Merge pull request #1651 from ultimatemember/development/2.9.x

Version 2.10.1
This commit is contained in:
Mykyta Synelnikov
2025-03-03 16:11:16 +02:00
committed by GitHub
13 changed files with 113 additions and 72 deletions
+1 -1
View File
@@ -15,7 +15,7 @@
"step": "installPlugin",
"pluginZipFile": {
"resource": "url",
"url": "https:\/\/downloads.wordpress.org\/plugin\/ultimate-member.2.10.0.zip"
"url": "https:\/\/downloads.wordpress.org\/plugin\/ultimate-member.2.10.1.zip"
},
"options": {
"activate": true
+1 -1
View File
@@ -44,7 +44,7 @@ GNU Version 2 or Any Later Version
### IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION
[Official Release Version: 2.10.0](https://github.com/ultimatemember/ultimatemember/releases/tag/2.10.0).
[Official Release Version: 2.10.1](https://github.com/ultimatemember/ultimatemember/releases/tag/2.10.1).
## Changelog
+5
View File
@@ -1152,3 +1152,8 @@ small.um-max-filesize span{
float: none;
height: auto;
}
/*Makes the honeypot invisible.*/
.um_request_name {
display: none !important;
}
+1 -1
View File
File diff suppressed because one or more lines are too long
+9
View File
@@ -698,3 +698,12 @@ jQuery(document).ready(function() {
}
});
});
// Makes the honeypot.
jQuery( window ).on( 'load', function() {
let $honeypotField = jQuery('input[name="um_request"]');
if ( $honeypotField.length ) {
$honeypotField.val('');
}
});
+1 -1
View File
File diff suppressed because one or more lines are too long
+11
View File
@@ -1,5 +1,16 @@
== Changelog ==
= 2.10.1 March 03, 2025 =
* Bugfixes:
- Fixed: Security issue CVE ID: CVE-2025-1702.
- Fixed: Activation link redirects to Reset Password after registration without password field and required email activation.
- Fixed: Honeypot scripts/styles for themes without pre-rendered shortcodes. Enqueue honeypot scripts/styles everytime.
- Fixed: Profile photo metadata when Gravatar image is used.
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *
= 2.10.0 February 18, 2025 =
* Enhancements:
+5 -2
View File
@@ -1,6 +1,8 @@
<?php
namespace um\core;
use WP_User_Query;
if ( ! defined( 'ABSPATH' ) ) {
exit;
}
@@ -1708,6 +1710,7 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) {
$regexp_map = array(
'/select(.*?)from/im',
'/select(.*?)sleep/im',
"/sleep\(\d+\)/im", // avoid any sleep injections
'/select(.*?)database/im',
'/select(.*?)where/im',
'/update(.*?)set/im',
@@ -1768,7 +1771,7 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) {
* @param $type
* @param $primary_table
* @param $primary_id_column
* @param \WP_User_Query $context
* @param WP_User_Query $context
*
* @return array
*/
@@ -2940,7 +2943,7 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) {
add_filter( 'pre_user_query', array( &$this, 'pagination_changes' ), 10, 1 );
$user_query = new \WP_User_Query( $this->query_args );
$user_query = new WP_User_Query( $this->query_args );
remove_filter( 'pre_user_query', array( &$this, 'pagination_changes' ), 10 );
+43 -25
View File
@@ -134,52 +134,70 @@ if ( ! class_exists( 'um\core\Permalinks' ) ) {
exit;
}
$redirect = um_get_core_page( 'login', 'account_active' );
$set_password_required = get_user_meta( $user_id, 'um_set_password_required', true );
// Activate account link is valid. Can be approved below.
um_fetch_user( $user_id );
um_fetch_user( $user_id ); // @todo maybe don't need to fetch.
UM()->common()->users()->approve( $user_id, true );
if ( ! empty( $set_password_required ) ) {
$redirect = um_user( 'password_reset_link' );
}
um_reset_user();
$user_role = UM()->roles()->get_priority_user_role( $user_id );
$user_role_data = UM()->roles()->role_data( $user_role );
// log in automatically
// Log in automatically after activation.
$login = ! empty( $user_role_data['login_email_activate'] ); // Role setting "Login user after validating the activation link?"
if ( ! is_user_logged_in() && $login ) {
if ( $login && ! is_user_logged_in() ) {
UM()->user()->auto_login( $user_id );
}
/**
* UM hook
* Fires on user activation after visit link for email confirmation.
*
* @type action
* @title um_after_email_confirmation
* @description Action on user activation
* @input_vars
* [{"var":"$user_id","type":"int","desc":"User ID"}]
* @change_log
* ["Since: 2.0"]
* @usage add_action( 'um_after_email_confirmation', 'function_name', 10, 1 );
* @example
* <?php
* add_action( 'um_after_email_confirmation', 'my_after_email_confirmation', 10, 1 );
* @hook um_after_email_confirmation
*
* @param {int} $user_id The user ID.
*
* @since 2.0
*
* @example <caption>Doing some code after email confirmation and approved $user_id.</caption>
* function my_after_email_confirmation( $user_id ) {
* // your code here
* }
* ?>
* add_filter( 'um_after_email_confirmation', 'my_after_email_confirmation' );
*/
do_action( 'um_after_email_confirmation', $user_id );
// Prepare redirect link.
$set_password_required = get_user_meta( $user_id, 'um_set_password_required', true );
if ( empty( $set_password_required ) ) {
$redirect = empty( $user_role_data['url_email_activate'] ) ? um_get_core_page( 'login', 'account_active' ) : trim( $user_role_data['url_email_activate'] ); // Role setting "URL redirect after email activation"
// Role setting "URL redirect after email activation".
$redirect = empty( $user_role_data['url_email_activate'] ) ? um_get_core_page( 'login', 'account_active' ) : trim( $user_role_data['url_email_activate'] );
} else {
// Redirect to the change password page if there is no password for this user.
um_fetch_user( $user_id );
$redirect = um_user( 'password_reset_link' );
}
/**
* Filter to change the redirect URL after email confirmation.
*
* @hook um_after_email_confirmation_redirect
*
* @param {string} $redirect The redirect URL.
* @param {int} $user_id The user ID.
* @param {bool} $login Auto login has been applied and user currently is logged in.
*
* @since 2.0
*
* @example <caption>Change redirect after confirmation only for the user with ID=99.</caption>
* function my_after_email_confirmation_redirect( $redirect, $user_id, $login ) {
* // your code here
* if ( $user_id === 99 ) {
* $redirect = 'custom_url';
* }
* return $redirect;
* }
* add_filter( 'um_after_email_confirmation_redirect', 'my_after_email_confirmation_redirect', 10, 3 );
*/
$redirect = apply_filters( 'um_after_email_confirmation_redirect', $redirect, $user_id, $login );
exit( wp_redirect( $redirect ) );
um_safe_redirect( $redirect );
}
}
+20 -15
View File
@@ -734,24 +734,28 @@ function um_profile_dynamic_meta_desc() {
$image = um_get_user_avatar_url( $user_id, 'original' );
}
$image = current( explode( '?', $image ) ); // strip $_GET attributes from photo URL.
$image_path = wp_normalize_path( ABSPATH . wp_parse_url( $image, PHP_URL_PATH ) );
$image_info = wp_check_filetype( $image_path );
$imagesizes = getimagesize( $image_path );
if ( is_array( $imagesizes ) ) {
$image_width = $imagesizes[0];
$image_height = $imagesizes[1];
$image_info = array();
$image_width = $image_size;
$image_height = $image_size;
if ( false === strpos( $image, 'gravatar.com' ) ) {
// Ignore Gravatar image here and handler a real image.
$image = current( explode( '?', $image ) ); // strip $_GET attributes from photo URL.
$image_path = wp_normalize_path( ABSPATH . wp_parse_url( $image, PHP_URL_PATH ) );
$image_info = wp_check_filetype( $image_path );
$imagesizes = getimagesize( $image_path );
if ( is_array( $imagesizes ) ) {
list( $image_width, $image_height ) = $imagesizes;
}
} else {
$image_width = $image_size;
$image_height = $image_size;
// Gravatar image.
$image_path = esc_url_raw( $image );
}
$person = array(
'@context' => 'https://schema.org',
'@type' => 'ProfilePage',
'dateCreated' => um_user( 'user_registered' ),
'mainEntity' => array(
'@context' => 'https://schema.org',
'@type' => 'ProfilePage',
'dateCreated' => um_user( 'user_registered' ),
'mainEntity' => array(
'@type' => 'Person',
'name' => esc_attr( $title ),
'alternateName' => um_user( 'user_login' ),
@@ -762,6 +766,7 @@ function um_profile_dynamic_meta_desc() {
),
),
);
$user_last_update = um_user( 'last_update' );
if ( ! empty( $user_last_update ) ) {
if ( is_numeric( $user_last_update ) ) {
@@ -813,7 +818,7 @@ function um_profile_dynamic_meta_desc() {
<?php if ( is_ssl() ) { ?>
<meta property="og:image:secure_url" content="<?php echo esc_url( $image ); ?>"/>
<?php } ?>
<?php if ( $image_info['type'] ) { ?>
<?php if ( ! empty( $image_info['type'] ) ) { ?>
<meta property="og:image:type" content="<?php echo esc_attr( $image_info['type'] ); ?>" />
<?php } ?>
<meta property="og:url" content="<?php echo esc_url( $url ); ?>"/>
-24
View File
@@ -144,18 +144,6 @@ final class Enqueue extends \um\common\Enqueue {
$localize_data = apply_filters( 'um_enqueue_localize_data', $localize_data );
wp_localize_script( 'um_scripts', 'um_scripts', $localize_data );
// Makes the honeypot.
if ( ! empty( UM()->fields()->set_mode ) && ( 'profile' !== UM()->fields()->set_mode || true === UM()->fields()->editing ) ) {
ob_start();
?>
jQuery( window ).on( 'load', function() {
jQuery('input[name="<?php echo esc_js( UM()->honeypot ); ?>"]').val('');
});
<?php
$inline_script = ob_get_clean();
wp_add_inline_script( 'um_scripts', $inline_script );
}
wp_register_script( 'um_dropdown', $js_url . 'dropdown' . $suffix . '.js', array( 'jquery' ), UM_VERSION, true );
wp_register_script( 'um_members', $js_url . 'um-members' . $suffix . '.js', array( 'jquery', 'wp-util', 'jquery-ui-slider', 'um_dropdown', 'wp-hooks', 'jquery-masonry', 'um_scripts' ), UM_VERSION, true );
@@ -206,18 +194,6 @@ final class Enqueue extends \um\common\Enqueue {
$deps = array_merge( array( 'um_ui', 'um_tipsy', 'um_raty', 'select2', 'um_fileupload', 'um_common', 'um_responsive', 'um_modal' ), self::$fonticons_handlers );
wp_register_style( 'um_styles', $css_url . 'um-styles' . $suffix . '.css', $deps, UM_VERSION );
// Makes the honeypot invisible.
if ( ! empty( UM()->fields()->set_mode ) && ( 'profile' !== UM()->fields()->set_mode || true === UM()->fields()->editing ) ) {
ob_start();
?>
.<?php echo esc_attr( UM()->honeypot ); ?>_name {
display: none !important;
}
<?php
$inline_styles = ob_get_clean();
wp_add_inline_style( 'um_styles', $inline_styles );
}
wp_register_style( 'um_members', $css_url . 'um-members' . $suffix . '.css', array( 'um_styles' ), UM_VERSION );
// RTL styles.
if ( is_rtl() ) {
+15 -1
View File
@@ -6,7 +6,7 @@ Tags: community, member, membership, user-profile, user-registration
Requires PHP: 7.0
Requires at least: 6.2
Tested up to: 6.7
Stable tag: 2.10.0
Stable tag: 2.10.1
License: GPLv3
License URI: http://www.gnu.org/licenses/gpl-3.0.txt
@@ -167,6 +167,17 @@ No specific extensions are needed. But we highly recommended keep active these P
IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION
= 2.10.1 2025-03-03 =
**Bugfixes**
* Fixed: Security issue CVE ID: CVE-2025-1702.
* Fixed: Activation link redirects to Reset Password after registration without password field and required email activation.
* Fixed: Honeypot scripts/styles for themes without pre-rendered shortcodes. Enqueue honeypot scripts/styles everytime.
* Fixed: Profile photo metadata when Gravatar image is used.
**Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade**
= 2.10.0 2025-02-18 =
**Enhancements**
@@ -267,6 +278,9 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
== Upgrade Notice ==
= 2.10.1 =
This version fixes a security related bug. Upgrade immediately.
= 2.10.0 =
Increased the minimum PHP and WordPress requirements. The plugin now requires at least PHP 7.0 and WordPress 6.2. This version fixes a security related bug. Upgrade immediately.
+1 -1
View File
@@ -3,7 +3,7 @@
* Plugin Name: Ultimate Member
* Plugin URI: http://ultimatemember.com/
* Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress
* Version: 2.10.0
* Version: 2.10.1
* Author: Ultimate Member
* Author URI: http://ultimatemember.com/
* Text Domain: ultimate-member