From d6d129d53b4c456e90cafc89d9052b6feddf59f8 Mon Sep 17 00:00:00 2001
From: Mykyta Synelnikov
Date: Sat, 1 Jul 2023 13:54:57 +0300
Subject: [PATCH] - prepared for release;
---
 includes/core/class-form.php | 56 ------------------------------------
 readme.txt | 6 ++--
 ultimate-member.php | 2 +-
 3 files changed, 4 insertions(+), 60 deletions(-)
diff --git a/includes/core/class-form.php b/includes/core/class-form.php
index a0463c2b..e5b07c09 100644
--- a/includes/core/class-form.php
+++ b/includes/core/class-form.php
@@ -613,62 +613,6 @@ if ( ! class_exists( 'um\core\Form' ) ) { $this->post_form['role'] = $role; } - // @todo REMOVE THAT !!! AND SEPARATE FORM DATA AND SUBMISSION DATA. MAY AFFECT TO EXTENSIONS - //$this->post_form = array_merge( $this->form_data, $this->post_form ); - - // Remove role from post_form at first if role ! empty and there aren't custom fields with role name -// if ( ! empty( $this->post_form['role'] ) ) { -// if ( ! strstr( $this->form_data['custom_fields'], 'role_' ) ) { -// unset( $this->post_form['role'] ); -// //unset( $this->post_form['submitted']['role'] ); -// } -// } - - // Secure sanitize of the submitted data -// if ( ! empty( $this->post_form ) ) { -// $this->post_form = $this->clean_submitted_data( $this->post_form ); -// } -// if ( ! empty( $this->post_form['submitted'] ) ) { -// $this->post_form['submitted'] = $this->clean_submitted_data( $this->post_form['submitted'] ); -// } - - - -// if ( isset( $this->form_data['custom_fields'] ) && strstr( $this->form_data['custom_fields'], 'role_' ) ) { // Secure selected role -// if ( ! empty( $_POST['role'] ) ) { -// $custom_field_roles = $this->custom_field_roles( $this->form_data['custom_fields'] ); -// -// if ( ! empty( $custom_field_roles ) ) { -// if ( is_array( $_POST['role'] ) ) { -// $role = current( $_POST['role'] ); -// $role = sanitize_key( $role ); -// } else { -// $role = sanitize_key( $_POST['role'] ); -// } -// -// global $wp_roles; -// $exclude_roles = array_diff( array_keys( $wp_roles->roles ), UM()->roles()->get_editable_user_roles() ); -// -// if ( ! empty( $role ) && -// ( ! 
in_array( $role, $custom_field_roles, true ) || in_array( $role, $exclude_roles, true ) ) ) { -// wp_die( esc_html__( 'This is not possible for security reasons.', 'ultimate-member' ) ); -// } -// -// $this->post_form['role'] = $role; -// $this->post_form['submitted']['role'] = $role; -// } else { -// unset( $this->post_form['role'] ); -// unset( $this->post_form['submitted']['role'] ); -// -// // set default role for registration form if custom field hasn't proper value -// if ( 'register' === $this->form_data['mode'] ) { -// $role = $this->assigned_role( $this->form_id ); -// $this->post_form['role'] = $role; -// } -// } -// } -// } - /** * Filters $_POST submitted data by the UM login, registration or profile form. * It's un-slashed by `wp_unslash()`, beautified and sanitized. `role` attribute is filtered by possible role. diff --git a/readme.txt b/readme.txt index c7031699..bccf43b9 100644 --- a/readme.txt +++ b/readme.txt @@ -160,15 +160,15 @@ No, you do not need to use our plugin’s login or registration pages and can us = Important: = -* To learn more about version 2.1 please see this [docs](https://docs.ultimatemember.com/article/1512-upgrade-2-1-0) -* UM2.1+ is a significant update to the Member Directories' code base from 2.0.x. Please make sure you take a full-site backup with restore point before updating the plugin +IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. -= 2.6.7: July xx, 2023 = += 2.6.7: July 1, 2023 = * Bugfixes: - Fixed: A privilege escalation vulnerability used through UM Forms. Known in the wild that vulnerability allowed strangers to create administrator-level WordPress users. Please update immediately and check all administrator-level users on your website. - Fixed: Displaying fields on Account page > Privacy > Member directory settings + - Fixed: Allowed types for the file field = 2.6.6: June 29, 2023 = 
diff --git a/ultimate-member.php b/ultimate-member.php
index 7bf23571..032244b2 100644
--- a/ultimate-member.php
+++ b/ultimate-member.php
@@ -3,7 +3,7 @@
 Plugin Name: Ultimate Member
 Plugin URI: http://ultimatemember.com/
 Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress
-Version: 2.6.7-alpha
+Version: 2.6.7
 Author: Ultimate Member
 Author URI: http://ultimatemember.com/
 Text Domain: ultimate-member