Fix: CVE-2025-14081 and update field filtering logic.

Addressed a security vulnerability (CVE-2025-14081) and enhanced the logic for filtering fields based on user permissions. Made `filter_fields_by_attrs` a private function for improved encapsulation.
Mykyta Synelnikov
2025-12-05 18:08:59 +02:00
parent b75a2145dd
commit ecfb652059
3 changed files with 9 additions and 5 deletions
+7 -3
@@ -473,23 +473,27 @@ if ( ! class_exists( 'um\core\Account' ) ) {
return $url;
}
/**
* @param $fields
* @param $shortcode_args
* @return mixed
*/
function filter_fields_by_attrs( $fields, $shortcode_args ) {
private function filter_fields_by_attrs( $fields, $shortcode_args ) {
foreach ( $fields as $k => $field ) {
if ( isset( $shortcode_args[ $field['metakey'] ] ) && 0 == $shortcode_args[ $field['metakey'] ] ) {
unset( $fields[ $k ] );
continue;
}
// required user permission 'required_perm' - it's field attribute predefined in the field data in code.
if ( isset( $data['required_perm'] ) && ! UM()->roles()->um_user_can( $data['required_perm'] ) ) {
unset( $fields[ $k ] );
}
}
return $fields;
}
/**
* Init displayed fields for security check
*