User Role Editor Pro v. 4.39 was published

User Role Editor Pro version 4.39 was published at November 27th, 2017. Pay attention that this version contains the security related update. It’s strongly recommended to install this version in a short term in spite of a low risk level of the discovered vulnerabilities.

Changes List

Core version: 4.38

  • New: Admin menu access add-on: It’s possible to manage the allowed URL parameters list via “White list of URLs parameters’ link. This link is located at “Settings->User Role Editor->Additional Module” tab, just under “Activate Administrator Menu Access module” checkbox.
  • New: Posts/pages edit restrictions add-on: ‘ure_post_edit_access_terms_list’ custom filter allows to set a categories (terms) list (CSV) programmatically.
  • Update: Meta boxes access add-on supports WPML meta boxes now.
  • Update: Settings->User Role Editor->Additional Modules: section with defaults for Content View Restrictions add-on is shown/hidden by click on “Show Defaults…/Hide Defaults…” link.
  • Update: “Force custom post types use its own capabilities” option: custom post types are selected by enhanced criteria. Permissions was not changed earlier for CPT with a ‘page’ capability type.
  • Fix: Posts/pages edit restrictions add-on: excluded the cases, when edit restrictions would be applied to a user with superadmin priveleges.
  • Core version was updated to 4.38
  • Security: XSS vulnerability was fixed at URE’s options page. Bug was discovered and fixed at tab index value numeric type checking. Tab index value is additionally escaped before output also.
  • Security: Deprecated code for debug output to the .log file in case of database query error was removed.
  • Security: Multiple select jQuery plugin ( was updated to the latest available version 1.2.1, which fixed XSS vulnerability, existed in earlier versions.