Add privacy options and rate limiting in Member Directory

Introduced 'Privacy Options' to control visibility of the Member Directory and a rate limiting feature for nopriv AJAX actions. Fixed multiple security issues (CVE-2025-13220, CVE-2025-13217, CVE-2025-14081, CVE-2025-12492) by improving attribute handling, input sanitization, and adding privacy settings. Updated templates include members.php, members-grid.php, and members-list.php.
This commit is contained in:
Mykyta Synelnikov
2025-12-16 17:47:30 +02:00
parent 70144e2487
commit b0805ce468
4 changed files with 63 additions and 153 deletions
+16 -4
View File
@@ -1,12 +1,24 @@
== Changelog ==
= 2.11.1 December xx, 2025 =
= 2.11.1 December 16, 2025 =
* Enhancements:
- Added: 'Privacy Options' for Member Directory. 'Who can see this member directory' and 'Allowed Roles'.
- Added: 'Rate Limit' setting for nopriv AJAX actions.
* Bugfixes:
- Fixed: CVE-2025-13220.
- Fixed: CVE-2025-13217.
- Fixed: CVE-2025-14081.
- Fixed: Security issue CVE ID: CVE-2025-13220. Used `shortcode_atts()` function to avoid using wrong attributes.
- Fixed: Security issue CVE ID: CVE-2025-13217. Implementing proper input sanitization and escaping for iframe URLs in YouTube, Vimeo, and Google Maps embeds.
- Fixed: Security issue CVE ID: CVE-2025-14081. Filtering fields based on user permissions during Account form submission.
- Fixed: Security issue CVE ID: CVE-2025-12492. Added directory privacy settings and added rate limiting.
* Templates required update:
- members.php
- members-grid.php
- members-list.php
= 2.11.0 December 02, 2025 =
+30
View File
@@ -1493,6 +1493,10 @@ class Site_Health {
'label' => __( 'Advanced > Security', 'ultimate-member' ),
'value' => '---------------------------------------------------------------------',
),
'ajax_nopriv_rate_limit' => array(
'label' => __( 'Enable Rate Limiting', 'ultimate-member' ),
'value' => UM()->options()->get( 'ajax_nopriv_rate_limit' ) ? $labels['yes'] : $labels['no'],
),
'banned_capabilities' => array(
'label' => __( 'Banned Administrative Capabilities', 'ultimate-member' ),
'value' => ! empty( $banned_capabilities ) ? implode( ', ', $banned_capabilities ) : '',
@@ -2570,6 +2574,32 @@ class Site_Health {
*/
$debug_info = apply_filters( 'um_debug_member_directory_general_extend', $debug_info, $directory_id );
$md_privacy_options = array(
0 => __( 'Anyone', 'ultimate-member' ),
1 => __( 'Guests only', 'ultimate-member' ),
2 => __( 'Members only', 'ultimate-member' ),
3 => __( 'Only specific roles', 'ultimate-member' ),
);
$directory_privacy = get_post_meta( $directory_id, '_um_privacy', true );
$debug_info[] = array(
'privacy' => array(
'label' => __( 'Who can see this member directory', 'ultimate-member' ),
'value' => array_key_exists( $directory_privacy, $md_privacy_options ) ? $md_privacy_options[ $directory_privacy ] : __( 'Invalid', 'ultimate-member' ),
),
);
if ( 3 === absint( $directory_privacy ) ) {
$directory_privacy_roles = get_post_meta( $directory_id, '_um_privacy_roles', true );
$directory_privacy_roles = ! empty( $directory_privacy_roles ) && is_array( $directory_privacy_roles ) ? $directory_privacy_roles : array();
$debug_info[] = array(
'privacy_roles' => array(
'label' => __( 'Allowed roles', 'ultimate-member' ),
'value' => $directory_privacy_roles,
),
);
}
if ( isset( $options[ get_post_meta( $directory_id, '_um_sortby', true ) ] ) ) {
$sortby_label = $options[ get_post_meta( $directory_id, '_um_sortby', true ) ];
} else {
+16 -148
View File
@@ -167,14 +167,25 @@ No specific extensions are needed. But we highly recommended keep active these P
IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION
= 2.11.1 2025-12-xx =
= 2.11.1 2025-12-16 =
**Enhancements**
* Added: 'Privacy Options' for Member Directory. 'Who can see this member directory' and 'Allowed Roles'.
* Added: 'Rate Limit' setting for nopriv AJAX actions.
**Bugfixes**
* Fixed: CVE-2025-13220.
* Fixed: CVE-2025-13217.
* Fixed: CVE-2025-14081.
* Fixed: CVE-2025-12492.
* Fixed: Security issue CVE ID: CVE-2025-13220. Used `shortcode_atts()` function to avoid using wrong attributes.
* Fixed: Security issue CVE ID: CVE-2025-13217. Implementing proper input sanitization and escaping for iframe URLs in YouTube, Vimeo, and Google Maps embeds.
* Fixed: Security issue CVE ID: CVE-2025-14081. Filtering fields based on user permissions during Account form submission.
* Fixed: Security issue CVE ID: CVE-2025-12492. Added directory privacy settings and added rate limiting.
* Templates required update:
* members.php
* members-grid.php
* members-list.php
= 2.11.0 2025-12-02 =
@@ -194,149 +205,6 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
* Fixed: PHP warnings for roles without meta data.
* Fixed: Typo in labels.
= 2.10.6 2025-10-02 =
**Enhancements**
* Added: Avoid caching of the UM Forms on the mobile devices via adding the nocache headers to the screens with UM Forms.
* Added: Filter hook `um_get_empty_status_users_query_result` for changing default query on the different websites to optimize it.
* Added: Filter hook `um_admin_settings_get_pages_list_args` for changing WP_Query arguments for getting pages visible in the dropdown fields in UM Settings.
* Added: JS filter hook `um_admin_blocks_prefixes_excluded` for excluding 3rd-party Gutenberg blocks with predefined prefixes from UM restriction arguments.
* Added: WebP file-extension support for UM uploader.
* Added: `UM_LICENSE_REQUEST_DEBUG` constant for debugging license activation process when it's needed.
* Added: `Extensions_Updater` class to standardize the upgrade process in UM extensions.
* Added: Sanitize handlers `sanitize_array_key_int` and `sanitize_array_key` for making sanitize in UM extensions' settings.
**Bugfixes**
* Fixed: Changed the view and the edit user profile links in the comments section on the frontend.
* Fixed: `Contains` conditional logic operand when value is array.
* Fixed: Getting cover_size for displaying it in the member directory card.
* Fixed: Filter's range for numeric-type fields to avoid getting the empty values.
* Fixed: Integer validation for the 'start_of_week' WP native setting.
* Fixed: Dependencies with Action Scheduler library.
**Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade**
= 2.10.5 2025-06-25 =
**Enhancements**
* Added: Filter hook [`um_password_reset_form_primary_btn_classes`](https://ultimatemember.github.io/ultimatemember/hooks/um_password_reset_form_primary_btn_classes.html) for primary button classes in UM Password Reset form.
* Added: Filter hook [`um_login_form_primary_btn_classes`](https://ultimatemember.github.io/ultimatemember/hooks/um_login_form_primary_btn_classes.html) for primary button classes in UM Login form.
* Added: Filter hook [`um_register_form_primary_btn_classes`](https://ultimatemember.github.io/ultimatemember/hooks/um_register_form_primary_btn_classes.html) for primary button classes in UM Registration form.
* Tweak: Refactored Site Health data, added hooks for 3rd-party integration.
* Tweak: Avoid using `um_user( 'password_reset_link' )` and make it directly with `UM()->password()->reset_url( $user_id )` for getting a proper reset URL.
* Tweak: Avoid using `um_user( 'account_activation_link' )` and make it directly with `UM()->permalinks()->activate_url( $user_id )` for getting a proper activation URL.
**Bugfixes**
* Fixed: Stripped shortcodes in the user data during the Account, Registration and Profile forms submission. (Thanks to [MissVeronica](https://github.com/MissVeronica))
* Fixed: Email placeholders values.
* Fixed: Refactor deactivation logic to un-schedule Action Scheduler actions.
* Fixed: Action Scheduler library errors. Updated to the recent 3.9.2 version.
* Fixed: Secondary email field validation.
* Fixed: Action Scheduler batch actions with users who have Undefined status.
* Fixed: Restrictions for 3rd-party Gutenberg Blocks.
* Fixed: Date/time picker filter-types range query on Member Directories.
* Fixed: Renamed "Macedonia, the former Yugoslav Republic of" to the official "North Macedonia".
**Deprecated**
* Fully deprecated `account_activation_link_tags_patterns( $placeholders )` function. It's not used previously. Used email function arguments instead.
* Fully deprecated `account_activation_link_tags_replaces( $replace_placeholders )` function. It's not used previously. Used email function arguments instead.
* Fully deprecated `UM()->profile()->add_placeholder()` function. Used email function arguments instead.
* Fully deprecated `UM()->profile()->add_replace_placeholder()` function. Used email function arguments instead.
* Fully deprecated `UM()->user()->add_activation_placeholder()` function. Used email function arguments instead.
* Fully deprecated `UM()->user()->add_activation_replace_placeholder()` function. Used email function arguments instead.
* Deprecated `UM()->user()->maybe_generate_password_reset_key( $userdata )` function. Use `UM()->common()->users()->maybe_generate_password_reset_key( $userdata )` instead.
* Deprecated `UM()->user()->set_last_login()` function. Use `UM()->common()->users()->set_last_login( $user_id )` instead.
**Templates required update**
* password-reset.php
**Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade**
= 2.10.4 2025-05-15 =
**Bugfixes**
* Fixed: Security issue CVE ID: CVE-2025-47691. Used "sniccowp/php-scoper-wordpress-excludes" for getting the recent WordPress functions list and added them to the dynamic blacklist based on the WordPress version.
* Fixed: The Action Scheduler action `um_set_default_account_status`. Case when some users were approved manually or deleted, and we need to reset the admin notice. Added `error_log()` to the wrong conditions.
* Fixed: Reset Password request from not a predefined password reset page. It's possible to submit reset password form sitewide using block or shortcode.
* Fixed: Setting 'Allow users to change email' for the Account page. It works now for any role instead of only the roles with 'Can edit other member accounts?' capability enabled.
= 2.10.3 2025-04-24 =
**Enhancements**
* Added: The `Ignore the "User Role > Registration Options"` setting. It provides an ability to auto-approve users if they were created via wp-admin > Users screen.
* Tweak: Avoid email notifications to Administrator about user registration via wp-admin > Users screen.
* Tweak: Updated the Action Scheduler implementation to improve flexibility and clarity. Refactor Action Scheduler for not only email handling.
**Bugfixes**
* Fixed: Member Directory styles when it's rendered on the Gutenberg builder page.
* Fixed: Member Directory filtering query when the custom users metatable is used.
* Fixed: PHP Warning that occurs when using the `getimagesize` function with an image from an external source.
* Fixed: Reset Password email notification's the {password_reset_link}` placeholder.
* Fixed: Changed "Turkey" to the current official term "Türkiye".
**Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade**
= 2.10.2 2025-04-02 =
**Enhancements**
* Added: `UM()->common()-filesystem()::maybe_init_wp_filesystem();` method.
* Added: `UM()->common()-filesystem()::remove_dir();` method.
**Bugfixes**
* Fixed: Security issue CVE ID: CVE-2025-1702. Reviewed general search scripts and suggested another solution that uses only `$wpdb->prepare()`.
= 2.10.1 2025-03-03 =
**Bugfixes**
* Fixed: Security issue CVE ID: CVE-2025-1702.
* Fixed: Activation link redirects to Reset Password after registration without password field and required email activation.
* Fixed: Honeypot scripts/styles for themes without pre-rendered shortcodes. Enqueue honeypot scripts/styles everytime.
* Fixed: Profile photo metadata when Gravatar image is used.
**Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade**
= 2.10.0 2025-02-18 =
**Enhancements**
* Added: User Profile `form-id` attribute and updated code for Profile/Cover photos actions dropdowns.
* Added: Honeypot scripts/styles via `wp_add_inline_script()`, `wp_add_inline_style()` changed from direct adding in header and footer.
* Updated: We've made improvements to requests for extension updates to boost stability.
* Updated: PHP requirement - the minimum PHP version is now upgraded to 7.0.
* Updated: Using $wpdb and WPCS for queries. Set minimum required version to 6.2 due to using %i for `$wpdb->prepare()`.
* Updated: Revised wp-admin user actions handling. Now, the required capability is `edit_users` instead of `manage_options`.
* Removed: User Profile hidden inputs on view mode.
* Tweak: WPCS enhancements.
**Bugfixes**
* Fixed: Security issue CVE ID: CVE-2024-12276.
* Fixed: Custom usermeta table metakeys for filtering in member directory (from `_money_spent` to `wc_money_spent_` and added `wc_order_count_`).
* Fixed: Layout for "Download your data" and "Erase of your data" fields.
* Fixed: Image sizes used for Open Graph meta in User Profile headers are now corrected.
* Fixed: "Delete account text" settings visibility issue in wp-admin.
* Fixed: The "Privacy Policy" field in the registration form. Disallowed HTML from the "Privacy Policy" content (like `<form>`) is filtered out by the `wp_kses()` function.
* Fixed: Password fields are now sanitized the WordPress native way, with `wp_unslash()` omitted post-submission.
**Templates required update**
* gdpr-register.php
* profile.php
**Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade**
[See changelog for all versions](https://plugins.svn.wordpress.org/ultimate-member/trunk/changelog.txt).
== Upgrade Notice ==
+1 -1
View File
@@ -3,7 +3,7 @@
* Plugin Name: Ultimate Member
* Plugin URI: http://ultimatemember.com/
* Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress
* Version: 2.11.1-alpha
* Version: 2.11.1
* Author: Ultimate Member
* Author URI: http://ultimatemember.com/
* License: GPLv3