mirror of
https://github.com/10h30/ultimatemember.git
synced 2026-07-11 18:56:10 +09:00
Merge pull request #1770 from ultimatemember/fix/CVE-2025-13217
Fix: Address CVE-2025-13217 and improve input sanitization
This commit is contained in:
+2
-1
@@ -2,7 +2,8 @@
|
|||||||
|
|
||||||
= 2.11.1 December xx, 2025 =
|
= 2.11.1 December xx, 2025 =
|
||||||
|
|
||||||
Fixed: CVE-2025-14081
|
Fixed: CVE-2025-13217.
|
||||||
|
Fixed: CVE-2025-14081.
|
||||||
|
|
||||||
= 2.11.0 December 02, 2025 =
|
= 2.11.0 December 02, 2025 =
|
||||||
|
|
||||||
|
|||||||
@@ -76,15 +76,15 @@ function um_profile_field_filter_hook__youtube_video( $value, $data ) {
|
|||||||
}
|
}
|
||||||
$value = ( strstr( $value, 'http' ) || strstr( $value, '://' ) ) ? um_youtube_id_from_url( $value ) : $value;
|
$value = ( strstr( $value, 'http' ) || strstr( $value, '://' ) ) ? um_youtube_id_from_url( $value ) : $value;
|
||||||
if ( false !== $value ) {
|
if ( false !== $value ) {
|
||||||
|
$value = 'https://www.youtube.com/embed/' . $value;
|
||||||
$value = '<div class="um-youtube">'
|
$value = '<div class="um-youtube">'
|
||||||
. '<iframe width="600" height="450" src="https://www.youtube.com/embed/' . $value . '" frameborder="0" allowfullscreen></iframe>'
|
. '<iframe width="600" height="450" src="' . esc_url( $value ) . '" frameborder="0" allowfullscreen></iframe>'
|
||||||
. '</div>';
|
. '</div>';
|
||||||
}
|
}
|
||||||
return $value;
|
return $value;
|
||||||
}
|
}
|
||||||
add_filter( 'um_profile_field_filter_hook__youtube_video', 'um_profile_field_filter_hook__youtube_video', 99, 2 );
|
add_filter( 'um_profile_field_filter_hook__youtube_video', 'um_profile_field_filter_hook__youtube_video', 99, 2 );
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Outputs a spotify iframe
|
* Outputs a spotify iframe
|
||||||
*
|
*
|
||||||
@@ -127,8 +127,9 @@ function um_profile_field_filter_hook__vimeo_video( $value, $data ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$value = ! is_numeric( $value ) ? (int) substr( parse_url( $value, PHP_URL_PATH ), 1 ) : $value;
|
$value = ! is_numeric( $value ) ? (int) substr( parse_url( $value, PHP_URL_PATH ), 1 ) : $value;
|
||||||
|
$value = 'https://player.vimeo.com/video/' . $value;
|
||||||
$value = '<div class="um-vimeo">
|
$value = '<div class="um-vimeo">
|
||||||
<iframe src="https://player.vimeo.com/video/' . $value . '" width="600" height="450" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>
|
<iframe src="' . esc_url( $value ) . '" width="600" height="450" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>
|
||||||
</div>';
|
</div>';
|
||||||
return $value;
|
return $value;
|
||||||
}
|
}
|
||||||
@@ -199,14 +200,14 @@ function um_profile_field_filter_hook__googlemap( $value, $data ) {
|
|||||||
if ( ! $value ) {
|
if ( ! $value ) {
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
$value = 'https://maps.google.it/maps?q=' . urlencode( $value ) . '&output=embed';
|
||||||
$value = '<div class="um-googlemap">
|
$value = '<div class="um-googlemap">
|
||||||
<iframe width="600" height="450" frameborder="0" style="border:0" src="https://maps.google.it/maps?q=' . urlencode( $value ) . '&output=embed"></iframe>
|
<iframe width="600" height="450" frameborder="0" style="border:0" src="' . esc_url( $value ) . '"></iframe>
|
||||||
</div>';
|
</div>';
|
||||||
return $value;
|
return $value;
|
||||||
}
|
}
|
||||||
add_filter( 'um_profile_field_filter_hook__googlemap', 'um_profile_field_filter_hook__googlemap', 99, 2 );
|
add_filter( 'um_profile_field_filter_hook__googlemap', 'um_profile_field_filter_hook__googlemap', 99, 2 );
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* User's registration date
|
* User's registration date
|
||||||
*
|
*
|
||||||
|
|||||||
@@ -171,6 +171,7 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
|
|||||||
|
|
||||||
**Bugfixes**
|
**Bugfixes**
|
||||||
|
|
||||||
|
* Fixed: CVE-2025-13217.
|
||||||
* Fixed: CVE-2025-14081.
|
* Fixed: CVE-2025-14081.
|
||||||
* Fixed: CVE-2025-12492.
|
* Fixed: CVE-2025-12492.
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user