Changed `wp_kses` to utilize 'user_description' instead of dynamic HTML templates, ensuring stricter sanitization. Introduced a new filter, `um_sanitize_form_submission`, for extending form sanitization logic, and preserved the original input in `$submission_input` for additional context.
Resolved CVE-2025-15064 by deprecating HTML usage in user descriptions. Updated plugin version to 2.11.2 across files and documentation, ensuring users are informed and prompted to upgrade immediately.
Shortened directory hash length from 32 to 5 characters for efficiency. Introduced `set_user_hash` and `get_user_hash` functions to securely manage unique tokens for user cards, ensuring better organization and fallback mechanisms. Updated references to use the new user hash method where applicable.
Adds configurable privacy options for member directories, allowing restrictions on visibility based on roles or login status. Introduces rate limiting for unauthenticated AJAX requests to prevent brute-force attacks or abuse.
Addressed a security vulnerability (CVE-2025-14081) and enhanced the logic for filtering fields based on user permissions. Made `filter_fields_by_attrs` a private function for improved encapsulation.
Resolved CVE-2025-13217 by implementing proper input sanitization and escaping for iframe URLs in YouTube, Vimeo, and Google Maps embeds. This update ensures safer handling of user-provided links to mitigate potential security vulnerabilities.
Addressed CVE-2025-13220 by implementing necessary fixes in the plugin's shortcodes and updating sanitization for shortcode attributes. Removed redundant compatibility checks for WordPress versions earlier than 5.4 and improved stability in the shortcode handling logic.
Enhanced the action hook 'um_after_profile_header_name' by including `$args` and `$user_id` parameters. Updated documentation and examples to reflect these changes, enabling more flexible and detailed customization options for developers.
Bump the plugin version from 2.10.7 to 2.11.0 in all relevant files, reflecting the latest release. This includes updates to documentation, metadata, changelogs, and file references to maintain consistency.
Refactor the subnav link class generation to use an array-based approach. This ensures better flexibility and readability while adding the "active" class conditionally when needed.
Updated the `um_cover_area_content` hook to pass an additional `$args` parameter for enhanced customization in the user profile cover wrapper. Improved the documentation for clarity and usability.
Bumps required plugin version dependencies for compatibility. Refactors the `emotize` method by adding a `$stripslashes` parameter to provide optional handling of string slashes, improving flexibility and functionality.
Improved logic to handle cases where the cover image size array is invalid or empty by adding a fallback default size. For mobile devices, the second size is used if available, or the first size is used as a fallback. This ensures proper cover size selection and prevents potential errors.
Ensure 'start_of_week' option is validated as numeric to prevent incorrect calculations. This fixes potential issues when non-numeric values are stored in the option.
Previously, empty `meta_value` entries were included in the query, potentially causing inaccurate results. This update adds a condition to exclude empty `meta_value` entries, ensuring more reliable directory filtering.
Updated the condition to ensure proper validation for secondary email fields. This change ensures unique email addresses and prevents potential conflicts in user data.
Updated conditions to handle empty and invalid email input more accurately. Ensures required emails are not skipped and includes stricter checks for existing or incorrect emails.
Introduced new filter hooks for primary button classes in forms and improved URL handling for password resets and account activations. Deprecated several unused functions and replaced them with updated alternatives to streamline the codebase. Updated documentation and templates accordingly.
Updated the user ID comparison logic in the Ultimate Member plugin to use `absint` for both values. This prevents type mismatches and ensures robust validation during form submission.
Added `strip_shortcodes` across various sanitization routines to ensure user inputs do not execute shortcodes. This enhances security by blocking unintended shortcode processing in fields such as text, email, URLs, and form descriptions.
Updated the structure of debug information methods by replacing `array_merge` with simpler array extensions and renaming variables for clarity. This ensures consistent handling of role metadata and improves readability and maintainability of code across multiple plugins.
This update adds a condition to exclude empty `meta_value` entries in multiple queries within the member directory class. It ensures more accurate results and prevents potential issues caused by blank metadata in the `usermeta` table.
Added checks to enforce primary email requirement and prevent secondary email duplication with the primary email. Improved user lookup for unique email verification using meta queries.
Introduced new filters to customize CSS classes for primary buttons in login, registration, and password reset forms. This allows developers to extend button styling by applying custom classes via WordPress hooks. Changes enhance flexibility and improve theme compatibility.
The login form shortcode functionality was outdated and no longer in use. By removing it, the codebase is simplified and unnecessary complexity is eliminated. This improves maintainability and aligns with the current state of the plugin.
Introduce the `[um_login]` shortcode for rendering the login form, with backend logic for customization and error handling. Enhance flexibility by adding filters to dynamically modify primary button classes for login, register, and password-reset forms.
Streamline placeholder handling for emails by introducing universal patterns and replacements, and update email dispatch functions for efficiency. Deprecated various redundant user and password-related methods, consolidating logic into common utility classes for better maintainability.
Simplified conditional checks for password and account form submissions by replacing `isset` with `!empty` where applicable. This improves readability and reduces redundancy while maintaining functionality and security. Added comments to clarify nonce verification status.
Added a mechanism to dynamically retrieve and merge updated WordPress function lists into the blacklist to prevent unsafe usage in dropdown options. Addresses a security issue (CVE-2025-47691) by using a JSON-based function source tied to WordPress versioning.
Added optional parameter to `reset_url` for user-specific handling. Updated email dispatch logic to include dynamic generation of the password reset link with proper placeholder replacements.
Mykyta Synelnikov