Merge pull request #863 from wpdev10/master

check for nonce while changing user type for bulk users

Author: wpdev10

admin/class-admin.php

@@ -1326,6 +1326,14 @@ public function handle_bulk_user_type_change() {
             return;
         }
 
+        if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( $_GET['_wpnonce'], 'bulk-users' ) ) {
+            wp_die( __( 'Security check failed. Please try again.' ) );
+        }
+
+        if ( ! current_user_can( 'edit_users' ) ) {
+            wp_die( __( 'You do not have permission to perform this action.' ) );
+        }
+
         $new_user_type = absint( $_GET['uwp_new_user_type'] );
 
         if ( ! $new_user_type ) {

admin/settings/class-formbuilder.php

@@ -2552,7 +2552,7 @@ public function create_field() {
 					$tags = '';
 				}
 
-				if ( $tags != 'skip_field' ) {
+				if ( $tags != 'skip_field' && !empty( $_REQUEST[ $pkey ] ) ) {
 					$_REQUEST[ $pkey ] = strip_tags( $_REQUEST[ $pkey ], $tags );
 				}
 			}

includes/class-forms.php

@@ -468,8 +468,8 @@ public function display_notices( $type ) {
 				} elseif ( ! empty( $notice ) ) {
 						echo wp_kses_post( $notice );
 				}
-}
-}
+            }
+        }
 
 		if ( $type == 'change' ) {
 			$user_id      = get_current_user_id();

languages/userswp-en_US.mo

@@ -1,9 +1,9 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: UsersWP 1.2.47\n"
+"Project-Id-Version: UsersWP 1.2.48\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-10-31 11:19+0530\n"
-"PO-Revision-Date: 2025-10-31 11:19+0530\n"
+"POT-Creation-Date: 2025-11-12 16:42+0530\n"
+"PO-Revision-Date: 2025-11-12 16:42+0530\n"
 "Last-Translator: \n"
 "Language-Team: AyeCode Ltd <contact@ayecode.io>\n"
 "Language: en_US\n"
@@ -15,7 +15,7 @@ msgstr ""
 "_nx:1,2;_x;_ex;esc_attr_e;esc_attr__\n"
 "X-Poedit-Basepath: ..\n"
 "X-Poedit-SourceCharset: UTF-8\n"
-"X-Generator: Poedit 3.5\n"
+"X-Generator: Poedit 3.3.2\n"
 "X-Poedit-SearchPath-0: .\n"
 "X-Poedit-SearchPathExcluded-0: vendor\n"
 
@@ -303,7 +303,7 @@ msgstr ""
 msgid "Form %d"
 msgstr ""
 
-#: admin/class-admin.php:1033
+#: admin/class-admin.php:1033 admin/class-admin.php:1334
 msgid "You do not have permission to perform this action."
 msgstr ""
 
@@ -328,6 +328,10 @@ msgstr ""
 msgid "Change"
 msgstr ""
 
+#: admin/class-admin.php:1330
+msgid "Security check failed. Please try again."
+msgstr ""
+
 #: admin/class-uwp-admin-help.php:38
 msgid "Help &amp; Support"
 msgstr ""

languages/userswp-en_US.po

@@ -2,9 +2,9 @@
 Contributors: stiofansisland, paoltaia, ayecode, ismiaini
 Donate link: https://www.ko-fi.com/stiofan
 Tags: login form, registration, registration form, user profile, user registration, members, membership
-Requires at least: 5.0
+Requires at least: 6.1
 Tested up to: 6.8
-Stable tag: 1.2.47
+Stable tag: 1.2.48
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
 
@@ -90,6 +90,8 @@ UsersWP can be extended with several add-ons. Few examples are:
 * [User to User Private Messages](https://userswp.io/downloads/private-messages/) - Allow your users to send each other private messages in a Facebook-like chat.
 * [Membership](https://userswp.io/downloads/membership-plugin/) - Add Membership functionality to your WordPress website!
 * [Dashboard](https://userswp.io/downloads/dashboard/) - Manage everything from one simple, easy-to-use dashboard.
+* [MailerLite](https://userswp.io/downloads/mailerlite/) - Capture newsletter subscribers during registration to your mailerlite newsletter list.
+* [MailPoet](https://userswp.io/downloads/mailpoet/) - Capture newsletter subscribers during registration to your mailpoet newsletter list.
 
 There are many others and we release new Add-ons frequently. You can see the full collection here: [UsersWP Premium Add-ons](https://userswp.io/downloads/category/addons/)
 
@@ -150,6 +152,9 @@ Yes, you can customize it with Elementor, but also with Gutenberg, Divi, Beaver
 
 == Changelog ==
 
+= 1.2.48 - 2025-11-12 =
+* Check nonce while changing the user type for bulk users - FIXED/SECURITY
+
 = 1.2.47 - 2025-10-31 =
 * Merge SD 1.2.29 - CHANGED
 

readme.txt

@@ -3,7 +3,7 @@
 Plugin Name: UsersWP
 Plugin URI: https://userswp.io/
 Description: The only lightweight user profile plugin for WordPress. UsersWP features front end user profile, users directory, a registration and a login form.
-Version: 1.2.47
+Version: 1.2.48
 Author: AyeCode Ltd
 Author URI: https://userswp.io
 License: GPL-2.0+
@@ -24,7 +24,7 @@
 }
 
 if ( ! defined( 'USERSWP_VERSION' ) ) {
-	define( 'USERSWP_VERSION', '1.2.47' );
+	define( 'USERSWP_VERSION', '1.2.48' );
 }
 
 if ( ! defined( 'USERSWP_PATH' ) ) {

userswp.php

@@ -3,7 +3,7 @@
         'name' => 'uswerwp/userswp',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => 'd13ebfa8745b6ed3d47b0aecbd0a5c714e7cfe8f',
+        'reference' => '619a2da9b81f24569354f02c393faca03b26ffc0',
         'type' => 'project',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -79,7 +79,7 @@
         'uswerwp/userswp' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => 'd13ebfa8745b6ed3d47b0aecbd0a5c714e7cfe8f',
+            'reference' => '619a2da9b81f24569354f02c393faca03b26ffc0',
             'type' => 'project',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),