diff --git a/includes/core/class-common.php b/includes/core/class-common.php
index 3fbedb58..21fe5efd 100644
--- a/includes/core/class-common.php
+++ b/includes/core/class-common.php
@@ -33,6 +33,16 @@ if ( ! class_exists( 'Common' ) ) {
 'not_found_in_trash' => __('Nothing found in Trash'),
 'search_items' => __('Search Forms')
 ),
+ 'capabilities' => array(
+ 'edit_post' => 'update_core',
+ 'read_post' => 'update_core',
+ 'delete_post' => 'update_core',
+ 'edit_posts' => 'update_core',
+ 'edit_others_posts' => 'update_core',
+ 'delete_posts' => 'update_core',
+ 'publish_posts' => 'update_core',
+ 'read_private_posts' => 'update_core'
+ ),
 'show_ui' => true,
 'show_in_menu' => false,
 'public' => false,
@@ -52,6 +62,16 @@ if ( ! class_exists( 'Common' ) ) {
 'not_found_in_trash' => __('Nothing found in Trash'),
 'search_items' => __('Search Member Directories')
 ),
+ 'capabilities' => array(
+ 'edit_post' => 'update_core',
+ 'read_post' => 'update_core',
+ 'delete_post' => 'update_core',
+ 'edit_posts' => 'update_core',
+ 'edit_others_posts' => 'update_core',
+ 'delete_posts' => 'update_core',
+ 'publish_posts' => 'update_core',
+ 'read_private_posts' => 'update_core'
+ ),
 'show_ui' => true,
 'show_in_menu' => false,
 'public' => false,
diff --git a/includes/core/class-files.php b/includes/core/class-files.php
index 954a2c31..da77b80d 100644
--- a/includes/core/class-files.php
+++ b/includes/core/class-files.php
@@ -476,8 +476,8 @@ if ( ! class_exists( 'Files' ) ) {
 ***/
 function delete_file( $src ) {
- if ( strstr( $src, '?' ) ){
- $splitted = explode('?', $src );
+ if ( strstr( $src, '?' ) ) {
+ $splitted = explode( '?', $src );
 $src = $splitted[0];
 }
diff --git a/includes/core/class-form.php b/includes/core/class-form.php
index 111c3bf2..07aca335 100644
--- a/includes/core/class-form.php
+++ b/includes/core/class-form.php
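Review bot: Mapping every capability of the um_form post type to `update_core` (the member-directory type gets the identical map in the next hunk) ties the forms and directories screens to a capability that WordPress grants only to super admins on multisite, so ordinary site administrators there would lose access. If the intent is "administrators only", `manage_options` says that without the multisite side effect; if the intent is a tighter, separately grantable policy, a dedicated capability assigned at activation would keep it adjustable. Whichever is chosen, the array should carry a one-line comment stating the policy, e.g. `// Administrators only: editing forms is a privileged operation.`, since nothing in the hunk explains why the default post capabilities were replaced. The post-type registration arguments these arrays belong to begin outside the hunk.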
@@ -181,7 +181,7 @@ if ( ! class_exists( 'Form' ) ) {
 $role = current( $_POST['role'] );
 }
- if ( isset( $custom_field_roles ) && is_array( $custom_field_roles ) && ! empty( $role ) && ! in_array( $role , $custom_field_roles ) ) {
+ if ( /*isset( $custom_field_roles ) && is_array( $custom_field_roles ) &&*/ ! empty( $role ) && ! in_array( $role , $custom_field_roles ) ) {
 wp_die( __( 'This is not possible for security reasons.','ultimate-member') );
 }
diff --git a/includes/core/class-user.php b/includes/core/class-user.php
index bb53350e..d0d45e3c 100644
--- a/includes/core/class-user.php
+++ b/includes/core/class-user.php
@@ -119,6 +119,9 @@ if ( ! class_exists( 'User' ) ) {
 $userdata = get_userdata( $user_id );
+ if ( empty( $userdata ) )
+ return UM()->permalinks()->profile_permalink( $profile_slug );
+
 $user_in_url = '';
 // Username
 if ( $permalink_base == 'user_login' ) {
diff --git a/includes/core/um-actions-account.php b/includes/core/um-actions-account.php
index 555f7103..05e59c53 100644
--- a/includes/core/um-actions-account.php
+++ b/includes/core/um-actions-account.php
@@ -10,7 +10,7 @@
 if ( $_POST['user_password'] && $_POST['confirm_user_password'] ) {
 $changes['user_pass'] = $_POST['user_password'];
- $args['id'] = um_user('ID');
+ $args['user_id'] = um_user('ID');
 do_action('send_password_change_email', $args );
diff --git a/includes/core/um-actions-password.php b/includes/core/um-actions-password.php
index f00a075a..06fc9563 100644
--- a/includes/core/um-actions-password.php
+++ b/includes/core/um-actions-password.php
@@ -61,9 +61,9 @@
 *
 */
 add_action('send_password_change_email','um_send_password_change_email');
- function um_send_password_change_email( $args ){
+ function um_send_password_change_email( $args ) {
- extract( $args );
+ extract( $args );
 um_fetch_user( $user_id );
diff --git a/includes/core/um-actions-wpadmin.php b/includes/core/um-actions-wpadmin.php
index aa980a69..12c467c8 100644
--- a/includes/core/um-actions-wpadmin.php
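Review bot: Commenting out `isset( $custom_field_roles ) && is_array( $custom_field_roles ) &&` leaves dead code inside the condition and, if `$custom_field_roles` can ever be unset, makes the guard depend on `in_array()` misbehaving (a warning and a falsy return on PHP 7, a `TypeError` on PHP 8), so the submitted role would be rejected by accident rather than by design. Since `$role` comes straight from `$_POST['role']` two lines up, state the policy directly and compare strictly: `if ( ! empty( $role ) && ( empty( $custom_field_roles ) || ! in_array( $role, $custom_field_roles, true ) ) ) {`. Where `$custom_field_roles` is filled is outside the hunk, as is the start of the enclosing method.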
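Review bot: The new early return for a missing user passes `$profile_slug` to `profile_permalink()`, and nothing in the hunk defines that variable; if it is assigned earlier in the method this is fine, otherwise the fallback builds a permalink from an undefined value. The brace-less `if` also departs from the style of the surrounding lines (`if ( $permalink_base == 'user_login' ) {`); write it as `if ( empty( $userdata ) ) {` / `return UM()->permalinks()->profile_permalink( $profile_slug );` / `}`. The enclosing method begins outside the hunk.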
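Review bot: The key rename from `id` to `user_id` is what the consumer needs — `um_send_password_change_email()` in the um-actions-password.php hunk does `extract( $args )` and then reads `$user_id` — but that dependency is invisible at this call site, so the next rename will break it again. Add `// key must be 'user_id': um_send_password_change_email() reads $user_id from this array` above the assignment, and in the handler prefer `$user_id = isset( $args['user_id'] ) ? $args['user_id'] : 0;` over `extract()`, which also turns any other key placed in `$args` by a hook into a local variable.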
+++ b/includes/core/um-actions-wpadmin.php
@@ -3,7 +3,7 @@
 /***
 *** @redirect wp-admin for non guests
 ***/
- add_action( 'init', 'um_block_wpadmin_for_guests' );
+/* add_action( 'init', 'um_block_wpadmin_for_guests' );
 function um_block_wpadmin_for_guests() {
 global $pagenow;
@@ -44,13 +44,11 @@
 $redirect = $custom_url;
 }
- /* ---------- */
 //Add support query string data after user login
 if($_SERVER['QUERY_STRING']) {
 $redirect .= '?'.$_SERVER['QUERY_STRING'];
 }
- /* ---------- */
-
+
 exit( wp_redirect( $redirect ) );
 }
 }
@@ -94,13 +92,15 @@
 }
- }
+ }*/
 /***
 *** @checks if user can access the backend
 ***/
 function um_block_wpadmin_by_user_role() {
- if ( is_admin() && ! defined('DOING_AJAX') && um_user( 'ID' ) && ! um_user( 'can_access_wpadmin' ) && ! is_super_admin( um_user('ID') ) ) {
+ /*var_dump( is_admin() && ! defined('DOING_AJAX') && um_user( 'ID' ) && ! um_user( 'can_access_wpadmin' ) && ! is_super_admin( um_user('ID') ) );
+ exit;*/
+ if ( is_admin() && ! defined('DOING_AJAX') && um_user( 'ID' ) && ! um_user( 'can_access_wpadmin' ) && ! is_super_admin( um_user('ID') ) ) {
 um_redirect_home();
 }
 }
diff --git a/includes/lib/upload/um-file-upload.php b/includes/lib/upload/um-file-upload.php
index cf085cc5..0d6710d8 100644
--- a/includes/lib/upload/um-file-upload.php
+++ b/includes/lib/upload/um-file-upload.php
@@ -24,6 +24,11 @@ require_once( $wp_load );
 $ret['error'] = null;
 $ret = array();
+if ( ! is_user_logged_in() ) {
+ $ret['error'] = 'Invalid user';
+ die( json_encode( $ret ) );
+}
+
 $nonce = $_POST['_wpnonce'];
 $id = $_POST['key'];
 $timestamp = $_POST['timestamp'];
diff --git a/includes/um-short-functions.php b/includes/um-short-functions.php
index a57076bd..7a543b21 100644
--- a/includes/um-short-functions.php
+++ b/includes/um-short-functions.php
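Review bot: `um_block_wpadmin_by_user_role()` now ships a commented-out `var_dump( … ); exit;` directly above its condition in the third hunk; delete it rather than leaving debugging scaffolding in a hook that runs on admin requests. The first hunk disables `um_block_wpadmin_for_guests()` by opening a block comment before `add_action( 'init', … )` and closing it with `}*/` in the third, which is why the inner `/* ---------- */` markers had to go (PHP block comments do not nest); removing the `add_action` line, or the function itself, would express the same decision without the dead code, and the reason guests are no longer redirected away from wp-admin deserves a sentence in a comment or the commit message. The body swallowed by that block comment lies between the hunks, so I cannot see all of it.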
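Review bot: The new `is_user_logged_in()` guard answers an unauthenticated upload with HTTP 200 and a bare JSON body, so any caller that branches on the status code sees success; send a status first, `status_header( 403 );` before `die( json_encode( $ret ) );`. Gating on authentication before `$_POST['_wpnonce']` and `$_POST['key']` are read is the right order; the nonce verification itself is outside the hunk, so I cannot confirm it still runs for logged-in users. Note also that `$ret['error'] = null;` on the context line is immediately discarded by `$ret = array();`, so the new guard is the first assignment that actually survives.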
@@ -567,17 +567,22 @@
 *** @Check that temp upload is valid
 ***/
 function um_is_temp_upload( $url ) {
- $url = explode('/ultimatemember/temp/', $url);
+
+ $url = realpath( $url );
+
+ if ( ! $url )
+ return false;
+
+ $url = explode( '/ultimatemember/temp/', $url );
 if ( isset( $url[1] ) ) {
- if ( strstr( $url[1], '../' ) || strstr( $url[1], '%' ) ) {
+ if ( strstr( $url[1], '../' ) || strstr( $url[1], '%' ) )
 return false;
- }
 $src = UM()->files()->upload_temp . $url[1];
- if ( !file_exists( $src ) ) {
+ if ( ! file_exists( $src ) )
 return false;
- }
+
 return $src;
 }
 return false;
diff --git a/templates/account.php b/templates/account.php
index 5c6efe6b..146d0814 100644
--- a/templates/account.php
+++ b/templates/account.php
@@ -1,4 +1,4 @@
-
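Review bot: `realpath( $url )` at the top of `um_is_temp_upload()` only works if callers hand it a filesystem path; the parameter is named `$url`, and the code that follows derives the path from the text after `/ultimatemember/temp/` by prefixing `UM()->files()->upload_temp`, which reads as if it expects the upload URL — in that case `realpath()` returns false and every temp upload is rejected. On Windows `realpath()` also returns backslash-separated paths, so the `/ultimatemember/temp/` split would no longer match. Resolving after the split, and checking that the resolved file sits under the resolved temp directory, gives the traversal protection this commit is after without depending on what the caller passes; the `strstr` checks on `../` and `%` can stay as a cheap first filter, but the containment check is what decides. The `if` bodies also lost their braces in this hunk, which departs from the surrounding style.
```php
function um_is_temp_upload( $url ) {
	$url = explode( '/ultimatemember/temp/', $url );
	if ( ! isset( $url[1] ) ) {
		return false;
	}

	// Decide containment on the resolved filesystem path, not on the URL text:
	// realpath() collapses '../' and symlinks and returns false for a missing file.
	$temp_dir = realpath( UM()->files()->upload_temp );
	$src      = realpath( UM()->files()->upload_temp . $url[1] );
	if ( ! $temp_dir || ! $src ) {
		return false;
	}
	if ( strpos( $src, rtrim( $temp_dir, '/\\' ) . DIRECTORY_SEPARATOR ) !== 0 ) {
		return false;
	}

	return $src;
}
```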
+
diff --git a/templates/login.php b/templates/login.php
index a77b93aa..935c74b4 100644
--- a/templates/login.php
+++ b/templates/login.php
@@ -1,4 +1,4 @@
-
+
diff --git a/templates/logout.php b/templates/logout.php
index 23574478..7e9c7846 100644
--- a/templates/logout.php
+++ b/templates/logout.php
@@ -1,4 +1,4 @@
-
+
diff --git a/templates/members.php b/templates/members.php
index 03ebc4a8..3ad96eb2 100644
--- a/templates/members.php
+++ b/templates/members.php
@@ -1,4 +1,4 @@
-
+
diff --git a/templates/message.php b/templates/message.php
index 4bb9df34..e0ee773e 100644
--- a/templates/message.php
+++ b/templates/message.php
@@ -1,4 +1,4 @@
-
+
diff --git a/templates/password-change.php b/templates/password-change.php
index 6eb69375..421707c5 100644
--- a/templates/password-change.php
+++ b/templates/password-change.php
@@ -1,4 +1,4 @@
-
+
diff --git a/templates/password-reset.php b/templates/password-reset.php
index 21f6538b..2e827ae1 100644
--- a/templates/password-reset.php
+++ b/templates/password-reset.php
@@ -1,4 +1,4 @@
-
+
diff --git a/templates/profile.php b/templates/profile.php
index abe8994f..a76bf001 100644
--- a/templates/profile.php
+++ b/templates/profile.php
@@ -1,4 +1,4 @@
-
+
diff --git a/templates/register.php b/templates/register.php
index f183fde0..47339cb1 100644
--- a/templates/register.php
+++ b/templates/register.php
@@ -1,4 +1,4 @@
-
+