From 617bc3389cf5cf8d21d7133126d3690b06c93d68 Mon Sep 17 00:00:00 2001
From: Champ Camba
Date: Tue, 11 Jul 2023 22:52:03 +0800
Subject: [PATCH] Add diagnostic for custom assigned roles to Register forms
---
 includes/ajax/class-secure.php | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/includes/ajax/class-secure.php b/includes/ajax/class-secure.php
index 99599c9b..322c32bd 100644
--- a/includes/ajax/class-secure.php
+++ b/includes/ajax/class-secure.php
@@ -146,6 +146,7 @@ class Secure {
 $all_plugins = get_plugins();
 $active_plugins = apply_filters( 'active_plugins', get_option( 'active_plugins' ) );
+ $um_forms = get_posts( 'post_type=um_form&numberposts=-1&fields=ids' );
 $content = '-----' . $br . $br;
@@ -329,6 +330,32 @@ class Secure {
 $content .= $br . $check . 'The default WordPress Register form is disabled.' . $br;
 }
+ $content .= $br . 'Secure Register Forms';
+ $content .= $br . 'We\'ve removed the assignment of administrative roles for Register forms due to vulnerabilities in previous versions of the plugin. If your Register forms still have Administrative roles, we recommend that you assign a non-admin roles to secure the forms.' . $br;
+ foreach ( $um_forms as $fid ) {
+ switch ( get_post_meta( $fid, '_um_mode', true ) ) {
+ case 'register':
+ $is_customized = absint( get_post_meta( $fid, '_um_register_use_custom_settings', true ) );
+ $arr_banned_caps = UM()->options()->get( 'banned_capabilities' );
+ $role = get_post_meta( $fid, '_um_register_role', true );
+ $caps = get_role( $role )->capabilities;
+ $has_banned_cap = false;
+ foreach ( array_keys( $caps ) as $cap ) {
+ if ( in_array( $cap, $arr_banned_caps, true ) ) {
+ $content .= $br . '' . get_the_title( $fid ) . ' contains administrative role ' . $flag;
+ $has_banned_cap = true;
+ break;
+ }
+ }
+
+ if ( ! $has_banned_cap || ! $is_customized ) {
+ $content .= $br . '' . get_the_title( $fid ) . ' is secured ' . $check;
+ }
+ break;
+ }
+ }
+ $content .= $br;
+
+ $content .= $br . 'Block Disposable Email Addresses/Domains';
 if ( empty( UM()->options()->get( 'blocked_emails' ) ) ) {
 $content .= $br . $flag . 'You are not blocking email addresses or disposable email domains that are mostly used for Spam Account Registrations. You can get the list of disposable email domains with our basic extension Block Disposable Email Domains.';
@@ -388,7 +415,6 @@ class Secure {
 } else {
 if ( in_array( 'um-recaptcha/um-recaptcha.php', $active_plugins, true ) ) {
 $content .= $br . $check . 'Ultimate Member ReCaptcha is actived.';
- $um_forms = get_posts( 'post_type=um_form&numberposts=-1&fields=ids' );
 foreach ( $um_forms as $fid ) {
 switch ( get_post_meta( $fid, '_um_mode', true ) ) {
 case 'register':
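Review bot: `$caps = get_role( $role )->capabilities;` dereferences the result of get_role() without a null check, and `$role` is read before `$is_customized` is consulted, so a register form that does not use custom settings (or whose stored role no longer exists) makes get_role() return null and the diagnostic aborts with a fatal error instead of reporting. The same ordering lets one form print both "contains administrative role" and "is secured" when a stale `_um_register_role` sits on a non-customized form, because the `! $is_customized` condition only adds the second message rather than suppressing the first. `$arr_banned_caps = UM()->options()->get( 'banned_capabilities' );` is loop-invariant and, if that option can ever be anything but an array, the strict in_array() throws a TypeError on PHP 8, so it belongs before the outer `foreach` with an is_array() guard. The enclosing method starts and ends outside this hunk; the rewrite below keeps both messages and only reorders the checks, and if `$content` is rendered as HTML (which `$br`/`$check`/`$flag` suggest but the hunk does not show) wrapping get_the_title() in esc_html() would be the remaining nit.
```php
$arr_banned_caps = UM()->options()->get( 'banned_capabilities' ); // read once; invariant across forms
foreach ( $um_forms as $fid ) {
	switch ( get_post_meta( $fid, '_um_mode', true ) ) {
		case 'register':
			$is_customized = absint( get_post_meta( $fid, '_um_register_use_custom_settings', true ) );
			$role          = get_post_meta( $fid, '_um_register_role', true );
			// Only a customized form applies its own role; get_role() returns null for an empty or unknown role.
			$role_object    = ( $is_customized && ! empty( $role ) ) ? get_role( $role ) : null;
			$has_banned_cap = false;
			if ( $role_object instanceof WP_Role && is_array( $arr_banned_caps ) ) {
				$has_banned_cap = (bool) array_intersect( array_keys( $role_object->capabilities ), $arr_banned_caps );
			}
			if ( $has_banned_cap ) {
				$content .= $br . '' . get_the_title( $fid ) . ' contains administrative role ' . $flag;
			} else {
				$content .= $br . '' . get_the_title( $fid ) . ' is secured ' . $check;
			}
			break;
	}
}
// … unchanged: trailing $content .= $br; and the Block Disposable Email section …
```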