CVE 2024 2765 #1491

Merged
merged 1 commit into from Apr 2, 2024
Merged
2 changes: 1 addition & 1 deletion includes/admin/class-secure.php
Expand Up @@ -331,7 +331,7 @@ public function add_restore_account( $val, $column_name, $user_id ) {
$val .= '<div><small>' . esc_html__( 'Blocked Due to Suspicious Activity', 'ultimate-member' ) . '</small></div>';
$nonce = wp_create_nonce( 'um-security-restore-account-nonce-' . $user_id );
$restore_account_url = admin_url( 'users.php?user_id=' . $user_id . '&um_secure_restore_account=1&_wpnonce=' . $nonce );
$action = ' &#183; <a href=" ' . esc_attr( $restore_account_url ) . ' " onclick=\'return confirm("' . esc_js( __( 'Are you sure that you want to restore this account after getting flagged for suspicious activity?', 'ultimate-member' ) ) . '");\'><small>' . esc_html__( 'Restore Account', 'ultimate-member' ) . '</small></a>';
$action = ' &#183; <a href=" ' . esc_url( $restore_account_url ) . ' " onclick=\'return confirm("' . esc_js( __( 'Are you sure that you want to restore this account after getting flagged for suspicious activity?', 'ultimate-member' ) ) . '");\'><small>' . esc_html__( 'Restore Account', 'ultimate-member' ) . '</small></a>';
if ( ! empty( $datetime ) ) {
$val .= '<div><small>' . human_time_diff( strtotime( $datetime ) ) . ' ' . __( 'ago', 'ultimate-member' ) . '</small>' . $action . '</div>';
}
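Review bot: The href on the new line still wraps the URL in literal spaces (`href=" ' . esc_url( $restore_account_url ) . ' "`), so the attribute value is emitted with leading and trailing whitespace; browsers tolerate it, but it is a stray artifact worth dropping while the line is touched: `' &#183; <a href="' . esc_url( $restore_account_url ) . '" onclick=...`. The nonce is also hand-concatenated onto the query string on the line above; `wp_nonce_url( admin_url( 'users.php?user_id=' . $user_id . '&um_secure_restore_account=1' ), 'um-security-restore-account-nonce-' . $user_id )` builds the same link with the escaping handled in one place. add_restore_account begins and ends outside the hunk.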
2 changes: 1 addition & 1 deletion includes/admin/core/class-admin-users.php
Expand Up @@ -274,7 +274,7 @@ public function get_bulk_admin_actions() {
public function user_row_actions( $actions, $user_object ) {
$user_id = $user_object->ID;

$actions['frontend_profile'] = '<a href="' . um_user_profile_url( $user_id ) . '">' . __( 'View profile', 'ultimate-member' ) . '</a>';
$actions['frontend_profile'] = '<a href="' . esc_url( um_user_profile_url( $user_id ) ) . '">' . __( 'View profile', 'ultimate-member' ) . '</a>';

$submitted = get_user_meta( $user_id, 'submitted', true );
if ( ! empty( $submitted ) ) {
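Review bot: The anchor text on the new line still goes through `__()` rather than `esc_html__()`, which every other anchor rewritten in this PR uses; translation strings are trusted in practice, but a hardening commit is the natural place to make the line consistent. Suggest `'">' . esc_html__( 'View profile', 'ultimate-member' ) . '</a>'`. user_row_actions continues past the hunk.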
10 changes: 5 additions & 5 deletions includes/ajax/class-secure.php
Expand Up @@ -284,7 +284,7 @@ public function scan_recommendations() {
if ( $suspicious_accounts_count > 0 ) {
$lock_register_forms_url = admin_url( 'admin.php?page=um_options&tab=advanced&section=secure&um_secure_lock_register_forms=1&_wpnonce=' . wp_create_nonce( 'um_secure_lock_register_forms' ) );
$content .= $br . esc_html__( '1. Please temporarily lock all your active Register forms.', 'ultimate-member' );
$content .= ' <a href="' . esc_attr( $lock_register_forms_url ) . '" target="_blank">' . esc_html__( 'Click here to lock them now.', 'ultimate-member' ) . '</a>';
$content .= ' <a href="' . esc_url( $lock_register_forms_url ) . '" target="_blank">' . esc_html__( 'Click here to lock them now.', 'ultimate-member' ) . '</a>';
$content .= ' ' . esc_html__( 'You can unblock the Register forms later. Just go to Ultimate Member > Settings > Advanced > Security and uncheck the option "Lock All Register Forms".', 'ultimate-member' );
$content .= $br . $br;
$suspicious_accounts_url = admin_url( 'users.php?um_status=inactive' );
Expand All @@ -300,24 +300,24 @@ public function scan_recommendations() {
}

$content .= esc_html__( '2. Review all suspicious accounts and delete them completely.', 'ultimate-member' );
$content .= ' <a href="' . esc_attr( $suspicious_accounts_url ) . '" target="_blank">' . esc_html__( 'Click here to review accounts.', 'ultimate-member' ) . '</a>';
$content .= ' <a href="' . esc_url( $suspicious_accounts_url ) . '" target="_blank">' . esc_html__( 'Click here to review accounts.', 'ultimate-member' ) . '</a>';
$content .= $br . $br;

$nonce = wp_create_nonce( 'um-secure-expire-session-nonce' );
$destroy_all_sessions_url = admin_url( '?um_secure_expire_all_sessions=1&_wpnonce=' . esc_attr( $nonce ) . '&except_me=1' );
$content .= esc_html__( '3. If accounts are suspicious to you, please destroy all user sessions to logout active users on your site.', 'ultimate-member' );
$content .= ' <a href="' . esc_attr( $destroy_all_sessions_url ) . '" target="_blank">' . esc_html__( 'Click here to Destroy Sessions now', 'ultimate-member' ) . '</a>';
$content .= ' <a href="' . esc_url( $destroy_all_sessions_url ) . '" target="_blank">' . esc_html__( 'Click here to Destroy Sessions now', 'ultimate-member' ) . '</a>';

$content .= $br . $br;
$content .= esc_html__( '4. Run a complete scan on your site using third-party Security plugins such as', 'ultimate-member' );
$content .= ' <a target="_blank" href="' . esc_attr( admin_url( 'plugin-install.php?s=Jetpack%2520Protect%2520WP%2520Scan&tab=search&type=term' ) ) . '">' . esc_html__( 'WPScan/Jetpack Protect or WordFence Security', 'ultimate-member' ) . '</a>.';
$content .= ' <a target="_blank" href="' . esc_url( admin_url( 'plugin-install.php?s=Jetpack%2520Protect%2520WP%2520Scan&tab=search&type=term' ) ) . '">' . esc_html__( 'WPScan/Jetpack Protect or WordFence Security', 'ultimate-member' ) . '</a>.';

$content .= $br . $br;
$nonce = wp_create_nonce( 'um-secure-enable-reset-pass-nonce' );
$reset_pass_sessions_url = admin_url( '?um_secure_enable_reset_password=1&_wpnonce=' . esc_attr( $nonce ) . '&except_me=1' );

$content .= esc_html__( '5. Force users to Reset their Passwords.', 'ultimate-member' );
$content .= ' <a target="_blank" href="' . esc_attr( $reset_pass_sessions_url ) . '">' . esc_html__( 'Click here to enable this option', 'ultimate-member' ) . '</a>.';
$content .= ' <a target="_blank" href="' . esc_url( $reset_pass_sessions_url ) . '">' . esc_html__( 'Click here to enable this option', 'ultimate-member' ) . '</a>.';
$content .= ' ' . esc_html__( 'When this option is enabled, users will be asked to reset their passwords(one-time) on the next login in the UM Login form.', 'ultimate-member' );
$content .= $br . $br;

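Review bot: The destroy-sessions and reset-password URLs on the unchanged lines (`admin_url( '?um_secure_expire_all_sessions=1&_wpnonce=' . esc_attr( $nonce ) . '&except_me=1' )` and the matching reset-pass line) run the nonce through esc_attr() while it is still a query value and then through esc_url() again on the new lines; a nonce is alphanumeric so the double pass is harmless, but esc_attr() is the wrong layer for building a URL. `wp_nonce_url( admin_url( '?um_secure_expire_all_sessions=1&except_me=1' ), 'um-secure-expire-session-nonce' )` yields the same link with a single escaping step, and the lock-register-forms URL at the top of the first hunk can be built the same way. scan_recommendations starts and ends outside the hunks.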
2 changes: 1 addition & 1 deletion includes/core/class-external-integrations.php
Expand Up @@ -604,7 +604,7 @@ function get_status_html( $template, $code ) {
*/
function render_status_icon( $link, $text, $img ) {

$icon_html = '<a href="' . $link . '" title="' . $text . '">';
$icon_html = '<a href="' . esc_url( $link ) . '" title="' . esc_attr( $text ) . '">';
$icon_html .= '<img style="padding:1px;margin:2px;" border="0" src="'
. ICL_PLUGIN_URL . '/res/img/'
. $img . '" alt="'
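Review bot: The src attribute assembled on the lines directly after the changed one (`. ICL_PLUGIN_URL . '/res/img/' . $img . '" alt="'`) is still plain concatenation, so this change only covers the href and title of the tag; wrapping the whole value, `esc_url( ICL_PLUGIN_URL . '/res/img/' . $img )`, or at least `esc_attr( $img )`, would make the element consistently escaped. Whether $img can ever carry untrusted input cannot be told from here, and the alt attribute that follows is cut off by the hunk, so it should be checked as well. render_status_icon continues past the hunk.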
2 changes: 1 addition & 1 deletion includes/core/class-fields.php
Expand Up @@ -3092,7 +3092,7 @@ public function edit_field( $key, $data, $rule = false, $args = array() ) {
$fonticon = UM()->files()->get_fonticon_by_ext( $file_type['ext'] );

$output .= '<div class="um-single-fileinfo">';
$output .= '<a href="' . esc_attr( $file_url ) . '" target="_blank">';
$output .= '<a href="' . esc_url( $file_url ) . '" target="_blank">';
$output .= '<span class="icon" style="background:' . esc_attr( $fonticon_bg ) . '"><i class="' . esc_attr( $fonticon ) . '"></i></span>';
$output .= '<span class="filename">' . esc_html( $file_field_name ) . '</span>';
$output .= '</a></div></div>';
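Review bot: On the line after the change, `$fonticon_bg` is dropped into a style attribute with esc_attr(), which prevents breaking out of the attribute but does not constrain the value to a CSS colour; if get_fonticon_bg_by_ext() returns a hex colour (it appears to, but the hunk does not show it), a shape check such as `preg_match( '/^#[0-9a-fA-F]{3,6}$/', $fonticon_bg )` before output would keep the style attribute inert regardless of where the value originates. This is a follow-up rather than part of the CVE fix. edit_field begins and ends outside the hunk.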
2 changes: 1 addition & 1 deletion includes/core/um-actions-account.php
Expand Up @@ -612,7 +612,7 @@ function um_after_account_privacy( $args ) {
$exports_url = wp_privacy_exports_url();

echo '<p>' . esc_html__( 'You could download your previous data:', 'ultimate-member' ) . '</p>';
echo '<a href="' . esc_attr( $exports_url . get_post_meta( $completed['ID'], '_export_file_name', true ) ) . '">' . esc_html__( 'Download Personal Data', 'ultimate-member' ) . '</a>';
echo '<a href="' . esc_url( $exports_url . get_post_meta( $completed['ID'], '_export_file_name', true ) ) . '">' . esc_html__( 'Download Personal Data', 'ultimate-member' ) . '</a>';
echo '<p>' . esc_html__( 'You could send a new request for an export of personal your data.', 'ultimate-member' ) . '</p>';

}
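Review bot: The new line concatenates `get_post_meta( $completed['ID'], '_export_file_name', true )` straight onto the exports URL, and get_post_meta() returns an empty string when the key is absent, so the link then points at the exports directory rather than a file; reading it into a variable first, `$file = get_post_meta( $completed['ID'], '_export_file_name', true );`, and emitting the anchor only when `'' !== $file` avoids a dead download link. esc_url() also does not percent-encode a path segment, so `rawurlencode( $file )` is worth considering if export file names can contain characters outside the URL-safe set. um_after_account_privacy begins outside the hunk.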
37 changes: 19 additions & 18 deletions includes/core/um-filters-commenting.php
@@ -1,37 +1,38 @@
<?php if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly

<?php
if ( ! defined( 'ABSPATH' ) ) {
exit;
}

/**
* Control comment author display
* Control comment author display.
*
* @param $return
* @param $author
* @param $comment_ID
* @param string $return The HTML-formatted comment author link.
* @param string $author The comment author's username.
* @param string $comment_id The comment ID as a numeric string.
*
* @return string
*/
function um_comment_link_to_profile( $return, $author, $comment_ID ) {
function um_comment_link_to_profile( $return, $author, $comment_id ) {
$comment = get_comment( $comment_id );

$comment = get_comment( $comment_ID );

if( isset( $comment->user_id ) && ! empty( $comment->user_id ) ){
if ( ! empty( $comment->user_id ) ) {
if ( isset( UM()->user()->cached_user[ $comment->user_id ] ) && UM()->user()->cached_user[ $comment->user_id ] ) {

$return = '<a href="'. UM()->user()->cached_user[$comment->user_id]['url'] . '">' . UM()->user()->cached_user[$comment->user_id]['name'] . '</a>';

$return = '<a href="' . esc_url( UM()->user()->cached_user[ $comment->user_id ]['url'] ) . '">' . UM()->user()->cached_user[ $comment->user_id ]['name'] . '</a>';
} else {

um_fetch_user( $comment->user_id );

UM()->user()->cached_user[ $comment->user_id ] = array('url' => um_user_profile_url(), 'name' => um_user('display_name') );
$return = '<a href="'. UM()->user()->cached_user[$comment->user_id]['url'] . '">' . UM()->user()->cached_user[$comment->user_id]['name'] . '</a>';
UM()->user()->cached_user[ $comment->user_id ] = array(
'url' => um_user_profile_url(),
'name' => um_user( 'display_name' ),
);

um_reset_user();
$return = '<a href="' . esc_url( UM()->user()->cached_user[ $comment->user_id ]['url'] ) . '">' . UM()->user()->cached_user[ $comment->user_id ]['name'] . '</a>';

um_reset_user();
}
}

return $return;
}

add_filter('get_comment_author_link', 'um_comment_link_to_profile', 10000, 3 );
add_filter( 'get_comment_author_link', 'um_comment_link_to_profile', 10000, 3 );
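Review bot: Both rebuilt anchor lines (`'<a href="' . esc_url( UM()->user()->cached_user[ $comment->user_id ]['url'] ) . '">' . UM()->user()->cached_user[ $comment->user_id ]['name'] . '</a>'`) escape the href but still concatenate the cached `name` — populated a few lines below from `um_user( 'display_name' )` — into the markup unescaped. Display names are user-editable, so unless kses-on-save is being relied upon, `esc_html( UM()->user()->cached_user[ $comment->user_id ]['name'] )` keeps the element consistent with the href hardening this commit makes. The same escaped expression should be used in both branches so the cached and freshly fetched paths render identically. The whole file is in the hunk, so um_comment_link_to_profile is complete here.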
26 changes: 14 additions & 12 deletions includes/core/um-filters-fields.php
Expand Up @@ -114,7 +114,7 @@ function um_profile_field_filter_hook__youtube_video( $value, $data ) {
function um_profile_field_filter_hook__spotify( $value, $data ) {
if ( preg_match( '/https:\/\/open.spotify.com\/.*/', $value ) ) {
if ( false !== strpos( $value, '/user/' ) ) {
$value = '<a href="' . esc_attr( $value ) . '" target="_blank">' . esc_html( $value ) . '</a>';
$value = '<a href="' . esc_url( $value ) . '" target="_blank">' . esc_html( $value ) . '</a>';
} else {
$url = str_replace( 'open.spotify.com/', 'open.spotify.com/embed/', $value );

Expand Down Expand Up @@ -162,12 +162,10 @@ function um_profile_field_filter_hook__vimeo_video( $value, $data ) {
* @return int|string
*/
function um_profile_field_filter_hook__phone( $value, $data ) {
$value = '<a href="tel:' . esc_attr( $value ) . '" rel="nofollow" title="' . esc_attr( $data['title'] ) . '">' . esc_html( $value ) . '</a>';
$value = '<a href="' . esc_url( 'tel:' . $value ) . '" rel="nofollow" title="' . esc_attr( $data['title'] ) . '">' . esc_html( $value ) . '</a>';
return $value;
}
add_filter( 'um_profile_field_filter_hook__phone_number', 'um_profile_field_filter_hook__phone', 99, 2 );
add_filter( 'um_profile_field_filter_hook__mobile_number', 'um_profile_field_filter_hook__phone', 99, 2 );

add_filter( 'um_profile_field_filter_hook__tel', 'um_profile_field_filter_hook__phone', 99, 2 );

/**
* Outputs a viber link
Expand All @@ -178,8 +176,9 @@ function um_profile_field_filter_hook__phone( $value, $data ) {
* @return int|string
*/
function um_profile_field_filter_hook__viber( $value, $data ) {
$value = str_replace('+', '', $value);
$value = '<a href="viber://chat?number=%2B' . esc_attr( $value ) . '" target="_blank" rel="nofollow" title="' . esc_attr( $data['title'] ) . '">' . esc_html( $value ) . '</a>';
$value = str_replace( '+', '', $value );
$url = 'viber://chat?number=%2B' . $value;
$value = '<a href="' . esc_url( $url, array( 'viber' ) ) . '" target="_blank" rel="nofollow" title="' . esc_attr( $data['title'] ) . '">' . esc_html( $value ) . '</a>';
return $value;
}
add_filter( 'um_profile_field_filter_hook__viber', 'um_profile_field_filter_hook__viber', 99, 2 );
Expand All @@ -194,8 +193,9 @@ function um_profile_field_filter_hook__viber( $value, $data ) {
* @return int|string
*/
function um_profile_field_filter_hook__whatsapp( $value, $data ) {
$value = str_replace('+', '', $value);
$value = '<a href="https://api.whatsapp.com/send?phone=' . esc_attr( $value ) . '" target="_blank" rel="nofollow" title="' . esc_attr( $data['title'] ) . '">' . esc_html( $value ) . '</a>';
$value = str_replace( '+', '', $value );
$url = add_query_arg( array( 'phone' => $value ), 'https://api.whatsapp.com/send' );
$value = '<a href="' . esc_url( $url ) . '" target="_blank" rel="nofollow" title="' . esc_attr( $data['title'] ) . '">' . esc_html( $value ) . '</a>';
return $value;
}
add_filter( 'um_profile_field_filter_hook__whatsapp', 'um_profile_field_filter_hook__whatsapp', 99, 2 );
Expand Down Expand Up @@ -391,7 +391,7 @@ function um_profile_field_filter_hook__file( $value, $data ) {
}
$value = '<div class="um-single-file-preview show">
<div class="um-single-fileinfo">
<a href="' . esc_attr( $uri ) . '" target="_blank">
<a href="' . esc_url( $uri ) . '" target="_blank">
<span class="icon" style="background:'. UM()->files()->get_fonticon_bg_by_ext( $file_type['ext'] ) . '"><i class="'. UM()->files()->get_fonticon_by_ext( $file_type['ext'] ) .'"></i></span>
<span class="filename">' . esc_attr( $value ) . '</span>
</a>
Expand Down Expand Up @@ -465,11 +465,13 @@ function um_profile_field_filter_hook__( $value, $data, $type = '' ) {
$url_rel = ( isset( $data['url_rel'] ) && 'nofollow' === $data['url_rel'] ) ? 'rel="nofollow"' : '';
$data['url_target'] = ( isset( $data['url_target'] ) ) ? $data['url_target'] : '_blank';

$protocols = wp_allowed_protocols();
if ( false === strstr( $value, 'join.skype.com' ) ) {
$value = 'skype:' . $value . '?chat';
$protocols[] = 'skype';
}

$value = '<a href="' . esc_attr( $value ) . '" title="' . esc_attr( $alt ) . '" target="' . esc_attr( $data['url_target'] ) . '" ' . $url_rel . '>' . esc_html( $alt ) . '</a>';
$value = '<a href="' . esc_url( $value, $protocols ) . '" title="' . esc_attr( $alt ) . '" target="' . esc_attr( $data['url_target'] ) . '" ' . $url_rel . '>' . esc_html( $alt ) . '</a>';
} else {
// check $value is oEmbed
if ( 'oembed' === $data['type'] ) {
Expand Down Expand Up @@ -545,7 +547,7 @@ function um_profile_field_filter_hook__( $value, $data, $type = '' ) {

if ( ! is_array( $value ) ) {
if ( is_email( $value ) ) {
$value = '<a href="mailto:' . $value . '" title="' . $value . '">' . $value . '</a>';
$value = '<a href="' . esc_url( 'mailto:' . $value ) . '" title="' . $value . '">' . $value . '</a>';
}
} else {
$value = implode( ', ', $value );
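Review bot: In the last hunk the mailto link still interpolates `$value` raw into the title attribute and the link text (`'" title="' . $value . '">' . $value . '</a>'`); is_email() narrows the character set enough that this is not exploitable as written, but the line depends on the validator rather than on output escaping, and would become unsafe if the email check were ever relaxed. Suggest `'" title="' . esc_attr( $value ) . '">' . esc_html( $value ) . '</a>'`. In the file-preview hunk the fonticon background and class from UM()->files() are likewise still concatenated unescaped into the style and class attributes, and `esc_attr( $value )` is used for the visible filename where esc_html() is the matching context. um_profile_field_filter_hook__ starts and ends outside the hunks.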
2 changes: 1 addition & 1 deletion includes/um-short-functions.php
Expand Up @@ -870,7 +870,7 @@ function um_user_submited_display( $k, $title, $data = array(), $style = true )
}

if ( ! empty( $filedata['original_name'] ) ) {
$v = '<a class="um-preview-upload" target="_blank" href="' . esc_attr( $baseurl . um_user( 'ID' ) . '/' . $file ) . '">' . esc_html( $filedata['original_name'] ) . '</a>';
$v = '<a class="um-preview-upload" target="_blank" href="' . esc_url( $baseurl . um_user( 'ID' ) . '/' . $file ) . '">' . esc_html( $filedata['original_name'] ) . '</a>';
} else {
$v = $baseurl . um_user( 'ID' ) . '/' . $file;
}
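Review bot: The else branch right after the changed line (`$v = $baseurl . um_user( 'ID' ) . '/' . $file;`) still assigns the raw URL with no escaping, so whether that value is safe depends entirely on how the caller outputs $v, which lies outside the hunk; if it is echoed as-is it needs the same treatment, `$v = esc_url( $baseurl . um_user( 'ID' ) . '/' . $file );`. `$file` is also placed into the path unencoded in both branches, so `rawurlencode( $file )` would be worth adding unless the stored filename is already sanitized upstream. um_user_submited_display starts and ends outside the hunk.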