Fix security vulnerability CVE-2025-13220 in Ultimate Member.
Addressed CVE-2025-13220 by implementing necessary fixes in the plugin's shortcodes and updating sanitization for shortcode attributes. Removed redundant compatibility checks for WordPress versions earlier than 5.4 and improved stability in the shortcode handling logic.
@@ -2,7 +2,9 @@
|
||||
|
||||
= 2.11.1 December xx, 2025 =
|
||||
|
||||
* Bugfixes:
|
||||
|
||||
- Fixed: CVE-2025-13220.
|
||||
|
||||
= 2.11.0 December 02, 2025 =
|
||||
|
||||
|
||||
@@ -527,10 +527,10 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
function ultimatemember_login( $args = array() ) {
|
||||
public function ultimatemember_login( $args = array() ) {
|
||||
global $wpdb;
|
||||
|
||||
$args = ! empty( $args ) ? $args : array();
|
||||
$args = shortcode_atts( array(), $args, 'ultimatemember_login' );
|
||||
|
||||
$default_login = $wpdb->get_var(
|
||||
"SELECT pm.post_id
|
||||
@@ -547,23 +547,18 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
|
||||
$shortcode_attrs .= " {$key}=\"{$value}\"";
|
||||
}
|
||||
|
||||
if ( version_compare( get_bloginfo('version'),'5.4', '<' ) ) {
|
||||
return do_shortcode( "[ultimatemember {$shortcode_attrs} /]" );
|
||||
} else {
|
||||
return apply_shortcodes( "[ultimatemember {$shortcode_attrs} /]" );
|
||||
}
|
||||
return apply_shortcodes( "[ultimatemember {$shortcode_attrs} /]" );
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @param array $args
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
function ultimatemember_register( $args = array() ) {
|
||||
public function ultimatemember_register( $args = array() ) {
|
||||
global $wpdb;
|
||||
|
||||
$args = ! empty( $args ) ? $args : array();
|
||||
$args = shortcode_atts( array(), $args, 'ultimatemember_register' );
|
||||
|
||||
$default_register = $wpdb->get_var(
|
||||
"SELECT pm.post_id
|
||||
@@ -580,23 +575,18 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
|
||||
$shortcode_attrs .= " {$key}=\"{$value}\"";
|
||||
}
|
||||
|
||||
if ( version_compare( get_bloginfo('version'),'5.4', '<' ) ) {
|
||||
return do_shortcode( "[ultimatemember {$shortcode_attrs} /]" );
|
||||
} else {
|
||||
return apply_shortcodes( "[ultimatemember {$shortcode_attrs} /]" );
|
||||
}
|
||||
return apply_shortcodes( "[ultimatemember {$shortcode_attrs} /]" );
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @param array $args
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
function ultimatemember_profile( $args = array() ) {
|
||||
public function ultimatemember_profile( $args = array() ) {
|
||||
global $wpdb;
|
||||
|
||||
$args = ! empty( $args ) ? $args : array();
|
||||
$args = shortcode_atts( array(), $args, 'ultimatemember_profile' );
|
||||
|
||||
$default_profile = $wpdb->get_var(
|
||||
"SELECT pm.post_id
|
||||
@@ -614,23 +604,18 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
|
||||
$shortcode_attrs .= " {$key}=\"{$value}\"";
|
||||
}
|
||||
|
||||
if ( version_compare( get_bloginfo('version'),'5.4', '<' ) ) {
|
||||
return do_shortcode( "[ultimatemember {$shortcode_attrs} /]" );
|
||||
} else {
|
||||
return apply_shortcodes( "[ultimatemember {$shortcode_attrs} /]" );
|
||||
}
|
||||
return apply_shortcodes( "[ultimatemember {$shortcode_attrs} /]" );
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @param array $args
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
function ultimatemember_directory( $args = array() ) {
|
||||
public function ultimatemember_directory( $args = array() ) {
|
||||
global $wpdb;
|
||||
|
||||
$args = ! empty( $args ) ? $args : array();
|
||||
$args = shortcode_atts( array(), $args, 'ultimatemember_directory' );
|
||||
|
||||
$default_directory = $wpdb->get_var(
|
||||
"SELECT pm.post_id
|
||||
@@ -648,11 +633,7 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
|
||||
$shortcode_attrs .= " {$key}=\"{$value}\"";
|
||||
}
|
||||
|
||||
if ( version_compare( get_bloginfo('version'),'5.4', '<' ) ) {
|
||||
return do_shortcode( "[ultimatemember {$shortcode_attrs} /]" );
|
||||
} else {
|
||||
return apply_shortcodes( "[ultimatemember {$shortcode_attrs} /]" );
|
||||
}
|
||||
return apply_shortcodes( "[ultimatemember {$shortcode_attrs} /]" );
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
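Review bot: In `ultimatemember_login()` the new call `shortcode_atts( array(), $args, 'ultimatemember_login' )` passes an empty defaults array, so every caller-supplied attribute is dropped, and nothing in the code says this is the intended fix rather than an unfinished allow-list. I would add `// No attributes are supported: everything the caller passes is dropped before the nested [ultimatemember] shortcode is built.` above it. Because the third argument is set, a `shortcode_atts_ultimatemember_login` filter can still return entries, and the unchanged context line `$shortcode_attrs .= " {$key}=\"{$value}\"";` writes keys and values into the shortcode string unescaped. The guarantee would hold better on that line: pass the name through `sanitize_key( $key )` and strip `"`, `[` and `]` from the value before interpolating. The loop feeding that line lies between the hunks, so I am assuming it iterates `$args`; the same applies to `ultimatemember_register()`, `ultimatemember_profile()` and `ultimatemember_directory()`.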
@@ -169,7 +169,9 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
|
||||
|
||||
= 2.11.1 2025-12-xx =
|
||||
|
||||
**Bugfixes**
|
||||
|
||||
* Fixed: CVE-2025-13220.
|
||||
|
||||
= 2.11.0 2025-12-02 =
|
||||
|
||||
@@ -336,6 +338,9 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
|
||||
|
||||
== Upgrade Notice ==
|
||||
|
||||
= 2.11.1 =
|
||||
This version fixes a security related bug. Upgrade immediately.
|
||||
|
||||
= 2.10.4 =
|
||||
This version fixes a security related bug. Upgrade immediately.
|
||||
|
||||
|
||||