Adjusted dates for version 2.11.2 release and added details of a new JS filter for improved 3rd-party integration. This update includes enhancements like server-side validation for search forms and a new action hook for user approval after email validation.
Addressed several security issues including CVE-2025-15064 and CVE-2026-1404. Added server-side validation for forms and introduced hooks for email confirmation. Adjusted template handling, resolved mobile display issues, and updated Site Health debug information.
Addressed several security issues including CVE-2025-15064 and CVE-2026-1404. Added server-side validation for forms and introduced hooks for email confirmation. Adjusted template handling, resolved mobile display issues, and updated Site Health debug information.
Introduced a new action `um_approve_user_on_email_confirmation` to enable user approval after verifying the email activation link. Refactored related logic to enhance extensibility and allow developers to hook custom behavior post-approval.
Replaced triple curly braces with double curly braces in Underscore.js templates to enhance security and consistency. Adjusted the version comment to reflect the update from 2.11.1 to 2.11.2.
Corrected the release date of version 2.11.2 from a placeholder to the finalized date, February 9, 2026. Ensures accurate documentation for users referencing the changelog.
Changed `wp_kses` to utilize 'user_description' instead of dynamic HTML templates, ensuring stricter sanitization. Introduced a new filter, `um_sanitize_form_submission`, for extending form sanitization logic, and preserved the original input in `$submission_input` for additional context.
Updated `UM_WP_FUNCTIONS_VERSION` and `php-scoper-wordpress-excludes` to align with WordPress 6.9.0. This ensures compatibility with the latest WordPress release while keeping dependencies up-to-date.
Cleaned up unnecessary and potentially confusing commented-out debug code. This improves code readability and ensures no ambiguity in the plugin's source.
Resolved CVE-2025-15064 by deprecating HTML usage in user descriptions. Updated plugin version to 2.11.2 across files and documentation, ensuring users are informed and prompted to upgrade immediately.
Bumped the stable tag from 2.11.0 to 2.11.1 in the plugin's readme file. This ensures consistency with the latest release version and avoids potential confusion for users.
Introduced 'Privacy Options' to control visibility of the Member Directory and a rate limiting feature for nopriv AJAX actions. Fixed multiple security issues (CVE-2025-13220, CVE-2025-13217, CVE-2025-14081, CVE-2025-12492) by improving attribute handling, input sanitization, and adding privacy settings. Updated templates include members.php, members-grid.php, and members-list.php.
Shortened directory hash length from 32 to 5 characters for efficiency. Introduced `set_user_hash` and `get_user_hash` functions to securely manage unique tokens for user cards, ensuring better organization and fallback mechanisms. Updated references to use the new user hash method where applicable.
Adds configurable privacy options for member directories, allowing restrictions on visibility based on roles or login status. Introduces rate limiting for unauthenticated AJAX requests to prevent brute-force attacks or abuse.
Addressed a security vulnerability (CVE-2025-14081) and enhanced the logic for filtering fields based on user permissions. Made `filter_fields_by_attrs` a private function for improved encapsulation.
Resolved CVE-2025-13217 by implementing proper input sanitization and escaping for iframe URLs in YouTube, Vimeo, and Google Maps embeds. This update ensures safer handling of user-provided links to mitigate potential security vulnerabilities.
Addressed CVE-2025-13220 by implementing necessary fixes in the plugin's shortcodes and updating sanitization for shortcode attributes. Removed redundant compatibility checks for WordPress versions earlier than 5.4 and improved stability in the shortcode handling logic.
Bumped the Ultimate Member plugin version to 2.11.1 in multiple files, including improved metadata references (README, changelog, blueprint). Ensures consistency across documentation and assets for the updated release.
Enhanced the action hook 'um_after_profile_header_name' by including `$args` and `$user_id` parameters. Updated documentation and examples to reflect these changes, enabling more flexible and detailed customization options for developers.
Bump the required version of the 'groups' dependency from 2.4.2 to 2.5.0. This ensures compatibility with the latest features and fixes provided by the updated version.
Bump the plugin version from 2.10.7 to 2.11.0 in all relevant files, reflecting the latest release. This includes updates to documentation, metadata, changelogs, and file references to maintain consistency.
WordPress .pot File Generator