User Role Editor Pro version 4.39 was published on November 27th, 2017. Note that this version contains a security-related update. It’s strongly recommended to install this version soon, despite the low risk level of the discovered vulnerabilities.
Changes List
Core version: 4.38
- New: Admin menu access add-on: It’s possible to manage the list of allowed URL parameters via the “White list of URLs parameters” link. This link is located at the “Settings->User Role Editor->Additional Module” tab, just under the “Activate Administrator Menu Access module” checkbox.
- New: Posts/pages edit restrictions add-on: the ‘ure_post_edit_access_terms_list’ custom filter allows setting a categories (terms) list (CSV) programmatically.
- Update: Meta boxes access add-on supports WPML meta boxes now.
- Update: Settings->User Role Editor->Additional Modules: the section with defaults for the Content View Restrictions add-on is shown/hidden by clicking the “Show Defaults…/Hide Defaults…” link.
- Update: “Force custom post types use its own capabilities” option: custom post types are selected by enhanced criteria. Previously, permissions were not changed for CPT with a ‘page’ capability type.
- Fix: Posts/pages edit restrictions add-on: excluded the cases where edit restrictions would be applied to a user with superadmin privileges.
- Core version was updated to 4.38
- Security: An XSS vulnerability was fixed at URE’s options page. The bug was discovered and fixed in the numeric type checking of the tab index value. The tab index value is also escaped before output.
- Security: Deprecated code for debug output to the .log file in case of a database query error was removed.
- Security: Multiple select jQuery plugin (https://github.com/wenzhixin/multiple-select/) was updated to the latest available version 1.2.1, which fixed an XSS vulnerability that existed in earlier versions.