From 19f2786e05573b4b3477204dd25a0ad4093a71ec Mon Sep 17 00:00:00 2001 From: nikitasinelnikov Date: Tue, 8 Sep 2020 23:13:43 +0300 Subject: [PATCH] - fixed security vulnerability; --- includes/admin/core/class-admin-notices.php | 6 +++--- includes/core/class-form.php | 15 +++++++++------ readme.txt | 6 ++++++ ultimate-member.php | 2 +- 4 files changed, 19 insertions(+), 10 deletions(-) diff --git a/includes/admin/core/class-admin-notices.php b/includes/admin/core/class-admin-notices.php index c2be3f3f..653abdd9 100644 --- a/includes/admin/core/class-admin-notices.php +++ b/includes/admin/core/class-admin-notices.php @@ -655,9 +655,9 @@ if ( ! class_exists( 'um\admin\core\Admin_Notices' ) ) { add_notice( 'reviews_notice', array( - 'class' => 'updated', - 'message' => $message, - 'dismissible' => true + 'class' => 'updated', + 'message' => $message, + 'dismissible' => true ), 1 ); } diff --git a/includes/core/class-form.php b/includes/core/class-form.php index 80bed687..cddc9440 100644 --- a/includes/core/class-form.php +++ b/includes/core/class-form.php @@ -374,14 +374,14 @@ if ( ! class_exists( 'um\core\Form' ) ) { $this->post_form = array_merge( $this->form_data, $this->post_form ); - if ( isset( $this->form_data['custom_fields'] ) && strstr( $this->form_data['custom_fields'], 'role_' ) ) { // Secure selected role + if ( isset( $this->form_data['custom_fields'] ) && strstr( $this->form_data['custom_fields'], 'role_' ) ) { // Secure selected role $custom_field_roles = $this->custom_field_roles( $this->form_data['custom_fields'] ); if ( ! empty( $_POST['role'] ) ) { $role = $_POST['role']; - if( is_array( $_POST['role'] ) ){ + if ( is_array( $_POST['role'] ) ) { $role = current( $_POST['role'] ); } 
@@ -392,8 +392,8 @@ if ( ! class_exists( 'um\core\Form' ) ) { $exclude_roles = array_diff( array_keys( $wp_roles->roles ), array_merge( $role_keys, array( 'subscriber' ) ) ); if ( ! empty( $role ) && - ( ! in_array( $role , $custom_field_roles ) || in_array( $role , $exclude_roles ) ) ) { - wp_die( __( 'This is not possible for security reasons.','ultimate-member') ); + ( ! in_array( $role, $custom_field_roles, true ) || in_array( $role, $exclude_roles ) ) ) { + wp_die( __( 'This is not possible for security reasons.', 'ultimate-member' ) ); } $this->post_form['role'] = $role; @@ -401,6 +401,7 @@ if ( ! class_exists( 'um\core\Form' ) ) { } } elseif ( isset( $this->post_form['mode'] ) && $this->post_form['mode'] == 'register' ) { + $role = $this->assigned_role( $this->form_id ); $this->post_form['role'] = $role; //fix for social login @@ -587,14 +588,16 @@ if ( ! class_exists( 'um\core\Form' ) ) { $fields = maybe_unserialize( $custom_fields ); - if ( ! is_array( $fields ) ) + if ( ! is_array( $fields ) ) { return false; + } foreach ( $fields as $field_key => $field_settings ) { if ( strstr( $field_key , 'role_' ) ) { if ( is_array( $field_settings['options'] ) ) { - return array_keys( $field_settings['options'] ); + $option_pairs = apply_filters( 'um_select_options_pair', null, $field_settings ); + return ! empty( $option_pairs ) ? array_keys( $field_settings['options'] ) : array_values( $field_settings['options'] ); } } diff --git a/readme.txt b/readme.txt index 9ee9cfd8..cdba0add 100644 --- a/readme.txt +++ b/readme.txt 
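Review bot: The strict flag was added only to the `$custom_field_roles` half of the guard; the `in_array( $role, $exclude_roles )` test on the same line is still a loose comparison, and `$role` is taken straight from `$_POST['role']` (set in the preceding hunk) with no sanitization, so the allow-list and the deny-list do not match values the same way. Normalising the input once and making both comparisons strict keeps the two halves consistent: `$role = is_array( $_POST['role'] ) ? current( $_POST['role'] ) : $_POST['role'];`, then `$role = sanitize_key( $role );` if role slugs are always lowercase here (otherwise `sanitize_text_field()`), and `in_array( $role, $exclude_roles, true )` inside the condition. Note that `current()` on a nested array still yields an array, which strict `in_array` rejects and so reaches `wp_die()` — safe, but worth a one-line comment so nobody "fixes" it later. The enclosing `if` block starts before this hunk.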
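Review bot: The new `$role = $this->assigned_role( $this->form_id );` covers only the `register` branch; a non-register form whose `custom_fields` contains no `role_` field matches neither branch, and because `$this->post_form` is built with `array_merge( $this->form_data, $this->post_form )` (top of the earlier hunk, where `post_form` values win), a `role` key already present in `post_form` survives untouched. This diff does not show how `post_form` is populated, so confirm against the constructor: if it comes from `$_POST`, a submitted role still gets through on that path and a trailing `else { unset( $this->post_form['role'] ); }` would close it. Separately, the return of `assigned_role()` is assigned without a check; if it can return an empty value the profile ends up with no role, so an `if ( ! empty( $role ) )` guard plus a comment such as `// Role comes from the form's configured default, never from user input` would pin the intent. The enclosing `if`/`elseif` chain starts before this hunk.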
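Review bot: `custom_field_roles()` still returns `false` at the `! is_array( $fields )` guard (and presumably after the loop when no `role_` field is found, which lies outside this hunk), but the caller in the -392 hunk now passes that result straight to `in_array( $role, $custom_field_roles, true )`; a `false` haystack is a warning on PHP 7 and a `TypeError` on PHP 8, so the rejection happens by crash rather than by the intended `wp_die()`. If no caller tests for `false` explicitly, returning `array()` instead — `return array();` at the guard — makes the allow-list check fail closed cleanly. `$field_settings['options']` is also read without `isset()`, which raises a notice for a `role_` field that has no options configured. The semantics of the `um_select_options_pair` filter (whether option keys or values are the role slugs) are not visible here, so the `array_keys` vs `array_values` choice is taken on trust; a one-line comment above the `apply_filters` call stating which shape each branch expects would help the next reader.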
@@ -156,6 +156,12 @@ The plugin works with popular caching plugins by automatically excluding Ultimat * To learn more about version 2.1 please see this [docs](https://docs.ultimatemember.com/article/1512-upgrade-2-1-0) * UM2.1+ is a significant update to the Member Directories' code base from 2.0.x. Please make sure you take a full-site backup with restore point before updating the plugin += 2.1.9: September 9, 2020 = + +* Bugfixes: + + - Fixed security vulnerability when user can change their role via Profile Form + = 2.1.8: September 2, 2020 = * Enhancements: diff --git a/ultimate-member.php b/ultimate-member.php index 7c0896fb..7651f8b8 100644 --- a/ultimate-member.php +++ b/ultimate-member.php @@ -3,7 +3,7 @@ Plugin Name: Ultimate Member Plugin URI: http://ultimatemember.com/ Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress -Version: 2.1.8 +Version: 2.1.9-rc.1 Author: Ultimate Member Author URI: http://ultimatemember.com/ Text Domain: ultimate-member