Ultimate Member Core Plugin

Ultimate Member Core Plugin 2.11.2 Nulled

* Enhancements:

- Added: Server-side validation when the Search Form is submitted.
- Added: Action hook `um_approve_user_on_email_confirmation` to natively approve the user after validating the email activation link.
- Added: JS filter wp.hook `um_member_directory_popstate_ignore` to stop window.pushState in the member directory for 3rd-party integrations.

* Bugfixes:

- Fixed: Security issue, CVE ID: CVE-2025-15064. Deprecated the ability to use HTML inside the user description. It's still allowed to use only predefined 'user_description' tags in `wp_kses()`.
- Fixed: Security issue, CVE ID: CVE-2026-1404. Modified template item formatting to avoid using HTML characters in the filter values.
- Fixed: Profile photo dropdown menu position for screens smaller than 340px.
- Fixed: Display of the saved value of the "Privacy Options" > "Allowed roles" setting for the member directory.
- Fixed: Information in Site-Health about the registration form's `Template` and `Role` settings.
- Fixed: Information in Site-Health about the login and profile form's `Template` settings.

* Templates Requiring Update:

- members.php
- searchform.php

* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *

* Enhancements:

- Added: 'Privacy Options' for Member Directory. 'Who can see this member directory' and 'Allowed Roles'.
- Added: 'Rate Limit' setting for nopriv AJAX actions.

* Bugfixes:

- Fixed: Security issue CVE ID: CVE-2025-13220. Used `shortcode_atts()` function to avoid using wrong attributes.
- Fixed: Security issue CVE ID: CVE-2025-13217. Implemented proper input sanitization and escaping for iframe URLs in YouTube, Vimeo, and Google Maps embeds.
- Fixed: Security issue CVE ID: CVE-2025-14081. Filtering fields based on user permissions during Account form submission.
- Fixed: Security issue CVE ID: CVE-2025-12492. Added directory privacy settings and added rate limiting.

* Templates required update:

- members.php
- members-grid.php
- members-list.php

* Enhancements:

- Added: Extra condition for checking the license activation requests.
- Added: 2nd `$args` attribute to the action hook 'um_cover_area_content'.
- Added: `$args` and `$user_id` attributes to the action hook 'um_after_profile_header_name'.
- Added: Class `um-profile-subnav-{$subnav_id}-link` to the sub navigation links in the User Profile page.
- Tweak: Updated `Extensions_Updater` class to use Action Scheduler in the upgrade process of the UM extensions.

* Bugfixes:

- Fixed: User profile links in the comments section on the frontend when the `$comment->user_id` is empty.
- Fixed: The `emotize` function regexp for better emoji conversion.
- Fixed: The conflict between the image uploader and lazy-loading attribute added by 3rd-party plugins.
- Fixed: PHP warnings for roles without meta data.
- Fixed: Typo in labels.

* Enhancements:

- Added: Avoid caching of the UM Forms on mobile devices by adding nocache headers to the screens with UM Forms.
- Added: Filter hook `um_get_empty_status_users_query_result` for changing the default query on different websites to optimize it.
- Added: Filter hook `um_admin_settings_get_pages_list_args` for changing WP_Query arguments for getting pages visible in the dropdown fields in UM Settings.
- Added: JS filter hook `um_admin_blocks_prefixes_excluded` for excluding 3rd-party Gutenberg blocks with predefined prefixes from UM restriction arguments.
- Added: WebP file-extension support for UM uploader.
- Added: `UM_LICENSE_REQUEST_DEBUG` constant for debugging license activation process when it's needed.
- Added: `Extensions_Updater` class to standardize the upgrade process in UM extensions.
- Added: Sanitize handlers `sanitize_array_key_int` and `sanitize_array_key` for sanitizing UM extensions' settings.

* Bugfixes:

- Fixed: Changed the view and the edit user profile links in the comments section on the frontend.
- Fixed: `Contains` conditional logic operand when value is array.
- Fixed: Getting cover_size for displaying it in the member directory card.
- Fixed: Filter's range for numeric-type fields to avoid getting the empty values.
- Fixed: Integer validation for the 'start_of_week' WP native setting.
- Fixed: Dependencies with Action Scheduler library.

* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *

* Enhancements:

- Added: Filter hook [`um_password_reset_form_primary_btn_classes`](https://ultimatemember.github.io/ultimatemember/hooks/um_password_reset_form_primary_btn_classes.html) for primary button classes in UM Password Reset form.
- Added: Filter hook [`um_login_form_primary_btn_classes`](https://ultimatemember.github.io/ultimatemember/hooks/um_login_form_primary_btn_classes.html) for primary button classes in UM Login form.
- Added: Filter hook [`um_register_form_primary_btn_classes`](https://ultimatemember.github.io/ultimatemember/hooks/um_register_form_primary_btn_classes.html) for primary button classes in UM Registration form.
- Tweak: Refactored Site Health data, added hooks for 3rd-party integration.
- Tweak: Avoid using `um_user( 'password_reset_link' )`; call `UM()->password()->reset_url( $user_id )` directly to get a proper reset URL.
- Tweak: Avoid using `um_user( 'account_activation_link' )`; call `UM()->permalinks()->activate_url( $user_id )` directly to get a proper activation URL.

* Bugfixes:

- Fixed: Stripped shortcodes in the user data during the Account, Registration and Profile forms submission. (Thanks to [MissVeronica](https://github.com/MissVeronica))
- Fixed: Email placeholders values.
- Fixed: Refactor deactivation logic to un-schedule Action Scheduler actions.
- Fixed: Action Scheduler library errors. Updated to the recent 3.9.2 version.
- Fixed: Secondary email field validation.
- Fixed: Action Scheduler batch actions with users who have Undefined status.
- Fixed: Restrictions for 3rd-party Gutenberg Blocks.
- Fixed: Date/time picker filter-types range query on Member Directories.
- Fixed: Renamed "Macedonia, the former Yugoslav Republic of" to the official "North Macedonia".

* Deprecated:

- Fully deprecated `account_activation_link_tags_patterns( $placeholders )` function. It was not used previously. Email function arguments are used instead.
- Fully deprecated `account_activation_link_tags_replaces( $replace_placeholders )` function. It was not used previously. Email function arguments are used instead.
- Fully deprecated `UM()->profile()->add_placeholder()` function. Email function arguments are used instead.
- Fully deprecated `UM()->profile()->add_replace_placeholder()` function. Email function arguments are used instead.
- Fully deprecated `UM()->user()->add_activation_placeholder()` function. Email function arguments are used instead.
- Fully deprecated `UM()->user()->add_activation_replace_placeholder()` function. Email function arguments are used instead.
- Deprecated `UM()->user()->maybe_generate_password_reset_key( $userdata )` function. Use `UM()->common()->users()->maybe_generate_password_reset_key( $userdata )` instead.
- Deprecated `UM()->user()->set_last_login()` function. Use `UM()->common()->users()->set_last_login( $user_id )` instead.

* Templates required update:

- password-reset.php

* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *

v2.10.3

* Enhancements:

- Added: The `Ignore the "User Role > Registration Options"` setting. It provides an ability to auto-approve users if they were created via wp-admin > Users screen.
- Tweak: Avoid email notifications to Administrator about user registration via wp-admin > Users screen.
- Tweak: Updated the Action Scheduler implementation to improve flexibility and clarity. Refactor Action Scheduler for not only email handling.

* Bugfixes:

- Fixed: Member Directory styles when it's rendered on the Gutenberg builder page.
- Fixed: Member Directory filtering query when the custom users metatable is used.
- Fixed: PHP Warning that occurs when using the `getimagesize` function with an image from an external source.
- Fixed: The `{password_reset_link}` placeholder in the Reset Password email notification.
- Fixed: Changed "Turkey" to the current official term "Türkiye".

* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *

v2.10.2

* Enhancements:

- Added: `UM()->common()->filesystem()::maybe_init_wp_filesystem();` method.
- Added: `UM()->common()->filesystem()::remove_dir();` method.

* Bugfixes:

- Fixed: Security issue CVE ID: CVE-2025-1702. Reviewed general search scripts and suggested another solution that uses only `$wpdb->prepare()`.

* Bugfixes:

- Fixed: Security issue CVE ID: CVE-2025-1702.
- Fixed: Activation link redirects to Reset Password after registration without password field and required email activation.
- Fixed: Honeypot scripts/styles for themes without pre-rendered shortcodes. Enqueue honeypot scripts/styles every time.
- Fixed: Profile photo metadata when Gravatar image is used.

* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *

* Enhancements:

- Added: Compatibility with the new [Ultimate Member - Zapier](https://ultimatemember.com/extensions/zapier/) extension
- Added: Only approved user Reset Password setting defined as true by default
- Added: `UM()->is_new_ui()` function for future enhancements related to new UI
- Added: Filter hook `um_before_user_submitted_registration_data`
- Tweak: Changed hook's priority for initialization of email templates paths
- Tweak: Removed `load_plugin_textdomain` due to [article](https://make.wordpress.org/core/202...-support-for-only-using-PHP-translation-files)

* Bugfixes:

- Fixed: Security issue CVE ID: CVE-2025-0308
- Fixed: Security issue CVE ID: CVE-2025-0318
- Fixed: Using placeholders in email templates when Action Scheduler is active. Using `fetch_user_id` attribute for fetching necessary user before sending email
- Fixed: PHP 8.4 compatibility. Using WordPress native `wp_is_mobile()` instead of MobileDetect library
- Fixed: PHP errors related to `UM()->localize()` function
- Fixed: PHP errors in user meta header when `last_update` meta is empty
- Fixed: Small CSS changes and avoid duplicates
- Fixed: Removed ms-native show password button for type="password" field in UM forms
- Fixed: Define scalable attribute for cropper

* Deprecated:

- Fully deprecated `UM()->mobile()` function
- Fully deprecated `UM()->localize()` function
- Fully deprecated `um_language_textdomain` filter hook

* Templates required update:

- account.php

* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade

* Enhancements:

- Added: Using PHP tidy extension (if it's active) to make HTML textarea value clear
- Added: `um_tidy_config` filter hook for setting PHP tidy config
- Tweak: Avoid using force `set_status()` function.
- Tweak: Properly using `UM()->common()->users()->get_status( $user_id )` instead of `um_user( 'account_status' )`
- Tweak: Properly using `UM()->common()->users()->get_status( $user_id, 'formatted' )` instead of `um_user( 'account_status_name' )`
- Tweak: Properly using `um_user( 'status' )` for getting user role setting while registration

* Bugfixes:

- Fixed: UM tipsy removing inside .um-page selector (e.g. tipsy init from um-modal)
- Fixed: Rollback using `<iframe>` for displaying HTML formatted textarea value
- Fixed: Capability to edit user profile for Administrator when user doesn't have a capability to edit its profile
- Fixed: Sending email notifications based on user status after registration
- Fixed: PHP error when meta `um_member_directory_data` has a wrong format

* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade

* Bugfixes:

- Fixed: Download routing initialization
- Fixed: Textarea height and HTML formatted textarea field height isolated via `<iframe>` on view mode
- Fixed: User registration if email activation or admin review are required
- Fixed: First installation errors

* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade