Fix security vulnerabilities, enhance validation, and update logic

Addressed several security issues including CVE-2025-15064 and CVE-2026-1404. Added server-side validation for forms and introduced hooks for email confirmation. Adjusted template handling, resolved mobile display issues, and updated Site Health debug information.
This commit is contained in:
Mykyta Synelnikov
2026-02-09 11:19:11 +02:00
parent 8038c93567
commit 57ab92ab70
3 changed files with 75 additions and 51 deletions
+61 -44
@@ -1,10 +1,27 @@
== Changelog ==
= 2.11.2 January xx, 2026 =
= 2.11.2 February 09, 2026 =
* Enhancements:
- Added: Server-side validation when the Search Form is submitted.
- Added: Action hook `um_approve_user_on_email_confirmation` to natively approve the user after validating the email activation link.
* Bugfixes:
- Fixed: Security issue CVE ID: CVE-2025-15064. Deprecated ability to use HTML inside the user description.
- Fixed: Security issue, CVE ID: CVE-2025-15064. Deprecated the ability to use HTML inside the user description. It's still allowed to use only predefined 'user_description' tags in `wp_kses()`.
- Fixed: Security issue, CVE ID: CVE-2026-1404. Modified template item formatting to avoid using HTML characters in the filter values.
- Fixed: Profile photo dropdown menu position for screens smaller than 340px.
- Fixed: Display of the saved value of the "Privacy Options" > "Allowed roles" setting for the member directory.
- Fixed: Information in Site-Health about the registration form's `Template` and `Role` settings.
- Fixed: Information in Site-Health about the login and profile form's `Template` settings.
* Templates Requiring Update:
- members.php
- searchform.php
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.11.1 December 16, 2025 =
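Review bot: the `um_approve_user_on_email_confirmation` entry should state whether the hook's native approval also applies when the role's registration flow requires admin review in addition to email activation; as written, an action that "natively approve[s] the user after validating the email activation link" reads as if clicking the link bypasses the review gate, and integrators need to know which status transitions it performs. Two smaller documentation points in the same hunk: the CVE-2025-15064 line refers to "predefined 'user_description' tags in `wp_kses()`" without saying where that allowed-tag set is defined or how a site can extend it, and the "Templates Requiring Update" list names members.php and searchform.php although none of the three files in this commit is a template, so the entry should reference the commit that actually ships those changes.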
@@ -20,7 +37,7 @@
- Fixed: Security issue CVE ID: CVE-2025-14081. Filtering fields based on user permissions during Account form submission.
- Fixed: Security issue CVE ID: CVE-2025-12492. Added directory privacy settings and added rate limiting.
* Templates required update:
* Templates Requiring Update:
- members.php
- members-grid.php
@@ -66,7 +83,7 @@
- Fixed: Integer validation for the 'start_of_week' WP native setting.
- Fixed: Dependencies with Action Scheduler library.
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.10.5 June 25, 2025 =
@@ -102,11 +119,11 @@
- Deprecated `UM()->user()->maybe_generate_password_reset_key( $userdata )` function. Use `UM()->common()->users()->maybe_generate_password_reset_key( $userdata )` instead.
- Deprecated `UM()->user()->set_last_login()` function. Use `UM()->common()->users()->set_last_login( $user_id )` instead.
* Templates required update:
* Templates Requiring Update:
- password-reset.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.10.4 May 15, 2025 =
@@ -133,7 +150,7 @@
- Fixed: Reset Password email notification's the {password_reset_link}` placeholder.
- Fixed: Changed "Turkey" to the current official term "Türkiye".
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.10.2 April 02, 2025 =
@@ -155,7 +172,7 @@
- Fixed: Honeypot scripts/styles for themes without pre-rendered shortcodes. Enqueue honeypot scripts/styles everytime.
- Fixed: Profile photo metadata when Gravatar image is used.
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.10.0 February 18, 2025 =
@@ -180,12 +197,12 @@
- Fixed: The "Privacy Policy" field in the registration form. Disallowed HTML from the "Privacy Policy" content (like `<form>`) is filtered out by the `wp_kses()` function.
- Fixed: Password fields are now sanitized the WordPress native way, with `wp_unslash()` omitted post-submission.
* Templates required update:
* Templates Requiring Update:
- gdpr-register.php
- profile.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.9.2 January 14, 2025 =
@@ -216,11 +233,11 @@
- Fully deprecated `UM()->localize()` function
- Fully deprecated `um_language_textdomain` filter hook
* Templates required update:
* Templates Requiring Update:
- account.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.9.1 November 15, 2024 =
@@ -251,7 +268,7 @@
- Fixed: User status filter on wp-admin > Users on mobile devices
- Fixed: Extra unwrapping of the WP Editor field's value
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.8.9 October 14, 2024 =
@@ -272,7 +289,7 @@
- Fixed: Sending email notifications based on user status after registration
- Fixed: PHP error when meta `um_member_directory_data` has a wrong format
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.8.8 October 04, 2024 =
@@ -283,7 +300,7 @@
- Fixed: User registration if email activation or admin review are required
- Fixed: First installation errors
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.8.7 October 01, 2024 =
@@ -320,11 +337,11 @@
- Fixed: Parsing /modal/ templates and parsing templates on the Windows hosting
- Fixed: Validation `form_id` attribute in the `ultimatemember` shortcode
* Templates required update:
* Templates Requiring Update:
- login-to-view.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
* Deprecated:
@@ -368,12 +385,12 @@
- Fixed: PHP errors while uploading files
- Fixed: Parsing error on the license activation
* Templates required update:
* Templates Requiring Update:
- Renamed templates/modal/um_upload_single.php → templates/modal/upload-single.php
- Renamed templates/modal/um_view_photo.php → templates/modal/view-photo.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.8.5: April 9, 2024 =
@@ -392,7 +409,7 @@
- Fixed: Reset Password urlencoded username
- Fixed: Clear media JS in wp-admin settings
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.8.4: March 6, 2024 =
@@ -431,7 +448,7 @@
- Fixed: Default email notification body color
- Fixed: Ignore username slug when custom meta slug exists when parse user from query
* Templates required update:
* Templates Requiring Update:
- email/notification_deletion.php
- email/notification_new_user.php
@@ -439,7 +456,7 @@
- email/welcome_email.php
- password-change.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.8.2: January 15, 2024 =
@@ -463,11 +480,11 @@
- Fixed: Account styles
- Fixed: Saving `um_form_version` postmeta
* Templates required update:
* Templates Requiring Update:
- profile/posts-single.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.8.1: December 20, 2023 =
@@ -534,7 +551,7 @@
- `um-admin-clear` CSS class. It duplicates WordPress native `clear`. Using WordPress native instead.
- `um-admin-tipsy-{x}` classes to make Tipsy.JS initialization commonly for wp-admin and frontend by `um-tip-{x}` class.
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.7.0: October 11, 2023 =
@@ -568,7 +585,7 @@
- `UM()->admin()->enqueue()->suffix` property use `UM()->frontend()->enqueue()::get_suffix()`
- Changed directories for the fonts (fonticons + raty), and JS/CSS files related to libs `jquery-ui`, `raty`, `select2`, `tipsy`, `fonticons (FontAwesome + Ionicons)`
* Templates required update:
* Templates Requiring Update:
- account.php
- login.php
@@ -577,7 +594,7 @@
- register.php
- profile/posts-single.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.6.11: September 06, 2023 =
@@ -609,7 +626,7 @@
- Fixed: Performance for `um_get_form_fields` hook
- Fixed: Admin Modal JS library conflict with bootstrap.js
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.6.9: July 26, 2023 =
@@ -630,11 +647,11 @@
- Fixed: Maximum allowed words option for textarea where you may insert HTML tags. Ignore HTML tags symbols when count
- Fixed: Sanitize for fields (Min characters, Max characters, etc.) where can be empty string or absint value
* Templates required update:
* Templates Requiring Update:
- profile.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.6.8: July 19, 2023 =
@@ -668,7 +685,7 @@
- Deprecated: Unnecessary `um_multiselect_option_value` hook
* Templates required update:
* Templates Requiring Update:
- members.php
@@ -740,7 +757,7 @@
- Deprecated: `um_localize_permalink_filter`. Use `post_link` instead
* Templates required update:
* Templates Requiring Update:
- members.php
@@ -777,7 +794,7 @@
* All templates required update. Please add the version comments to your custom templates in themes
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.6.0: March 29, 2023 =
@@ -806,7 +823,7 @@
- Deprecated: VKontakte and Google+ predefined fields. VKontakte and Google+ fields validation changed to just URL validation.
* Templates required update:
* Templates Requiring Update:
- members.php
= 2.5.4: February 17, 2023 =
@@ -851,10 +868,10 @@
- Fixed: Multiple users approve
- Fixed: Using regular URL-type field for displaying
* Templates required update:
* Templates Requiring Update:
- members.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.5.1: October 26, 2022 =
@@ -901,11 +918,11 @@
- `UM()->user()->get_pending_users_count()`. Use `UM()->query()->get_pending_users_count()` instead. It's unused since 2.5.0. Will be removed since 2.7.0
- `UM()->user()->remove_cached_queue()` without alternativities. It's unused since 2.5.0. Will be removed since 2.7.0
* Templates required update:
* Templates Requiring Update:
- password-change.php
- password-reset.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.4.2: July 14, 2022 =
@@ -1016,12 +1033,12 @@
- Fixed: Canonical link of the user profile if WPML plugin is active.
- Fixed: Replacing placeholders in nav menus. Used an earlier hook for filtering items before generating HTML and avoided issues with raw, not-escaped HTML inside tags' attributes.
* Templates required update:
* Templates Requiring Update:
- members-grid.php
- members-list.php
- password-reset.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.2.5: September 22, 2021 =
@@ -1126,11 +1143,11 @@
- WordPress 5.8 compatibility. Widgets screen changes based on the new features with Legacy Widget block
* Templates required update:
* Templates Requiring Update:
- members.php
- password-reset.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.1.21: June 17, 2021 =
@@ -1143,12 +1160,12 @@
- Fixed: Displaying avatar on the logout page
- Fixed: Role meta sanitizing and related XSS vulnerability
* Templates required update:
* Templates Requiring Update:
- logout.php
- members.php
- members-list.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.1.20: May 7, 2021 =
+2 -2
@@ -2220,7 +2220,7 @@ class Site_Health {
$debug_info[] = array(
'template' => array(
'label' => __( 'Template', 'ultimate-member' ),
'value' => 0 === absint( get_post_meta( $form_id, '_um_login_template', true ) ) ? $labels['default'] : get_post_meta( $form_id, '_um_login_template', true ),
'value' => empty( get_post_meta( $form_id, '_um_login_template', true ) ) ? $labels['default'] : get_post_meta( $form_id, '_um_login_template', true ),
),
'max_width' => array(
'label' => __( 'Max. Width (px)', 'ultimate-member' ),
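Review bot: `get_post_meta( $form_id, '_um_login_template', true )` is now called twice on the changed line, once inside `empty()` and again for the displayed value; read it once into a local variable, e.g. `$template = get_post_meta( $form_id, '_um_login_template', true );` and then `'value' => empty( $template ) ? $labels['default'] : $template,`. The switch from `0 === absint( ... )` to `empty( ... )` is the right direction: `absint()` of a non-numeric template slug is always 0, so the old check reported every custom template as the default.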
@@ -2292,7 +2292,7 @@ class Site_Health {
),
'template' => array(
'label' => __( 'Template', 'ultimate-member' ),
'value' => 0 === absint( get_post_meta( $form_id, '_um_profile_template', true ) ) ? $labels['default'] : get_post_meta( $form_id, '_um_profile_template', true ),
'value' => empty( get_post_meta( $form_id, '_um_profile_template', true ) ) ? $labels['default'] : get_post_meta( $form_id, '_um_profile_template', true ),
),
'max_width' => array(
'label' => __( 'Max. Width (px)', 'ultimate-member' ),
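Review bot: same double `get_post_meta()` read for `_um_profile_template` as in the login hunk; cache it in a local. One caveat of `empty()`: it also treats the string "0" as empty, so a template slug of "0" would be reported as the default; if slugs are always non-numeric names this is harmless, but if the meta may hold a numeric ID a `'' === (string) $template` comparison is more precise. Also confirm the stored slug is escaped where Site Health renders `value`, since this line passes the raw meta string through.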
+12 -5
@@ -171,18 +171,25 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
**Enhancements**
* Added: Server side validation when Searching Form is submitted.
* Added: Server-side validation when the Search Form is submitted.
* Added: Action hook `um_approve_user_on_email_confirmation` to natively approve the user after validating the email activation link.
**Bugfixes**
* Fixed: Security issue CVE ID: CVE-2025-15064. Deprecated ability to use HTML inside the user description. It's still allowed to use only predefined 'user_description' tags in `wp_kses()`.
* Fixed: Security issue CVE ID: CVE-2026-1404. Changed template items formatting to avoid using HTML symbols in the filter values.
* Fixed: Security issue, CVE ID: CVE-2025-15064. Deprecated the ability to use HTML inside the user description. It's still allowed to use only predefined 'user_description' tags in `wp_kses()`.
* Fixed: Security issue, CVE ID: CVE-2026-1404. Modified template item formatting to avoid using HTML characters in the filter values.
* Fixed: Profile photo dropdown menu position for screens smaller than 340px.
* Fixed: Display of the saved value of the "Privacy Options" > "Allowed roles" setting for the member directory.
* Fixed: Information in Site-Health about the registration form's `Template` and `Role` settings.
* Fixed: Information in Site-Health about the login and profile form's `Template` settings.
* Templates required update:
**Templates Requiring Update**
* members.php
* searchform.php
**Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade**
= 2.11.1 2025-12-16 =
**Enhancements**
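Review bot: the two CVE lines in this hunk give the identifier and the remediation but not the impact, so readme readers cannot judge urgency; add one clause per entry naming the vulnerability class and who could trigger it, and link the advisory. Style nit: `'user_description'` is quoted with single quotes here while the other identifiers on the same lines (`wp_kses()`, `um_approve_user_on_email_confirmation`) use backticks; use backticks for consistency.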
@@ -197,7 +204,7 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
* Fixed: Security issue CVE ID: CVE-2025-14081. Filtering fields based on user permissions during Account form submission.
* Fixed: Security issue CVE ID: CVE-2025-12492. Added directory privacy settings and added rate limiting.
* Templates required update:
**Templates Requiring Update**
* members.php
* members-grid.php