10h30/ultimatemember
1
0
Fork 0
mirror of https://github.com/10h30/ultimatemember.git synced 2026-06-05 15:09:37 +09:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1783 from ultimatemember/development/2.9.x

Browse Source 
Version 2.11.2
This commit is contained in:
Mykyta Synelnikov
2026-02-10 10:58:15 +02:00
committed by GitHub
parent c6f55bc831 42aa4ab169
commit 8441222228
24 changed files with 301 additions and 240 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.wordpress-org/blueprints/blueprint.json
+1 -1
View File
@@ -15,7 +15,7 @@
"step": "installPlugin",
"pluginZipFile": {
"resource": "url",
"url": "https:\/\/downloads.wordpress.org\/plugin\/ultimate-member.2.11.1.zip"
"url": "https:\/\/downloads.wordpress.org\/plugin\/ultimate-member.2.11.2.zip"
},
"options": {
"activate": true
README.md
+1 -1
View File
@@ -44,7 +44,7 @@ GNU Version 2 or Any Later Version
### IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION
[Official Release Version: 2.11.1](https://github.com/ultimatemember/ultimatemember/releases/tag/2.11.1).
[Official Release Version: 2.11.2](https://github.com/ultimatemember/ultimatemember/releases/tag/2.11.2).
## Changelog
assets/css/um-styles.css
+4 -4
View File
@@ -900,14 +900,14 @@ small.um-max-filesize span{
max-width: 300px;
}
.um-search-area .um-search-field {
.um .um-form.um-search-area .um-search-field {
width: 100%;
margin: 0;
padding-left: 25px;
padding-left: 25px !important;
}
.rtl .um-search-area .um-search-field {
padding-right: 25px;
.rtl .um .um-form.um-search-area .um-search-field {
padding-right: 25px !important;
padding-left: initial;
}
assets/css/um-styles.min.css
Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
assets/js/um-functions.js
+2 -2
View File
@@ -60,7 +60,7 @@ UM.dropdown = {
// profile photo
if ( $element.is('.um-profile-photo') ) {
var $imgBox = $element.find('.um-profile-photo-img');
if ( $element.closest('div.uimob500').length ) {
if ( $element.closest('div.uimob340,div.uimob500').length ) {
top_p = $element.outerHeight() - $imgBox.outerHeight() / 4;
} else {
left_p = ($imgBox.outerWidth() - menu_width) / 2;
@@ -71,7 +71,7 @@ UM.dropdown = {
// cover photo
if ( $element.is('.um-cover') ) {
var $imgBox = $element.find('.um-cover-e');
if ( $element.closest('div.uimob500').length ) {
if ( $element.closest('div.uimob340,div.uimob500').length ) {
left_p = ($imgBox.outerWidth() - menu_width) / 2;
top_p = $imgBox.outerHeight() / 2 + 24;
} else {
assets/js/um-functions.min.js
Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
assets/js/um-members.js
+5
View File
@@ -1670,6 +1670,11 @@ jQuery(document.body).ready( function() {
//history events when back/forward and change window.location.hash
window.addEventListener( "popstate", function(e) {
let ignorePopstate = wp.hooks.applyFilters( 'um_member_directory_popstate_ignore', false );
if ( false !== ignorePopstate ) {
return;
}
jQuery( '.um-directory' ).each( function() {
var directory = jQuery(this);
var hash = um_members_get_hash( directory );
assets/js/um-members.min.js
Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
assets/js/um-scripts.js
+48 -45
View File
@@ -440,60 +440,63 @@ jQuery(document).ready(function() {
return false;
});
jQuery( document.body ).on('click', '#um-search-button', function() {
var action = jQuery(this).parents('.um-search-form').data('members_page');
jQuery( document.body ).on('click', '#um-search-button', function(e) {
e.preventDefault();
var search_keys = [];
jQuery(this).parents('.um-search-form').find('input[name="um-search-keys[]"]').each( function() {
search_keys.push( jQuery(this).val() );
});
var search = jQuery(this).parents('.um-search-form').find('.um-search-field').val();
var url;
if ( search === '' ) {
url = action;
} else {
var query = '?';
for ( var i = 0; i < search_keys.length; i++ ) {
query += search_keys[i] + '=' + search;
if ( i !== search_keys.length - 1 ) {
query += '&';
}
}
url = action + query;
let $btn = jQuery(this);
if ( $btn.hasClass( 'um-disabled' ) ) {
return;
}
window.location = url;
let $form = $btn.parents('.um-search-form');
let search = $form.find('.um-search-field').val();
let nonce = $form.data('nonce');
$btn.addClass('um-disabled');
wp.ajax.send( 'um_search_widget_request', {
data: {
search: search,
_wpnonce: nonce
},
success: function(response) {
$btn.removeClass('um-disabled');
window.location = response.url;
},
error: function(e) {
console.log(e);
$btn.removeClass('um-disabled');
}
});
});
//make search on Enter click
jQuery( document.body ).on( 'keypress', '.um-search-field', function(e) {
if ( e.which === 13 ) {
var action = jQuery(this).parents('.um-search-form').data('members_page');
let $field = jQuery(this);
let $form = $field.parents('.um-search-form');
var search_keys = [];
jQuery(this).parents('.um-search-form').find('input[name="um-search-keys[]"]').each( function() {
search_keys.push( jQuery(this).val() );
});
var search = jQuery(this).val();
var url;
if ( search === '' ) {
url = action;
} else {
var query = '?';
for ( var i = 0; i < search_keys.length; i++ ) {
query += search_keys[i] + '=' + search;
if ( i !== search_keys.length - 1 ) {
query += '&';
}
}
url = action + query;
let $btn = $form.find('#um-search-button');
if ( $btn.hasClass( 'um-disabled' ) ) {
return;
}
window.location = url;
let search = $field.val();
let nonce = $form.data('nonce');
$btn.addClass('um-disabled');
wp.ajax.send( 'um_search_widget_request', {
data: {
search: search,
_wpnonce: nonce
},
success: function(response) {
$btn.removeClass('um-disabled');
window.location = response.url;
},
error: function(e) {
console.log(e);
$btn.removeClass('um-disabled');
}
});
}
});
assets/js/um-scripts.min.js
Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
changelog.txt
+66 -42
View File
@@ -1,5 +1,29 @@
== Changelog ==
= 2.11.2 February 10, 2026 =
* Enhancements:
- Added: Server-side validation when the Search Form is submitted.
- Added: Action hook `um_approve_user_on_email_confirmation` to natively approve the user after validating the email activation link.
- Added: JS filter wp.hook `um_member_directory_popstate_ignore` to stop window.pushSate in the member directory for 3rd-party integrations.
* Bugfixes:
- Fixed: Security issue, CVE ID: CVE-2025-15064. Deprecated the ability to use HTML inside the user description. It's still allowed to use only predefined 'user_description' tags in `wp_kses()`.
- Fixed: Security issue, CVE ID: CVE-2026-1404. Modified template item formatting to avoid using HTML characters in the filter values.
- Fixed: Profile photo dropdown menu position for screens smaller than 340px.
- Fixed: Display of the saved value of the "Privacy Options" > "Allowed roles" setting for the member directory.
- Fixed: Information in Site-Health about the registration form's `Template` and `Role` settings.
- Fixed: Information in Site-Health about the login and profile form's `Template` settings.
* Templates Requiring Update:
- members.php
- searchform.php
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.11.1 December 16, 2025 =
* Enhancements:
@@ -14,7 +38,7 @@
- Fixed: Security issue CVE ID: CVE-2025-14081. Filtering fields based on user permissions during Account form submission.
- Fixed: Security issue CVE ID: CVE-2025-12492. Added directory privacy settings and added rate limiting.
* Templates required update:
* Templates Requiring Update:
- members.php
- members-grid.php
@@ -60,7 +84,7 @@
- Fixed: Integer validation for the 'start_of_week' WP native setting.
- Fixed: Dependencies with Action Scheduler library.
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.10.5 June 25, 2025 =
@@ -96,11 +120,11 @@
- Deprecated `UM()->user()->maybe_generate_password_reset_key( $userdata )` function. Use `UM()->common()->users()->maybe_generate_password_reset_key( $userdata )` instead.
- Deprecated `UM()->user()->set_last_login()` function. Use `UM()->common()->users()->set_last_login( $user_id )` instead.
* Templates required update:
* Templates Requiring Update:
- password-reset.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.10.4 May 15, 2025 =
@@ -127,7 +151,7 @@
- Fixed: Reset Password email notification's the {password_reset_link}` placeholder.
- Fixed: Changed "Turkey" to the current official term "Türkiye".
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.10.2 April 02, 2025 =
@@ -149,7 +173,7 @@
- Fixed: Honeypot scripts/styles for themes without pre-rendered shortcodes. Enqueue honeypot scripts/styles everytime.
- Fixed: Profile photo metadata when Gravatar image is used.
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.10.0 February 18, 2025 =
@@ -174,12 +198,12 @@
- Fixed: The "Privacy Policy" field in the registration form. Disallowed HTML from the "Privacy Policy" content (like `<form>`) is filtered out by the `wp_kses()` function.
- Fixed: Password fields are now sanitized the WordPress native way, with `wp_unslash()` omitted post-submission.
* Templates required update:
* Templates Requiring Update:
- gdpr-register.php
- profile.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.9.2 January 14, 2025 =
@@ -210,11 +234,11 @@
- Fully deprecated `UM()->localize()` function
- Fully deprecated `um_language_textdomain` filter hook
* Templates required update:
* Templates Requiring Update:
- account.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.9.1 November 15, 2024 =
@@ -245,7 +269,7 @@
- Fixed: User status filter on wp-admin > Users on mobile devices
- Fixed: Extra unwrapping of the WP Editor field's value
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.8.9 October 14, 2024 =
@@ -266,7 +290,7 @@
- Fixed: Sending email notifications based on user status after registration
- Fixed: PHP error when meta `um_member_directory_data` has a wrong format
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.8.8 October 04, 2024 =
@@ -277,7 +301,7 @@
- Fixed: User registration if email activation or admin review are required
- Fixed: First installation errors
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.8.7 October 01, 2024 =
@@ -314,11 +338,11 @@
- Fixed: Parsing /modal/ templates and parsing templates on the Windows hosting
- Fixed: Validation `form_id` attribute in the `ultimatemember` shortcode
* Templates required update:
* Templates Requiring Update:
- login-to-view.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
* Deprecated:
@@ -362,12 +386,12 @@
- Fixed: PHP errors while uploading files
- Fixed: Parsing error on the license activation
* Templates required update:
* Templates Requiring Update:
- Renamed templates/modal/um_upload_single.php → templates/modal/upload-single.php
- Renamed templates/modal/um_view_photo.php → templates/modal/view-photo.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.8.5: April 9, 2024 =
@@ -386,7 +410,7 @@
- Fixed: Reset Password urlencoded username
- Fixed: Clear media JS in wp-admin settings
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.8.4: March 6, 2024 =
@@ -425,7 +449,7 @@
- Fixed: Default email notification body color
- Fixed: Ignore username slug when custom meta slug exists when parse user from query
* Templates required update:
* Templates Requiring Update:
- email/notification_deletion.php
- email/notification_new_user.php
@@ -433,7 +457,7 @@
- email/welcome_email.php
- password-change.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.8.2: January 15, 2024 =
@@ -457,11 +481,11 @@
- Fixed: Account styles
- Fixed: Saving `um_form_version` postmeta
* Templates required update:
* Templates Requiring Update:
- profile/posts-single.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.8.1: December 20, 2023 =
@@ -528,7 +552,7 @@
- `um-admin-clear` CSS class. It duplicates WordPress native `clear`. Using WordPress native instead.
- `um-admin-tipsy-{x}` classes to make Tipsy.JS initialization commonly for wp-admin and frontend by `um-tip-{x}` class.
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.7.0: October 11, 2023 =
@@ -562,7 +586,7 @@
- `UM()->admin()->enqueue()->suffix` property use `UM()->frontend()->enqueue()::get_suffix()`
- Changed directories for the fonts (fonticons + raty), and JS/CSS files related to libs `jquery-ui`, `raty`, `select2`, `tipsy`, `fonticons (FontAwesome + Ionicons)`
* Templates required update:
* Templates Requiring Update:
- account.php
- login.php
@@ -571,7 +595,7 @@
- register.php
- profile/posts-single.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.6.11: September 06, 2023 =
@@ -603,7 +627,7 @@
- Fixed: Performance for `um_get_form_fields` hook
- Fixed: Admin Modal JS library conflict with bootstrap.js
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.6.9: July 26, 2023 =
@@ -624,11 +648,11 @@
- Fixed: Maximum allowed words option for textarea where you may insert HTML tags. Ignore HTML tags symbols when count
- Fixed: Sanitize for fields (Min characters, Max characters, etc.) where can be empty string or absint value
* Templates required update:
* Templates Requiring Update:
- profile.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.6.8: July 19, 2023 =
@@ -662,7 +686,7 @@
- Deprecated: Unnecessary `um_multiselect_option_value` hook
* Templates required update:
* Templates Requiring Update:
- members.php
@@ -734,7 +758,7 @@
- Deprecated: `um_localize_permalink_filter`. Use `post_link` instead
* Templates required update:
* Templates Requiring Update:
- members.php
@@ -771,7 +795,7 @@
* All templates required update. Please add the version comments to your custom templates in themes
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.6.0: March 29, 2023 =
@@ -800,7 +824,7 @@
- Deprecated: VKontakte and Google+ predefined fields. VKontakte and Google+ fields validation changed to just URL validation.
* Templates required update:
* Templates Requiring Update:
- members.php
= 2.5.4: February 17, 2023 =
@@ -845,10 +869,10 @@
- Fixed: Multiple users approve
- Fixed: Using regular URL-type field for displaying
* Templates required update:
* Templates Requiring Update:
- members.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.5.1: October 26, 2022 =
@@ -895,11 +919,11 @@
- `UM()->user()->get_pending_users_count()`. Use `UM()->query()->get_pending_users_count()` instead. It's unused since 2.5.0. Will be removed since 2.7.0
- `UM()->user()->remove_cached_queue()` without alternativities. It's unused since 2.5.0. Will be removed since 2.7.0
* Templates required update:
* Templates Requiring Update:
- password-change.php
- password-reset.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.4.2: July 14, 2022 =
@@ -1010,12 +1034,12 @@
- Fixed: Canonical link of the user profile if WPML plugin is active.
- Fixed: Replacing placeholders in nav menus. Used an earlier hook for filtering items before generating HTML and avoided issues with raw, not-escaped HTML inside tags' attributes.
* Templates required update:
* Templates Requiring Update:
- members-grid.php
- members-list.php
- password-reset.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.2.5: September 22, 2021 =
@@ -1120,11 +1144,11 @@
- WordPress 5.8 compatibility. Widgets screen changes based on the new features with Legacy Widget block
* Templates required update:
* Templates Requiring Update:
- members.php
- password-reset.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.1.21: June 17, 2021 =
@@ -1137,12 +1161,12 @@
- Fixed: Displaying avatar on the logout page
- Fixed: Role meta sanitizing and related XSS vulnerability
* Templates required update:
* Templates Requiring Update:
- logout.php
- members.php
- members-list.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
= 2.1.20: May 7, 2021 =
composer.json
+1 -1
View File
@@ -33,7 +33,7 @@
"wp-coding-standards/wpcs": "*",
"symplify/phpstan-rules": "*",
"phpdocumentor/phpdocumentor": "3.8.*",
"sniccowp/php-scoper-wordpress-excludes": "6.8.*"
"sniccowp/php-scoper-wordpress-excludes": "6.9.*"
},
"scripts": {
"wordpress-excludes": [
includes/admin/class-site-health.php
+4 -4
View File
@@ -2130,11 +2130,11 @@ class Site_Health {
$debug_info[] = array(
'role' => array(
'label' => __( 'User registration role', 'ultimate-member' ),
'value' => 0 === absint( get_post_meta( $form_id, '_um_register_role', true ) ) ? $labels['default'] : get_post_meta( $form_id, '_um_register_role', true ),
'value' => empty( get_post_meta( $form_id, '_um_register_role', true ) ) ? $labels['default'] : get_post_meta( $form_id, '_um_register_role', true ),
),
'template' => array(
'label' => __( 'Template', 'ultimate-member' ),
'value' => 0 === absint( get_post_meta( $form_id, '_um_register_template', true ) ) ? $labels['default'] : get_post_meta( $form_id, '_um_register_template', true ),
'value' => empty( get_post_meta( $form_id, '_um_register_template', true ) ) ? $labels['default'] : get_post_meta( $form_id, '_um_register_template', true ),
),
'max_width' => array(
'label' => __( 'Max. Width (px)', 'ultimate-member' ),
@@ -2220,7 +2220,7 @@ class Site_Health {
$debug_info[] = array(
'template' => array(
'label' => __( 'Template', 'ultimate-member' ),
'value' => 0 === absint( get_post_meta( $form_id, '_um_login_template', true ) ) ? $labels['default'] : get_post_meta( $form_id, '_um_login_template', true ),
'value' => empty( get_post_meta( $form_id, '_um_login_template', true ) ) ? $labels['default'] : get_post_meta( $form_id, '_um_login_template', true ),
),
'max_width' => array(
'label' => __( 'Max. Width (px)', 'ultimate-member' ),
@@ -2292,7 +2292,7 @@ class Site_Health {
),
'template' => array(
'label' => __( 'Template', 'ultimate-member' ),
'value' => 0 === absint( get_post_meta( $form_id, '_um_profile_template', true ) ) ? $labels['default'] : get_post_meta( $form_id, '_um_profile_template', true ),
'value' => empty( get_post_meta( $form_id, '_um_profile_template', true ) ) ? $labels['default'] : get_post_meta( $form_id, '_um_profile_template', true ),
),
'max_width' => array(
'label' => __( 'Max. Width (px)', 'ultimate-member' ),
includes/admin/templates/directory/privacy.php
+12 -1
View File
@@ -1,8 +1,19 @@
<?php
/**
* Metabox "Privacy Options" on wp-admin > Ultimate Member > Member Directories > Edit.
*
* @package um\admin\templates
*
* @var array $box
* @var WP_Post $object
*/
if ( ! defined( 'ABSPATH' ) ) {
exit;
}
$_um_privacy_roles_value = get_post_meta( $object->ID, '_um_privacy_roles', true );
$fields = array(
array(
'id' => '_um_privacy',
@@ -26,7 +37,7 @@ $fields = array(
'options' => UM()->roles()->get_roles(),
'placeholder' => __( 'Choose user roles...', 'ultimate-member' ),
'conditional' => array( '_um_privacy', '=', '3' ),
'value' => UM()->query()->get_meta_value( '_um_privacy_roles', null, 'na' ),
'value' => empty( $_um_privacy_roles_value ) ? array() : (array) $_um_privacy_roles_value,
),
);
includes/ajax/class-pages.php
+57
View File
@@ -19,6 +19,9 @@ class Pages {
*/
public function __construct() {
add_action( 'wp_ajax_um_get_pages_list', array( $this, 'get_pages_list' ) );
add_action( 'wp_ajax_um_search_widget_request', array( $this, 'search_widget_request' ) );
add_action( 'wp_ajax_nopriv_um_search_widget_request', array( $this, 'search_widget_request' ) );
}
/**
@@ -98,4 +101,58 @@ class Pages {
wp_send_json( $return );
}
/**
* AJAX callback for getting search widget redirect to a proper member directory page.
*/
public function search_widget_request() {
check_ajax_referer( 'um_search_widget_request' );
if ( ! UM()->options()->get( 'members_page' ) ) {
wp_send_json_error( __( 'No members page enabled', 'ultimate-member' ) );
}
$member_directory_ids = array();
$page_id = UM()->config()->permalinks['members'];
if ( ! empty( $page_id ) ) {
$member_directory_ids = UM()->member_directory()->get_member_directory_id( $page_id );
}
if ( empty( $member_directory_ids ) ) {
wp_send_json_error( __( 'No members page enabled', 'ultimate-member' ) );
}
$url = um_get_predefined_page_url( 'members' );
$search = isset( $_POST['search'] ) ? sanitize_text_field( $_POST['search'] ) : '';
if ( empty( $search ) ) {
wp_send_json_success( array( 'url' => $url ) );
}
// Current user priority role
$priority_user_role = false;
if ( is_user_logged_in() ) {
$priority_user_role = UM()->roles()->get_priority_user_role( get_current_user_id() );
}
foreach ( $member_directory_ids as $directory_id ) {
$directory_data = UM()->query()->post_data( $directory_id );
if ( isset( $directory_data['roles_can_search'] ) ) {
$directory_data['roles_can_search'] = maybe_unserialize( $directory_data['roles_can_search'] );
}
$show_search = empty( $directory_data['roles_can_search'] ) || ( ! empty( $priority_user_role ) && in_array( $priority_user_role, $directory_data['roles_can_search'], true ) );
if ( empty( $directory_data['search'] ) || ! $show_search ) {
continue;
}
$hash = UM()->member_directory()->get_directory_hash( $directory_id );
$url = add_query_arg( array( 'search_' . $hash => $search ), $url );
}
wp_send_json_success( array( 'url' => $url ) );
}
}
includes/core/class-form.php
+7 -86
View File
@@ -822,6 +822,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
* @return array $form
*/
public function sanitize( $form ) {
$submission_input = $form;
if ( isset( $form['form_id'] ) ) {
if ( isset( $this->form_data['custom_fields'] ) ) {
$custom_fields = maybe_unserialize( $this->form_data['custom_fields'] );
@@ -843,26 +844,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
if ( ! empty( $field['html'] ) || ( UM()->profile()->get_show_bio_key( $form ) === $k && UM()->options()->get( 'profile_show_html_bio' ) ) ) {
$form[ $k ] = html_entity_decode( $form[ $k ] ); // required because WP_Editor send sometimes encoded content.
$form[ $k ] = self::maybe_apply_tidy( $form[ $k ], $field );
$allowed_html = UM()->get_allowed_html( 'templates' );
if ( empty( $allowed_html['iframe'] ) ) {
$allowed_html['iframe'] = array(
'allow' => true,
'frameborder' => true,
'loading' => true,
'name' => true,
'referrerpolicy' => true,
'sandbox' => true,
'src' => true,
'srcdoc' => true,
'title' => true,
'width' => true,
'height' => true,
'allowfullscreen' => true,
);
}
$form[ $k ] = wp_kses( strip_shortcodes( $form[ $k ] ), $allowed_html );
add_filter( 'wp_kses_allowed_html', array( &$this, 'wp_kses_user_desc' ), 10, 2 );
$form[ $k ] = wp_kses( strip_shortcodes( $form[ $k ] ), 'user_description' );
} else {
$form[ $k ] = sanitize_textarea_field( strip_shortcodes( $form[ $k ] ) );
}
@@ -983,27 +965,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
if ( ! empty( $custom_fields[ $description_key ]['html'] ) && $bio_html ) {
$form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content.
$form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], $custom_fields[ $description_key ] );
$allowed_html = UM()->get_allowed_html( 'templates' );
if ( empty( $allowed_html['iframe'] ) ) {
$allowed_html['iframe'] = array(
'allow' => true,
'frameborder' => true,
'loading' => true,
'name' => true,
'referrerpolicy' => true,
'sandbox' => true,
'src' => true,
'srcdoc' => true,
'title' => true,
'width' => true,
'height' => true,
'allowfullscreen' => true,
);
}
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), $allowed_html );
add_filter( 'wp_kses_allowed_html', array( &$this, 'wp_kses_user_desc' ), 10, 2 );
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), 'user_description' );
} else {
$form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) );
}
@@ -1012,26 +974,9 @@ if ( ! class_exists( 'um\core\Form' ) ) {
if ( ! $field_exists ) {
if ( $bio_html ) {
$allowed_html = UM()->get_allowed_html( 'templates' );
if ( empty( $allowed_html['iframe'] ) ) {
$allowed_html['iframe'] = array(
'allow' => true,
'frameborder' => true,
'loading' => true,
'name' => true,
'referrerpolicy' => true,
'sandbox' => true,
'src' => true,
'srcdoc' => true,
'title' => true,
'width' => true,
'height' => true,
'allowfullscreen' => true,
);
}
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), $allowed_html );
add_filter( 'wp_kses_allowed_html', array( &$this, 'wp_kses_user_desc' ), 10, 2 );
$form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content.
$form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], array() );
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), 'user_description' );
} else {
$form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) );
}
@@ -1039,31 +984,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
}
}
return $form;
}
public function wp_kses_user_desc( $tags, $context ) {
if ( 'user_description' === $context || 'pre_user_description' === $context ) {
$allowed_html = UM()->get_allowed_html( 'templates' );
if ( empty( $allowed_html['iframe'] ) ) {
$allowed_html['iframe'] = array(
'allow' => true,
'frameborder' => true,
'loading' => true,
'name' => true,
'referrerpolicy' => true,
'sandbox' => true,
'src' => true,
'srcdoc' => true,
'title' => true,
'width' => true,
'height' => true,
'allowfullscreen' => true,
);
}
$tags = $allowed_html;
}
return $tags;
return apply_filters( 'um_sanitize_form_submission', $form, $submission_input );
}
/**
includes/core/class-permalinks.php
+37 -7
View File
@@ -27,12 +27,14 @@ if ( ! class_exists( 'um\core\Permalinks' ) ) {
* Permalinks constructor.
*/
public function __construct() {
add_action( 'init', array( &$this, 'set_current_url' ), 0 );
add_action( 'init', array( &$this, 'set_current_url' ), 0 );
add_action( 'init', array( &$this, 'check_for_querystrings' ), 1 );
add_action( 'init', array( &$this, 'check_for_querystrings' ), 1 );
// don't use lower than 2 priority because there is sending email inside, but Action Scheduler is init on 1st priority.
add_action( 'init', array( &$this, 'activate_account_via_email_link' ), 2 );
add_action( 'init', array( &$this, 'activate_account_via_email_link' ), 2 );
// Approve the user after the activate account link is verified.
add_action( 'um_approve_user_on_email_confirmation', array( &$this, 'approve_user_on_email_confirmation' ) );
}
/**
@@ -135,9 +137,25 @@ if ( ! class_exists( 'um\core\Permalinks' ) ) {
}
// Activate account link is valid. Can be approved below.
um_fetch_user( $user_id ); // @todo maybe don't need to fetch.
UM()->common()->users()->approve( $user_id, true );
/**
* Fires for user activation after validation the link for email confirmation.
*
* Internal Ultimate Member callbacks (Priority -> Callback name -> Excerpt):
* 10 - `UM()->permalinks()->approve_user_on_email_confirmation()` Approve the user after the activate account link is verified.
*
* @hook um_approve_user_on_email_confirmation
*
* @param {int} $user_id The user ID.
*
* @since 2.11.2
*
* @example <caption>Doing some code just after native approve the $user_id on email confirmation.</caption>
* function my_approve_user_on_email_confirmation( $user_id ) {
* // your code here
* }
* add_action( 'um_approve_user_on_email_confirmation', 'my_approve_user_on_email_confirmation', 11 );
*/
do_action( 'um_approve_user_on_email_confirmation', $user_id );
$user_role = UM()->roles()->get_priority_user_role( $user_id );
$user_role_data = UM()->roles()->role_data( $user_role );
@@ -161,7 +179,7 @@ if ( ! class_exists( 'um\core\Permalinks' ) ) {
* function my_after_email_confirmation( $user_id ) {
* // your code here
* }
* add_filter( 'um_after_email_confirmation', 'my_after_email_confirmation' );
* add_action( 'um_after_email_confirmation', 'my_after_email_confirmation' );
*/
do_action( 'um_after_email_confirmation', $user_id );
@@ -200,6 +218,18 @@ if ( ! class_exists( 'um\core\Permalinks' ) ) {
}
}
/**
* Natively approve the user after validation of the email activation link.
*
* @param int $user_id
*
* @return void
*/
public function approve_user_on_email_confirmation( $user_id ) {
um_fetch_user( $user_id ); // @todo maybe don't need to fetch.
UM()->common()->users()->approve( $user_id, true );
}
/**
* Makes an activate link for any user
*
includes/core/class-shortcodes.php
+5 -8
View File
@@ -1370,12 +1370,10 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
}
/**
* @param array $args
* @param string $content
*
* @return string
*/
public function ultimatemember_searchform( $args = array(), $content = '' ) {
public function ultimatemember_searchform() {
if ( ! UM()->options()->get( 'members_page' ) ) {
return '';
}
@@ -1391,7 +1389,7 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
return '';
}
//current user priority role
// Current user priority role
$priority_user_role = false;
if ( is_user_logged_in() ) {
$priority_user_role = UM()->roles()->get_priority_user_role( get_current_user_id() );
@@ -1405,7 +1403,7 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
$directory_data['roles_can_search'] = maybe_unserialize( $directory_data['roles_can_search'] );
}
$show_search = empty( $directory_data['roles_can_search'] ) || ( ! empty( $priority_user_role ) && in_array( $priority_user_role, $directory_data['roles_can_search'] ) );
$show_search = empty( $directory_data['roles_can_search'] ) || ( ! empty( $priority_user_role ) && in_array( $priority_user_role, $directory_data['roles_can_search'], true ) );
if ( empty( $directory_data['search'] ) || ! $show_search ) {
continue;
}
@@ -1419,12 +1417,11 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
return '';
}
$query = array_filter( $query );
$search_value = array_values( $query );
$t_args = array(
'query' => $query,
'search_value' => $search_value[0],
'members_page' => um_get_core_page( 'members' ),
'search_value' => ! empty( $search_value ) ? $search_value[0] : '',
);
return UM()->get_template( 'searchform.php', '', $t_args );
}
includes/um-deprecated-functions.php
+1 -5
View File
@@ -462,11 +462,7 @@ function um_members( $argument ) {
function um_get_search_form() {
//um_deprecated_function( 'um_get_search_form', '2.1.0', 'do_shortcode( \'[ultimatemember_searchform]\' )' );
if ( version_compare( get_bloginfo('version'),'5.4', '<' ) ) {
return do_shortcode( '[ultimatemember_searchform]' );
} else {
return apply_shortcodes( '[ultimatemember_searchform]' );
}
return apply_shortcodes( '[ultimatemember_searchform]' );
}
includes/widgets/class-um-search-widget.php
+1 -6
View File
@@ -58,12 +58,7 @@ class UM_Search_Widget extends \WP_Widget {
}
// display the search form
if ( version_compare( get_bloginfo('version'),'5.4', '<' ) ) {
echo do_shortcode( '[ultimatemember_searchform /]' );
} else {
echo apply_shortcodes( '[ultimatemember_searchform /]' );
}
echo apply_shortcodes( '[ultimatemember_searchform /]' );
echo $args['after_widget'];
}
readme.txt
+29 -2
View File
@@ -6,7 +6,7 @@ Tags: community, member, membership, user-profile, user-registration
Requires PHP: 7.0
Requires at least: 6.2
Tested up to: 6.9
Stable tag: 2.11.0
Stable tag: 2.11.2
License: GPLv3
License URI: http://www.gnu.org/licenses/gpl-3.0.txt
@@ -167,6 +167,30 @@ No specific extensions are needed. But we highly recommended keep active these P
IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION
= 2.11.2 2026-02-10 =
**Enhancements**
* Added: Server-side validation when the Search Form is submitted.
* Added: Action hook `um_approve_user_on_email_confirmation` to natively approve the user after validating the email activation link.
* Added: JS filter wp.hook `um_member_directory_popstate_ignore` to stop window.pushSate in the member directory for 3rd-party integrations.
**Bugfixes**
* Fixed: Security issue, CVE ID: CVE-2025-15064. Deprecated the ability to use HTML inside the user description. It's still allowed to use only predefined 'user_description' tags in `wp_kses()`.
* Fixed: Security issue, CVE ID: CVE-2026-1404. Modified template item formatting to avoid using HTML characters in the filter values.
* Fixed: Profile photo dropdown menu position for screens smaller than 340px.
* Fixed: Display of the saved value of the "Privacy Options" > "Allowed roles" setting for the member directory.
* Fixed: Information in Site-Health about the registration form's `Template` and `Role` settings.
* Fixed: Information in Site-Health about the login and profile form's `Template` settings.
**Templates Requiring Update**
* members.php
* searchform.php
**Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade**
= 2.11.1 2025-12-16 =
**Enhancements**
@@ -181,7 +205,7 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
* Fixed: Security issue CVE ID: CVE-2025-14081. Filtering fields based on user permissions during Account form submission.
* Fixed: Security issue CVE ID: CVE-2025-12492. Added directory privacy settings and added rate limiting.
* Templates required update:
**Templates Requiring Update**
* members.php
* members-grid.php
@@ -209,6 +233,9 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
== Upgrade Notice ==
= 2.11.2 =
This version fixes a security related bug. Upgrade immediately.
= 2.11.1 =
This version fixes a security related bug. Upgrade immediately.
templates/members.php
+6 -6
View File
@@ -6,7 +6,7 @@
*
* Page: "Members"
*
* @version 2.11.1
* @version 2.11.2
*
* @var array $args
*/
@@ -343,13 +343,13 @@ $postid = ! empty( $post->ID ) ? $post->ID : '';
<# _.each( data.filters, function( filter, key, list ) { #>
<div class="um-members-filter-tag">
<# if ( filter.type == 'slider' ) { #>
{{{filter.value_label}}}
{{filter.value_label}}
<# } else { #>
<strong>{{{filter.label}}}</strong>: {{{filter.value_label}}}
<strong>{{filter.label}}</strong>: {{filter.value_label}}
<# } #>
<div class="um-members-filter-remove um-tip-n" data-name="{{{filter.name}}}"
data-value="{{{filter.value}}}" data-range="{{{filter.range}}}"
data-type="{{{filter.type}}}" title="<?php esc_attr_e( 'Remove filter', 'ultimate-member' ) ?>">&times;</div>
<div class="um-members-filter-remove um-tip-n" data-name="{{filter.name}}"
data-value="{{filter.value}}" data-range="{{filter.range}}"
data-type="{{filter.type}}" title="<?php esc_attr_e( 'Remove filter', 'ultimate-member' ) ?>">&times;</div>
</div>
<# }); #>
<# } #>
templates/searchform.php
+8 -13
View File
@@ -6,23 +6,18 @@
*
* Call: function ultimatemember_searchform()
*
* @version 2.6.1
* @version 2.11.2
*
* @var string $members_page
* @var string $search_value
* @var array $query
*/
if ( ! defined( 'ABSPATH' ) ) {
exit;
} ?>
<div class="search-form um-search-form" data-members_page="<?php echo esc_url( $members_page ); ?>">
<?php foreach ( array_keys( $query ) as $key ) { ?>
<input type="hidden" name="um-search-keys[]" value="<?php echo esc_attr( $key ) ?>" />
<?php } ?>
<div class="um-search-area">
<span class="screen-reader-text"><?php echo _x( 'Search for:', 'label' ); ?></span>
<input type="search" class="um-search-field search-field" placeholder="<?php echo esc_attr_x( 'Search &hellip;', 'placeholder' ); ?>" value="<?php echo esc_attr( $search_value ); ?>" name="search" title="<?php echo esc_attr_x( 'Search for:', 'label' ); ?>" />
<a href="javascript:void(0);" id="um-search-button" class="um-search-icon um-faicon um-faicon-search"></a>
}
?>
<div class="um search-form um-search-form" data-nonce="<?php echo esc_attr( wp_create_nonce( 'um_search_widget_request' ) ); ?>">
<div class="um-form um-search-area">
<span class="screen-reader-text"><?php echo esc_html_x( 'Search for:', 'label', 'ultimate-member' ); ?></span>
<input type="search" class="um-search-field search-field" placeholder="<?php echo esc_attr_x( 'Search &hellip;', 'placeholder', 'ultimate-member' ); ?>" value="<?php echo esc_attr( $search_value ); ?>" name="search" title="<?php echo esc_attr_x( 'Search for:', 'label', 'ultimate-member' ); ?>" />
<a href="#" id="um-search-button" class="um-search-icon um-faicon um-faicon-search"></a>
</div>
</div>
ultimate-member.php
+2 -2
View File
@@ -3,7 +3,7 @@
* Plugin Name: Ultimate Member
* Plugin URI: http://ultimatemember.com/
* Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress
* Version: 2.11.1
* Version: 2.11.2
* Author: Ultimate Member
* Author URI: http://ultimatemember.com/
* License: GPLv3
@@ -34,7 +34,7 @@ define( 'UM_PATH', plugin_dir_path( __FILE__ ) );
define( 'UM_PLUGIN', plugin_basename( __FILE__ ) );
define( 'UM_VERSION', $plugin_data['Version'] );
define( 'UM_PLUGIN_NAME', $plugin_data['Name'] );
define( 'UM_WP_FUNCTIONS_VERSION', '6.8.0' ); // Updates every major WordPress release.
define( 'UM_WP_FUNCTIONS_VERSION', '6.9.0' ); // Updates every major WordPress release.
define( 'UM_LICENSE_REQUEST_DEBUG', false ); // Set true then need to debug the license request.
define( 'UM_UPDATER_DEBUG', false ); // Set true then need to debug the upgrade packages.
// define( 'UM_DEV_MODE', true );