diff --git a/changelog.txt b/changelog.txt index e11b1744..9862c572 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,12 +1,24 @@ == Changelog == -= 2.11.1 December xx, 2025 = += 2.11.1 December 16, 2025 = + +* Enhancements: + + - Added: 'Privacy Options' for Member Directory. 'Who can see this member directory' and 'Allowed Roles'. + - Added: 'Rate Limit' setting for nopriv AJAX actions. * Bugfixes: - - Fixed: CVE-2025-13220. - - Fixed: CVE-2025-13217. - - Fixed: CVE-2025-14081. + - Fixed: Security issue CVE ID: CVE-2025-13220. Used `shortcode_atts()` function to avoid using wrong attributes. + - Fixed: Security issue CVE ID: CVE-2025-13217. Implementing proper input sanitization and escaping for iframe URLs in YouTube, Vimeo, and Google Maps embeds. + - Fixed: Security issue CVE ID: CVE-2025-14081. Filtering fields based on user permissions during Account form submission. + - Fixed: Security issue CVE ID: CVE-2025-12492. Added directory privacy settings and added rate limiting. + +* Templates required update: + + - members.php + - members-grid.php + - members-list.php = 2.11.0 December 02, 2025 = diff --git a/includes/admin/class-site-health.php b/includes/admin/class-site-health.php index 027e3502..00845b5e 100644 --- a/includes/admin/class-site-health.php +++ b/includes/admin/class-site-health.php @@ -1493,6 +1493,10 @@ class Site_Health { 'label' => __( 'Advanced > Security', 'ultimate-member' ), 'value' => '---------------------------------------------------------------------', ), + 'ajax_nopriv_rate_limit' => array( + 'label' => __( 'Enable Rate Limiting', 'ultimate-member' ), + 'value' => UM()->options()->get( 'ajax_nopriv_rate_limit' ) ? $labels['yes'] : $labels['no'], + ), 'banned_capabilities' => array( 'label' => __( 'Banned Administrative Capabilities', 'ultimate-member' ), 'value' => ! empty( $banned_capabilities ) ? implode( ', ', $banned_capabilities ) : '', @@ -2570,6 +2574,32 @@ class Site_Health { */ $debug_info = apply_filters( 'um_debug_member_directory_general_extend', $debug_info, $directory_id ); + $md_privacy_options = array( + 0 => __( 'Anyone', 'ultimate-member' ), + 1 => __( 'Guests only', 'ultimate-member' ), + 2 => __( 'Members only', 'ultimate-member' ), + 3 => __( 'Only specific roles', 'ultimate-member' ), + ); + $directory_privacy = get_post_meta( $directory_id, '_um_privacy', true ); + + $debug_info[] = array( + 'privacy' => array( + 'label' => __( 'Who can see this member directory', 'ultimate-member' ), + 'value' => array_key_exists( $directory_privacy, $md_privacy_options ) ? $md_privacy_options[ $directory_privacy ] : __( 'Invalid', 'ultimate-member' ), + ), + ); + if ( 3 === absint( $directory_privacy ) ) { + $directory_privacy_roles = get_post_meta( $directory_id, '_um_privacy_roles', true ); + $directory_privacy_roles = ! empty( $directory_privacy_roles ) && is_array( $directory_privacy_roles ) ? $directory_privacy_roles : array(); + + $debug_info[] = array( + 'privacy_roles' => array( + 'label' => __( 'Allowed roles', 'ultimate-member' ), + 'value' => $directory_privacy_roles, + ), + ); + } + if ( isset( $options[ get_post_meta( $directory_id, '_um_sortby', true ) ] ) ) { $sortby_label = $options[ get_post_meta( $directory_id, '_um_sortby', true ) ]; } else { diff --git a/readme.txt b/readme.txt index 62c9dd78..fc130685 100644 --- a/readme.txt +++ b/readme.txt @@ -167,14 +167,25 @@ No specific extensions are needed. But we highly recommended keep active these P IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION -= 2.11.1 2025-12-xx = += 2.11.1 2025-12-16 = + +**Enhancements** + +* Added: 'Privacy Options' for Member Directory. 'Who can see this member directory' and 'Allowed Roles'. +* Added: 'Rate Limit' setting for nopriv AJAX actions. **Bugfixes** -* Fixed: CVE-2025-13220. -* Fixed: CVE-2025-13217. -* Fixed: CVE-2025-14081. -* Fixed: CVE-2025-12492. +* Fixed: Security issue CVE ID: CVE-2025-13220. Used `shortcode_atts()` function to avoid using wrong attributes. +* Fixed: Security issue CVE ID: CVE-2025-13217. Implementing proper input sanitization and escaping for iframe URLs in YouTube, Vimeo, and Google Maps embeds. +* Fixed: Security issue CVE ID: CVE-2025-14081. Filtering fields based on user permissions during Account form submission. +* Fixed: Security issue CVE ID: CVE-2025-12492. Added directory privacy settings and added rate limiting. + +* Templates required update: + +* members.php +* members-grid.php +* members-list.php = 2.11.0 2025-12-02 = @@ -194,149 +205,6 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI * Fixed: PHP warnings for roles without meta data. * Fixed: Typo in labels. -= 2.10.6 2025-10-02 = - -**Enhancements** - -* Added: Avoid caching of the UM Forms on the mobile devices via adding the nocache headers to the screens with UM Forms. -* Added: Filter hook `um_get_empty_status_users_query_result` for changing default query on the different websites to optimize it. -* Added: Filter hook `um_admin_settings_get_pages_list_args` for changing WP_Query arguments for getting pages visible in the dropdown fields in UM Settings. -* Added: JS filter hook `um_admin_blocks_prefixes_excluded` for excluding 3rd-party Gutenberg blocks with predefined prefixes from UM restriction arguments. -* Added: WebP file-extension support for UM uploader. -* Added: `UM_LICENSE_REQUEST_DEBUG` constant for debugging license activation process when it's needed. -* Added: `Extensions_Updater` class to standardize the upgrade process in UM extensions. -* Added: Sanitize handlers `sanitize_array_key_int` and `sanitize_array_key` for making sanitize in UM extensions' settings. - -**Bugfixes** - -* Fixed: Changed the view and the edit user profile links in the comments section on the frontend. -* Fixed: `Contains` conditional logic operand when value is array. -* Fixed: Getting cover_size for displaying it in the member directory card. -* Fixed: Filter's range for numeric-type fields to avoid getting the empty values. -* Fixed: Integer validation for the 'start_of_week' WP native setting. -* Fixed: Dependencies with Action Scheduler library. - -**Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade** - -= 2.10.5 2025-06-25 = - -**Enhancements** - -* Added: Filter hook [`um_password_reset_form_primary_btn_classes`](https://ultimatemember.github.io/ultimatemember/hooks/um_password_reset_form_primary_btn_classes.html) for primary button classes in UM Password Reset form. -* Added: Filter hook [`um_login_form_primary_btn_classes`](https://ultimatemember.github.io/ultimatemember/hooks/um_login_form_primary_btn_classes.html) for primary button classes in UM Login form. -* Added: Filter hook [`um_register_form_primary_btn_classes`](https://ultimatemember.github.io/ultimatemember/hooks/um_register_form_primary_btn_classes.html) for primary button classes in UM Registration form. -* Tweak: Refactored Site Health data, added hooks for 3rd-party integration. -* Tweak: Avoid using `um_user( 'password_reset_link' )` and make it directly with `UM()->password()->reset_url( $user_id )` for getting a proper reset URL. -* Tweak: Avoid using `um_user( 'account_activation_link' )` and make it directly with `UM()->permalinks()->activate_url( $user_id )` for getting a proper activation URL. - -**Bugfixes** - -* Fixed: Stripped shortcodes in the user data during the Account, Registration and Profile forms submission. (Thanks to [MissVeronica](https://github.com/MissVeronica)) -* Fixed: Email placeholders values. -* Fixed: Refactor deactivation logic to un-schedule Action Scheduler actions. -* Fixed: Action Scheduler library errors. Updated to the recent 3.9.2 version. -* Fixed: Secondary email field validation. -* Fixed: Action Scheduler batch actions with users who have Undefined status. -* Fixed: Restrictions for 3rd-party Gutenberg Blocks. -* Fixed: Date/time picker filter-types range query on Member Directories. -* Fixed: Renamed "Macedonia, the former Yugoslav Republic of" to the official "North Macedonia". - -**Deprecated** - -* Fully deprecated `account_activation_link_tags_patterns( $placeholders )` function. It's not used previously. Used email function arguments instead. -* Fully deprecated `account_activation_link_tags_replaces( $replace_placeholders )` function. It's not used previously. Used email function arguments instead. -* Fully deprecated `UM()->profile()->add_placeholder()` function. Used email function arguments instead. -* Fully deprecated `UM()->profile()->add_replace_placeholder()` function. Used email function arguments instead. -* Fully deprecated `UM()->user()->add_activation_placeholder()` function. Used email function arguments instead. -* Fully deprecated `UM()->user()->add_activation_replace_placeholder()` function. Used email function arguments instead. -* Deprecated `UM()->user()->maybe_generate_password_reset_key( $userdata )` function. Use `UM()->common()->users()->maybe_generate_password_reset_key( $userdata )` instead. -* Deprecated `UM()->user()->set_last_login()` function. Use `UM()->common()->users()->set_last_login( $user_id )` instead. - -**Templates required update** - -* password-reset.php - -**Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade** - -= 2.10.4 2025-05-15 = - -**Bugfixes** - -* Fixed: Security issue CVE ID: CVE-2025-47691. Used "sniccowp/php-scoper-wordpress-excludes" for getting the recent WordPress functions list and added them to the dynamic blacklist based on the WordPress version. -* Fixed: The Action Scheduler action `um_set_default_account_status`. Case when some users were approved manually or deleted, and we need to reset the admin notice. Added `error_log()` to the wrong conditions. -* Fixed: Reset Password request from not a predefined password reset page. It's possible to submit reset password form sitewide using block or shortcode. -* Fixed: Setting 'Allow users to change email' for the Account page. It works now for any role instead of only the roles with 'Can edit other member accounts?' capability enabled. - -= 2.10.3 2025-04-24 = - -**Enhancements** - -* Added: The `Ignore the "User Role > Registration Options"` setting. It provides an ability to auto-approve users if they were created via wp-admin > Users screen. -* Tweak: Avoid email notifications to Administrator about user registration via wp-admin > Users screen. -* Tweak: Updated the Action Scheduler implementation to improve flexibility and clarity. Refactor Action Scheduler for not only email handling. - -**Bugfixes** - -* Fixed: Member Directory styles when it's rendered on the Gutenberg builder page. -* Fixed: Member Directory filtering query when the custom users metatable is used. -* Fixed: PHP Warning that occurs when using the `getimagesize` function with an image from an external source. -* Fixed: Reset Password email notification's the {password_reset_link}` placeholder. -* Fixed: Changed "Turkey" to the current official term "Türkiye". - -**Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade** - -= 2.10.2 2025-04-02 = - -**Enhancements** - -* Added: `UM()->common()-filesystem()::maybe_init_wp_filesystem();` method. -* Added: `UM()->common()-filesystem()::remove_dir();` method. - -**Bugfixes** - -* Fixed: Security issue CVE ID: CVE-2025-1702. Reviewed general search scripts and suggested another solution that uses only `$wpdb->prepare()`. - -= 2.10.1 2025-03-03 = - -**Bugfixes** - -* Fixed: Security issue CVE ID: CVE-2025-1702. -* Fixed: Activation link redirects to Reset Password after registration without password field and required email activation. -* Fixed: Honeypot scripts/styles for themes without pre-rendered shortcodes. Enqueue honeypot scripts/styles everytime. -* Fixed: Profile photo metadata when Gravatar image is used. - -**Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade** - -= 2.10.0 2025-02-18 = - -**Enhancements** - -* Added: User Profile `form-id` attribute and updated code for Profile/Cover photos actions dropdowns. -* Added: Honeypot scripts/styles via `wp_add_inline_script()`, `wp_add_inline_style()` changed from direct adding in header and footer. -* Updated: We've made improvements to requests for extension updates to boost stability. -* Updated: PHP requirement - the minimum PHP version is now upgraded to 7.0. -* Updated: Using $wpdb and WPCS for queries. Set minimum required version to 6.2 due to using %i for `$wpdb->prepare()`. -* Updated: Revised wp-admin user actions handling. Now, the required capability is `edit_users` instead of `manage_options`. -* Removed: User Profile hidden inputs on view mode. -* Tweak: WPCS enhancements. - -**Bugfixes** - -* Fixed: Security issue CVE ID: CVE-2024-12276. -* Fixed: Custom usermeta table metakeys for filtering in member directory (from `_money_spent` to `wc_money_spent_` and added `wc_order_count_`). -* Fixed: Layout for "Download your data" and "Erase of your data" fields. -* Fixed: Image sizes used for Open Graph meta in User Profile headers are now corrected. -* Fixed: "Delete account text" settings visibility issue in wp-admin. -* Fixed: The "Privacy Policy" field in the registration form. Disallowed HTML from the "Privacy Policy" content (like `