder.php:920 -#: includes/admin/core/class-admin-builder.php:992 +#: includes/admin/core/class-admin-builder.php:926 +#: includes/admin/core/class-admin-builder.php:998 msgid "This field type is not setup correcty." msgstr "" -#: includes/admin/core/class-admin-builder.php:1137 -#: includes/core/class-form.php:153 includes/core/class-form.php:326 +#: includes/admin/core/class-admin-builder.php:1143 +#: includes/core/class-form.php:155 includes/core/class-form.php:328 #: includes/core/class-password.php:518 msgid "This is not possible for security reasons." msgstr "" 
@@ -371,65 +378,65 @@ msgid "" "help us to grow the plugin and make it more popular. Thank you." msgstr "" -#: includes/admin/core/class-admin-menu.php:118 +#: includes/admin/core/class-admin-menu.php:126 msgctxt "Admin menu name" msgid "Users" msgstr "" -#: includes/admin/core/class-admin-menu.php:126 +#: includes/admin/core/class-admin-menu.php:134 msgctxt "Admin menu name" msgid "All Users" msgstr "" #. Plugin Name of the plugin/theme #. Author of the plugin/theme -#: includes/admin/core/class-admin-menu.php:138 -#: includes/core/class-user.php:552 +#: includes/admin/core/class-admin-menu.php:146 +#: includes/core/class-user.php:557 msgid "Ultimate Member" msgstr "" -#: includes/admin/core/class-admin-menu.php:142 +#: includes/admin/core/class-admin-menu.php:150 msgid "Dashboard" msgstr "" -#: includes/admin/core/class-admin-menu.php:150 +#: includes/admin/core/class-admin-menu.php:158 #: includes/admin/templates/gdpr.php:7 includes/core/class-common.php:56 msgid "Forms" msgstr "" -#: includes/admin/core/class-admin-menu.php:152 +#: includes/admin/core/class-admin-menu.php:160 #: includes/admin/core/list-tables/roles-list-table.php:477 #: includes/admin/core/packages/2.0-beta1/user_roles.php:12 msgid "User Roles" msgstr "" -#: includes/admin/core/class-admin-menu.php:155 +#: includes/admin/core/class-admin-menu.php:163 #: includes/core/class-common.php:85 msgid "Member Directories" msgstr "" -#: includes/admin/core/class-admin-menu.php:197 +#: includes/admin/core/class-admin-menu.php:205 #: includes/admin/core/class-admin-settings.php:1007 msgid "Extensions" msgstr "" -#: includes/admin/core/class-admin-menu.php:210 +#: includes/admin/core/class-admin-menu.php:218 msgid "Users Overview" msgstr "" -#: includes/admin/core/class-admin-menu.php:212 +#: includes/admin/core/class-admin-menu.php:220 msgid "Latest from our blog" msgstr "" -#: includes/admin/core/class-admin-menu.php:214 +#: includes/admin/core/class-admin-menu.php:222 msgid "Purge Temp Files" msgstr "" 
-#: includes/admin/core/class-admin-menu.php:216 +#: includes/admin/core/class-admin-menu.php:224 msgid "User Cache" msgstr "" -#: includes/admin/core/class-admin-menu.php:221 +#: includes/admin/core/class-admin-menu.php:229 msgid "Upgrade's Manual Request" msgstr "" @@ -1305,11 +1312,7 @@ msgid "" "target=\"_blank\">here" msgstr "" -#: includes/admin/core/class-admin-notices.php:671 -msgid "Wrong Nonce" -msgstr "" - -#: includes/admin/core/class-admin-notices.php:676 +#: includes/admin/core/class-admin-notices.php:672 msgid "Wrong Data" msgstr "" @@ -2549,7 +2552,7 @@ msgstr "" #: includes/admin/core/class-admin-users.php:305 #: includes/admin/templates/dashboard/users.php:11 -#: includes/core/class-user.php:816 +#: includes/core/class-user.php:821 msgid "Approved" msgstr "" 
@@ -2672,59 +2675,59 @@ msgstr "" msgid "User Role Deleted Successfully." msgstr "" -#: includes/admin/core/packages/2.0-beta1/functions.php:6 -#: includes/admin/core/packages/2.0.10/functions.php:6 +#: includes/admin/core/packages/2.0-beta1/functions.php:8 +#: includes/admin/core/packages/2.0.10/functions.php:8 msgid "Styles was upgraded successfully" msgstr "" -#: includes/admin/core/packages/2.0-beta1/functions.php:17 +#: includes/admin/core/packages/2.0-beta1/functions.php:21 msgid "User Roles was upgraded successfully" msgstr "" -#: includes/admin/core/packages/2.0-beta1/functions.php:80 +#: includes/admin/core/packages/2.0-beta1/functions.php:89 #, php-format msgid "Users from %s to %s was upgraded successfully..." msgstr "" -#: includes/admin/core/packages/2.0-beta1/functions.php:100 +#: includes/admin/core/packages/2.0-beta1/functions.php:113 msgid "Settings was upgraded successfully" msgstr "" -#: includes/admin/core/packages/2.0-beta1/functions.php:108 +#: includes/admin/core/packages/2.0-beta1/functions.php:123 msgid "Menus settings was upgraded successfully" msgstr "" -#: includes/admin/core/packages/2.0-beta1/functions.php:116 +#: includes/admin/core/packages/2.0-beta1/functions.php:133 msgid "Mailchimp Lists was upgraded successfully" msgstr "" -#: includes/admin/core/packages/2.0-beta1/functions.php:124 +#: includes/admin/core/packages/2.0-beta1/functions.php:143 msgid "Social login forms was upgraded successfully" msgstr "" -#: includes/admin/core/packages/2.0-beta1/functions.php:132 +#: includes/admin/core/packages/2.0-beta1/functions.php:153 msgid "UM Custom Posts was upgraded successfully" msgstr "" -#: includes/admin/core/packages/2.0-beta1/functions.php:147 +#: includes/admin/core/packages/2.0-beta1/functions.php:170 msgid "Forums are ready for upgrade" msgstr "" -#: includes/admin/core/packages/2.0-beta1/functions.php:200 +#: includes/admin/core/packages/2.0-beta1/functions.php:225 #, php-format msgid "Forums from %s to %s was upgraded 
successfully..." msgstr "" -#: includes/admin/core/packages/2.0-beta1/functions.php:216 +#: includes/admin/core/packages/2.0-beta1/functions.php:243 msgid "Woocommerce Products are ready for upgrade" msgstr "" -#: includes/admin/core/packages/2.0-beta1/functions.php:290 +#: includes/admin/core/packages/2.0-beta1/functions.php:319 #, php-format msgid "Woocommerce Products from %s to %s was upgraded successfully..." msgstr "" -#: includes/admin/core/packages/2.0-beta1/functions.php:306 +#: includes/admin/core/packages/2.0-beta1/functions.php:337 msgid "Email Templates was upgraded successfully" msgstr "" 
@@ -2733,72 +2736,72 @@ msgstr "" msgid "Upgrade Styles..." msgstr "" -#: includes/admin/core/packages/2.0-beta1/init.php:37 +#: includes/admin/core/packages/2.0-beta1/init.php:38 msgid "Upgrade Roles..." msgstr "" -#: includes/admin/core/packages/2.0-beta1/init.php:50 +#: includes/admin/core/packages/2.0-beta1/init.php:52 msgid "Upgrade Users..." msgstr "" -#: includes/admin/core/packages/2.0-beta1/init.php:71 +#: includes/admin/core/packages/2.0-beta1/init.php:73 msgid "Getting " msgstr "" -#: includes/admin/core/packages/2.0-beta1/init.php:71 -#: includes/admin/core/packages/2.0-beta1/init.php:82 +#: includes/admin/core/packages/2.0-beta1/init.php:73 +#: includes/admin/core/packages/2.0-beta1/init.php:85 msgid " users..." msgstr "" -#: includes/admin/core/packages/2.0-beta1/init.php:82 +#: includes/admin/core/packages/2.0-beta1/init.php:85 msgid "There are " msgstr "" -#: includes/admin/core/packages/2.0-beta1/init.php:83 +#: includes/admin/core/packages/2.0-beta1/init.php:86 msgid "Start users upgrading..." msgstr "" -#: includes/admin/core/packages/2.0-beta1/init.php:135 +#: includes/admin/core/packages/2.0-beta1/init.php:139 msgid "Upgrade Content Restriction Settings..." msgstr "" -#: includes/admin/core/packages/2.0-beta1/init.php:160 +#: includes/admin/core/packages/2.0-beta1/init.php:165 msgid "Upgrade Settings..." msgstr "" -#: includes/admin/core/packages/2.0-beta1/init.php:185 +#: includes/admin/core/packages/2.0-beta1/init.php:191 msgid "Upgrade Menu Items..." msgstr "" -#: includes/admin/core/packages/2.0-beta1/init.php:210 +#: includes/admin/core/packages/2.0-beta1/init.php:217 msgid "Upgrade Mailchimp Lists..." msgstr "" -#: includes/admin/core/packages/2.0-beta1/init.php:235 +#: includes/admin/core/packages/2.0-beta1/init.php:243 msgid "Upgrade Social Login Forms..." msgstr "" -#: includes/admin/core/packages/2.0-beta1/init.php:260 +#: includes/admin/core/packages/2.0-beta1/init.php:269 msgid "Upgrade UM Custom Post Types..." 
msgstr "" -#: includes/admin/core/packages/2.0-beta1/init.php:285 +#: includes/admin/core/packages/2.0-beta1/init.php:295 msgid "Upgrade bbPress Forums..." msgstr "" -#: includes/admin/core/packages/2.0-beta1/init.php:286 +#: includes/admin/core/packages/2.0-beta1/init.php:296 msgid "Get bbPress Forums count..." msgstr "" -#: includes/admin/core/packages/2.0-beta1/init.php:343 +#: includes/admin/core/packages/2.0-beta1/init.php:355 msgid "Upgrade Woocommerce Products..." msgstr "" -#: includes/admin/core/packages/2.0-beta1/init.php:344 +#: includes/admin/core/packages/2.0-beta1/init.php:356 msgid "Get all Products..." msgstr "" -#: includes/admin/core/packages/2.0-beta1/init.php:403 +#: includes/admin/core/packages/2.0-beta1/init.php:417 msgid "Upgrade Email Templates..." msgstr "" @@ -2827,15 +2830,15 @@ msgstr "" msgid "Search User Roles" msgstr "" -#: includes/admin/core/packages/2.0.10/functions.php:17 +#: includes/admin/core/packages/2.0.10/functions.php:21 msgid "Users cache was cleared successfully" msgstr "" -#: includes/admin/core/packages/2.0.10/init.php:31 +#: includes/admin/core/packages/2.0.10/init.php:32 msgid "Clear Users Cache..." msgstr "" -#: includes/admin/core/packages/2.0.24/functions.php:9 +#: includes/admin/core/packages/2.0.24/functions.php:11 msgid "Temporary dir was purged successfully" msgstr "" @@ -2856,18 +2859,6 @@ msgstr "" msgid "Latest From Ultimate Member" msgstr "" -#: includes/admin/templates/dashboard/language-contrib.php:2 -#, php-format -msgid "" -"Ultimate Member is not yet available in your language: %1$s." -msgstr "" - -#: includes/admin/templates/dashboard/language-contrib.php:6 -msgid "" -"If you want to contribute this translation to the plugin, please add it on " -"our community forum." -msgstr "" - #: includes/admin/templates/dashboard/purge.php:4 #, php-format msgid "" 
@@ -2896,12 +2887,12 @@ msgid "Get latest versions" msgstr "" #: includes/admin/templates/dashboard/users.php:27 -#: includes/core/class-user.php:824 +#: includes/core/class-user.php:829 msgid "Pending Review" msgstr "" #: includes/admin/templates/dashboard/users.php:32 -#: includes/core/class-user.php:820 +#: includes/core/class-user.php:825 msgid "Awaiting E-mail Confirmation" msgstr "" @@ -3485,11 +3476,11 @@ msgstr "" msgid "Update" msgstr "" -#: includes/admin/templates/modal/dynamic_edit_field.php:14 -#: includes/admin/templates/modal/dynamic_edit_row.php:14 -#: includes/admin/templates/modal/dynamic_new_divider.php:14 -#: includes/admin/templates/modal/dynamic_new_field.php:14 -#: includes/admin/templates/modal/dynamic_new_group.php:14 +#: includes/admin/templates/modal/dynamic_edit_field.php:15 +#: includes/admin/templates/modal/dynamic_edit_row.php:15 +#: includes/admin/templates/modal/dynamic_new_divider.php:15 +#: includes/admin/templates/modal/dynamic_new_field.php:15 +#: includes/admin/templates/modal/dynamic_new_group.php:15 #: includes/admin/templates/modal/fonticons.php:11 #: includes/admin/templates/role/publish.php:24 #: includes/core/class-fields.php:2301 includes/core/class-fields.php:2398 @@ -4131,7 +4122,7 @@ msgstr "" msgid "You must add a shortcode to the content area" msgstr "" -#: includes/core/class-builtin.php:663 includes/core/class-user.php:1538 +#: includes/core/class-builtin.php:663 includes/core/class-user.php:1543 msgid "Only me" msgstr "" 
@@ -6290,40 +6281,40 @@ msgstr "" msgid "This user has not added any information to their profile yet." msgstr "" -#: includes/core/class-files.php:267 +#: includes/core/class-files.php:271 msgid "Invalid parameters" msgstr "" -#: includes/core/class-files.php:272 +#: includes/core/class-files.php:276 msgid "Invalid coordinates" msgstr "" -#: includes/core/class-files.php:277 +#: includes/core/class-files.php:281 msgid "Invalid file ownership" msgstr "" -#: includes/core/class-files.php:330 +#: includes/core/class-files.php:334 msgid "Invalid nonce" msgstr "" -#: includes/core/class-files.php:350 includes/core/class-files.php:435 +#: includes/core/class-files.php:354 includes/core/class-files.php:439 msgid "A theme or plugin compatibility issue" msgstr "" -#: includes/core/class-files.php:978 +#: includes/core/class-files.php:982 msgid "Ultimate Member: Not a valid temp file" msgstr "" -#: includes/core/class-files.php:1106 +#: includes/core/class-files.php:1110 msgid "Invalid user ID: " msgstr "" -#: includes/core/class-files.php:1115 includes/core/class-files.php:1143 +#: includes/core/class-files.php:1119 includes/core/class-files.php:1147 msgid "Unauthorized to do this attempt." msgstr "" -#: includes/core/class-form.php:56 includes/core/class-profile.php:54 -#: includes/core/class-profile.php:70 +#: includes/core/class-form.php:58 includes/core/class-profile.php:56 +#: includes/core/class-profile.php:74 msgid "You can not edit this user" msgstr "" @@ -6385,15 +6376,15 @@ msgstr "" msgid "https://wordpress.org/support/" msgstr "" -#: includes/core/class-profile.php:106 +#: includes/core/class-profile.php:110 msgid "About" msgstr "" -#: includes/core/class-profile.php:110 +#: includes/core/class-profile.php:114 msgid "Posts" msgstr "" -#: includes/core/class-profile.php:114 +#: includes/core/class-profile.php:118 msgid "Comments" msgstr "" 
@@ -6518,19 +6509,19 @@ msgstr "" msgid "Maximum file size allowed: %s" msgstr "" -#: includes/core/class-user.php:610 +#: includes/core/class-user.php:615 msgid "Ultimate Member Role" msgstr "" -#: includes/core/class-user.php:613 +#: includes/core/class-user.php:618 msgid "— No role for Ultimate Member —" msgstr "" -#: includes/core/class-user.php:828 +#: includes/core/class-user.php:833 msgid "Membership Rejected" msgstr "" -#: includes/core/class-user.php:832 +#: includes/core/class-user.php:837 msgid "Membership Inactive" msgstr "" diff --git a/readme.txt b/readme.txt index 3db242eb..4ea68126 100644 --- a/readme.txt +++ b/readme.txt @@ -6,7 +6,7 @@ Donate link: Tags: community, member, membership, user-profile, user-registration Requires at least: 4.7 Tested up to: 4.9 -Stable tag: 2.0.32 +Stable tag: 2.0.33 License: GNU Version 2 or Any Later Version License URI: http://www.gnu.org/licenses/gpl-3.0.txt @@ -137,6 +137,13 @@ The plugin works with popular caching plugins by automatically excluding Ultimat = Important: UM2.0+ is a significant update to the code base from 1.3.88. Please make sure you take a full-site backup with restore point before updating the plugin = += 2.0.33: November 21, 2018 = + +* Bugfixes: + - Fixed AJAX vulnerabilities + - Fixed delete user email notification + - Fixed profile tabs displaying + = 2.0.32: November 20, 2018 = * Bugfixes: diff --git a/ultimate-member.php b/ultimate-member.php index c4892f6f..d0a901f5 100644 --- a/ultimate-member.php +++ b/ultimate-member.php @@ -3,7 +3,7 @@ Plugin Name: Ultimate Member Plugin URI: http://ultimatemember.com/ Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress -Version: 2.0.32 +Version: 2.0.33 Author: Ultimate Member Author URI: http://ultimatemember.com/ Text Domain: ultimate-member