Decryption key:
Ultimate Member Core Plugin v2.12.1 Nulled ( Full package ) ( Includes all addons, theme, core plugin )
= 2.12.1 July 06, 2026 =
* Enhancements:
- Added: Ability to handle local website URLs resources (image, audio, video from Media Library, 3rd-party local URLs embed to iframe) in the oEmbed-type field value.
- Added: The API key field type for the settings fields.
* Bugfixes:
- Fixed: Security issue, CVE ID: CVE-2026-4248. Extern blacklist filter for convert_tag replace placeholders function. (Additional keys were researched by Hrro. This info added for the Wordfence team if they need this information).
- Fixed: Security issue when accidentally `manage_options` level user role can be listed in the User Role dropdown on the registration/edit profile forms. (Researched by Haitam Lazaar).
- Fixed: Set <iframe> size proportions during responsive handlers.
- Fixed: mousewheel action during member directory loading and overlay is displayed.
- Fixed: WP_Styles notice due to not loaded `um_modal` styles.
- Fixed: oEmbed-type field styles.
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
Ultimate Member Core Plugin v2.12.0 Nulled
== Changelog ==
= 2.12.0 June 12, 2026 =
* Bugfixes:
- Fixed: Security issue, CVE ID: CVE-2026-7761.
- Restricted `get_directory_by_hash()` function to only match posts with post_type='um_directory' and publish post status.
- Used `0 === strpos()` instead of `strstr()` for getting proper post_data.
- Added condition for getting only allowed fields in tagline_fields and reveal_fields to `build_user_card_data()`.
- Fixed: Security issue, CVE ID: CVE-2026-8489.
- Used WordPress native `wp_kses()` escaper for displaying user_description field. Used WordPress native `make_clickable()` function to make raw links clickable.
- Fixed: Security issue, CVE ID: CVE-2026-xxxx. Make the role and status visible for the user who can edit these users in the request. Reported by [Ben Tamam](bentamam.github.io).
- Fixed: Remove UM option function when the option value equals "0".
* Deprecated:
- Temporary deprecated: UM REST API. Legacy feature that has to be refactored. Will be refactored and re-released soon.
Ultimate Member Core Plugin v2.11.4 Nulled
== Changelog ==
= 2.11.4 April 30, 2026
* Enhancements:
- Added: Checking format of the 3rd-party registered custom fields. Avoid PHP errors related to the wrong format or unexpected attributes.
* Bugfixes:
- Fixed: Added uploader fields accept argument for set allowed mime-types in the upload dialog window. Updated 3.1.2 version of this library [hayageek/jquery-upload-file](https://github.com/hayageek/jquery-upload-file/). Don't use 4.0.11 version for now.
- Fixed: JS initialization of the empty uploader fields.
- Fixed: User Profile URLs in the User Profile form on the not-predefined pages placed via shortcode.
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
Ultimate Member Core Plugin v2.11.3 Nulled
== Changelog ==
= 2.11.3 March 26, 2026 =
* Enhancements:
- Added: UM > Settings > Advanced > APIs section for set available APIs settings.
- Added: GoogleMaps API setting when it's available.
- Added: Function `UM()->mail()->enabled_email()` for checking if the email notification is enabled by the user.
- Added: `color` type of sanitize settings saved in wp-admin.
- Added: Checking array type of submission data when `url` type of sanitize is used in wp-admin.
- Added: Enhance UM form sanitization filter with $form_data param. Added the $form_data parameter to the `um_sanitize_form_submission` filter.
- Added: Option for special character requirement for passwords. It's situated in "General > Users > Password requires special character" (based on @faisalahammad suggestions)
- Added: Filter hook `um_before_account_delete_text` for changing before delete account text by 3rd-party plugins. End-customers can use it for translations.
- Added: Filter hook `um_custom_{$message_key}` (`um_custom_pending_message`, `um_custom_checkmail_message`) for changing after-registration message based on the user status by 3rd-party plugins. End-customers can use it for translations.
- Added: Filter hook `um_convert_tags_blacklist_fields` For 3rd-party integrations to control the usermeta keys in `um_convert_tags()` function.
- Added: `.um-display-none` CSS utility + `umShow()/umHide()/umToggle()` jQuery helpers.
- Added: `um-notice` JS library.
* Bugfixes:
- Fixed: Security issue, CVE ID: CVE-2026-4248. Added blacklist filter for convert_tag replace placeholders function.
- Fixed: HTML sanitization logic for textarea-type custom fields with enabled HTML using setting.
- Fixed: WP editor formatting to prevent incorrect HTML entity conversion when using html-mode in the textarea-type custom fields. Applied and removed this filter dynamically to avoid interfering with other processes.
- Fixed: Dynamic string translation pattern and improve escaping. Replaced incorrect __('%s') pattern. (@faisalahammad)
- Fixed: `wp_die()` function triggering on the frontend actions. Added UM notice above the User Profile page. (based on @faisalahammad suggestions)
- Fixed: Password reset key handling for multiple users. Previously, the static reset key caused issues when handling password resets for multiple users simultaneously.
- Fixed: `um_trim_string()` function for using with UTF-8 symbols.
- Fixed: PHP Notice: Function WP_Scripts::add was called incorrectly.
* Templates Requiring Update:
- members.php
- message.php
- restricted-blog.php
- restricted-taxonomy.php
* Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade *
Ultimate Member Core Plugin v2.11.2
2.11.2 2026-02-10
Enhancements
Bugfixes
- Added: Server-side validation when the Search Form is submitted.
- Added: Action hook um_approve_user_on_email_confirmation to natively approve the user after validating the email activation link.
- Added: JS filter wp.hook um_member_directory_popstate_ignore to stop window.pushSate in the member directory for 3rd-party integrations.
Templates Requiring Update
- Fixed: Security issue, CVE ID: CVE-2025-15064. Deprecated the ability to use HTML inside the user description. It’s still allowed to use only predefined ‘user_description’ tags in wp_kses().
- Fixed: Security issue, CVE ID: CVE-2026-1404. Modified template item formatting to avoid using HTML characters in the filter values.
- Fixed: Profile photo dropdown menu position for screens smaller than 340px.
- Fixed: Display of the saved value of the “Privacy Options” > “Allowed roles” setting for the member directory.
- Fixed: Information in Site-Health about the registration form’s Template and Role settings.
- Fixed: Information in Site-Health about the login and profile form’s Template settings.
Note: Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after the upgrade
- members.php
- searchform.php
Ultimate Member Core Plugin v2.11.1 Nulled
= v2.11.1 December 16, 2025 =
* Enhancements:
- Added: 'Privacy Options' for Member Directory. 'Who can see this member directory' and 'Allowed Roles'.
- Added: 'Rate Limit' setting for nopriv AJAX actions.
* Bugfixes:
- Fixed: Security issue CVE ID: CVE-2025-13220. Used `shortcode_atts()` function to avoid using wrong attributes.
- Fixed: Security issue CVE ID: CVE-2025-13217. Implementing proper input sanitization and escaping for iframe URLs in YouTube, Vimeo, and Google Maps embeds.
- Fixed: Security issue CVE ID: CVE-2025-14081. Filtering fields based on user permissions during Account form submission.
- Fixed: Security issue CVE ID: CVE-2025-12492. Added directory privacy settings and added rate limiting.
* Templates required update:
- members.php
- members-grid.php
- members-list.php
Ultimate Member Core Plugin v2.11.0 + Extensions
= v2.11.0 December 02, 2025 =
* Enhancements:
- Added: Extra condition for checking the license activation requests.
- Added: 2nd `$args` attribute to the action hook 'um_cover_area_content'.
- Added: `$args` and `$user_id` attributes to the action hook 'um_after_profile_header_name'.
- Added: Class `um-profile-subnav-{$subnav_id}-link` to the sub navigation links in the User Profile page.
- Tweak: Updated `Extensions_Updater` class to use Action Scheduler in the upgrade process of the UM extensions.
* Bugfixes:
- Fixed: User profile links in the comments section on the frontend when the `$comment->user_id` is empty.
- Fixed: The `emotize` function regexp for better emoji converting.
- Fixed: The conflict between the image uploader and lazy-loading attribute added by 3rd-party plugins.
- Fixed: PHP warnings for roles without meta data.
- Fixed: Typo in labels.
Ultimate Member Core Plugin v2.10.6
2.10.6 - 2025-10-02
Enhancements
Bugfixes
- Added: Avoid caching of the UM Forms on the mobile devices via adding the nocache headers to the screens with UM Forms.
- Added: Filter hook um_get_empty_status_users_query_result for changing default query on the different websites to optimize it.
- Added: Filter hook um_admin_settings_get_pages_list_args for changing WP_Query arguments for getting pages visible in the dropdown fields in UM Settings.
- Added: JS filter hook um_admin_blocks_prefixes_excluded for excluding 3rd-party Gutenberg blocks with predefined prefixes from UM restriction arguments.
- Added: WebP file-extension support for UM uploader.
- Added: UM_LICENSE_REQUEST_DEBUG constant for debugging license activation process when it’s needed.
- Added: Extensions_Updater class to standardize the upgrade process in UM extensions.
- Added: Sanitize handlers sanitize_array_key_int and sanitize_array_key for making sanitize in UM extensions’ settings.
Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade
- Fixed: Changed the view and the edit user profile links in the comments section on the frontend.
- Fixed: Contains conditional logic operand when value is array.
- Fixed: Getting cover_size for displaying it in the member directory card.
- Fixed: Filter’s range for numeric-type fields to avoid getting the empty values.
- Fixed: Integer validation for the ‘start_of_week’ WP native setting.
- Fixed: Dependencies with Action Scheduler library.
Ultimate Member Core Plugin v2.10.5
= 2.10.5 June 25, 2025 =
* Enhancements:
- Added: Filter hook [`um_password_reset_form_primary_btn_classes`](https://ultimatemember.github.io/ultimatemember/hooks/um_password_reset_form_primary_btn_classes.html) for primary button classes in UM Password Reset form.
- Added: Filter hook [`um_login_form_primary_btn_classes`](https://ultimatemember.github.io/ultimatemember/hooks/um_login_form_primary_btn_classes.html) for primary button classes in UM Login form.
- Added: Filter hook [`um_register_form_primary_btn_classes`](https://ultimatemember.github.io/ultimatemember/hooks/um_register_form_primary_btn_classes.html) for primary button classes in UM Registration form.
- Tweak: Refactored Site Health data, added hooks for 3rd-party integration.
- Tweak: Avoid using `um_user( 'password_reset_link' )` and make it directly with `UM()->password()->reset_url( $user_id )` for getting a proper reset URL.
- Tweak: Avoid using `um_user( 'account_activation_link' )` and make it directly with `UM()->permalinks()->activate_url( $user_id )` for getting a proper activation URL.
* Bugfixes:
- Fixed: Stripped shortcodes in the user data during the Account, Registration and Profile forms submission. (Thanks to [MissVeronica](https://github.com/MissVeronica))
- Fixed: Email placeholders values.
- Fixed: Refactor deactivation logic to un-schedule Action Scheduler actions.
- Fixed: Action Scheduler library errors. Updated to the recent 3.9.2 version.
- Fixed: Secondary email field validation.
- Fixed: Action Scheduler batch actions with users who have Undefined status.
- Fixed: Restrictions for 3rd-party Gutenberg Blocks.
- Fixed: Date/time picker filter-types range query on Member Directories.
- Fixed: Renamed "Macedonia, the former Yugoslav Republic of" to the official "North Macedonia".
* Deprecated:
- Fully deprecated `account_activation_link_tags_patterns( $placeholders )` function. It's not used previously. Used email function arguments instead.
- Fully deprecated `account_activation_link_tags_replaces( $replace_placeholders )` function. It's not used previously. Used email function arguments instead.
- Fully deprecated `UM()->profile()->add_placeholder()` function. Used email function arguments instead.
- Fully deprecated `UM()->profile()->add_replace_placeholder()` function. Used email function arguments instead.
- Fully deprecated `UM()->user()->add_activation_placeholder()` function. Used email function arguments instead.
- Fully deprecated `UM()->user()->add_activation_replace_placeholder()` function. Used email function arguments instead.
- Deprecated `UM()->user()->maybe_generate_password_reset_key( $userdata )` function. Use `UM()->common()->users()->maybe_generate_password_reset_key( $userdata )` instead.
- Deprecated `UM()->user()->set_last_login()` function. Use `UM()->common()->users()->set_last_login( $user_id )` instead.
* Templates required update:
- password-reset.php
* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade *
Ultimate Member Core Plugin v2.10.4
= 2.10.4 May 15, 2025 =
* Bugfixes:
- Fixed: Security issue CVE ID: CVE-2025-47691. Used "sniccowp/php-scoper-wordpress-excludes" for getting the recent WordPress functions list and added them to the dynamic blacklist based on the WordPress version.
- Fixed: The Action Scheduler action `um_set_default_account_status`. Case when some users were approved manually or deleted, and we need to reset the admin notice. Added `error_log()` to the wrong conditions.
- Fixed: Reset Password request from not a predefined password reset page. It's possible to submit reset password form sitewide using block or shortcode.
- Fixed: Setting 'Allow users to change email' for the Account page. It works now for any role instead of only the roles with 'Can edit other member accounts?' capability enabled.