wpeverest · MILAN88888 · May 25, 2026
diff --git a/includes/functions-ur-core.php b/includes/functions-ur-core.php
@@ -438,7 +438,7 @@
 	return sprintf( '<span class="%s" data-tip="%s"></span>', $classname, $tip );
 }

 function ur_render_premium_feature_gate_template( $args = array() ) {
 	if ( UR_PRO_ACTIVE ) {
 		return;
 	}
@@ -474,7 +474,7 @@
 	<?php
 }

 function ur_render_premium_feature_gate( $args = array() ) {
 	if ( UR_PRO_ACTIVE ) {
 		return;
 	}
@@ -495,7 +495,7 @@

 	$gate_attrs = 'data-feature-gate="tooltip" data-gate-placement="right" data-gate-interactive="true" data-gate-content="' . esc_attr( $args['template_id'] ) . '"';
 	?>
 	<span class="ur-premium-pro" <?php echo $gate_attrs; ?>><img src="<?php echo esc_url( UR()->plugin_url() . '/assets/images/icons/ur-pro-icon.png' ); ?>" alt="" /></span>
 	<?php
 }

@@ -588,7 +588,7 @@
 	}
 }

 /**
 * Set a cookie - wrapper for setcookie using WP constants.
 *
 * @param string  $name Name of the cookie being set.
@@ -1250,9 +1250,12 @@
 	/* Backward Compat since 1.4.0 */
 	if ( null != $class_path && file_exists( $class_path ) ) {
 		// Validate the resolved path to prevent directory traversal.
-		$real_class_path = realpath( $class_path );
-		$real_base_path  = realpath( UR_FORM_PATH );
-		if ( false === $real_class_path || false === $real_base_path || 0 !== strpos( $real_class_path, $real_base_path . DIRECTORY_SEPARATOR ) ) {
+		$real_class_path   = realpath( $class_path );
+		$real_base_path    = realpath( UR_FORM_PATH );
+		$real_plugins_path = realpath( WP_PLUGIN_DIR );
+		$in_form_path      = false !== $real_base_path && 0 === strpos( $real_class_path, $real_base_path . DIRECTORY_SEPARATOR );
+		$in_plugins_path   = false !== $real_plugins_path && 0 === strpos( $real_class_path, $real_plugins_path . DIRECTORY_SEPARATOR );
+		if ( false === $real_class_path || ( ! $in_form_path && ! $in_plugins_path ) ) {
 			return null;
 		}
 		$class_name = 'UR_' . join( '_', array_map( 'ucwords', $exploded_class ) );
@@ -3037,7 +3040,7 @@
 			$field_name = isset( $form_data['field_key'] ) ? $form_data['field_key'] : '';
 			$value      = isset( $form_data['default'] ) ? $form_data['default'] : '';
 			if ( 'checkbox' === $field_name && ! empty( $value ) ) {
 				$unserialized_value = unserialize( $form_data['default'] );

 				if ( is_array( $unserialized_value ) ) {
 					$value = implode( ', ', $unserialized_value );
@@ -4022,11 +4025,15 @@
 				);
 
 				if ( ! empty( $license_data->item_name ) ) {
-					$license_data->item_plan = strtolower( str_replace( 'LifeTime', '', str_replace( 'User Registration', '', $license_data->item_name ) ) );
+					$license_data->item_plan = trim( strtolower( str_replace( 'LifeTime', '', str_replace( 'User Registration', '', $license_data->item_name ) ) ) );
 					set_transient( 'ur_pro_license_plan', $license_data, WEEK_IN_SECONDS );
 				}
 			}
 
+			if ( ! empty( $license_data->item_plan ) ) {
+				$license_data->item_plan = trim( $license_data->item_plan );
+			}
+
 			return isset( $license_data ) ? $license_data : false;
 		}
 
@@ -4392,7 +4399,7 @@
 }

 if ( ! function_exists( 'ur_check_captch_keys' ) ) {
 	/**
 	 * Check the site key and secret key for the selected captcha type, are valid or not.
 	 *
 	 * @return bool
@@ -4855,7 +4862,7 @@

 if ( ! function_exists( 'ur_get_premium_settings_tab' ) ) {

 	/**
 	 * Premium settings tabs.
 	 *
 	 * @since 5.0
@@ -5034,7 +5041,7 @@
 						$description = sprintf( __( 'You have been subscribed to %s plan. Please upgrade to higher plans to use this feature.', 'user-registration' ), ucfirst( $license_plan ) );
 						$settings['sections']['premium_setting_section']['before_desc'] = $description;
 						$upgradable_plans                                        = implode( 'plan, ', $detail['plan'] );
 						$settings['sections']['premium_setting_section']['desc'] = sprintf( __( 'To unlock this setting, consider upgrading to %s', 'user-registration' ), $upgradable_plans );
 					} else {
 						$plugin_name = $detail['name'];
 						$action      = '';
@@ -5053,8 +5060,8 @@
 						$description = sprintf( __( 'Please %1$s %2$s addon to use this feature.', 'user-registration' ), $action, ucwords( str_replace( '-', ' ', $detail['plugin'] ) ) );

 						/*
 						translators: %s: Action Name. */
 						// $button = '<a href="#" class="user-registration-settings-addon-' . strtolower( $action ) . '" data-slug="' . $detail['plugin'] . '" data-name="' . $plugin_name . '">' . sprintf( esc_html__( '%s Addon', 'user-registration' ), $action ) . '</a>';
 						$button_class = 'user-registration-settings-addon-' . strtolower( $action );
 						$button_attrs = array(
 							'data-slug' => $detail['plugin'],
@@ -5364,7 +5371,7 @@
 				$message = $user->get_error_message();
 				$message = str_replace( '<strong>' . esc_html( $login_data['user_login'] ) . '</strong>', '<strong>' . esc_html( $username ) . '</strong>', $message );
 				throw new Exception( $message );
 			} elseif ( isset( $user->ID ) && $is_disabled = get_user_meta( $user->ID, 'ur_disable_users', true ) ) {
 				wp_logout();
 				throw new Exception( '<strong>' . esc_html__( 'ERROR: ', 'user-registration' ) . '</strong>' . $messages['user_disabled'] );

@@ -5452,7 +5459,7 @@

 				$redirect_url = wp_get_raw_referer() ? wp_get_raw_referer() : ur_get_my_account_url();
 				$redirect_url = add_query_arg( 'urm_error', $error_key, $redirect_url );
 				wp_redirect( $redirect_url );
 				exit;

 			}
@@ -6150,7 +6157,7 @@
 	 */
 	function ur_wrap_email_body_content( $body_content ) {
 		// Check if we're in editor context - exclude CSS when displaying editor on settings page.
 		$is_preview       = isset( $_GET['ur_email_preview'] );
 		$current_screen   = function_exists( 'get_current_screen' ) ? get_current_screen() : null;
 		$is_settings_page = $current_screen && 'user-registration_page_user-registration-settings' === $current_screen->id;
 		$is_email_action  = isset( $_REQUEST['action'] ) && ( // phpcs:ignore
@@ -6711,7 +6718,7 @@
 		 */
 		$redirect = apply_filters( 'user_registration_login_redirect', ur_get_my_account_url(), $user );
 		if ( ! defined( 'DOING_AJAX' ) || ! DOING_AJAX ) {
 			wp_redirect( esc_url_raw( $redirect ) );
 			exit();
 		} else {
 			wp_send_json_success(
@@ -6777,8 +6784,8 @@
 					touch( $destination_file_path );
 				}

 				$source_content = file_get_contents( $source_file_path );
 				file_put_contents( $destination_file_path, $source_content, FILE_APPEND );
 			}
 		}
 	}
@@ -7512,7 +7519,7 @@
 				if ( isset( $submitted_data[ $key . '_state' ] ) ) { // phpcs:ignore
 					$country_data['state'] = sanitize_text_field( wp_unslash( $submitted_data[ $key . '_state' ] ) ); // phpcs:ignore
 				}
 				$value = json_encode( $country_data );
 				break;
 			default:
 				$value = isset( $submitted_data[ $key ] ) ? $submitted_data[ $key ] : ''; // phpcs:ignore
@@ -7537,7 +7544,7 @@
 			array(
 				'post_type'  => 'ur_coupons',
 				'meta_key'   => 'ur_coupon_code',
 				'meta_query' => array(
 					array(
 						'key'     => 'ur_coupon_code',
 						'value'   => $coupon,