From d54a4117be7a98aaa69310d7f243b643ae609d6d Mon Sep 17 00:00:00 2001 From: Mykyta Synelnikov Date: Thu, 15 May 2025 01:23:28 +0300 Subject: [PATCH] Fix critical security issue and resolve multiple bugs Addressed CVE-2025-47691 by updating the dynamic blacklist logic using WordPress functions. Fixed bugs related to Action Scheduler, password reset functionality, and email change settings for user accounts, ensuring better role compatibility. Updated version to 2.10.4. --- changelog.txt | 9 +++++++++ readme.txt | 5 +++-- ultimate-member.php | 2 +- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/changelog.txt b/changelog.txt index 020e8c31..888d7c1b 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,5 +1,14 @@ == Changelog == += 2.10.4 May 15, 2025 = + +* Bugfixes: + + - Fixed: Security issue CVE ID: CVE-2025-47691. Used "sniccowp/php-scoper-wordpress-excludes" for getting the recent WordPress functions list and added them to the dynamic blacklist based on the WordPress version. + - Fixed: The Action Scheduler action `um_set_default_account_status`. Case when some users were approved manually or deleted, and we need to reset the admin notice. Added `error_log()` to the wrong conditions. + - Fixed: Reset Password request from not a predefined password reset page. It's possible to submit reset password form sitewide using block or shortcode. + - Fixed: Setting 'Allow users to change email' for the Account page. It works now for any role instead of only the roles with 'Can edit other member accounts?' capability enabled. + = 2.10.3 April 24, 2025 = * Enhancements: diff --git a/readme.txt b/readme.txt index c8c1fbe1..e22d12d7 100644 --- a/readme.txt +++ b/readme.txt @@ -6,7 +6,7 @@ Tags: community, member, membership, user-profile, user-registration Requires PHP: 7.0 Requires at least: 6.2 Tested up to: 6.8 -Stable tag: 2.10.3 +Stable tag: 2.10.4 License: GPLv3 License URI: http://www.gnu.org/licenses/gpl-3.0.txt @@ -167,13 +167,14 @@ No specific extensions are needed. But we highly recommended keep active these P IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION -= 2.10.4 2025-05-14 = += 2.10.4 2025-05-15 = **Bugfixes** * Fixed: Security issue CVE ID: CVE-2025-47691. Used "sniccowp/php-scoper-wordpress-excludes" for getting the recent WordPress functions list and added them to the dynamic blacklist based on the WordPress version. * Fixed: The Action Scheduler action `um_set_default_account_status`. Case when some users were approved manually or deleted, and we need to reset the admin notice. Added `error_log()` to the wrong conditions. * Fixed: Reset Password request from not a predefined password reset page. It's possible to submit reset password form sitewide using block or shortcode. +* Fixed: Setting 'Allow users to change email' for the Account page. It works now for any role instead of only the roles with 'Can edit other member accounts?' capability enabled. = 2.10.3 2025-04-24 = diff --git a/ultimate-member.php b/ultimate-member.php index 34455372..15a0cd4d 100644 --- a/ultimate-member.php +++ b/ultimate-member.php @@ -3,7 +3,7 @@ * Plugin Name: Ultimate Member * Plugin URI: http://ultimatemember.com/ * Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress - * Version: 2.10.4-alpha + * Version: 2.10.4 * Author: Ultimate Member * Author URI: http://ultimatemember.com/ * Text Domain: ultimate-member