- fixed security vulnerability;

This commit is contained in:
nikitasinelnikov
2020-09-08 23:13:43 +03:00
parent 1e6267b5c0
commit 19f2786e05
4 changed files with 19 additions and 10 deletions
+3 -3
@@ -655,9 +655,9 @@ if ( ! class_exists( 'um\admin\core\Admin_Notices' ) ) {
<?php $message = ob_get_clean();
$this->add_notice( 'reviews_notice', array(
'class' => 'updated',
'message' => $message,
'dismissible' => true
'class' => 'updated',
'message' => $message,
'dismissible' => true
), 1 );
}
+9 -6
@@ -374,14 +374,14 @@ if ( ! class_exists( 'um\core\Form' ) ) {
$this->post_form = array_merge( $this->form_data, $this->post_form );
if ( isset( $this->form_data['custom_fields'] ) && strstr( $this->form_data['custom_fields'], 'role_' ) ) { // Secure selected role
if ( isset( $this->form_data['custom_fields'] ) && strstr( $this->form_data['custom_fields'], 'role_' ) ) { // Secure selected role
$custom_field_roles = $this->custom_field_roles( $this->form_data['custom_fields'] );
if ( ! empty( $_POST['role'] ) ) {
$role = $_POST['role'];
if( is_array( $_POST['role'] ) ){
if ( is_array( $_POST['role'] ) ) {
$role = current( $_POST['role'] );
}
@@ -392,8 +392,8 @@ if ( ! class_exists( 'um\core\Form' ) ) {
$exclude_roles = array_diff( array_keys( $wp_roles->roles ), array_merge( $role_keys, array( 'subscriber' ) ) );
if ( ! empty( $role ) &&
( ! in_array( $role , $custom_field_roles ) || in_array( $role , $exclude_roles ) ) ) {
wp_die( __( 'This is not possible for security reasons.','ultimate-member') );
( ! in_array( $role, $custom_field_roles, true ) || in_array( $role, $exclude_roles ) ) ) {
wp_die( __( 'This is not possible for security reasons.', 'ultimate-member' ) );
}
$this->post_form['role'] = $role;
@@ -401,6 +401,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
}
} elseif ( isset( $this->post_form['mode'] ) && $this->post_form['mode'] == 'register' ) {
$role = $this->assigned_role( $this->form_id );
$this->post_form['role'] = $role;
//fix for social login
@@ -587,14 +588,16 @@ if ( ! class_exists( 'um\core\Form' ) ) {
$fields = maybe_unserialize( $custom_fields );
if ( ! is_array( $fields ) )
if ( ! is_array( $fields ) ) {
return false;
}
foreach ( $fields as $field_key => $field_settings ) {
if ( strstr( $field_key , 'role_' ) ) {
if ( is_array( $field_settings['options'] ) ) {
return array_keys( $field_settings['options'] );
$option_pairs = apply_filters( 'um_select_options_pair', null, $field_settings );
return ! empty( $option_pairs ) ? array_keys( $field_settings['options'] ) : array_values( $field_settings['options'] );
}
}
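Review bot: In the second hunk of this file only the allow-list half of the role gate gained a strict comparison; the companion `in_array( $role, $exclude_roles )` on the same condition line is still a loose `==` membership test, so the two halves of the same security check compare `$role` differently. Change it to `in_array( $role, $exclude_roles, true )` so both tests treat the submitted value identically. As far as the hunk shows, `$role` comes straight from `$_POST['role']` (its first element when an array) and is validated only by these two membership tests before being stored in `$this->post_form['role']`, which is why both should be strict. In the last hunk, `custom_field_roles()` reads `$field_settings['options']` without an `isset()` guard, which the commit leaves as before; the enclosing methods start and end outside these hunks.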
+6
@@ -156,6 +156,12 @@ The plugin works with popular caching plugins by automatically excluding Ultimat
* To learn more about version 2.1 please see this [docs](https://docs.ultimatemember.com/article/1512-upgrade-2-1-0)
* UM2.1+ is a significant update to the Member Directories' code base from 2.0.x. Please make sure you take a full-site backup with restore point before updating the plugin
= 2.1.9: September 9, 2020 =
* Bugfixes:
- Fixed security vulnerability when user can change their role via Profile Form
= 2.1.8: September 2, 2020 =
* Enhancements:
+1 -1
@@ -3,7 +3,7 @@
Plugin Name: Ultimate Member
Plugin URI: http://ultimatemember.com/
Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress
Version: 2.1.8
Version: 2.1.9-rc.1
Author: Ultimate Member
Author URI: http://ultimatemember.com/
Text Domain: ultimate-member