WP-Members 3.2.6 is a security release with some additional updates. Because this includes a security update, it is recommended that you take steps to update from previous versions.
Here is an overview of what is included in this update:
There is a potential exploit with regard to the password change. It’s a limited exploit, but I feel any potential risk no matter how small needs to be addressed and closed. In this case, the fix is twofold and completely closes the discovered exploit and goes beyond that requirement. The function for password change can only be fired if the user is logged in. Additionally, a nonce has been added to the plugin’s short form (used for login, password change, password reset, and forgot username forms). Nonces were made a default of the long form in the previous version (it was previously optional). So this version adds that to the short form.
Some of the functions in the plugin’s API were updated and improved.
- wpmem_user_data() – Added “all” as an argument so the function can return all user meta or just WP-Members fields only.
- wpmem_set_user_product() – Added “date” argument to specify a specific expiration date. Default remains “false” and will set user expiration from the current date.
- wpmem_admin_after_profile_table & wpmem_user_after_profile_table actions – These fire after the HTML table in the admin/dashboard profile and can be used for adding to what is displayed after WP-Members custom fields.
- wpmem_login_form_rows filter – Added $arr argument passed to the filter. This contains an array containing all of the setup for the form (primarily what is filterable through wpmem_login_form_args, but here it is available if needed for determining how you will filter the rows array).
The logic for the function behind the [wpmem_field] had a ground-up rebuild. This will make the function more efficient and also easier to maintain in the future as new features are added. (Note: While this is not a “feature,” it is noted here so that if you experience any unexpected behavior in the [wpmem_field] shortcode following the upgrade, please let me know about it so it can be determined if it is related to the update.)
The registration form field validation was updated to evaluate required fields as “not null” instead of false/empty. This allows for “0” values which would previously have been evaluated as “false” and thus lead to the form returning an empty required field error if a “0” was entered. Since the current logic has been in place for almost 10 years, I’m surprised this hasn’t actually come up before, but with the addition of support for the HTML number field type, I did have a user indicate that they needed their number field to accept a minimum value of “0” – so now you can do that.
Added file post ID to the post_data array. The post_data array is passed through various filters and actions during the registration process. In the case of a file field type (“file” or “image”), this array of data now includes the post ID for the attachment. While this can be used for various things, the primary reason for inclusion was being able to easily find a file uploaded during registration for attachment to an email (i.e. sent as an attachment to the admin notification). While that could previously be done without this addition, the change makes it much simpler and eliminates any setup steps – the post ID needed is included in the data array.