Ultimate Member Core Plugin

Ultimate Member Core Plugin 2.12.0

= 2.12.0 June 12, 2026 =

* Bugfixes:

- Fixed: Security issue, CVE ID: CVE-2026-7761.
- Restricted `get_directory_by_hash()` function to only match posts with post_type='um_directory' and publish post status.
- Used `0 === strpos()` instead of `strstr()` for getting proper post_data.
- Added condition for getting only allowed fields in tagline_fields and reveal_fields to `build_user_card_data()`.
- Fixed: Security issue, CVE ID: CVE-2026-8489.
- Used WordPress native `wp_kses()` escaper for displaying user_description field. Used WordPress native `make_clickable()` function to make raw links clickable.
- Fixed: Security issue, CVE ID: CVE-2026-xxxx. Made the role and status visible to the user who can edit these users in the request. Reported by [Ben Tamam](bentamam.github.io).
- Fixed: Remove UM option function when the option value equals "0".

* Deprecated:

- Temporarily deprecated: UM REST API. It is a legacy feature that has to be refactored and will be re-released soon.

= 2.11.4 April 30, 2026 =

* Enhancements:

- Added: Checking format of the 3rd-party registered custom fields. Avoid PHP errors related to the wrong format or unexpected attributes.

* Bugfixes:

- Fixed: Added the uploader fields' accept argument to set the allowed MIME types in the upload dialog window. Updated the 3.1.2 version of this library: [hayageek/jquery-upload-file](https://github.com/hayageek/jquery-upload-file/). Don't use version 4.0.11 for now.
- Fixed: JS initialization of the empty uploader fields.
- Fixed: User Profile URLs in the User Profile form on the not-predefined pages placed via shortcode.

* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *

= 2.11.3 March 26, 2026 =

* Enhancements:

- Added: UM > Settings > Advanced > APIs section for configuring the available API settings.
- Added: GoogleMaps API setting when it's available.
- Added: Function `UM()->mail()->enabled_email()` for checking if the email notification is enabled by the user.
- Added: `color` type of sanitize settings saved in wp-admin.
- Added: Checking array type of submission data when `url` type of sanitize is used in wp-admin.
- Added: Enhance UM form sanitization filter with $form_data param. Added the $form_data parameter to the `um_sanitize_form_submission` filter.
- Added: Option to require a special character in passwords. It is located in "General > Users > Password requires special character" (based on @faisalahammad's suggestions).
- Added: Filter hook `um_before_account_delete_text` for changing before delete account text by 3rd-party plugins. End-customers can use it for translations.
- Added: Filter hook `um_custom_{$message_key}` (`um_custom_pending_message`, `um_custom_checkmail_message`) for changing after-registration message based on the user status by 3rd-party plugins. End-customers can use it for translations.
- Added: Filter hook `um_convert_tags_blacklist_fields` for 3rd-party integrations to control the usermeta keys in the `um_convert_tags()` function.
- Added: `.um-display-none` CSS utility + `umShow()/umHide()/umToggle()` jQuery helpers.
- Added: `um-notice` JS library.

* Bugfixes:

- Fixed: Security issue, CVE ID: CVE-2026-4248. Added blacklist filter for convert_tag replace placeholders function.
- Fixed: HTML sanitization logic for textarea-type custom fields that have the setting allowing HTML enabled.
- Fixed: WP editor formatting to prevent incorrect HTML entity conversion when using html-mode in the textarea-type custom fields. Applied and removed this filter dynamically to avoid interfering with other processes.
- Fixed: Dynamic string translation pattern and improve escaping. Replaced incorrect __('%s') pattern. (@faisalahammad)
- Fixed: `wp_die()` function triggering on the frontend actions. Added UM notice above the User Profile page. (based on @faisalahammad suggestions)
- Fixed: Password reset key handling for multiple users. Previously, the static reset key caused issues when handling password resets for multiple users simultaneously.
- Fixed: `um_trim_string()` function for using with UTF-8 symbols.
- Fixed: PHP Notice: Function WP_Scripts::add was called incorrectly.

* Templates Requiring Update:

- members.php
- message.php
- restricted-blog.php
- restricted-taxonomy.php

* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *

* Enhancements:

- Added: Server-side validation when the Search Form is submitted.
- Added: Action hook `um_approve_user_on_email_confirmation` to natively approve the user after validating the email activation link.
- Added: JS filter wp.hook `um_member_directory_popstate_ignore` to stop window.pushState in the member directory for 3rd-party integrations.

* Bugfixes:

- Fixed: Security issue, CVE ID: CVE-2025-15064. Deprecated the ability to use HTML inside the user description. It's still allowed to use only predefined 'user_description' tags in `wp_kses()`.
- Fixed: Security issue, CVE ID: CVE-2026-1404. Modified template item formatting to avoid using HTML characters in the filter values.
- Fixed: Profile photo dropdown menu position for screens smaller than 340px.
- Fixed: Display of the saved value of the "Privacy Options" > "Allowed roles" setting for the member directory.
- Fixed: Information in Site-Health about the registration form's `Template` and `Role` settings.
- Fixed: Information in Site-Health about the login and profile form's `Template` settings.

* Templates Requiring Update:

- members.php
- searchform.php

* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *

* Enhancements:

- Added: 'Privacy Options' for Member Directory. 'Who can see this member directory' and 'Allowed Roles'.
- Added: 'Rate Limit' setting for nopriv AJAX actions.

* Bugfixes:

- Fixed: Security issue CVE ID: CVE-2025-13220. Used `shortcode_atts()` function to avoid using wrong attributes.
- Fixed: Security issue CVE ID: CVE-2025-13217. Implementing proper input sanitization and escaping for iframe URLs in YouTube, Vimeo, and Google Maps embeds.
- Fixed: Security issue CVE ID: CVE-2025-14081. Filtering fields based on user permissions during Account form submission.
- Fixed: Security issue CVE ID: CVE-2025-12492. Added directory privacy settings and added rate limiting.

* Templates required update:

- members.php
- members-grid.php
- members-list.php

* Enhancements:

- Added: Extra condition for checking the license activation requests.
- Added: 2nd `$args` attribute to the action hook 'um_cover_area_content'.
- Added: `$args` and `$user_id` attributes to the action hook 'um_after_profile_header_name'.
- Added: Class `um-profile-subnav-{$subnav_id}-link` to the sub navigation links in the User Profile page.
- Tweak: Updated `Extensions_Updater` class to use Action Scheduler in the upgrade process of the UM extensions.

* Bugfixes:

- Fixed: User profile links in the comments section on the frontend when the `$comment->user_id` is empty.
- Fixed: The `emotize` function regexp for better emoji converting.
- Fixed: The conflict between the image uploader and lazy-loading attribute added by 3rd-party plugins.
- Fixed: PHP warnings for roles without meta data.
- Fixed: Typo in labels.

* Enhancements:

- Added: Avoid caching of UM Forms on mobile devices by adding nocache headers to screens with UM Forms.
- Added: Filter hook `um_get_empty_status_users_query_result` for changing default query on the different websites to optimize it.
- Added: Filter hook `um_admin_settings_get_pages_list_args` for changing WP_Query arguments for getting pages visible in the dropdown fields in UM Settings.
- Added: JS filter hook `um_admin_blocks_prefixes_excluded` for excluding 3rd-party Gutenberg blocks with predefined prefixes from UM restriction arguments.
- Added: WebP file-extension support for UM uploader.
- Added: `UM_LICENSE_REQUEST_DEBUG` constant for debugging license activation process when it's needed.
- Added: `Extensions_Updater` class to standardize the upgrade process in UM extensions.
- Added: Sanitize handlers `sanitize_array_key_int` and `sanitize_array_key` for making sanitize in UM extensions' settings.

* Bugfixes:

- Fixed: Changed the view and the edit user profile links in the comments section on the frontend.
- Fixed: `Contains` conditional logic operand when value is array.
- Fixed: Getting cover_size for displaying it in the member directory card.
- Fixed: Filter's range for numeric-type fields to avoid getting the empty values.
- Fixed: Integer validation for the 'start_of_week' WP native setting.
- Fixed: Dependencies with Action Scheduler library.

* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *

* Enhancements:

- Added: Filter hook [`um_password_reset_form_primary_btn_classes`](https://ultimatemember.github.io/ultimatemember/hooks/um_password_reset_form_primary_btn_classes.html) for primary button classes in UM Password Reset form.
- Added: Filter hook [`um_login_form_primary_btn_classes`](https://ultimatemember.github.io/ultimatemember/hooks/um_login_form_primary_btn_classes.html) for primary button classes in UM Login form.
- Added: Filter hook [`um_register_form_primary_btn_classes`](https://ultimatemember.github.io/ultimatemember/hooks/um_register_form_primary_btn_classes.html) for primary button classes in UM Registration form.
- Tweak: Refactored Site Health data, added hooks for 3rd-party integration.
- Tweak: Avoid using `um_user( 'password_reset_link' )` and make it directly with `UM()->password()->reset_url( $user_id )` for getting a proper reset URL.
- Tweak: Avoid using `um_user( 'account_activation_link' )` and make it directly with `UM()->permalinks()->activate_url( $user_id )` for getting a proper activation URL.

* Bugfixes:

- Fixed: Stripped shortcodes in the user data during the Account, Registration and Profile forms submission. (Thanks to [MissVeronica](https://github.com/MissVeronica))
- Fixed: Email placeholders values.
- Fixed: Refactor deactivation logic to un-schedule Action Scheduler actions.
- Fixed: Action Scheduler library errors. Updated to the recent 3.9.2 version.
- Fixed: Secondary email field validation.
- Fixed: Action Scheduler batch actions with users who have Undefined status.
- Fixed: Restrictions for 3rd-party Gutenberg Blocks.
- Fixed: Date/time picker filter-types range query on Member Directories.
- Fixed: Renamed "Macedonia, the former Yugoslav Republic of" to the official "North Macedonia".

* Deprecated:

- Fully deprecated `account_activation_link_tags_patterns( $placeholders )` function. It was not used previously. Used email function arguments instead.
- Fully deprecated `account_activation_link_tags_replaces( $replace_placeholders )` function. It was not used previously. Used email function arguments instead.
- Fully deprecated `UM()->profile()->add_placeholder()` function. Used email function arguments instead.
- Fully deprecated `UM()->profile()->add_replace_placeholder()` function. Used email function arguments instead.
- Fully deprecated `UM()->user()->add_activation_placeholder()` function. Used email function arguments instead.
- Fully deprecated `UM()->user()->add_activation_replace_placeholder()` function. Used email function arguments instead.
- Deprecated `UM()->user()->maybe_generate_password_reset_key( $userdata )` function. Use `UM()->common()->users()->maybe_generate_password_reset_key( $userdata )` instead.
- Deprecated `UM()->user()->set_last_login()` function. Use `UM()->common()->users()->set_last_login( $user_id )` instead.

* Templates required update:

- password-reset.php

* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *

v2.10.3

* Enhancements:

- Added: The `Ignore the "User Role > Registration Options"` setting. It provides an ability to auto-approve users if they were created via wp-admin > Users screen.
- Tweak: Avoid email notifications to Administrator about user registration via wp-admin > Users screen.
- Tweak: Updated the Action Scheduler implementation to improve flexibility and clarity. Refactor Action Scheduler for not only email handling.

* Bugfixes:

- Fixed: Member Directory styles when it's rendered on the Gutenberg builder page.
- Fixed: Member Directory filtering query when the custom users metatable is used.
- Fixed: PHP Warning that occurs when using the `getimagesize` function with an image from an external source.
- Fixed: The `{password_reset_link}` placeholder in the Reset Password email notification.
- Fixed: Changed "Turkey" to the current official term "Türkiye".

* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *

v2.10.2

* Enhancements:

- Added: `UM()->common()->filesystem()::maybe_init_wp_filesystem();` method.
- Added: `UM()->common()->filesystem()::remove_dir();` method.

* Bugfixes:

- Fixed: Security issue CVE ID: CVE-2025-1702. Reviewed general search scripts and suggested another solution that uses only `$wpdb->prepare()`.

* Bugfixes:

- Fixed: Security issue CVE ID: CVE-2025-1702.
- Fixed: Activation link redirects to Reset Password after registration without password field and required email activation.
- Fixed: Honeypot scripts/styles for themes without pre-rendered shortcodes. Enqueue honeypot scripts/styles every time.
- Fixed: Profile photo metadata when Gravatar image is used.

* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *

* Enhancements:

- Added: Compatibility with the new [Ultimate Member - Zapier](https://ultimatemember.com/extensions/zapier/) extension
- Added: Only approved user Reset Password setting defined as true by default
- Added: `UM()->is_new_ui()` function for future enhancements related to new UI
- Added: Filter hook `um_before_user_submitted_registration_data`
- Tweak: Changed hook's priority for initialization of email templates paths
- Tweak: Removed `load_plugin_textdomain` due to this [article](https://make.wordpress.org/core/202...-support-for-only-using-PHP-translation-files)

* Bugfixes:

- Fixed: Security issue CVE ID: CVE-2025-0308
- Fixed: Security issue CVE ID: CVE-2025-0318
- Fixed: Using placeholders in email templates when Action Scheduler is active. Using `fetch_user_id` attribute for fetching necessary user before sending email
- Fixed: PHP 8.4 compatibility. Using WordPress native `wp_is_mobile()` instead of MobileDetect library
- Fixed: PHP errors related to `UM()->localize()` function
- Fixed: PHP errors in user meta header when `last_update` meta is empty
- Fixed: Small CSS changes and avoid duplicates
- Fixed: Removed ms-native show password button for type="password" field in UM forms
- Fixed: Define scalable attribute for cropper

* Deprecated:

- Fully deprecated `UM()->mobile()` function
- Fully deprecated `UM()->localize()` function
- Fully deprecated `um_language_textdomain` filter hook

* Templates required update:

- account.php

* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *

* Enhancements:

- Added: Using the PHP tidy extension (if it's active) to clean the HTML textarea value
- Added: `um_tidy_config` filter hook for setting PHP tidy config
- Tweak: Avoid using force `set_status()` function.
- Tweak: Properly using `UM()->common()->users()->get_status( $user_id )` instead of `um_user( 'account_status' )`
- Tweak: Properly using `UM()->common()->users()->get_status( $user_id, 'formatted' )` instead of `um_user( 'account_status_name' )`
- Tweak: Properly using `um_user( 'status' )` for getting user role setting while registration

* Bugfixes:

- Fixed: UM tipsy removing inside .um-page selector (e.g. tipsy init from um-modal)
- Fixed: Rollback using `<iframe>` for displaying HTML formatted textarea value
- Fixed: Capability to edit user profile for Administrator when user doesn't have a capability to edit its profile
- Fixed: Sending email notifications based on user status after registration
- Fixed: PHP error when meta `um_member_directory_data` has a wrong format

* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *