* fixed CVE-2024-12276;

* reviewed $wpdb usage against WPCS;
* set minimum required version to 6.2 due to using %i for $wpdb->prepare;
Mykyta Synelnikov
2025-02-03 16:17:37 +02:00
parent 26c8aa21e1
commit 4adbe19cbe
19 changed files with 249 additions and 194 deletions
+12 -5
@@ -1379,16 +1379,23 @@ if ( ! class_exists( 'um\core\Uploader' ) ) {
foreach ( $files as $file ) {
$str = basename( $file );
if ( strstr( $str, 'profile_photo' ) || strstr( $str, 'cover_photo' ) || preg_grep( '/' . $str . '/', $_array ) ) {
if ( false !== strpos( $str, 'profile_photo' ) || false !== strpos( $str, 'cover_photo' ) || preg_grep( '/' . $str . '/', $_array ) ) {
continue;
}
// Don't delete photo that belongs to the Social Activity post or Groups post
if ( strstr( $str, 'stream_photo' ) ) {
if ( false !== strpos( $str, 'stream_photo' ) ) {
global $wpdb;
$is_post_image = $wpdb->get_var( "
SELECT COUNT(*) FROM {$wpdb->postmeta}
WHERE `meta_key`='_photo' AND `meta_value`='{$str}';" );
$is_post_image = $wpdb->get_var(
$wpdb->prepare(
"SELECT COUNT(*)
FROM {$wpdb->postmeta}
WHERE meta_key = '_photo' AND
meta_value = %s",
$str
)
);
if ( $is_post_image ) {
continue;
}