Update dynamic function blacklist for security enhancement

Added a mechanism to dynamically retrieve and merge updated WordPress function lists into the blacklist to prevent unsafe usage in dropdown options. Addresses a security issue (CVE-2025-47691) by using a JSON-based function source tied to WordPress versioning.
This commit is contained in:
Mykyta Synelnikov
2025-05-12 13:16:17 +03:00
parent 1181b7956d
commit 9d83fba560
7 changed files with 3941 additions and 5 deletions
+19
View File
@@ -193,6 +193,25 @@ if ( ! class_exists( 'um\core\Builtin' ) ) {
return 0;
}
/**
* Checks for a blacklist function in the custom callback field error.
*
* @param array $args Custom field submission data.
*
* @return int|string Empty or error string.
*/
public function functions_blacklist_field_err( $args ) {
if ( empty( $args['_custom_dropdown_options_source'] ) ) {
return 0;
}
if ( UM()->fields()->is_source_blacklisted( $args['_custom_dropdown_options_source'] ) ) {
return __( 'This is not possible for security reasons.', 'ultimate-member' );
}
return 0;
}
/**
* Check date range errors (start date)
*