Merge pull request #1771 from ultimatemember/fix/CVE-2025-14081

Fix: CVE-2025-14081 and update field filtering logic.
This commit is contained in:
Mykyta Synelnikov
2025-12-16 17:10:54 +02:00
committed by GitHub
3 changed files with 9 additions and 4 deletions
+1 -1
View File
@@ -2,7 +2,7 @@
= 2.11.1 December xx, 2025 =
Fixed: CVE-2025-14081
= 2.11.0 December 02, 2025 =
+7 -3
View File
@@ -473,23 +473,27 @@ if ( ! class_exists( 'um\core\Account' ) ) {
return $url;
}
/**
* @param $fields
* @param $shortcode_args
* @return mixed
*/
function filter_fields_by_attrs( $fields, $shortcode_args ) {
private function filter_fields_by_attrs( $fields, $shortcode_args ) {
foreach ( $fields as $k => $field ) {
if ( isset( $shortcode_args[ $field['metakey'] ] ) && 0 == $shortcode_args[ $field['metakey'] ] ) {
unset( $fields[ $k ] );
continue;
}
// required user permission 'required_perm' - it's field attribute predefined in the field data in code.
if ( isset( $data['required_perm'] ) && ! UM()->roles()->um_user_can( $data['required_perm'] ) ) {
unset( $fields[ $k ] );
}
}
return $fields;
}
/**
* Init displayed fields for security check
*
+1
View File
@@ -171,6 +171,7 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
**Bugfixes**
* Fixed: CVE-2025-14081.
* Fixed: CVE-2025-12492.
= 2.11.0 2025-12-02 =