Merge pull request #1770 from ultimatemember/fix/CVE-2025-13217

Fix: Address CVE-2025-13217 and improve input sanitization
This commit is contained in:
Mykyta Synelnikov
2025-12-16 17:12:17 +02:00
committed by GitHub
3 changed files with 9 additions and 6 deletions
+2 -1
View File
@@ -2,7 +2,8 @@
= 2.11.1 December xx, 2025 =
Fixed: CVE-2025-14081
Fixed: CVE-2025-13217.
Fixed: CVE-2025-14081.
= 2.11.0 December 02, 2025 =
+6 -5
View File
@@ -76,15 +76,15 @@ function um_profile_field_filter_hook__youtube_video( $value, $data ) {
}
$value = ( strstr( $value, 'http' ) || strstr( $value, '://' ) ) ? um_youtube_id_from_url( $value ) : $value;
if ( false !== $value ) {
$value = 'https://www.youtube.com/embed/' . $value;
$value = '<div class="um-youtube">'
. '<iframe width="600" height="450" src="https://www.youtube.com/embed/' . $value . '" frameborder="0" allowfullscreen></iframe>'
. '<iframe width="600" height="450" src="' . esc_url( $value ) . '" frameborder="0" allowfullscreen></iframe>'
. '</div>';
}
return $value;
}
add_filter( 'um_profile_field_filter_hook__youtube_video', 'um_profile_field_filter_hook__youtube_video', 99, 2 );
/**
* Outputs a spotify iframe
*
@@ -127,8 +127,9 @@ function um_profile_field_filter_hook__vimeo_video( $value, $data ) {
}
$value = ! is_numeric( $value ) ? (int) substr( parse_url( $value, PHP_URL_PATH ), 1 ) : $value;
$value = 'https://player.vimeo.com/video/' . $value;
$value = '<div class="um-vimeo">
<iframe src="https://player.vimeo.com/video/' . $value . '" width="600" height="450" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>
<iframe src="' . esc_url( $value ) . '" width="600" height="450" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>
</div>';
return $value;
}
@@ -199,14 +200,14 @@ function um_profile_field_filter_hook__googlemap( $value, $data ) {
if ( ! $value ) {
return '';
}
$value = 'https://maps.google.it/maps?q=' . urlencode( $value ) . '&output=embed';
$value = '<div class="um-googlemap">
<iframe width="600" height="450" frameborder="0" style="border:0" src="https://maps.google.it/maps?q=' . urlencode( $value ) . '&output=embed"></iframe>
<iframe width="600" height="450" frameborder="0" style="border:0" src="' . esc_url( $value ) . '"></iframe>
</div>';
return $value;
}
add_filter( 'um_profile_field_filter_hook__googlemap', 'um_profile_field_filter_hook__googlemap', 99, 2 );
/**
* User's registration date
*
+1
View File
@@ -171,6 +171,7 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
**Bugfixes**
* Fixed: CVE-2025-13217.
* Fixed: CVE-2025-14081.
* Fixed: CVE-2025-12492.