* fixed security issue CVE ID: CVE-2025-0308

* fixed security issue CVE ID: CVE-2025-0318
This commit is contained in:
Mykyta Synelnikov
2025-01-08 12:20:35 +02:00
parent 5cefd5ba3a
commit e5fe05503a
2 changed files with 15 additions and 16 deletions
+3 -3
View File
@@ -1727,15 +1727,15 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) {
break;
}
}
return $search;
// Early escape of the search line. The same as `$wpdb->prepare()`.
return esc_sql( $search );
}
/**
* Handle general search line request
*/
public function general_search() {
//general search
// General search
if ( ! empty( $_POST['search'] ) ) {
// complex using with change_meta_sql function
$search = $this->prepare_search( $_POST['search'] );
+12 -13
View File
@@ -933,20 +933,19 @@ function um_submit_form_errors_hook_( $submitted_data, $form_data ) {
} elseif ( ! UM()->validation()->safe_username( $submitted_data[ $key ] ) ) {
UM()->form()->add_error( $key, __( 'Your email contains invalid characters', 'ultimate-member' ) );
}
break;
}
if ( '' === $submitted_data[ $key ] ) {
UM()->form()->add_error( $key, __( 'You must provide your email', 'ultimate-member' ) );
} elseif ( ! is_email( $submitted_data[ $key ] ) || email_exists( $submitted_data[ $key ] ) ) {
UM()->form()->add_error( $key, __( 'The email you entered is incorrect', 'ultimate-member' ) );
} else {
if ( '' !== $submitted_data[ $key ] && ! is_email( $submitted_data[ $key ] ) ) {
UM()->form()->add_error( $key, __( 'The email you entered is incorrect', 'ultimate-member' ) );
} elseif ( '' !== $submitted_data[ $key ] && email_exists( $submitted_data[ $key ] ) ) {
UM()->form()->add_error( $key, __( 'The email you entered is incorrect', 'ultimate-member' ) );
} elseif ( '' !== $submitted_data[ $key ] ) {
$users = get_users( 'meta_value=' . $submitted_data[ $key ] );
foreach ( $users as $user ) {
if ( $user->ID !== $submitted_data['user_id'] ) {
UM()->form()->add_error( $key, __( 'The email you entered is incorrect', 'ultimate-member' ) );
}
// There we have valid and unique user_email. But need to check in usermeta table for other users.
$users = get_users( 'meta_value=' . $submitted_data[ $key ] );
foreach ( $users as $user ) {
if ( $user->ID !== $submitted_data['user_id'] ) {
UM()->form()->add_error( $key, __( 'The email you entered is incorrect', 'ultimate-member' ) );
}
}
}