mirror of
https://github.com/10h30/ultimatemember.git
synced 2026-07-11 18:56:10 +09:00
Merge pull request #1774 from ultimatemember/security/CVE-2025-15064
Fix critical security vulnerability in Ultimate Member plugin
This commit is contained in:
@@ -15,7 +15,7 @@
|
|||||||
"step": "installPlugin",
|
"step": "installPlugin",
|
||||||
"pluginZipFile": {
|
"pluginZipFile": {
|
||||||
"resource": "url",
|
"resource": "url",
|
||||||
"url": "https:\/\/downloads.wordpress.org\/plugin\/ultimate-member.2.11.1.zip"
|
"url": "https:\/\/downloads.wordpress.org\/plugin\/ultimate-member.2.11.2.zip"
|
||||||
},
|
},
|
||||||
"options": {
|
"options": {
|
||||||
"activate": true
|
"activate": true
|
||||||
|
|||||||
@@ -44,7 +44,7 @@ GNU Version 2 or Any Later Version
|
|||||||
|
|
||||||
### IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION
|
### IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION
|
||||||
|
|
||||||
[Official Release Version: 2.11.1](https://github.com/ultimatemember/ultimatemember/releases/tag/2.11.1).
|
[Official Release Version: 2.11.2](https://github.com/ultimatemember/ultimatemember/releases/tag/2.11.2).
|
||||||
|
|
||||||
## Changelog
|
## Changelog
|
||||||
|
|
||||||
|
|||||||
@@ -900,14 +900,14 @@ small.um-max-filesize span{
|
|||||||
max-width: 300px;
|
max-width: 300px;
|
||||||
}
|
}
|
||||||
|
|
||||||
.um-search-area .um-search-field {
|
.um .um-form.um-search-area .um-search-field {
|
||||||
width: 100%;
|
width: 100%;
|
||||||
margin: 0;
|
margin: 0;
|
||||||
padding-left: 25px;
|
padding-left: 25px !important;
|
||||||
}
|
}
|
||||||
|
|
||||||
.rtl .um-search-area .um-search-field {
|
.rtl .um .um-form.um-search-area .um-search-field {
|
||||||
padding-right: 25px;
|
padding-right: 25px !important;
|
||||||
padding-left: initial;
|
padding-left: initial;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Vendored
+1
-1
File diff suppressed because one or more lines are too long
+48
-45
@@ -440,60 +440,63 @@ jQuery(document).ready(function() {
|
|||||||
return false;
|
return false;
|
||||||
});
|
});
|
||||||
|
|
||||||
jQuery( document.body ).on('click', '#um-search-button', function() {
|
jQuery( document.body ).on('click', '#um-search-button', function(e) {
|
||||||
var action = jQuery(this).parents('.um-search-form').data('members_page');
|
e.preventDefault();
|
||||||
|
|
||||||
var search_keys = [];
|
let $btn = jQuery(this);
|
||||||
jQuery(this).parents('.um-search-form').find('input[name="um-search-keys[]"]').each( function() {
|
if ( $btn.hasClass( 'um-disabled' ) ) {
|
||||||
search_keys.push( jQuery(this).val() );
|
return;
|
||||||
});
|
|
||||||
|
|
||||||
var search = jQuery(this).parents('.um-search-form').find('.um-search-field').val();
|
|
||||||
|
|
||||||
var url;
|
|
||||||
if ( search === '' ) {
|
|
||||||
url = action;
|
|
||||||
} else {
|
|
||||||
var query = '?';
|
|
||||||
for ( var i = 0; i < search_keys.length; i++ ) {
|
|
||||||
query += search_keys[i] + '=' + search;
|
|
||||||
if ( i !== search_keys.length - 1 ) {
|
|
||||||
query += '&';
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
url = action + query;
|
|
||||||
}
|
}
|
||||||
window.location = url;
|
|
||||||
|
let $form = $btn.parents('.um-search-form');
|
||||||
|
let search = $form.find('.um-search-field').val();
|
||||||
|
let nonce = $form.data('nonce');
|
||||||
|
|
||||||
|
$btn.addClass('um-disabled');
|
||||||
|
wp.ajax.send( 'um_search_widget_request', {
|
||||||
|
data: {
|
||||||
|
search: search,
|
||||||
|
_wpnonce: nonce
|
||||||
|
},
|
||||||
|
success: function(response) {
|
||||||
|
$btn.removeClass('um-disabled');
|
||||||
|
window.location = response.url;
|
||||||
|
},
|
||||||
|
error: function(e) {
|
||||||
|
console.log(e);
|
||||||
|
$btn.removeClass('um-disabled');
|
||||||
|
}
|
||||||
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
//make search on Enter click
|
//make search on Enter click
|
||||||
jQuery( document.body ).on( 'keypress', '.um-search-field', function(e) {
|
jQuery( document.body ).on( 'keypress', '.um-search-field', function(e) {
|
||||||
if ( e.which === 13 ) {
|
if ( e.which === 13 ) {
|
||||||
var action = jQuery(this).parents('.um-search-form').data('members_page');
|
let $field = jQuery(this);
|
||||||
|
let $form = $field.parents('.um-search-form');
|
||||||
|
|
||||||
var search_keys = [];
|
let $btn = $form.find('#um-search-button');
|
||||||
jQuery(this).parents('.um-search-form').find('input[name="um-search-keys[]"]').each( function() {
|
if ( $btn.hasClass( 'um-disabled' ) ) {
|
||||||
search_keys.push( jQuery(this).val() );
|
return;
|
||||||
});
|
|
||||||
|
|
||||||
var search = jQuery(this).val();
|
|
||||||
|
|
||||||
var url;
|
|
||||||
if ( search === '' ) {
|
|
||||||
url = action;
|
|
||||||
} else {
|
|
||||||
var query = '?';
|
|
||||||
for ( var i = 0; i < search_keys.length; i++ ) {
|
|
||||||
query += search_keys[i] + '=' + search;
|
|
||||||
if ( i !== search_keys.length - 1 ) {
|
|
||||||
query += '&';
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
url = action + query;
|
|
||||||
}
|
}
|
||||||
window.location = url;
|
let search = $field.val();
|
||||||
|
let nonce = $form.data('nonce');
|
||||||
|
|
||||||
|
$btn.addClass('um-disabled');
|
||||||
|
wp.ajax.send( 'um_search_widget_request', {
|
||||||
|
data: {
|
||||||
|
search: search,
|
||||||
|
_wpnonce: nonce
|
||||||
|
},
|
||||||
|
success: function(response) {
|
||||||
|
$btn.removeClass('um-disabled');
|
||||||
|
window.location = response.url;
|
||||||
|
},
|
||||||
|
error: function(e) {
|
||||||
|
console.log(e);
|
||||||
|
$btn.removeClass('um-disabled');
|
||||||
|
}
|
||||||
|
});
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|||||||
Vendored
+1
-1
File diff suppressed because one or more lines are too long
@@ -1,5 +1,11 @@
|
|||||||
== Changelog ==
|
== Changelog ==
|
||||||
|
|
||||||
|
= 2.11.2 January xx, 2026 =
|
||||||
|
|
||||||
|
* Bugfixes:
|
||||||
|
|
||||||
|
- Fixed: Security issue CVE ID: CVE-2025-15064. Deprecated ability to use HTML inside the user description.
|
||||||
|
|
||||||
= 2.11.1 December 16, 2025 =
|
= 2.11.1 December 16, 2025 =
|
||||||
|
|
||||||
* Enhancements:
|
* Enhancements:
|
||||||
|
|||||||
+1
-1
@@ -33,7 +33,7 @@
|
|||||||
"wp-coding-standards/wpcs": "*",
|
"wp-coding-standards/wpcs": "*",
|
||||||
"symplify/phpstan-rules": "*",
|
"symplify/phpstan-rules": "*",
|
||||||
"phpdocumentor/phpdocumentor": "3.8.*",
|
"phpdocumentor/phpdocumentor": "3.8.*",
|
||||||
"sniccowp/php-scoper-wordpress-excludes": "6.8.*"
|
"sniccowp/php-scoper-wordpress-excludes": "6.9.*"
|
||||||
},
|
},
|
||||||
"scripts": {
|
"scripts": {
|
||||||
"wordpress-excludes": [
|
"wordpress-excludes": [
|
||||||
|
|||||||
@@ -19,6 +19,9 @@ class Pages {
|
|||||||
*/
|
*/
|
||||||
public function __construct() {
|
public function __construct() {
|
||||||
add_action( 'wp_ajax_um_get_pages_list', array( $this, 'get_pages_list' ) );
|
add_action( 'wp_ajax_um_get_pages_list', array( $this, 'get_pages_list' ) );
|
||||||
|
|
||||||
|
add_action( 'wp_ajax_um_search_widget_request', array( $this, 'search_widget_request' ) );
|
||||||
|
add_action( 'wp_ajax_nopriv_um_search_widget_request', array( $this, 'search_widget_request' ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -98,4 +101,58 @@ class Pages {
|
|||||||
|
|
||||||
wp_send_json( $return );
|
wp_send_json( $return );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* AJAX callback for getting search widget redirect to a proper member directory page.
|
||||||
|
*/
|
||||||
|
public function search_widget_request() {
|
||||||
|
check_ajax_referer( 'um_search_widget_request' );
|
||||||
|
|
||||||
|
if ( ! UM()->options()->get( 'members_page' ) ) {
|
||||||
|
wp_send_json_error( __( 'No members page enabled', 'ultimate-member' ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
$member_directory_ids = array();
|
||||||
|
|
||||||
|
$page_id = UM()->config()->permalinks['members'];
|
||||||
|
if ( ! empty( $page_id ) ) {
|
||||||
|
$member_directory_ids = UM()->member_directory()->get_member_directory_id( $page_id );
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( empty( $member_directory_ids ) ) {
|
||||||
|
wp_send_json_error( __( 'No members page enabled', 'ultimate-member' ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
$url = um_get_predefined_page_url( 'members' );
|
||||||
|
|
||||||
|
$search = isset( $_POST['search'] ) ? sanitize_text_field( $_POST['search'] ) : '';
|
||||||
|
if ( empty( $search ) ) {
|
||||||
|
wp_send_json_success( array( 'url' => $url ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
// Current user priority role
|
||||||
|
$priority_user_role = false;
|
||||||
|
if ( is_user_logged_in() ) {
|
||||||
|
$priority_user_role = UM()->roles()->get_priority_user_role( get_current_user_id() );
|
||||||
|
}
|
||||||
|
|
||||||
|
foreach ( $member_directory_ids as $directory_id ) {
|
||||||
|
$directory_data = UM()->query()->post_data( $directory_id );
|
||||||
|
|
||||||
|
if ( isset( $directory_data['roles_can_search'] ) ) {
|
||||||
|
$directory_data['roles_can_search'] = maybe_unserialize( $directory_data['roles_can_search'] );
|
||||||
|
}
|
||||||
|
|
||||||
|
$show_search = empty( $directory_data['roles_can_search'] ) || ( ! empty( $priority_user_role ) && in_array( $priority_user_role, $directory_data['roles_can_search'], true ) );
|
||||||
|
if ( empty( $directory_data['search'] ) || ! $show_search ) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
$hash = UM()->member_directory()->get_directory_hash( $directory_id );
|
||||||
|
|
||||||
|
$url = add_query_arg( array( 'search_' . $hash => $search ), $url );
|
||||||
|
}
|
||||||
|
|
||||||
|
wp_send_json_success( array( 'url' => $url ) );
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -822,6 +822,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
|
|||||||
* @return array $form
|
* @return array $form
|
||||||
*/
|
*/
|
||||||
public function sanitize( $form ) {
|
public function sanitize( $form ) {
|
||||||
|
$submission_input = $form;
|
||||||
if ( isset( $form['form_id'] ) ) {
|
if ( isset( $form['form_id'] ) ) {
|
||||||
if ( isset( $this->form_data['custom_fields'] ) ) {
|
if ( isset( $this->form_data['custom_fields'] ) ) {
|
||||||
$custom_fields = maybe_unserialize( $this->form_data['custom_fields'] );
|
$custom_fields = maybe_unserialize( $this->form_data['custom_fields'] );
|
||||||
@@ -843,26 +844,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
|
|||||||
if ( ! empty( $field['html'] ) || ( UM()->profile()->get_show_bio_key( $form ) === $k && UM()->options()->get( 'profile_show_html_bio' ) ) ) {
|
if ( ! empty( $field['html'] ) || ( UM()->profile()->get_show_bio_key( $form ) === $k && UM()->options()->get( 'profile_show_html_bio' ) ) ) {
|
||||||
$form[ $k ] = html_entity_decode( $form[ $k ] ); // required because WP_Editor send sometimes encoded content.
|
$form[ $k ] = html_entity_decode( $form[ $k ] ); // required because WP_Editor send sometimes encoded content.
|
||||||
$form[ $k ] = self::maybe_apply_tidy( $form[ $k ], $field );
|
$form[ $k ] = self::maybe_apply_tidy( $form[ $k ], $field );
|
||||||
|
$form[ $k ] = wp_kses( strip_shortcodes( $form[ $k ] ), 'user_description' );
|
||||||
$allowed_html = UM()->get_allowed_html( 'templates' );
|
|
||||||
if ( empty( $allowed_html['iframe'] ) ) {
|
|
||||||
$allowed_html['iframe'] = array(
|
|
||||||
'allow' => true,
|
|
||||||
'frameborder' => true,
|
|
||||||
'loading' => true,
|
|
||||||
'name' => true,
|
|
||||||
'referrerpolicy' => true,
|
|
||||||
'sandbox' => true,
|
|
||||||
'src' => true,
|
|
||||||
'srcdoc' => true,
|
|
||||||
'title' => true,
|
|
||||||
'width' => true,
|
|
||||||
'height' => true,
|
|
||||||
'allowfullscreen' => true,
|
|
||||||
);
|
|
||||||
}
|
|
||||||
$form[ $k ] = wp_kses( strip_shortcodes( $form[ $k ] ), $allowed_html );
|
|
||||||
add_filter( 'wp_kses_allowed_html', array( &$this, 'wp_kses_user_desc' ), 10, 2 );
|
|
||||||
} else {
|
} else {
|
||||||
$form[ $k ] = sanitize_textarea_field( strip_shortcodes( $form[ $k ] ) );
|
$form[ $k ] = sanitize_textarea_field( strip_shortcodes( $form[ $k ] ) );
|
||||||
}
|
}
|
||||||
@@ -983,27 +965,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
|
|||||||
if ( ! empty( $custom_fields[ $description_key ]['html'] ) && $bio_html ) {
|
if ( ! empty( $custom_fields[ $description_key ]['html'] ) && $bio_html ) {
|
||||||
$form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content.
|
$form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content.
|
||||||
$form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], $custom_fields[ $description_key ] );
|
$form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], $custom_fields[ $description_key ] );
|
||||||
|
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), 'user_description' );
|
||||||
$allowed_html = UM()->get_allowed_html( 'templates' );
|
|
||||||
if ( empty( $allowed_html['iframe'] ) ) {
|
|
||||||
$allowed_html['iframe'] = array(
|
|
||||||
'allow' => true,
|
|
||||||
'frameborder' => true,
|
|
||||||
'loading' => true,
|
|
||||||
'name' => true,
|
|
||||||
'referrerpolicy' => true,
|
|
||||||
'sandbox' => true,
|
|
||||||
'src' => true,
|
|
||||||
'srcdoc' => true,
|
|
||||||
'title' => true,
|
|
||||||
'width' => true,
|
|
||||||
'height' => true,
|
|
||||||
'allowfullscreen' => true,
|
|
||||||
);
|
|
||||||
}
|
|
||||||
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), $allowed_html );
|
|
||||||
|
|
||||||
add_filter( 'wp_kses_allowed_html', array( &$this, 'wp_kses_user_desc' ), 10, 2 );
|
|
||||||
} else {
|
} else {
|
||||||
$form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) );
|
$form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) );
|
||||||
}
|
}
|
||||||
@@ -1012,26 +974,9 @@ if ( ! class_exists( 'um\core\Form' ) ) {
|
|||||||
|
|
||||||
if ( ! $field_exists ) {
|
if ( ! $field_exists ) {
|
||||||
if ( $bio_html ) {
|
if ( $bio_html ) {
|
||||||
$allowed_html = UM()->get_allowed_html( 'templates' );
|
$form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content.
|
||||||
if ( empty( $allowed_html['iframe'] ) ) {
|
$form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], array() );
|
||||||
$allowed_html['iframe'] = array(
|
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), 'user_description' );
|
||||||
'allow' => true,
|
|
||||||
'frameborder' => true,
|
|
||||||
'loading' => true,
|
|
||||||
'name' => true,
|
|
||||||
'referrerpolicy' => true,
|
|
||||||
'sandbox' => true,
|
|
||||||
'src' => true,
|
|
||||||
'srcdoc' => true,
|
|
||||||
'title' => true,
|
|
||||||
'width' => true,
|
|
||||||
'height' => true,
|
|
||||||
'allowfullscreen' => true,
|
|
||||||
);
|
|
||||||
}
|
|
||||||
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), $allowed_html );
|
|
||||||
|
|
||||||
add_filter( 'wp_kses_allowed_html', array( &$this, 'wp_kses_user_desc' ), 10, 2 );
|
|
||||||
} else {
|
} else {
|
||||||
$form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) );
|
$form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) );
|
||||||
}
|
}
|
||||||
@@ -1039,31 +984,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return $form;
|
return apply_filters( 'um_sanitize_form_submission', $form, $submission_input );
|
||||||
}
|
|
||||||
|
|
||||||
public function wp_kses_user_desc( $tags, $context ) {
|
|
||||||
if ( 'user_description' === $context || 'pre_user_description' === $context ) {
|
|
||||||
$allowed_html = UM()->get_allowed_html( 'templates' );
|
|
||||||
if ( empty( $allowed_html['iframe'] ) ) {
|
|
||||||
$allowed_html['iframe'] = array(
|
|
||||||
'allow' => true,
|
|
||||||
'frameborder' => true,
|
|
||||||
'loading' => true,
|
|
||||||
'name' => true,
|
|
||||||
'referrerpolicy' => true,
|
|
||||||
'sandbox' => true,
|
|
||||||
'src' => true,
|
|
||||||
'srcdoc' => true,
|
|
||||||
'title' => true,
|
|
||||||
'width' => true,
|
|
||||||
'height' => true,
|
|
||||||
'allowfullscreen' => true,
|
|
||||||
);
|
|
||||||
}
|
|
||||||
$tags = $allowed_html;
|
|
||||||
}
|
|
||||||
return $tags;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
@@ -1370,12 +1370,10 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param array $args
|
|
||||||
* @param string $content
|
|
||||||
*
|
*
|
||||||
* @return string
|
* @return string
|
||||||
*/
|
*/
|
||||||
public function ultimatemember_searchform( $args = array(), $content = '' ) {
|
public function ultimatemember_searchform() {
|
||||||
if ( ! UM()->options()->get( 'members_page' ) ) {
|
if ( ! UM()->options()->get( 'members_page' ) ) {
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
@@ -1391,7 +1389,7 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
|
|||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
//current user priority role
|
// Current user priority role
|
||||||
$priority_user_role = false;
|
$priority_user_role = false;
|
||||||
if ( is_user_logged_in() ) {
|
if ( is_user_logged_in() ) {
|
||||||
$priority_user_role = UM()->roles()->get_priority_user_role( get_current_user_id() );
|
$priority_user_role = UM()->roles()->get_priority_user_role( get_current_user_id() );
|
||||||
@@ -1405,7 +1403,7 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
|
|||||||
$directory_data['roles_can_search'] = maybe_unserialize( $directory_data['roles_can_search'] );
|
$directory_data['roles_can_search'] = maybe_unserialize( $directory_data['roles_can_search'] );
|
||||||
}
|
}
|
||||||
|
|
||||||
$show_search = empty( $directory_data['roles_can_search'] ) || ( ! empty( $priority_user_role ) && in_array( $priority_user_role, $directory_data['roles_can_search'] ) );
|
$show_search = empty( $directory_data['roles_can_search'] ) || ( ! empty( $priority_user_role ) && in_array( $priority_user_role, $directory_data['roles_can_search'], true ) );
|
||||||
if ( empty( $directory_data['search'] ) || ! $show_search ) {
|
if ( empty( $directory_data['search'] ) || ! $show_search ) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
@@ -1419,12 +1417,11 @@ if ( ! class_exists( 'um\core\Shortcodes' ) ) {
|
|||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$query = array_filter( $query );
|
||||||
$search_value = array_values( $query );
|
$search_value = array_values( $query );
|
||||||
|
|
||||||
$t_args = array(
|
$t_args = array(
|
||||||
'query' => $query,
|
'search_value' => ! empty( $search_value ) ? $search_value[0] : '',
|
||||||
'search_value' => $search_value[0],
|
|
||||||
'members_page' => um_get_core_page( 'members' ),
|
|
||||||
);
|
);
|
||||||
return UM()->get_template( 'searchform.php', '', $t_args );
|
return UM()->get_template( 'searchform.php', '', $t_args );
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -462,11 +462,7 @@ function um_members( $argument ) {
|
|||||||
function um_get_search_form() {
|
function um_get_search_form() {
|
||||||
//um_deprecated_function( 'um_get_search_form', '2.1.0', 'do_shortcode( \'[ultimatemember_searchform]\' )' );
|
//um_deprecated_function( 'um_get_search_form', '2.1.0', 'do_shortcode( \'[ultimatemember_searchform]\' )' );
|
||||||
|
|
||||||
if ( version_compare( get_bloginfo('version'),'5.4', '<' ) ) {
|
return apply_shortcodes( '[ultimatemember_searchform]' );
|
||||||
return do_shortcode( '[ultimatemember_searchform]' );
|
|
||||||
} else {
|
|
||||||
return apply_shortcodes( '[ultimatemember_searchform]' );
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -58,12 +58,7 @@ class UM_Search_Widget extends \WP_Widget {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// display the search form
|
// display the search form
|
||||||
if ( version_compare( get_bloginfo('version'),'5.4', '<' ) ) {
|
echo apply_shortcodes( '[ultimatemember_searchform /]' );
|
||||||
echo do_shortcode( '[ultimatemember_searchform /]' );
|
|
||||||
} else {
|
|
||||||
echo apply_shortcodes( '[ultimatemember_searchform /]' );
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
echo $args['after_widget'];
|
echo $args['after_widget'];
|
||||||
}
|
}
|
||||||
|
|||||||
+10
-1
@@ -6,7 +6,7 @@ Tags: community, member, membership, user-profile, user-registration
|
|||||||
Requires PHP: 7.0
|
Requires PHP: 7.0
|
||||||
Requires at least: 6.2
|
Requires at least: 6.2
|
||||||
Tested up to: 6.9
|
Tested up to: 6.9
|
||||||
Stable tag: 2.11.1
|
Stable tag: 2.11.2
|
||||||
License: GPLv3
|
License: GPLv3
|
||||||
License URI: http://www.gnu.org/licenses/gpl-3.0.txt
|
License URI: http://www.gnu.org/licenses/gpl-3.0.txt
|
||||||
|
|
||||||
@@ -167,6 +167,12 @@ No specific extensions are needed. But we highly recommended keep active these P
|
|||||||
|
|
||||||
IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION
|
IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION
|
||||||
|
|
||||||
|
= 2.11.2 2026-01-xx =
|
||||||
|
|
||||||
|
**Bugfixes**
|
||||||
|
|
||||||
|
* Fixed: Security issue CVE ID: CVE-2025-15064. Deprecated ability to use HTML inside the user description.
|
||||||
|
|
||||||
= 2.11.1 2025-12-16 =
|
= 2.11.1 2025-12-16 =
|
||||||
|
|
||||||
**Enhancements**
|
**Enhancements**
|
||||||
@@ -209,6 +215,9 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
|
|||||||
|
|
||||||
== Upgrade Notice ==
|
== Upgrade Notice ==
|
||||||
|
|
||||||
|
= 2.11.2 =
|
||||||
|
This version fixes a security related bug. Upgrade immediately.
|
||||||
|
|
||||||
= 2.11.1 =
|
= 2.11.1 =
|
||||||
This version fixes a security related bug. Upgrade immediately.
|
This version fixes a security related bug. Upgrade immediately.
|
||||||
|
|
||||||
|
|||||||
@@ -6,23 +6,18 @@
|
|||||||
*
|
*
|
||||||
* Call: function ultimatemember_searchform()
|
* Call: function ultimatemember_searchform()
|
||||||
*
|
*
|
||||||
* @version 2.6.1
|
* @version 2.11.2
|
||||||
*
|
*
|
||||||
* @var string $members_page
|
|
||||||
* @var string $search_value
|
* @var string $search_value
|
||||||
* @var array $query
|
|
||||||
*/
|
*/
|
||||||
if ( ! defined( 'ABSPATH' ) ) {
|
if ( ! defined( 'ABSPATH' ) ) {
|
||||||
exit;
|
exit;
|
||||||
} ?>
|
}
|
||||||
|
?>
|
||||||
<div class="search-form um-search-form" data-members_page="<?php echo esc_url( $members_page ); ?>">
|
<div class="um search-form um-search-form" data-nonce="<?php echo esc_attr( wp_create_nonce( 'um_search_widget_request' ) ); ?>">
|
||||||
<?php foreach ( array_keys( $query ) as $key ) { ?>
|
<div class="um-form um-search-area">
|
||||||
<input type="hidden" name="um-search-keys[]" value="<?php echo esc_attr( $key ) ?>" />
|
<span class="screen-reader-text"><?php echo esc_html_x( 'Search for:', 'label', 'ultimate-member' ); ?></span>
|
||||||
<?php } ?>
|
<input type="search" class="um-search-field search-field" placeholder="<?php echo esc_attr_x( 'Search …', 'placeholder', 'ultimate-member' ); ?>" value="<?php echo esc_attr( $search_value ); ?>" name="search" title="<?php echo esc_attr_x( 'Search for:', 'label', 'ultimate-member' ); ?>" />
|
||||||
<div class="um-search-area">
|
<a href="#" id="um-search-button" class="um-search-icon um-faicon um-faicon-search"></a>
|
||||||
<span class="screen-reader-text"><?php echo _x( 'Search for:', 'label' ); ?></span>
|
|
||||||
<input type="search" class="um-search-field search-field" placeholder="<?php echo esc_attr_x( 'Search …', 'placeholder' ); ?>" value="<?php echo esc_attr( $search_value ); ?>" name="search" title="<?php echo esc_attr_x( 'Search for:', 'label' ); ?>" />
|
|
||||||
<a href="javascript:void(0);" id="um-search-button" class="um-search-icon um-faicon um-faicon-search"></a>
|
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|||||||
+2
-2
@@ -3,7 +3,7 @@
|
|||||||
* Plugin Name: Ultimate Member
|
* Plugin Name: Ultimate Member
|
||||||
* Plugin URI: http://ultimatemember.com/
|
* Plugin URI: http://ultimatemember.com/
|
||||||
* Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress
|
* Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress
|
||||||
* Version: 2.11.1
|
* Version: 2.11.2
|
||||||
* Author: Ultimate Member
|
* Author: Ultimate Member
|
||||||
* Author URI: http://ultimatemember.com/
|
* Author URI: http://ultimatemember.com/
|
||||||
* License: GPLv3
|
* License: GPLv3
|
||||||
@@ -34,7 +34,7 @@ define( 'UM_PATH', plugin_dir_path( __FILE__ ) );
|
|||||||
define( 'UM_PLUGIN', plugin_basename( __FILE__ ) );
|
define( 'UM_PLUGIN', plugin_basename( __FILE__ ) );
|
||||||
define( 'UM_VERSION', $plugin_data['Version'] );
|
define( 'UM_VERSION', $plugin_data['Version'] );
|
||||||
define( 'UM_PLUGIN_NAME', $plugin_data['Name'] );
|
define( 'UM_PLUGIN_NAME', $plugin_data['Name'] );
|
||||||
define( 'UM_WP_FUNCTIONS_VERSION', '6.8.0' ); // Updates every major WordPress release.
|
define( 'UM_WP_FUNCTIONS_VERSION', '6.9.0' ); // Updates every major WordPress release.
|
||||||
define( 'UM_LICENSE_REQUEST_DEBUG', false ); // Set true then need to debug the license request.
|
define( 'UM_LICENSE_REQUEST_DEBUG', false ); // Set true then need to debug the license request.
|
||||||
define( 'UM_UPDATER_DEBUG', false ); // Set true then need to debug the upgrade packages.
|
define( 'UM_UPDATER_DEBUG', false ); // Set true then need to debug the upgrade packages.
|
||||||
// define( 'UM_DEV_MODE', true );
|
// define( 'UM_DEV_MODE', true );
|
||||||
|
|||||||
Reference in New Issue
Block a user