From e5fe05503a9b4bfc4c0516a9ce4f78ece1a0c4b6 Mon Sep 17 00:00:00 2001
From: Mykyta Synelnikov
Date: Wed, 8 Jan 2025 12:20:35 +0200
Subject: [PATCH 1/2] * fixed security issue CVE ID: CVE-2025-0308 * fixed security issue CVE ID: CVE-2025-0318
---
 includes/core/class-member-directory.php | 6 +++---
 includes/core/um-actions-form.php | 25 ++++++++++++------------
 2 files changed, 15 insertions(+), 16 deletions(-)
diff --git a/includes/core/class-member-directory.php b/includes/core/class-member-directory.php
index dd40f0dd..d535eaaa 100644
--- a/includes/core/class-member-directory.php
+++ b/includes/core/class-member-directory.php
@@ -1727,15 +1727,15 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) {
 break;
 }
 }
-
- return $search;
+ // Early escape of the search line. The same as `$wpdb->prepare()`.
+ return esc_sql( $search );
 }
 /**
 * Handle general search line request
 */
 public function general_search() {
- //general search
+ // General search
 if ( ! empty( $_POST['search'] ) ) {
 // complex using with change_meta_sql function
 $search = $this->prepare_search( $_POST['search'] );
diff --git a/includes/core/um-actions-form.php b/includes/core/um-actions-form.php
index bf3560be..097ab0c4 100644
--- a/includes/core/um-actions-form.php
+++ b/includes/core/um-actions-form.php
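Review bot: The comment added above `return esc_sql( $search );` overstates what the call does: `esc_sql()` only backslash-escapes the string, it neither quotes it nor binds it the way `$wpdb->prepare()` does, so every consumer of `prepare_search()` must still wrap the value in quotes and must not escape it again. Escaping at the producer rather than where the SQL is assembled also means the value handed to `general_search()` (and through it to the `change_meta_sql` path named in the context line) is already altered, which matters wherever it is later compared against or searched for as a literal. I would reword the comment to `// Backslash-escaped for direct SQL interpolation only: callers must still quote it and must not escape it a second time.` and, where feasible, move the escaping to the point where the query is built. `prepare_search()` starts before this hunk.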
@@ -933,20 +933,19 @@ function um_submit_form_errors_hook_( $submitted_data, $form_data ) {
 } elseif ( ! UM()->validation()->safe_username( $submitted_data[ $key ] ) ) {
 UM()->form()->add_error( $key, __( 'Your email contains invalid characters', 'ultimate-member' ) );
 }
+ break;
+ }
+
+ if ( '' === $submitted_data[ $key ] ) {
+ UM()->form()->add_error( $key, __( 'You must provide your email', 'ultimate-member' ) );
+ } elseif ( ! is_email( $submitted_data[ $key ] ) || email_exists( $submitted_data[ $key ] ) ) {
+ UM()->form()->add_error( $key, __( 'The email you entered is incorrect', 'ultimate-member' ) );
 } else {
-
- if ( '' !== $submitted_data[ $key ] && ! is_email( $submitted_data[ $key ] ) ) {
- UM()->form()->add_error( $key, __( 'The email you entered is incorrect', 'ultimate-member' ) );
- } elseif ( '' !== $submitted_data[ $key ] && email_exists( $submitted_data[ $key ] ) ) {
- UM()->form()->add_error( $key, __( 'The email you entered is incorrect', 'ultimate-member' ) );
- } elseif ( '' !== $submitted_data[ $key ] ) {
-
- $users = get_users( 'meta_value=' . $submitted_data[ $key ] );
-
- foreach ( $users as $user ) {
- if ( $user->ID !== $submitted_data['user_id'] ) {
- UM()->form()->add_error( $key, __( 'The email you entered is incorrect', 'ultimate-member' ) );
- }
+ // There we have valid and unique user_email. But need to check in usermeta table for other users.
+ $users = get_users( 'meta_value=' . $submitted_data[ $key ] );
+ foreach ( $users as $user ) {
+ if ( $user->ID !== $submitted_data['user_id'] ) {
+ UM()->form()->add_error( $key, __( 'The email you entered is incorrect', 'ultimate-member' ) );
 }
 }
 }
From 5ebefde6b8776844095a864a2baa34f9fcd73f98 Mon Sep 17 00:00:00 2001
From: Mykyta Synelnikov
Date: Fri, 10 Jan 2025 02:17:18 +0200
Subject: [PATCH 2/2] * fixed security issue CVE ID: CVE-2025-0308
---
 includes/core/class-member-directory.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
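Review bot: `get_users( 'meta_value=' . $submitted_data[ $key ] )` in the new `else` branch pushes the email through a query-string parser, so an address containing `&` or `=` (both tolerated in the local part by `is_email()`) is split into separate arguments and the duplicate check silently runs against a truncated value; pass it as an array instead, `$users = get_users( array( 'meta_value' => $submitted_data[ $key ] ) );`. Note too that `meta_value` without a `meta_key` matches any usermeta row holding that string, not only email-like keys, so the check is broader than the comment above it suggests. The kept comparison `$user->ID !== $submitted_data['user_id']` is strict between an int and whatever type the submitted `user_id` arrives as; if it is a string, the user's own row raises a spurious "incorrect" error, so `(int) $submitted_data['user_id']` looks safer. `um_submit_form_errors_hook_()` starts before and ends after this hunk.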
diff --git a/includes/core/class-member-directory.php b/includes/core/class-member-directory.php
index d535eaaa..68ab77c7 100644
--- a/includes/core/class-member-directory.php
+++ b/includes/core/class-member-directory.php
@@ -1716,6 +1716,9 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) {
 // Make the search line empty if it contains the mySQL query statements.
 $regexp_map = array(
 '/select(.*?)from/im',
+ '/select(.*?)sleep/im',
+ '/select(.*?)database/im',
+ '/select(.*?)where/im',
 '/update(.*?)set/im',
 '/delete(.*?)from/im',
 );
@@ -1873,8 +1876,11 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) {
 $search_where = preg_replace( '/ AND \((.*?)\)/im', "$1 OR", $search_where );
 // str_replace( '/', '\/', wp_slash( $search ) ) means that we add backslashes to special symbols + add backslash to slash(/) symbol for proper regular pattern.
+ $pattern = $wpdb->prepare( $meta_join_for_search . '.meta_value = %s', $search );
+ $pattern = '/(' . str_replace( '/', '\/', wp_slash( $pattern ) ) . ')/im';
+
 $sql['where'] = preg_replace(
- '/(' . $meta_join_for_search . '.meta_value = \'' . str_replace( '/', '\/', wp_slash( $search ) ) . '\')/im',
+ $pattern,
 trim( $search_where ) . " $1",
 $sql['where'],
 1
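Review bot: The three added patterns extend a denylist that can only recognise the exact fragments it lists, so the comment `// Make the search line empty if it contains the mySQL query statements.` should say that this is defense in depth and that the parameterised `$wpdb->prepare()` introduced at `@@ -1873` in this same patch is the actual control; otherwise the next reader will extend the list instead of fixing the query. As a regex matter the patterns use `/im` without `s`, so `.*?` stops at the first newline; if the list is kept, `/ims` is the behaviour the comment describes. `prepare_search()` starts before and ends after this hunk.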
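Review bot: `$pattern` is built from the `$wpdb->prepare()` output with only `wp_slash()` and a `/` replacement, so regex metacharacters in `$search` (`.`, `*`, `+`, `?`, `(`, `)`, `[`, `|`, `^`, `$`) reach `preg_replace()` unescaped; an unbalanced bracket makes the pattern invalid, `preg_replace()` returns `null`, and that `null` is written into `$sql['where']`. `preg_quote()` is the right tool and also covers the backslashes and quotes that `wp_slash()` is used for here: `$pattern = '/(' . preg_quote( $pattern, '/' ) . ')/im';`, followed by a `null` check on the `preg_replace()` result before it overwrites `$sql['where']`, and it would make the stale comment above `$pattern` unnecessary. If `$search` at this point is the value returned by `prepare_search()`, which the first patch now passes through `esc_sql()`, `prepare()` escapes it a second time and the pattern may no longer match the literal that was placed in the WHERE clause; worth verifying with a search term containing a quote. The enclosing method starts before and ends after this hunk.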