• Resolved jens2021

    (@jens2021)


    Hi there,

    since the latest security updates several issues occur:

    1. No password-confirmation field on registration form

    2. Registrations will still be accepted, but the forwarding to a specific site after registration does not work anymore. Instead, newly registered users will be redirected to the WordPress login page.

    3. Newly registered users are unable to log in. It shows the password is wrong. The reset password function seems to be working, but after resetting the password it still shows that the password is not correct.

    4. I am using hCaptcha on my site. hCaptcha does not work anymore at all.

    Side note: I am using WP Rocket, but UM-Sites are excluded and I always cleared the cache between steps while testing.

    For the time being I had no other choice than to downgrade back to 2.6.2 by using a backup, because the latest updates made my page unusable. Sadly I cannot say exactly which of the latest updates caused all of the above, but I can confirm the issues exist in 2.6.6 and 2.6.7.

    Please fix that as soon as possible, so I can do the necessary update.
    Thanks.

Viewing 15 replies - 1 through 15 (of 42 total)
  • Hi! I would not advise that you downgrade.
    There has been a major attack and therefore quick fixes needed to be done.

    I’m using latest version (2.6.7) and have none of those issues with Oxygen builder.
    Only v 2.6.7 fixes the security problems.

    I would recommend you to install latest version too and deactivate the forms, at least that way you won’t have the risk of an intrusion
    https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/

    I just updated to 2.6.7 as well, and no one can login.

    Thread Starter jens2021

    (@jens2021)

    Hi! I would not advise that you downgrade.
    There has been a major attack and therefore quick fixes needed to be done.

    I’m using latest version (2.6.7) and have none of those issues with Oxygen builder.
    Only v 2.6.7 fixes the security problems.

    I would recommend you to install latest version too and deactivate the forms, at least that way you won’t have the risk of an intrusion
    https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/

    Thank you for your reply and your advice.
    It's great that the update is working for you with Oxygen builder, but that doesn't help me one inch. I have massive issues like I described above.
    However, I have no other choice than running 2.6.2 until the described issues are fixed. My website is completely unusable without these functions, so deactivating the forms is also not an option.
    I know about the vulnerability, but I must take the risk until there is a fully working update.
    I am a paying customer, so I expect a fully working update ASAP.


    I just updated to 2.6.7 as well, and no one can login.

    Thank you for confirming you having one of my described issues as well.

    Thread Starter jens2021

    (@jens2021)

    So, now I am getting really upset.

    Automatic updates are disabled, but an automatic update of Ultimate Member occurred anyhow.

    It's unacceptable to force an update if the update has several bugs and makes my website unusable!

    I have noticed that the password-confirmation field is now there, but all other issues I described in my first post are still in place.

    Please fix that ASAP!

    Plugin Support andrewshu

    (@andrewshu)

    Hello @jens2021

    1. There was a security update – this update ignores that automatic updates are disabled.
    2. Try to do a conflict test – https://docs.ultimatemember.com/article/96-how-to-do-a-plugin-theme-conflict-test. There were a lot of changes last time and conflicts could arise.

    Regards.

    Thread Starter jens2021

    (@jens2021)

    Thanks @andrewshu – will do the conflict test. But it will take a bit of time, because I need to do a clone first. I will come back to you ASAP.

    Regards.

    Plugin Author Mykyta Synelnikov

    (@nsinelnikov)

    Hi @jhan303

    Could you tell us whether you use any 3rd-party plugins for the Ultimate Member Login page? I’ll try to find the reason and contact the plugin authors if necessary.

    Also, I have resolved the issue inside the unsupported WPBruiser:
    https://ww.wp.xz.cn/support/topic/compatibility-with-a-latest-ultimate-member-2-6-7-version/#post-16868766

    Let me know,
    Best Regards!

    Hi @nsinelnikov

    Thanks for the info. I do use WPBruiser (I didn’t realize it’s no longer supported), but I don’t see any mention of it in that forum post you linked to. Will this fix be part of the 2.6.8?

    Plugin Author Mykyta Synelnikov

    (@nsinelnikov)

    Hi @jhan303

    As you can see, WPBruiser hasn’t had any new versions for 3 years.
    https://ww.wp.xz.cn/plugins/goodbye-captcha/

    Here is my GitHub fork of their GitHub repo.
    https://github.com/nikitasinelnikov/goodbye-captcha/tree/master

    I already responded on how to fix the WPBruiser here:
    https://ww.wp.xz.cn/support/topic/cannot-log-in-76/#post-16868781

    It’s a confirmed fix for WPBruiser.

    Let me know if that works,
    Best Regards!

    Thread Starter jens2021

    (@jens2021)

    Hi @nsinelnikov

    many thanks for your help here and on the support page of hCaptcha.

    Finally I could do some intensive testing and also did a conflict test.

    I am still facing the following issues:
    I put in some forwarding settings within the user role which worked great before the update.
    See: https://ibb.co/7zsRHYQ

    Now the following behavior occurs:

    – After registration of a new user, the forwarding to the specific site does not work. Instead, a forwarding to the regular WP login happens.
    See: https://ibb.co/jbm5jxb

    – If users log in via the login button ( {login url} ) from the e-mail after admin confirmation, the forwarding also doesn't work. Users get redirected to the main page instead. But if users log in via the login button I have directly on my site, the forwarding to the correct page is working fine.

    – If users log in after a password reset, the forwarding also doesn't work. Users get redirected to the main page.

    I did a conflict test with all installed plugins with one exception: “restrict for elementor”. This plugin is necessary to handle the visibility for logged-in and not-logged-in users. But there were no issues before and I don't think this plugin creates the forwarding issues. All other plugins have no influence on this forwarding issue. Tested them all one by one.

    I noticed your hint for version 2.6.8 on GitHub, but I don't know how to install that.

    I hope you can help fast.

    Many thanks & kind regards
    Jens

    @nsinelnikov

    That worked great! Thanks!

    Plugin Author Mykyta Synelnikov

    (@nsinelnikov)

    Hi @jens2021

    For security enhancements, we started to use the wp_safe_redirect() function instead of just wp_redirect(). Please add this code snippet if you need to redirect the users after registration to a 3rd-party website with a different hostname:

    function my_allowed_hosts( $hosts ) {
        $my_hosts = array(
            'google.com',
            'mail.google.com',
        );
        return array_merge( $hosts, $my_hosts );
    }
    add_filter( 'allowed_redirect_hosts', 'my_allowed_hosts' );

    Please let me know if that works,
    Best Regards!

    Thread Starter jens2021

    (@jens2021)

    Hi @nsinelnikov

    thanks for coming back to me.

    There is no redirect with a different hostname on my site.

    My website is http://www.12345.de with a registration form at http://www.12345.de/register and I would like to redirect after registration to http://www.12345.de/ABC – that worked before the security update with no issues. Now it doesn't work anymore at all.

    Can I send you the URL to my website in a private way, so you can check on my website directly?

    Many thanks & kind regards

    Plugin Author Mykyta Synelnikov

    (@nsinelnikov)

    Hi @jens2021

    Please try without www. when you type the redirect URL in the settings.

    Sorry, but it is better to follow the forum guidelines: https://ww.wp.xz.cn/support/guidelines/#the-bad-stuff
    And I cannot share my private info for direct messages based on the rules above.
    You may contact me via Slack at wordpress.slack.com with the same username, nsinelnikov

    Best Regards!
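
The redirect behaviour discussed in the last posts, as an added example that is not part of the thread or of the plugin's code: a simplified stand-alone model of the host allow-list check behind wp_safe_redirect(), showing why a "www." mismatch ends at the fallback (admin/login) URL. The function names example_host_variants and example_validate_redirect are hypothetical, and it is assumed that the site address is saved without "www.".

```php
<?php
// Added example: simplified model of the host check, not WordPress source code.

// Return the bare host and its "www." counterpart.
function example_host_variants( string $host ): array {
    $host = strtolower( $host );
    $bare = ( strpos( $host, 'www.' ) === 0 ) ? substr( $host, 4 ) : $host;
    return array( $bare, 'www.' . $bare );
}

// A target is kept only if it is relative or its host is on the allow-list;
// anything else (including an unparsable URL) is replaced by the fallback.
function example_validate_redirect( string $location, array $allowed_hosts, string $fallback ): string {
    $host = parse_url( $location, PHP_URL_HOST );
    if ( false === $host ) {
        return $fallback; // malformed URL: never redirect to it
    }
    if ( null === $host ) {
        return $location; // relative path such as /ABC: no host to check
    }
    return in_array( strtolower( $host ), $allowed_hosts, true ) ? $location : $fallback;
}

// Constructed values based on the thread (assumption: home URL has no "www.").
$home_host = '12345.de';
$fallback  = 'http://12345.de/wp-admin/'; // wp_safe_redirect() falls back to admin_url()
$targets   = array( 'http://www.12345.de/ABC', 'http://12345.de/ABC', '/ABC', 'http://google.com/' );

foreach ( $targets as $target ) {
    $default  = example_validate_redirect( $target, array( $home_host ), $fallback );
    $extended = example_validate_redirect( $target, example_host_variants( $home_host ), $fallback );
    printf( "%-24s default: %-26s with www variant: %s\n", $target, $default, $extended );
}

// In WordPress the same allow-list extension would be hooked like this
// (commented out so the script runs without WordPress):
// add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
//     $home = parse_url( home_url(), PHP_URL_HOST );
//     return array_unique( array_merge( $hosts, example_host_variants( (string) $home ) ) );
// } );
```

With the default list only the bare-host and relative targets survive; adding the "www." variant of the site's own host lets http://www.12345.de/ABC through while google.com still falls back.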


The topic ‘Several bugs since update’ is closed to new replies.