Add privacy options and rate limiting in Member Directory

Introduced 'Privacy Options' to control visibility of the Member Directory and a rate limiting feature for nopriv AJAX actions. Fixed multiple security issues (CVE-2025-13220, CVE-2025-13217, CVE-2025-14081, CVE-2025-12492) by improving attribute handling, input sanitization, and adding privacy settings. Updated templates include members.php, members-grid.php, and members-list.php.
This commit is contained in:
Mykyta Synelnikov
2025-12-16 17:47:30 +02:00
parent 70144e2487
commit b0805ce468
4 changed files with 63 additions and 153 deletions
+16 -4
View File
@@ -1,12 +1,24 @@
== Changelog ==
= 2.11.1 December xx, 2025 =
= 2.11.1 December 16, 2025 =
* Enhancements:
- Added: 'Privacy Options' for Member Directory. 'Who can see this member directory' and 'Allowed Roles'.
- Added: 'Rate Limit' setting for nopriv AJAX actions.
* Bugfixes:
- Fixed: CVE-2025-13220.
- Fixed: CVE-2025-13217.
- Fixed: CVE-2025-14081.
- Fixed: Security issue CVE ID: CVE-2025-13220. Used `shortcode_atts()` function to avoid using wrong attributes.
- Fixed: Security issue CVE ID: CVE-2025-13217. Implementing proper input sanitization and escaping for iframe URLs in YouTube, Vimeo, and Google Maps embeds.
- Fixed: Security issue CVE ID: CVE-2025-14081. Filtering fields based on user permissions during Account form submission.
- Fixed: Security issue CVE ID: CVE-2025-12492. Added directory privacy settings and added rate limiting.
* Templates required update:
- members.php
- members-grid.php
- members-list.php
= 2.11.0 December 02, 2025 =