mirror of
https://github.com/10h30/ultimatemember.git
synced 2026-07-11 10:46:11 +09:00
Add privacy options and rate limiting in Member Directory
Introduced 'Privacy Options' to control visibility of the Member Directory and a rate limiting feature for nopriv AJAX actions. Fixed multiple security issues (CVE-2025-13220, CVE-2025-13217, CVE-2025-14081, CVE-2025-12492) by improving attribute handling, input sanitization, and adding privacy settings. Updated templates include members.php, members-grid.php, and members-list.php.
This commit is contained in:
+16
-4
@@ -1,12 +1,24 @@
|
||||
== Changelog ==
|
||||
|
||||
= 2.11.1 December xx, 2025 =
|
||||
= 2.11.1 December 16, 2025 =
|
||||
|
||||
* Enhancements:
|
||||
|
||||
- Added: 'Privacy Options' for Member Directory. 'Who can see this member directory' and 'Allowed Roles'.
|
||||
- Added: 'Rate Limit' setting for nopriv AJAX actions.
|
||||
|
||||
* Bugfixes:
|
||||
|
||||
- Fixed: CVE-2025-13220.
|
||||
- Fixed: CVE-2025-13217.
|
||||
- Fixed: CVE-2025-14081.
|
||||
- Fixed: Security issue CVE ID: CVE-2025-13220. Used `shortcode_atts()` function to avoid using wrong attributes.
|
||||
- Fixed: Security issue CVE ID: CVE-2025-13217. Implementing proper input sanitization and escaping for iframe URLs in YouTube, Vimeo, and Google Maps embeds.
|
||||
- Fixed: Security issue CVE ID: CVE-2025-14081. Filtering fields based on user permissions during Account form submission.
|
||||
- Fixed: Security issue CVE ID: CVE-2025-12492. Added directory privacy settings and added rate limiting.
|
||||
|
||||
* Templates required update:
|
||||
|
||||
- members.php
|
||||
- members-grid.php
|
||||
- members-list.php
|
||||
|
||||
= 2.11.0 December 02, 2025 =
|
||||
|
||||
|
||||
Reference in New Issue
Block a user