mirror of
https://github.com/10h30/ultimatemember.git
synced 2026-07-17 13:43:38 +09:00
Update dynamic function blacklist for security enhancement
Added a mechanism to dynamically retrieve and merge updated WordPress function lists into the blacklist to prevent unsafe usage in dropdown options. Addresses a security issue (CVE-2025-47691) by using a JSON-based function source tied to WordPress versioning.
This commit is contained in:
@@ -193,6 +193,25 @@ if ( ! class_exists( 'um\core\Builtin' ) ) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks for a blacklist function in the custom callback field error.
|
||||
*
|
||||
* @param array $args Custom field submission data.
|
||||
*
|
||||
* @return int|string Empty or error string.
|
||||
*/
|
||||
public function functions_blacklist_field_err( $args ) {
|
||||
if ( empty( $args['_custom_dropdown_options_source'] ) ) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
if ( UM()->fields()->is_source_blacklisted( $args['_custom_dropdown_options_source'] ) ) {
|
||||
return __( 'This is not possible for security reasons.', 'ultimate-member' );
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check date range errors (start date)
|
||||
*
|
||||
|
||||
Reference in New Issue
Block a user