mirror of
https://github.com/10h30/ultimatemember.git
synced 2026-07-11 18:56:10 +09:00
Merge pull request #1651 from ultimatemember/development/2.9.x
Version 2.10.1
This commit is contained in:
@@ -15,7 +15,7 @@
|
||||
"step": "installPlugin",
|
||||
"pluginZipFile": {
|
||||
"resource": "url",
|
||||
"url": "https:\/\/downloads.wordpress.org\/plugin\/ultimate-member.2.10.0.zip"
|
||||
"url": "https:\/\/downloads.wordpress.org\/plugin\/ultimate-member.2.10.1.zip"
|
||||
},
|
||||
"options": {
|
||||
"activate": true
|
||||
|
||||
@@ -44,7 +44,7 @@ GNU Version 2 or Any Later Version
|
||||
|
||||
### IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION
|
||||
|
||||
[Official Release Version: 2.10.0](https://github.com/ultimatemember/ultimatemember/releases/tag/2.10.0).
|
||||
[Official Release Version: 2.10.1](https://github.com/ultimatemember/ultimatemember/releases/tag/2.10.1).
|
||||
|
||||
## Changelog
|
||||
|
||||
|
||||
@@ -1152,3 +1152,8 @@ small.um-max-filesize span{
|
||||
float: none;
|
||||
height: auto;
|
||||
}
|
||||
|
||||
/*Makes the honeypot invisible.*/
|
||||
.um_request_name {
|
||||
display: none !important;
|
||||
}
|
||||
|
||||
Vendored
+1
-1
File diff suppressed because one or more lines are too long
@@ -698,3 +698,12 @@ jQuery(document).ready(function() {
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
// Makes the honeypot.
|
||||
jQuery( window ).on( 'load', function() {
|
||||
let $honeypotField = jQuery('input[name="um_request"]');
|
||||
if ( $honeypotField.length ) {
|
||||
$honeypotField.val('');
|
||||
}
|
||||
});
|
||||
|
||||
|
||||
Vendored
+1
-1
File diff suppressed because one or more lines are too long
@@ -1,5 +1,16 @@
|
||||
== Changelog ==
|
||||
|
||||
= 2.10.1 March 03, 2025 =
|
||||
|
||||
* Bugfixes:
|
||||
|
||||
- Fixed: Security issue CVE ID: CVE-2025-1702.
|
||||
- Fixed: Activation link redirects to Reset Password after registration without password field and required email activation.
|
||||
- Fixed: Honeypot scripts/styles for themes without pre-rendered shortcodes. Enqueue honeypot scripts/styles everytime.
|
||||
- Fixed: Profile photo metadata when Gravatar image is used.
|
||||
|
||||
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *
|
||||
|
||||
= 2.10.0 February 18, 2025 =
|
||||
|
||||
* Enhancements:
|
||||
|
||||
@@ -1,6 +1,8 @@
|
||||
<?php
|
||||
namespace um\core;
|
||||
|
||||
use WP_User_Query;
|
||||
|
||||
if ( ! defined( 'ABSPATH' ) ) {
|
||||
exit;
|
||||
}
|
||||
@@ -1708,6 +1710,7 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) {
|
||||
$regexp_map = array(
|
||||
'/select(.*?)from/im',
|
||||
'/select(.*?)sleep/im',
|
||||
"/sleep\(\d+\)/im", // avoid any sleep injections
|
||||
'/select(.*?)database/im',
|
||||
'/select(.*?)where/im',
|
||||
'/update(.*?)set/im',
|
||||
@@ -1768,7 +1771,7 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) {
|
||||
* @param $type
|
||||
* @param $primary_table
|
||||
* @param $primary_id_column
|
||||
* @param \WP_User_Query $context
|
||||
* @param WP_User_Query $context
|
||||
*
|
||||
* @return array
|
||||
*/
|
||||
@@ -2940,7 +2943,7 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) {
|
||||
|
||||
add_filter( 'pre_user_query', array( &$this, 'pagination_changes' ), 10, 1 );
|
||||
|
||||
$user_query = new \WP_User_Query( $this->query_args );
|
||||
$user_query = new WP_User_Query( $this->query_args );
|
||||
|
||||
remove_filter( 'pre_user_query', array( &$this, 'pagination_changes' ), 10 );
|
||||
|
||||
|
||||
@@ -134,52 +134,70 @@ if ( ! class_exists( 'um\core\Permalinks' ) ) {
|
||||
exit;
|
||||
}
|
||||
|
||||
$redirect = um_get_core_page( 'login', 'account_active' );
|
||||
$set_password_required = get_user_meta( $user_id, 'um_set_password_required', true );
|
||||
// Activate account link is valid. Can be approved below.
|
||||
|
||||
um_fetch_user( $user_id );
|
||||
um_fetch_user( $user_id ); // @todo maybe don't need to fetch.
|
||||
UM()->common()->users()->approve( $user_id, true );
|
||||
if ( ! empty( $set_password_required ) ) {
|
||||
$redirect = um_user( 'password_reset_link' );
|
||||
}
|
||||
um_reset_user();
|
||||
|
||||
$user_role = UM()->roles()->get_priority_user_role( $user_id );
|
||||
$user_role_data = UM()->roles()->role_data( $user_role );
|
||||
|
||||
// log in automatically
|
||||
// Log in automatically after activation.
|
||||
$login = ! empty( $user_role_data['login_email_activate'] ); // Role setting "Login user after validating the activation link?"
|
||||
if ( ! is_user_logged_in() && $login ) {
|
||||
if ( $login && ! is_user_logged_in() ) {
|
||||
UM()->user()->auto_login( $user_id );
|
||||
}
|
||||
|
||||
/**
|
||||
* UM hook
|
||||
* Fires on user activation after visit link for email confirmation.
|
||||
*
|
||||
* @type action
|
||||
* @title um_after_email_confirmation
|
||||
* @description Action on user activation
|
||||
* @input_vars
|
||||
* [{"var":"$user_id","type":"int","desc":"User ID"}]
|
||||
* @change_log
|
||||
* ["Since: 2.0"]
|
||||
* @usage add_action( 'um_after_email_confirmation', 'function_name', 10, 1 );
|
||||
* @example
|
||||
* <?php
|
||||
* add_action( 'um_after_email_confirmation', 'my_after_email_confirmation', 10, 1 );
|
||||
* @hook um_after_email_confirmation
|
||||
*
|
||||
* @param {int} $user_id The user ID.
|
||||
*
|
||||
* @since 2.0
|
||||
*
|
||||
* @example <caption>Doing some code after email confirmation and approved $user_id.</caption>
|
||||
* function my_after_email_confirmation( $user_id ) {
|
||||
* // your code here
|
||||
* }
|
||||
* ?>
|
||||
* add_filter( 'um_after_email_confirmation', 'my_after_email_confirmation' );
|
||||
*/
|
||||
do_action( 'um_after_email_confirmation', $user_id );
|
||||
|
||||
// Prepare redirect link.
|
||||
$set_password_required = get_user_meta( $user_id, 'um_set_password_required', true );
|
||||
if ( empty( $set_password_required ) ) {
|
||||
$redirect = empty( $user_role_data['url_email_activate'] ) ? um_get_core_page( 'login', 'account_active' ) : trim( $user_role_data['url_email_activate'] ); // Role setting "URL redirect after email activation"
|
||||
// Role setting "URL redirect after email activation".
|
||||
$redirect = empty( $user_role_data['url_email_activate'] ) ? um_get_core_page( 'login', 'account_active' ) : trim( $user_role_data['url_email_activate'] );
|
||||
} else {
|
||||
// Redirect to the change password page if there is no password for this user.
|
||||
um_fetch_user( $user_id );
|
||||
$redirect = um_user( 'password_reset_link' );
|
||||
}
|
||||
/**
|
||||
* Filter to change the redirect URL after email confirmation.
|
||||
*
|
||||
* @hook um_after_email_confirmation_redirect
|
||||
*
|
||||
* @param {string} $redirect The redirect URL.
|
||||
* @param {int} $user_id The user ID.
|
||||
* @param {bool} $login Auto login has been applied and user currently is logged in.
|
||||
*
|
||||
* @since 2.0
|
||||
*
|
||||
* @example <caption>Change redirect after confirmation only for the user with ID=99.</caption>
|
||||
* function my_after_email_confirmation_redirect( $redirect, $user_id, $login ) {
|
||||
* // your code here
|
||||
* if ( $user_id === 99 ) {
|
||||
* $redirect = 'custom_url';
|
||||
* }
|
||||
* return $redirect;
|
||||
* }
|
||||
* add_filter( 'um_after_email_confirmation_redirect', 'my_after_email_confirmation_redirect', 10, 3 );
|
||||
*/
|
||||
$redirect = apply_filters( 'um_after_email_confirmation_redirect', $redirect, $user_id, $login );
|
||||
|
||||
exit( wp_redirect( $redirect ) );
|
||||
um_safe_redirect( $redirect );
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -734,24 +734,28 @@ function um_profile_dynamic_meta_desc() {
|
||||
$image = um_get_user_avatar_url( $user_id, 'original' );
|
||||
}
|
||||
|
||||
$image = current( explode( '?', $image ) ); // strip $_GET attributes from photo URL.
|
||||
$image_path = wp_normalize_path( ABSPATH . wp_parse_url( $image, PHP_URL_PATH ) );
|
||||
$image_info = wp_check_filetype( $image_path );
|
||||
|
||||
$imagesizes = getimagesize( $image_path );
|
||||
if ( is_array( $imagesizes ) ) {
|
||||
$image_width = $imagesizes[0];
|
||||
$image_height = $imagesizes[1];
|
||||
$image_info = array();
|
||||
$image_width = $image_size;
|
||||
$image_height = $image_size;
|
||||
if ( false === strpos( $image, 'gravatar.com' ) ) {
|
||||
// Ignore Gravatar image here and handler a real image.
|
||||
$image = current( explode( '?', $image ) ); // strip $_GET attributes from photo URL.
|
||||
$image_path = wp_normalize_path( ABSPATH . wp_parse_url( $image, PHP_URL_PATH ) );
|
||||
$image_info = wp_check_filetype( $image_path );
|
||||
$imagesizes = getimagesize( $image_path );
|
||||
if ( is_array( $imagesizes ) ) {
|
||||
list( $image_width, $image_height ) = $imagesizes;
|
||||
}
|
||||
} else {
|
||||
$image_width = $image_size;
|
||||
$image_height = $image_size;
|
||||
// Gravatar image.
|
||||
$image_path = esc_url_raw( $image );
|
||||
}
|
||||
|
||||
$person = array(
|
||||
'@context' => 'https://schema.org',
|
||||
'@type' => 'ProfilePage',
|
||||
'dateCreated' => um_user( 'user_registered' ),
|
||||
'mainEntity' => array(
|
||||
'@context' => 'https://schema.org',
|
||||
'@type' => 'ProfilePage',
|
||||
'dateCreated' => um_user( 'user_registered' ),
|
||||
'mainEntity' => array(
|
||||
'@type' => 'Person',
|
||||
'name' => esc_attr( $title ),
|
||||
'alternateName' => um_user( 'user_login' ),
|
||||
@@ -762,6 +766,7 @@ function um_profile_dynamic_meta_desc() {
|
||||
),
|
||||
),
|
||||
);
|
||||
|
||||
$user_last_update = um_user( 'last_update' );
|
||||
if ( ! empty( $user_last_update ) ) {
|
||||
if ( is_numeric( $user_last_update ) ) {
|
||||
@@ -813,7 +818,7 @@ function um_profile_dynamic_meta_desc() {
|
||||
<?php if ( is_ssl() ) { ?>
|
||||
<meta property="og:image:secure_url" content="<?php echo esc_url( $image ); ?>"/>
|
||||
<?php } ?>
|
||||
<?php if ( $image_info['type'] ) { ?>
|
||||
<?php if ( ! empty( $image_info['type'] ) ) { ?>
|
||||
<meta property="og:image:type" content="<?php echo esc_attr( $image_info['type'] ); ?>" />
|
||||
<?php } ?>
|
||||
<meta property="og:url" content="<?php echo esc_url( $url ); ?>"/>
|
||||
|
||||
@@ -144,18 +144,6 @@ final class Enqueue extends \um\common\Enqueue {
|
||||
$localize_data = apply_filters( 'um_enqueue_localize_data', $localize_data );
|
||||
wp_localize_script( 'um_scripts', 'um_scripts', $localize_data );
|
||||
|
||||
// Makes the honeypot.
|
||||
if ( ! empty( UM()->fields()->set_mode ) && ( 'profile' !== UM()->fields()->set_mode || true === UM()->fields()->editing ) ) {
|
||||
ob_start();
|
||||
?>
|
||||
jQuery( window ).on( 'load', function() {
|
||||
jQuery('input[name="<?php echo esc_js( UM()->honeypot ); ?>"]').val('');
|
||||
});
|
||||
<?php
|
||||
$inline_script = ob_get_clean();
|
||||
wp_add_inline_script( 'um_scripts', $inline_script );
|
||||
}
|
||||
|
||||
wp_register_script( 'um_dropdown', $js_url . 'dropdown' . $suffix . '.js', array( 'jquery' ), UM_VERSION, true );
|
||||
|
||||
wp_register_script( 'um_members', $js_url . 'um-members' . $suffix . '.js', array( 'jquery', 'wp-util', 'jquery-ui-slider', 'um_dropdown', 'wp-hooks', 'jquery-masonry', 'um_scripts' ), UM_VERSION, true );
|
||||
@@ -206,18 +194,6 @@ final class Enqueue extends \um\common\Enqueue {
|
||||
$deps = array_merge( array( 'um_ui', 'um_tipsy', 'um_raty', 'select2', 'um_fileupload', 'um_common', 'um_responsive', 'um_modal' ), self::$fonticons_handlers );
|
||||
wp_register_style( 'um_styles', $css_url . 'um-styles' . $suffix . '.css', $deps, UM_VERSION );
|
||||
|
||||
// Makes the honeypot invisible.
|
||||
if ( ! empty( UM()->fields()->set_mode ) && ( 'profile' !== UM()->fields()->set_mode || true === UM()->fields()->editing ) ) {
|
||||
ob_start();
|
||||
?>
|
||||
.<?php echo esc_attr( UM()->honeypot ); ?>_name {
|
||||
display: none !important;
|
||||
}
|
||||
<?php
|
||||
$inline_styles = ob_get_clean();
|
||||
wp_add_inline_style( 'um_styles', $inline_styles );
|
||||
}
|
||||
|
||||
wp_register_style( 'um_members', $css_url . 'um-members' . $suffix . '.css', array( 'um_styles' ), UM_VERSION );
|
||||
// RTL styles.
|
||||
if ( is_rtl() ) {
|
||||
|
||||
+15
-1
@@ -6,7 +6,7 @@ Tags: community, member, membership, user-profile, user-registration
|
||||
Requires PHP: 7.0
|
||||
Requires at least: 6.2
|
||||
Tested up to: 6.7
|
||||
Stable tag: 2.10.0
|
||||
Stable tag: 2.10.1
|
||||
License: GPLv3
|
||||
License URI: http://www.gnu.org/licenses/gpl-3.0.txt
|
||||
|
||||
@@ -167,6 +167,17 @@ No specific extensions are needed. But we highly recommended keep active these P
|
||||
|
||||
IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION
|
||||
|
||||
= 2.10.1 2025-03-03 =
|
||||
|
||||
**Bugfixes**
|
||||
|
||||
* Fixed: Security issue CVE ID: CVE-2025-1702.
|
||||
* Fixed: Activation link redirects to Reset Password after registration without password field and required email activation.
|
||||
* Fixed: Honeypot scripts/styles for themes without pre-rendered shortcodes. Enqueue honeypot scripts/styles everytime.
|
||||
* Fixed: Profile photo metadata when Gravatar image is used.
|
||||
|
||||
**Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade**
|
||||
|
||||
= 2.10.0 2025-02-18 =
|
||||
|
||||
**Enhancements**
|
||||
@@ -267,6 +278,9 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
|
||||
|
||||
== Upgrade Notice ==
|
||||
|
||||
= 2.10.1 =
|
||||
This version fixes a security related bug. Upgrade immediately.
|
||||
|
||||
= 2.10.0 =
|
||||
Increased the minimum PHP and WordPress requirements. The plugin now requires at least PHP 7.0 and WordPress 6.2. This version fixes a security related bug. Upgrade immediately.
|
||||
|
||||
|
||||
+1
-1
@@ -3,7 +3,7 @@
|
||||
* Plugin Name: Ultimate Member
|
||||
* Plugin URI: http://ultimatemember.com/
|
||||
* Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress
|
||||
* Version: 2.10.0
|
||||
* Version: 2.10.1
|
||||
* Author: Ultimate Member
|
||||
* Author URI: http://ultimatemember.com/
|
||||
* Text Domain: ultimate-member
|
||||
|
||||
Reference in New Issue
Block a user