Merge pull request #1784 from ultimatemember/security/CVE-2026-1404

Fixed CVE 2026 1404. Cross-Site Scripting via Filter Parameters
This commit is contained in:
Mykyta Synelnikov
2026-02-09 10:30:24 +02:00
committed by GitHub
2 changed files with 17 additions and 7 deletions
+11 -1
View File
@@ -169,9 +169,19 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
= 2.11.2 2026-02-09 =
**Enhancements**
* Added: Server side validation when Searching Form is submitted.
**Bugfixes**
* Fixed: Security issue CVE ID: CVE-2025-15064. Deprecated ability to use HTML inside the user description.
* Fixed: Security issue CVE ID: CVE-2025-15064. Deprecated ability to use HTML inside the user description. It's still allowed to use only predefined 'user_description' tags in `wp_kses()`.
* Fixed: Security issue CVE ID: CVE-2026-1404. Changed template items formatting to avoid using HTML symbols in the filter values.
* Templates required update:
* members.php
* searchform.php
= 2.11.1 2025-12-16 =
+6 -6
View File
@@ -6,7 +6,7 @@
*
* Page: "Members"
*
* @version 2.11.1
* @version 2.11.2
*
* @var array $args
*/
@@ -343,13 +343,13 @@ $postid = ! empty( $post->ID ) ? $post->ID : '';
<# _.each( data.filters, function( filter, key, list ) { #>
<div class="um-members-filter-tag">
<# if ( filter.type == 'slider' ) { #>
{{{filter.value_label}}}
{{filter.value_label}}
<# } else { #>
<strong>{{{filter.label}}}</strong>: {{{filter.value_label}}}
<strong>{{filter.label}}</strong>: {{filter.value_label}}
<# } #>
<div class="um-members-filter-remove um-tip-n" data-name="{{{filter.name}}}"
data-value="{{{filter.value}}}" data-range="{{{filter.range}}}"
data-type="{{{filter.type}}}" title="<?php esc_attr_e( 'Remove filter', 'ultimate-member' ) ?>">&times;</div>
<div class="um-members-filter-remove um-tip-n" data-name="{{filter.name}}"
data-value="{{filter.value}}" data-range="{{filter.range}}"
data-type="{{filter.type}}" title="<?php esc_attr_e( 'Remove filter', 'ultimate-member' ) ?>">&times;</div>
</div>
<# }); #>
<# } #>