Fix critical security vulnerability in Ultimate Member plugin

Resolved CVE-2025-15064 by deprecating HTML usage in user descriptions. Updated plugin version to 2.11.2 across files and documentation, ensuring users are informed and prompted to upgrade immediately.
This commit is contained in:
Mykyta Synelnikov
2025-12-30 11:12:01 +02:00
parent cc92e91aa7
commit 690154b42f
6 changed files with 28 additions and 89 deletions
+1 -1
@@ -15,7 +15,7 @@
"step": "installPlugin", "step": "installPlugin",
"pluginZipFile": { "pluginZipFile": {
"resource": "url", "resource": "url",
"url": "https:\/\/downloads.wordpress.org\/plugin\/ultimate-member.2.11.1.zip" "url": "https:\/\/downloads.wordpress.org\/plugin\/ultimate-member.2.11.2.zip"
}, },
"options": { "options": {
"activate": true "activate": true
+1 -1
@@ -44,7 +44,7 @@ GNU Version 2 or Any Later Version
### IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION ### IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION
[Official Release Version: 2.11.1](https://github.com/ultimatemember/ultimatemember/releases/tag/2.11.1). [Official Release Version: 2.11.2](https://github.com/ultimatemember/ultimatemember/releases/tag/2.11.2).
## Changelog ## Changelog
+6
@@ -1,5 +1,11 @@
== Changelog == == Changelog ==
= 2.11.2 January xx, 2026 =
* Bugfixes:
- Fixed: Security issue CVE ID: CVE-2025-15064. Deprecated ability to use HTML inside the user description.
= 2.11.1 December 16, 2025 = = 2.11.1 December 16, 2025 =
* Enhancements: * Enhancements:
+5 -85
@@ -843,26 +843,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
if ( ! empty( $field['html'] ) || ( UM()->profile()->get_show_bio_key( $form ) === $k && UM()->options()->get( 'profile_show_html_bio' ) ) ) { if ( ! empty( $field['html'] ) || ( UM()->profile()->get_show_bio_key( $form ) === $k && UM()->options()->get( 'profile_show_html_bio' ) ) ) {
$form[ $k ] = html_entity_decode( $form[ $k ] ); // required because WP_Editor send sometimes encoded content. $form[ $k ] = html_entity_decode( $form[ $k ] ); // required because WP_Editor send sometimes encoded content.
$form[ $k ] = self::maybe_apply_tidy( $form[ $k ], $field ); $form[ $k ] = self::maybe_apply_tidy( $form[ $k ], $field );
$form[ $k ] = wp_kses( strip_shortcodes( $form[ $k ] ), UM()->get_allowed_html( 'templates' ) );
$allowed_html = UM()->get_allowed_html( 'templates' );
if ( empty( $allowed_html['iframe'] ) ) {
$allowed_html['iframe'] = array(
'allow' => true,
'frameborder' => true,
'loading' => true,
'name' => true,
'referrerpolicy' => true,
'sandbox' => true,
'src' => true,
'srcdoc' => true,
'title' => true,
'width' => true,
'height' => true,
'allowfullscreen' => true,
);
}
$form[ $k ] = wp_kses( strip_shortcodes( $form[ $k ] ), $allowed_html );
add_filter( 'wp_kses_allowed_html', array( &$this, 'wp_kses_user_desc' ), 10, 2 );
} else { } else {
$form[ $k ] = sanitize_textarea_field( strip_shortcodes( $form[ $k ] ) ); $form[ $k ] = sanitize_textarea_field( strip_shortcodes( $form[ $k ] ) );
} }
@@ -983,27 +964,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
if ( ! empty( $custom_fields[ $description_key ]['html'] ) && $bio_html ) { if ( ! empty( $custom_fields[ $description_key ]['html'] ) && $bio_html ) {
$form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content. $form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content.
$form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], $custom_fields[ $description_key ] ); $form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], $custom_fields[ $description_key ] );
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), UM()->get_allowed_html( 'templates' ) );
$allowed_html = UM()->get_allowed_html( 'templates' );
if ( empty( $allowed_html['iframe'] ) ) {
$allowed_html['iframe'] = array(
'allow' => true,
'frameborder' => true,
'loading' => true,
'name' => true,
'referrerpolicy' => true,
'sandbox' => true,
'src' => true,
'srcdoc' => true,
'title' => true,
'width' => true,
'height' => true,
'allowfullscreen' => true,
);
}
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), $allowed_html );
add_filter( 'wp_kses_allowed_html', array( &$this, 'wp_kses_user_desc' ), 10, 2 );
} else { } else {
$form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) ); $form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) );
} }
@@ -1012,26 +973,9 @@ if ( ! class_exists( 'um\core\Form' ) ) {
if ( ! $field_exists ) { if ( ! $field_exists ) {
if ( $bio_html ) { if ( $bio_html ) {
$allowed_html = UM()->get_allowed_html( 'templates' ); $form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content.
if ( empty( $allowed_html['iframe'] ) ) { $form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], array() );
$allowed_html['iframe'] = array( $form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), UM()->get_allowed_html( 'templates' ) );
'allow' => true,
'frameborder' => true,
'loading' => true,
'name' => true,
'referrerpolicy' => true,
'sandbox' => true,
'src' => true,
'srcdoc' => true,
'title' => true,
'width' => true,
'height' => true,
'allowfullscreen' => true,
);
}
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), $allowed_html );
add_filter( 'wp_kses_allowed_html', array( &$this, 'wp_kses_user_desc' ), 10, 2 );
} else { } else {
$form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) ); $form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) );
} }
@@ -1042,30 +986,6 @@ if ( ! class_exists( 'um\core\Form' ) ) {
return $form; return $form;
} }
public function wp_kses_user_desc( $tags, $context ) {
if ( 'user_description' === $context || 'pre_user_description' === $context ) {
$allowed_html = UM()->get_allowed_html( 'templates' );
if ( empty( $allowed_html['iframe'] ) ) {
$allowed_html['iframe'] = array(
'allow' => true,
'frameborder' => true,
'loading' => true,
'name' => true,
'referrerpolicy' => true,
'sandbox' => true,
'src' => true,
'srcdoc' => true,
'title' => true,
'width' => true,
'height' => true,
'allowfullscreen' => true,
);
}
$tags = $allowed_html;
}
return $tags;
}
/** /**
* Display form type as Title * Display form type as Title
* @param string $mode * @param string $mode
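Review bot: The decode → tidy → `wp_kses` sequence is now written out three times on the new side (the `$form[ $k ]` branch, the `$custom_fields[ $description_key ]['html']` branch and the `! $field_exists` branch), which is exactly how the three copies of the iframe allow-list drifted apart before this fix; extract it into one private helper so the description sanitisation policy lives in a single place. `wp_kses_user_desc()` was a public method and is deleted outright, so any third-party code calling it or removing the hook will fatal; keep a stub for one release, `public function wp_kses_user_desc( $tags, $context ) { _deprecated_function( __METHOD__, '2.11.2' ); return $tags; }`. With the `wp_kses_allowed_html` override gone, WordPress core's own sanitiser for the `user_description` context appears to apply unchanged on save, which seems to be the intent of the fix — a comment saying so would stop the override from being reintroduced. The enclosing method starts and ends outside these hunks.
```php
	/**
	 * Sanitize an HTML-enabled user description: decode editor entities, tidy, then allow-list via kses.
	 * The former `wp_kses_allowed_html` override for the `user_description` context was removed on
	 * purpose (CVE-2025-15064); WordPress core's own filters on this field apply unchanged.
	 *
	 * @param string $value Raw description submitted by the form.
	 * @param array  $field Field settings passed through to maybe_apply_tidy().
	 * @return string Sanitized description.
	 */
	private static function sanitize_html_description( $value, $field ) {
		$value = html_entity_decode( $value ); // required because WP_Editor send sometimes encoded content.
		$value = self::maybe_apply_tidy( $value, $field );
		return wp_kses( strip_shortcodes( $value ), UM()->get_allowed_html( 'templates' ) );
	}
	// … unchanged: each of the three branches then becomes a single call, e.g. …
	$form[ $k ] = self::sanitize_html_description( $form[ $k ], $field );
```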
+10 -1
@@ -6,7 +6,7 @@ Tags: community, member, membership, user-profile, user-registration
Requires PHP: 7.0 Requires PHP: 7.0
Requires at least: 6.2 Requires at least: 6.2
Tested up to: 6.9 Tested up to: 6.9
Stable tag: 2.11.1 Stable tag: 2.11.2
License: GPLv3 License: GPLv3
License URI: http://www.gnu.org/licenses/gpl-3.0.txt License URI: http://www.gnu.org/licenses/gpl-3.0.txt
@@ -167,6 +167,12 @@ No specific extensions are needed. But we highly recommended keep active these P
IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION
= 2.11.2 2026-01-xx =
**Bugfixes**
* Fixed: Security issue CVE ID: CVE-2025-15064. Deprecated ability to use HTML inside the user description.
= 2.11.1 2025-12-16 = = 2.11.1 2025-12-16 =
**Enhancements** **Enhancements**
@@ -209,6 +215,9 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
== Upgrade Notice == == Upgrade Notice ==
= 2.11.2 =
This version fixes a security related bug. Upgrade immediately.
= 2.11.1 = = 2.11.1 =
This version fixes a security related bug. Upgrade immediately. This version fixes a security related bug. Upgrade immediately.
+5 -1
@@ -3,7 +3,7 @@
* Plugin Name: Ultimate Member * Plugin Name: Ultimate Member
* Plugin URI: http://ultimatemember.com/ * Plugin URI: http://ultimatemember.com/
* Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress * Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress
* Version: 2.11.1 * Version: 2.11.2
* Author: Ultimate Member * Author: Ultimate Member
* Author URI: http://ultimatemember.com/ * Author URI: http://ultimatemember.com/
* License: GPLv3 * License: GPLv3
@@ -41,3 +41,7 @@ define( 'UM_UPDATER_DEBUG', false ); // Set true then need to debug the upgrade
require_once 'includes/class-functions.php'; require_once 'includes/class-functions.php';
require_once 'includes/class-init.php'; require_once 'includes/class-init.php';
//
//echo wp_kses( '<a href="javascript:alert(1)"></a>', UM()->get_allowed_html( 'templates' ) );
//echo wp_kses( '<img onerror="alert(1)" />', UM()->get_allowed_html( 'templates' ) );
//exit;
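Review bot: The commented-out `wp_kses` probe calls and `//exit;` appended after the `require_once` lines at the end of the main plugin file look like local debugging leftovers and should not ship in a release commit, least of all one tagged as a security fix. Delete the four added lines; if the checks are worth keeping, turn them into a unit test asserting that `UM()->get_allowed_html( 'templates' )` rejects those inputs, so the allow-list is verified on every run rather than by hand.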