From 57ab92ab707493b2bada8e460b01b2de6a5524fe Mon Sep 17 00:00:00 2001 From: Mykyta Synelnikov Date: Mon, 9 Feb 2026 11:19:11 +0200 Subject: [PATCH] Fix security vulnerabilities, enhance validation, and update logic Addressed several security issues including CVE-2025-15064 and CVE-2026-1404. Added server-side validation for forms and introduced hooks for email confirmation. Adjusted template handling, resolved mobile display issues, and updated Site Health debug information. --- changelog.txt | 105 ++++++++++++++++----------- includes/admin/class-site-health.php | 4 +- readme.txt | 17 +++-- 3 files changed, 75 insertions(+), 51 deletions(-) diff --git a/changelog.txt b/changelog.txt index 8b0d1c9d..36a987b2 100644 --- a/changelog.txt +++ b/changelog.txt 
@@ -1,10 +1,27 @@ == Changelog == -= 2.11.2 January xx, 2026 = += 2.11.2 February 09, 2026 = + +* Enhancements: + + - Added: Server-side validation when the Search Form is submitted. + - Added: Action hook `um_approve_user_on_email_confirmation` to natively approve the user after validating the email activation link. * Bugfixes: - - Fixed: Security issue CVE ID: CVE-2025-15064. Deprecated ability to use HTML inside the user description. + - Fixed: Security issue, CVE ID: CVE-2025-15064. Deprecated the ability to use HTML inside the user description. It's still allowed to use only predefined 'user_description' tags in `wp_kses()`. + - Fixed: Security issue, CVE ID: CVE-2026-1404. Modified template item formatting to avoid using HTML characters in the filter values. + - Fixed: Profile photo dropdown menu position for screens smaller than 340px. + - Fixed: Display of the saved value of the "Privacy Options" > "Allowed roles" setting for the member directory. + - Fixed: Information in Site-Health about the registration form's `Template` and `Role` settings. + - Fixed: Information in Site-Health about the login and profile form's `Template` settings. + +* Templates Requiring Update: + + - members.php + - searchform.php + +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.11.1 December 16, 2025 = @@ -20,7 +37,7 @@ - Fixed: Security issue CVE ID: CVE-2025-14081. Filtering fields based on user permissions during Account form submission. - Fixed: Security issue CVE ID: CVE-2025-12492. Added directory privacy settings and added rate limiting. -* Templates required update: +* Templates Requiring Update: - members.php - members-grid.php 
@@ -66,7 +83,7 @@ - Fixed: Integer validation for the 'start_of_week' WP native setting. - Fixed: Dependencies with Action Scheduler library. -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade * +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.10.5 June 25, 2025 = @@ -102,11 +119,11 @@ - Deprecated `UM()->user()->maybe_generate_password_reset_key( $userdata )` function. Use `UM()->common()->users()->maybe_generate_password_reset_key( $userdata )` instead. - Deprecated `UM()->user()->set_last_login()` function. Use `UM()->common()->users()->set_last_login( $user_id )` instead. -* Templates required update: +* Templates Requiring Update: - password-reset.php -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade * +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.10.4 May 15, 2025 = @@ -133,7 +150,7 @@ - Fixed: Reset Password email notification's the {password_reset_link}` placeholder. - Fixed: Changed "Turkey" to the current official term "Türkiye". -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade * +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.10.2 April 02, 2025 = @@ -155,7 +172,7 @@ - Fixed: Honeypot scripts/styles for themes without pre-rendered shortcodes. Enqueue honeypot scripts/styles everytime. - Fixed: Profile photo metadata when Gravatar image is used. -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade * +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.10.0 February 18, 2025 = @@ -180,12 +197,12 @@ - Fixed: The "Privacy Policy" field in the registration form. Disallowed HTML from the "Privacy Policy" content (like `
`) is filtered out by the `wp_kses()` function. - Fixed: Password fields are now sanitized the WordPress native way, with `wp_unslash()` omitted post-submission. -* Templates required update: +* Templates Requiring Update: - gdpr-register.php - profile.php -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade * +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.9.2 January 14, 2025 = @@ -216,11 +233,11 @@ - Fully deprecated `UM()->localize()` function - Fully deprecated `um_language_textdomain` filter hook -* Templates required update: +* Templates Requiring Update: - account.php -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.9.1 November 15, 2024 = @@ -251,7 +268,7 @@ - Fixed: User status filter on wp-admin > Users on mobile devices - Fixed: Extra unwrapping of the WP Editor field's value -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.8.9 October 14, 2024 = @@ -272,7 +289,7 @@ - Fixed: Sending email notifications based on user status after registration - Fixed: PHP error when meta `um_member_directory_data` has a wrong format -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.8.8 October 04, 2024 = 
@@ -283,7 +300,7 @@ - Fixed: User registration if email activation or admin review are required - Fixed: First installation errors -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.8.7 October 01, 2024 = @@ -320,11 +337,11 @@ - Fixed: Parsing /modal/ templates and parsing templates on the Windows hosting - Fixed: Validation `form_id` attribute in the `ultimatemember` shortcode -* Templates required update: +* Templates Requiring Update: - login-to-view.php -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * * Deprecated: @@ -368,12 +385,12 @@ - Fixed: PHP errors while uploading files - Fixed: Parsing error on the license activation -* Templates required update: +* Templates Requiring Update: - Renamed templates/modal/um_upload_single.php → templates/modal/upload-single.php - Renamed templates/modal/um_view_photo.php → templates/modal/view-photo.php -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.8.5: April 9, 2024 = @@ -392,7 +409,7 @@ - Fixed: Reset Password urlencoded username - Fixed: Clear media JS in wp-admin settings -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.8.4: March 6, 2024 = @@ -431,7 +448,7 @@ - Fixed: Default email notification body color - Fixed: Ignore username slug when custom meta slug exists when parse user from query -* Templates required update: +* Templates Requiring Update: - email/notification_deletion.php - email/notification_new_user.php 
@@ -439,7 +456,7 @@ - email/welcome_email.php - password-change.php -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.8.2: January 15, 2024 = @@ -463,11 +480,11 @@ - Fixed: Account styles - Fixed: Saving `um_form_version` postmeta -* Templates required update: +* Templates Requiring Update: - profile/posts-single.php -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.8.1: December 20, 2023 = @@ -534,7 +551,7 @@ - `um-admin-clear` CSS class. It duplicates WordPress native `clear`. Using WordPress native instead. - `um-admin-tipsy-{x}` classes to make Tipsy.JS initialization commonly for wp-admin and frontend by `um-tip-{x}` class. -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.7.0: October 11, 2023 = @@ -568,7 +585,7 @@ - `UM()->admin()->enqueue()->suffix` property use `UM()->frontend()->enqueue()::get_suffix()` - Changed directories for the fonts (fonticons + raty), and JS/CSS files related to libs `jquery-ui`, `raty`, `select2`, `tipsy`, `fonticons (FontAwesome + Ionicons)` -* Templates required update: +* Templates Requiring Update: - account.php - login.php @@ -577,7 +594,7 @@ - register.php - profile/posts-single.php -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.6.11: September 06, 2023 = 
@@ -609,7 +626,7 @@ - Fixed: Performance for `um_get_form_fields` hook - Fixed: Admin Modal JS library conflict with bootstrap.js -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.6.9: July 26, 2023 = @@ -630,11 +647,11 @@ - Fixed: Maximum allowed words option for textarea where you may insert HTML tags. Ignore HTML tags symbols when count - Fixed: Sanitize for fields (Min characters, Max characters, etc.) where can be empty string or absint value -* Templates required update: +* Templates Requiring Update: - profile.php -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.6.8: July 19, 2023 = @@ -668,7 +685,7 @@ - Deprecated: Unnecessary `um_multiselect_option_value` hook -* Templates required update: +* Templates Requiring Update: - members.php @@ -740,7 +757,7 @@ - Deprecated: `um_localize_permalink_filter`. Use `post_link` instead -* Templates required update: +* Templates Requiring Update: - members.php @@ -777,7 +794,7 @@ * All templates required update. Please add the version comments to your custom templates in themes -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.6.0: March 29, 2023 = @@ -806,7 +823,7 @@ - Deprecated: VKontakte and Google+ predefined fields. VKontakte and Google+ fields validation changed to just URL validation. -* Templates required update: +* Templates Requiring Update: - members.php = 2.5.4: February 17, 2023 = 
@@ -851,10 +868,10 @@ - Fixed: Multiple users approve - Fixed: Using regular URL-type field for displaying -* Templates required update: +* Templates Requiring Update: - members.php -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.5.1: October 26, 2022 = @@ -901,11 +918,11 @@ - `UM()->user()->get_pending_users_count()`. Use `UM()->query()->get_pending_users_count()` instead. It's unused since 2.5.0. Will be removed since 2.7.0 - `UM()->user()->remove_cached_queue()` without alternativities. It's unused since 2.5.0. Will be removed since 2.7.0 -* Templates required update: +* Templates Requiring Update: - password-change.php - password-reset.php -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.4.2: July 14, 2022 = @@ -1016,12 +1033,12 @@ - Fixed: Canonical link of the user profile if WPML plugin is active. - Fixed: Replacing placeholders in nav menus. Used an earlier hook for filtering items before generating HTML and avoided issues with raw, not-escaped HTML inside tags' attributes. -* Templates required update: +* Templates Requiring Update: - members-grid.php - members-list.php - password-reset.php -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.2.5: September 22, 2021 = 
@@ -1126,11 +1143,11 @@ - WordPress 5.8 compatibility. Widgets screen changes based on the new features with Legacy Widget block -* Templates required update: +* Templates Requiring Update: - members.php - password-reset.php -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.1.21: June 17, 2021 = @@ -1143,12 +1160,12 @@ - Fixed: Displaying avatar on the logout page - Fixed: Role meta sanitizing and related XSS vulnerability -* Templates required update: +* Templates Requiring Update: - logout.php - members.php - members-list.php -* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade +* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade * = 2.1.20: May 7, 2021 = diff --git a/includes/admin/class-site-health.php b/includes/admin/class-site-health.php index b0ecdf1e..e6285654 100644 --- a/includes/admin/class-site-health.php +++ b/includes/admin/class-site-health.php @@ -2220,7 +2220,7 @@ class Site_Health { $debug_info[] = array( 'template' => array( 'label' => __( 'Template', 'ultimate-member' ), - 'value' => 0 === absint( get_post_meta( $form_id, '_um_login_template', true ) ) ? $labels['default'] : get_post_meta( $form_id, '_um_login_template', true ), + 'value' => empty( get_post_meta( $form_id, '_um_login_template', true ) ) ? $labels['default'] : get_post_meta( $form_id, '_um_login_template', true ), ), 'max_width' => array( 'label' => __( 'Max. Width (px)', 'ultimate-member' ), 
@@ -2292,7 +2292,7 @@ class Site_Health { ), 'template' => array( 'label' => __( 'Template', 'ultimate-member' ), - 'value' => 0 === absint( get_post_meta( $form_id, '_um_profile_template', true ) ) ? $labels['default'] : get_post_meta( $form_id, '_um_profile_template', true ), + 'value' => empty( get_post_meta( $form_id, '_um_profile_template', true ) ) ? $labels['default'] : get_post_meta( $form_id, '_um_profile_template', true ), ), 'max_width' => array( 'label' => __( 'Max. Width (px)', 'ultimate-member' ), diff --git a/readme.txt b/readme.txt index 3fb1af4f..ea574ada 100644 --- a/readme.txt +++ b/readme.txt 
@@ -171,18 +171,25 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI **Enhancements** -* Added: Server side validation when Searching Form is submitted. +* Added: Server-side validation when the Search Form is submitted. +* Added: Action hook `um_approve_user_on_email_confirmation` to natively approve the user after validating the email activation link. **Bugfixes** -* Fixed: Security issue CVE ID: CVE-2025-15064. Deprecated ability to use HTML inside the user description. It's still allowed to use only predefined 'user_description' tags in `wp_kses()`. -* Fixed: Security issue CVE ID: CVE-2026-1404. Changed template items formatting to avoid using HTML symbols in the filter values. +* Fixed: Security issue, CVE ID: CVE-2025-15064. Deprecated the ability to use HTML inside the user description. It's still allowed to use only predefined 'user_description' tags in `wp_kses()`. +* Fixed: Security issue, CVE ID: CVE-2026-1404. Modified template item formatting to avoid using HTML characters in the filter values. +* Fixed: Profile photo dropdown menu position for screens smaller than 340px. +* Fixed: Display of the saved value of the "Privacy Options" > "Allowed roles" setting for the member directory. +* Fixed: Information in Site-Health about the registration form's `Template` and `Role` settings. +* Fixed: Information in Site-Health about the login and profile form's `Template` settings. -* Templates required update: +**Templates Requiring Update** * members.php * searchform.php +**Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade** + = 2.11.1 2025-12-16 = **Enhancements** 
@@ -197,7 +204,7 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI * Fixed: Security issue CVE ID: CVE-2025-14081. Filtering fields based on user permissions during Account form submission. * Fixed: Security issue CVE ID: CVE-2025-12492. Added directory privacy settings and added rate limiting. -* Templates required update: +**Templates Requiring Update** * members.php * members-grid.php
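Review bot: The 2.11.2 entry in the changelog hunk (`@@ -1,10 +1,27 @@`) describes code that is not in this patch. The diffstat lists only changelog.txt, includes/admin/class-site-health.php and readme.txt, so there is no server-side Search Form validation, no `um_approve_user_on_email_confirmation` hook, no `wp_kses()` change for `user_description`, and no CVE-2026-1404 template-formatting change to review here; the "Templates Requiring Update" list names members.php and searchform.php, yet neither file is touched. Either reference the commits that carry those changes or narrow this entry (and the commit message) to the Site Health fix that is actually present, so that the security claims can be traced to code.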
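Review bot: In the login-form hunk of class-site-health.php (`@@ -2220,7 +2220,7 @@`), `get_post_meta( $form_id, '_um_login_template', true )` is still evaluated twice on the one line; read it once into a local, e.g. `$template = get_post_meta( $form_id, '_um_login_template', true );` and then `'value' => empty( $template ) ? $labels['default'] : $template,`. The switch from `0 === absint( ... )` to `empty( ... )` is the right fix when the stored value is a template name rather than a number, since `absint()` of a non-numeric string returns 0 and the old condition reported the default for every form; just be aware that `empty()` also treats the string "0" as unset, which is acceptable for a template identifier but worth a short comment.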
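Review bot: The profile-form hunk (`@@ -2292,7 +2292,7 @@`) repeats the login hunk's expression verbatim with only the meta key changed (`_um_profile_template`); a small helper such as a hypothetical `get_template_label( $form_id, $meta_key, $labels )` would keep the two branches from drifting again. The changelog also claims a fix for the registration form's `Template` and `Role` Site Health output, but no hunk in this file touches a registration branch, so either that fix lives elsewhere or the entry overstates this patch.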
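Review bot: The remaining changelog hunks (from `@@ -20,7 +37,7 @@` onward) and the readme hunks are a wording sweep over historical entries ("Templates required update" to "Templates Requiring Update", and the cache-flush note), mixed into a commit labelled as a security fix; splitting the sweep into its own commit would keep the security change reviewable on its own. While those lines are being rewritten anyway, "assets(JS/CSS)" should read "assets (JS/CSS)", since the missing space is now carried into every updated line.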