Addressed several security issues including CVE-2025-15064 and CVE-2026-1404. Added server-side validation for forms and introduced hooks for email confirmation. Adjusted template handling, resolved mobile display issues, and updated Site Health debug information.
Introduced 'Privacy Options' to control visibility of the Member Directory and a rate limiting feature for nopriv AJAX actions. Fixed multiple security issues (CVE-2025-13220, CVE-2025-13217, CVE-2025-14081, CVE-2025-12492) by improving attribute handling, input sanitization, and adding privacy settings. Updated templates include members.php, members-grid.php, and members-list.php.
Adds configurable privacy options for member directories, allowing restrictions on visibility based on roles or login status. Introduces rate limiting for unauthenticated AJAX requests to prevent brute-force attacks or abuse.
Ensure `get_option` returns an empty array as a fallback to prevent errors when metadata for a role does not exist. This resolves potential issues with undefined or unexpected data during role editing.
Introduced the `UM_UPDATER_DEBUG` constant to enable debugging for upgrade packages. This facilitates easier troubleshooting and testing during update processes.
Updated the `package_start` method to define separate hooks for 'start' and 'complete' package lifecycle events. This improves code clarity and prepares the updater for handling more specific actions in the future.
Introduced batch processing for extension updates with package start and complete hooks, preventing duplicate actions via transient flags. Added constants for configuration and helper methods to manage package version state effectively. Ensures smoother upgrade handling for Ultimate Member extensions.
Previously, requests on license validation did not adequately handle empty responses or WP errors. This update ensures retries are performed with `sslverify=true` in such cases and enhances debug logging to provide clearer error details for troubleshooting.
Introduced a new method `is_license_debug_enabled` to check debug conditions and added extensive logging for license requests when debugging is enabled. A new constant `UM_LICENSE_REQUEST_DEBUG` was also defined to control debug mode. These changes enhance visibility into license request handling during development or troubleshooting.
Updated logic to handle the 'predefined' field flag when determining default page creation. This ensures buttons for creating default pages only appear under the correct conditions, improving reliability and consistency.
Introduced 'sanitize_array_key_int' and 'sanitize_array_key' cases to enhance sanitization of array-based input in admin settings. This ensures default values are used for invalid keys and enforces stricter validation for cleaner and more secure input handling.
Introduced a new `Extensions_Updater` class to manage extension update processes, including version checks and file execution. Added a corresponding `extension_updater` method in `class-admin.php` to initialize and manage updater instances based on provided data.
Updated the structure of debug information methods by replacing `array_merge` with simpler array extensions and renaming variables for clarity. This ensures consistent handling of role metadata and improves readability and maintainability of code across multiple plugins.
Added a mechanism to dynamically retrieve and merge updated WordPress function lists into the blacklist to prevent unsafe usage in dropdown options. Addresses a security issue (CVE-2025-47691) by using a JSON-based function source tied to WordPress versioning.
Introduce fields for "Ignore User Role Registration Options" and re-add "Email sending by Action Scheduler" under the Site Health settings. This improves the clarity and organization of user options in the admin interface.
Added new settings for registration management and improved Action Scheduler flexibility. Resolved issues with Member Directory styling, filtering, and email placeholders. Updated terminology and documentation; ensure cached assets are refreshed post-update.
Ensure proper handling of user data in password reset functions by adding checks and updating parameter handling. Introduce a new filter to extend site health information and include a setting for enabling email sending via Action Scheduler. Improve code clarity with updated comments and function annotations.
This update enhances security by introducing checks for banned and blacklisted meta keys in custom fields. It includes CSS updates for admin builder styles and ensures banned fields are flagged accurately in the site health tool.
Introduced a new batch process to handle users lacking an `account_status` meta efficiently. Refactored legacy methods, added async scheduling, and created helper functions to manage and track progress. These changes improve performance and reliability for large user bases.
Updated the setting name across relevant files to improve clarity and better reflect its functionality. Adjusted related logic to ensure consistent behavior with the new naming.
Updated the Action Scheduler implementation to improve flexibility and clarity. Replaced the 'enable_action_scheduler' option with 'enable_as_email_sending' for better specificity. Introduced hook-based checks to selectively enable email scheduling, ensuring compatibility and optimized performance.
Added comments to clarify the usage of meta keys introduced in WooCommerce 9.1.0 and marked TODOs for future cleanup. Also included a legacy key, `_money_spent`, for backward compatibility with WooCommerce versions below 9.1.0.
Replaced deprecated and complex search query methods with a more streamlined and flexible implementation. Introduced improved handling of core and custom search fields, optimized search logic, and added better filter support. Incremented plugin version to 2.10.2 to reflect these changes.
Bump plugin version to 2.10.0, update documentation, and adjust URLs and metadata accordingly. This release includes increased minimum PHP and WordPress requirements and addresses security-related issues. Users are strongly advised to update immediately.
Added separate buttons for 'Live Preview Screen' and 'Live Preview Mobile' in the form builder for a better user experience. Updated coding standards for consistency, including proper handling of PHP tags and escaping functions. These changes improve readability and maintainability, and enhance functionality.
Issue #1646
Adjusted spacing for better code readability and consistency in the query arguments within the class-actions-listener.php file. This change ensures the code aligns with coding standards without affecting functionality.
Raised minimum PHP version to 7.0 and finalized the plugin version to 2.9.3. Introduced a centralized user actions array and replaced 'manage_options' capability with 'edit_users' for better permission handling. Optimized the nonce actions extension method for cleaner code.
* reviewed #1619