Fix: Address CVE-2025-13217 and improve input sanitization

Resolved CVE-2025-13217 by building the embed URL first and passing it through esc_url() before it is placed in the iframe src attribute for YouTube, Vimeo, and Google Maps embeds. This prevents user-provided link values from breaking out of the attribute context and mitigates the reported vulnerability.
Mykyta Synelnikov
2025-12-05 17:56:45 +02:00
parent b75a2145dd
commit 302731f252
3 changed files with 8 additions and 7 deletions
+6 -5
@@ -76,15 +76,15 @@ function um_profile_field_filter_hook__youtube_video( $value, $data ) {
}
$value = ( strstr( $value, 'http' ) || strstr( $value, '://' ) ) ? um_youtube_id_from_url( $value ) : $value;
if ( false !== $value ) {
$value = 'https://www.youtube.com/embed/' . $value;
$value = '<div class="um-youtube">'
. '<iframe width="600" height="450" src="https://www.youtube.com/embed/' . $value . '" frameborder="0" allowfullscreen></iframe>'
. '<iframe width="600" height="450" src="' . esc_url( $value ) . '" frameborder="0" allowfullscreen></iframe>'
. '</div>';
}
return $value;
}
add_filter( 'um_profile_field_filter_hook__youtube_video', 'um_profile_field_filter_hook__youtube_video', 99, 2 );
/**
* Outputs a spotify iframe
*
@@ -127,8 +127,9 @@ function um_profile_field_filter_hook__vimeo_video( $value, $data ) {
}
$value = ! is_numeric( $value ) ? (int) substr( parse_url( $value, PHP_URL_PATH ), 1 ) : $value;
$value = 'https://player.vimeo.com/video/' . $value;
$value = '<div class="um-vimeo">
<iframe src="https://player.vimeo.com/video/' . $value . '" width="600" height="450" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>
<iframe src="' . esc_url( $value ) . '" width="600" height="450" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>
</div>';
return $value;
}
@@ -199,14 +200,14 @@ function um_profile_field_filter_hook__googlemap( $value, $data ) {
if ( ! $value ) {
return '';
}
$value = 'https://maps.google.it/maps?q=' . urlencode( $value ) . '&output=embed';
$value = '<div class="um-googlemap">
<iframe width="600" height="450" frameborder="0" style="border:0" src="https://maps.google.it/maps?q=' . urlencode( $value ) . '&output=embed"></iframe>
<iframe width="600" height="450" frameborder="0" style="border:0" src="' . esc_url( $value ) . '"></iframe>
</div>';
return $value;
}
add_filter( 'um_profile_field_filter_hook__googlemap', 'um_profile_field_filter_hook__googlemap', 99, 2 );
/**
* User's registration date
*
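Review bot: In the YouTube hunk the non-URL branch of `$value = ( strstr( $value, 'http' ) || strstr( $value, '://' ) ) ? um_youtube_id_from_url( $value ) : $value;` still takes the raw field value as the video ID and concatenates it into the embed path; esc_url() stops attribute breakout but does not constrain the path, so values such as `abc/../../something?x=1` still reach the iframe src on the youtube.com host. Since only an ID is expected at that point, it would be safer to reject anything outside the ID character set before building the URL, e.g. `if ( ! preg_match( '/^[A-Za-z0-9_-]+$/', $value ) ) { return ''; }` placed after the `false !== $value` check (I believe YouTube IDs are drawn from that set, but confirm before enforcing a length). The Vimeo hunk has a similar gap: the `is_numeric( $value )` branch passes strings like `1e5` or ` 12` through unchanged while the other branch casts to int, so applying `(int)` on both paths would be more consistent. The enclosing functions start before each hunk, so the earlier validation in um_profile_field_filter_hook__youtube_video is not visible here.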