mirror of
https://github.com/10h30/ultimatemember.git
synced 2026-07-11 10:46:11 +09:00
Merge pull request #1771 from ultimatemember/fix/CVE-2025-14081
Fix: CVE-2025-14081 and update field filtering logic.
This commit is contained in:
+1
-1
@@ -2,7 +2,7 @@
|
||||
|
||||
= 2.11.1 December xx, 2025 =
|
||||
|
||||
|
||||
Fixed: CVE-2025-14081
|
||||
|
||||
= 2.11.0 December 02, 2025 =
|
||||
|
||||
|
||||
@@ -473,23 +473,27 @@ if ( ! class_exists( 'um\core\Account' ) ) {
|
||||
return $url;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @param $fields
|
||||
* @param $shortcode_args
|
||||
* @return mixed
|
||||
*/
|
||||
function filter_fields_by_attrs( $fields, $shortcode_args ) {
|
||||
private function filter_fields_by_attrs( $fields, $shortcode_args ) {
|
||||
foreach ( $fields as $k => $field ) {
|
||||
if ( isset( $shortcode_args[ $field['metakey'] ] ) && 0 == $shortcode_args[ $field['metakey'] ] ) {
|
||||
unset( $fields[ $k ] );
|
||||
continue;
|
||||
}
|
||||
|
||||
// required user permission 'required_perm' - it's field attribute predefined in the field data in code.
|
||||
if ( isset( $data['required_perm'] ) && ! UM()->roles()->um_user_can( $data['required_perm'] ) ) {
|
||||
unset( $fields[ $k ] );
|
||||
}
|
||||
}
|
||||
|
||||
return $fields;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Init displayed fields for security check
|
||||
*
|
||||
|
||||
@@ -171,6 +171,7 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
|
||||
|
||||
**Bugfixes**
|
||||
|
||||
* Fixed: CVE-2025-14081.
|
||||
* Fixed: CVE-2025-12492.
|
||||
|
||||
= 2.11.0 2025-12-02 =
|
||||
|
||||
Reference in New Issue
Block a user