- fixed CVE ID: CVE-2024-8519

- WPCS;

includes/core/class-shortcodes.php

@@ -392,21 +392,18 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
 			return $classes;
 		}
 
-
 		/**
 		 * Logged-in only content
 		 *
-		 * @param array $args
+		 * @param array  $args
 		 * @param string $content
 		 *
 		 * @return string
 		 */
-		function um_loggedin( $args = array(), $content = "" ) {
-			ob_start();
-
+		public function um_loggedin( $args = array(), $content = '' ) {
 			$args = shortcode_atts(
 				array(
-					'lock_text' => __( 'This content has been restricted to logged in users only. Please <a href="{login_referrer}">login</a> to view this content.', 'ultimate-member' ),
+					'lock_text' => __( 'This content has been restricted to logged-in users only. Please <a href="{login_referrer}">login</a> to view this content.', 'ultimate-member' ),
 					'show_lock' => 'yes',
 				),
 				$args,
@@ -414,50 +411,32 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
 			);
 
 			if ( ! is_user_logged_in() ) {
+				// Hide content for not logged-in users. Maybe display locked content notice.
 				if ( 'no' === $args['show_lock'] ) {
-					echo '';
-				} else {
-					$args['lock_text'] = $this->convert_locker_tags( $args['lock_text'] );
-					UM()->get_template( 'login-to-view.php', '', $args, true );
-				}
-			} else {
-				if ( version_compare( get_bloginfo('version'),'5.4', '<' ) ) {
-					echo do_shortcode( $this->convert_locker_tags( wpautop( $content ) ) );
-				} else {
-					echo apply_shortcodes( $this->convert_locker_tags( wpautop( $content ) ) );
+					return '';
 				}
+
+				$args['lock_text'] = $this->convert_locker_tags( $args['lock_text'] );
+				return UM()->get_template( 'login-to-view.php', '', $args );
 			}
 
-			$output = ob_get_clean();
-
-			return htmlspecialchars_decode( $output, ENT_NOQUOTES );
+			return apply_shortcodes( $this->convert_locker_tags( wpautop( $content ) ) );
 		}
 
-
 		/**
 		 * Logged-out only content
 		 *
-		 * @param array $args
+		 * @param array  $args
 		 * @param string $content
 		 *
 		 * @return string
 		 */
-		function um_loggedout( $args = array(), $content = '' ) {
-			ob_start();
-
-			// Hide for logged in users
+		public function um_loggedout( $args = array(), $content = '' ) {
 			if ( is_user_logged_in() ) {
-				echo '';
-			} else {
-				if ( version_compare( get_bloginfo('version'),'5.4', '<' ) ) {
-					echo do_shortcode( wpautop( $content ) );
-				} else {
-					echo apply_shortcodes( wpautop( $content ) );
-				}
+				// Hide for logged-in users
+				return '';
 			}
-
-			$output = ob_get_clean();
-			return $output;
+			return apply_shortcodes( $this->convert_locker_tags( wpautop( $content ) ) );
 		}
 
 		/**
@@ -1192,9 +1171,9 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
 		 *
 		 * @return mixed|string
 		 */
-		function convert_locker_tags( $str ) {
-			add_filter( 'um_template_tags_patterns_hook', array( &$this, 'add_placeholder' ), 10, 1 );
-			add_filter( 'um_template_tags_replaces_hook', array( &$this, 'add_replace_placeholder' ), 10, 1 );
+		public function convert_locker_tags( $str ) {
+			add_filter( 'um_template_tags_patterns_hook', array( &$this, 'add_placeholder' ) );
+			add_filter( 'um_template_tags_replaces_hook', array( &$this, 'add_replace_placeholder' ) );
 			return um_convert_tags( $str, array(), false );
 		}
 
@@ -1319,18 +1298,22 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
 		 * @param  string $content
 		 * @return string
 		 */
-		function um_shortcode_show_content_for_role( $atts = array() , $content = '' ) {
+		public function um_shortcode_show_content_for_role( $atts = array(), $content = '' ) {
 			global $user_ID;
 
 			if ( ! is_user_logged_in() ) {
-				return;
+				return '';
 			}
 
-			$a = shortcode_atts( array(
-				'roles' => '',
-				'not' => '',
-				'is_profile' => false,
-			), $atts );
+			$a = shortcode_atts(
+				array(
+					'roles'      => '',
+					'not'        => '',
+					'is_profile' => false,
+				),
+				$atts,
+				'um_show_content'
+			);
 
 			if ( $a['is_profile'] ) {
 				um_fetch_user( um_profile_id() );
@@ -1341,39 +1324,26 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
 			$current_user_roles = um_user( 'roles' );
 
 			if ( ! empty( $a['not'] ) && ! empty( $a['roles'] ) ) {
-				if ( version_compare( get_bloginfo('version'),'5.4', '<' ) ) {
-					return do_shortcode( $this->convert_locker_tags( $content ) );
-				} else {
-					return apply_shortcodes( $this->convert_locker_tags( $content ) );
-				}
+				return apply_shortcodes( $this->convert_locker_tags( $content ) );
 			}
 
 			if ( ! empty( $a['not'] ) ) {
-				$not_in_roles = explode( ",", $a['not'] );
+				$not_in_roles = explode( ',', $a['not'] );
 
 				if ( is_array( $not_in_roles ) && ( empty( $current_user_roles ) || count( array_intersect( $current_user_roles, $not_in_roles ) ) <= 0 ) ) {
-					if ( version_compare( get_bloginfo('version'),'5.4', '<' ) ) {
-						return do_shortcode( $this->convert_locker_tags( $content ) );
-					} else {
-						return apply_shortcodes( $this->convert_locker_tags( $content ) );
-					}
+					return apply_shortcodes( $this->convert_locker_tags( $content ) );
 				}
 			} else {
-				$roles = explode( ",", $a['roles'] );
+				$roles = explode( ',', $a['roles'] );
 
 				if ( ! empty( $current_user_roles ) && is_array( $roles ) && count( array_intersect( $current_user_roles, $roles ) ) > 0 ) {
-					if ( version_compare( get_bloginfo('version'),'5.4', '<' ) ) {
-						return do_shortcode( $this->convert_locker_tags( $content ) );
-					} else {
-						return apply_shortcodes( $this->convert_locker_tags( $content ) );
-					}
+					return apply_shortcodes( $this->convert_locker_tags( $content ) );
 				}
 			}
 
 			return '';
 		}
 
-
 		/**
 		 * @param array $args
 		 * @param string $content
@@ -1426,36 +1396,36 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
 
 			$search_value = array_values( $query );
 
-			$template = UM()->get_template( 'searchform.php', '', array( 'query' => $query, 'search_value' => $search_value[0], 'members_page' => um_get_core_page( 'members' ) ) );
-
-			return $template;
+			$t_args = array(
+				'query'        => $query,
+				'search_value' => $search_value[0],
+				'members_page' => um_get_core_page( 'members' ),
+			);
+			return UM()->get_template( 'searchform.php', '', $t_args );
 		}
 
-
 		/**
 		 * UM Placeholders for login referrer
 		 *
-		 * @param $placeholders
+		 * @param array $placeholders
 		 *
 		 * @return array
 		 */
-		function add_placeholder( $placeholders ) {
+		public function add_placeholder( $placeholders ) {
 			$placeholders[] = '{login_referrer}';
 			return $placeholders;
 		}
 
-
 		/**
 		 * UM Replace Placeholders for login referrer
 		 *
-		 * @param $replace_placeholders
+		 * @param array $replace_placeholders
 		 *
 		 * @return array
 		 */
-		function add_replace_placeholder( $replace_placeholders ) {
+		public function add_replace_placeholder( $replace_placeholders ) {
 			$replace_placeholders[] = um_dynamic_login_page_redirect();
 			return $replace_placeholders;
 		}
-
 	}
 }

includes/um-short-functions.php

@@ -120,7 +120,6 @@ function um_replace_placeholders() {
 		'{user_account_link}',
 	);
 
-
 	/**
 	 * UM hook
 	 *

templates/account.php

@@ -2,7 +2,7 @@
 /**
  * Template for the account page
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/templates/account.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/templates/account.php
  *
  * Page: "Account"
  *

templates/gdpr-register.php

@@ -2,7 +2,7 @@
 /**
  * Template for the GDPR checkbox in register form
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/templates/gdpr-register.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/templates/gdpr-register.php
  *
  * Page: "Register"
  * Call: function display_option()

templates/login-to-view.php

@@ -2,20 +2,18 @@
 /**
  * Template for the login only content, locked message
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/login-to-view.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/login-to-view.php
  *
  * Call: function um_loggedin()
  *
- * @version 2.6.1
+ * @version 2.8.7
  *
  * @var string $lock_text
  */
 if ( ! defined( 'ABSPATH' ) ) {
 	exit;
-} ?>
-
+}
+?>
 <div class="um-locked-content">
-
-	<div class="um-locked-content-msg"><?php echo htmlspecialchars_decode( $lock_text ); ?></div>
-
+	<div class="um-locked-content-msg"><?php echo wp_kses( $lock_text, UM()->get_allowed_html( 'templates' ) ); ?></div>
 </div>

templates/login.php

@@ -2,7 +2,7 @@
 /**
  * Template for the login form
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/templates/login.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/templates/login.php
  *
  * Page: "Login"
  *

templates/logout.php

@@ -2,7 +2,7 @@
 /**
  * Template for the logout
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/templates/logout.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/templates/logout.php
  *
  * Page: "Logout"
  *

templates/members-grid.php

@@ -2,7 +2,7 @@
 /**
  * Template for the members directory grid
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/members-grid.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/members-grid.php
  *
  * Page: "Members"
  *

templates/members-header.php

@@ -2,7 +2,7 @@
 /**
  * Template for the members directory header JS-template
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/members-header.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/members-header.php
  *
  * Page: "Members"
  *

templates/members-list.php

@@ -2,7 +2,7 @@
 /**
  * Template for the members directory list
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/members-list.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/members-list.php
  *
  * Page: "Members"
  *

templates/members-pagination.php

@@ -2,7 +2,7 @@
 /**
  * Template for the members directory pagination JS template
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/members-pagination.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/members-pagination.php
  *
  * Page: "Members"
  *

templates/members.php

@@ -2,7 +2,7 @@
 /**
  * Template for the members directory
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/templates/members.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/templates/members.php
  *
  * Page: "Members"
  *

templates/message.php

@@ -2,7 +2,7 @@
 /**
  * Template for the message after registration process
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/templates/message.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/templates/message.php
  *
  * Call: function parse_shortcode_args()
  *

templates/modal/upload-single.php

@@ -2,7 +2,7 @@
 /**
  * Template for the modal form
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/modal/upload-single.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/modal/upload-single.php
  *
  * @version 2.8.6
  */

templates/modal/view-photo.php

@@ -2,7 +2,7 @@
 /**
  * Template for the modal photo
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/modal/view-photo.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/modal/view-photo.php
  *
  * @version 2.8.6
  */

templates/password-change.php

@@ -2,7 +2,7 @@
 /**
  * Template for the password change
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/templates/password-change.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/templates/password-change.php
  *
  * Call: function ultimatemember_password()
  *

templates/password-reset.php

@@ -2,7 +2,7 @@
 /**
  * Template for the password reset
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/templates/password-reset.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/templates/password-reset.php
  *
  * Call: function ultimatemember_password()
  *

templates/profile.php

@@ -2,7 +2,7 @@
 /**
  * Template for the profile page
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/templates/profile.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/templates/profile.php
  *
  * Page: "Profile"
  *

templates/profile/comments-single.php

@@ -2,7 +2,7 @@
 /**
  * Template for the profile single comments
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/profile/comments-single.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/profile/comments-single.php
  *
  * Page: "Profile"
  *

templates/profile/comments.php

@@ -2,7 +2,7 @@
 /**
  * Template for the profile comments
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/profile/comments.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/profile/comments.php
  *
  * Page: "Profile"
  * Call: function add_comments(), function load_comments()

templates/profile/posts-single.php

@@ -2,7 +2,7 @@
 /**
  * Template for the profile single post
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/profile/posts-single.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/profile/posts-single.php
  *
  * Page: "Profile"
  *

templates/profile/posts.php

@@ -2,7 +2,7 @@
 /**
  * Template for the profile posts
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/profile/posts.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/profile/posts.php
  *
  * Page: "Profile"
  *

templates/register.php

@@ -2,7 +2,7 @@
 /**
  * Template for the register page
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/templates/register.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/templates/register.php
  *
  * Page: "Register"
  *

templates/restricted-blog.php

@@ -2,7 +2,7 @@
 /**
  * Template for the blog restricted message
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/restricted-blog.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/restricted-blog.php
  *
  * Call: function blog_message()
  *

templates/restricted-taxonomy.php

@@ -2,7 +2,7 @@
 /**
  * Template for the taxonomy restricted message
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/restricted-taxonomy.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/restricted-taxonomy.php
  *
  * Call: function taxonomy_message()
  *

templates/searchform.php

@@ -2,7 +2,7 @@
 /**
  * Template for the search form
  *
- * This template can be overridden by copying it to yourtheme/ultimate-member/searchform.php
+ * This template can be overridden by copying it to your-theme/ultimate-member/searchform.php
  *
  * Call: function ultimatemember_searchform()
  *