Please upgrade Paid Memberships Pro to the latest version, 1.7.15. This update includes a fix for a critical security hole that can be used to gain information about your web server and WordPress install, which can in turn be used to further attack your site. We will be releasing more information about the security vulnerability soon, but I wanted to give everyone a chance to update their version of the plugin ASAP.

If you are in a situation where you must use an older version of Paid Memberships Pro, we advise that you update the services/getfile.php script with the latest version here.

If you are using one of these methods to lock down files in your wp-content/uploads folder or a non-WordPress directory, you will need to add the following code to your wp-config.php to enable the getfile.php script:

define('PMPRO_GETFILE_ENABLED', true);

This update also includes important updates to the Stripe integration to avoid double billing situations and some other important bug fixes.

Please update Paid Memberships Pro from the Plugins page of your WordPress dashboard. You can also get the latest version of PMPro here or version 1.7.15 specifically here.

The full list of updates is below.

  • SECURITY FIX: The /services/getfile.php script has been disabled by default. You must set the PMPRO_GETFILE_ENABLED constant to true or 1 to allow the script to run. Additionally, the script will strip ../ and /. type strings out of the URI when looking for files to get and will not read any files using the extensions set via the pmpro_getfile_extension_blacklist filter. By default inc, php, php3, php4, php5, phps, and phtml file types are not allowed. (Thanks, Kacper Szurek)
  • BUG: Fixed issue with Stripe integration where existing members checking out for new recurring subscriptions would receive extra charges. Now deleting the old Stripe subscription and any related open invoices and creating a new subscription instead of just updating the old subscription. (Thanks, Antonv and Thomas Sjolshagen)
  • BUG: Fixed issue with Braintree integration where the billing address associated with a credit card was not being updated via the update billing page. (Thanks, Keith Abramo)
  • BUG: Fixed issue where pmpro_next_payment() would return a 0 timestamp instead of false when there is no previous order. (Thanks, Thomas Sjolshagen)
  • ENHANCEMENT: Added pmpro_formatPrice() and pmpro_getCurrencyPosition() functions. Now using them to render prices with formatting. You can use the pmpro_format_price filter or pmpro_currencies filter to adjust the formatting of prices to support currency symbols after the price or to use commas instead of periods for separators.
  • ENHANCEMENT: Added getSubscriptionStatus() to Authorize.net gateway class. Also fixed up some of the logic around checking the gateway environment.
  • BUG: Now urlencoding the API Username and Password sent through the PayPal APIs in case your values have + or other special characters in them. (Thanks, mrschmiddy)
  • BUG: Now showing cycle number in the Fee column of the members list. E.g. a level that is $10 every 3 months will now show up as $10.00 + $10.00/3 Months.
  • BUG: Fixed bug where user first_name and last_name were being overwritten by PayPal values when using PayPal Standard.
  • ENHANCEMENT: Added PMPRO_CRON_LIMIT constant, which can be used to limit the number of records processed by each scheduled cron job. This can, for example, keep your server from going over PHP time limits or email limits. Use define('PMPRO_CRON_LIMIT', 100); to set the limit to 100.
  • BUG: Discount code AJAX calls now going through admin-ajax.php, fixing issues where the Themed Profiles module of Theme My Login would block those calls. (Thanks, Tony)
  • ENHANCEMENT: Removed the “CardType” field at checkout and now using the jquery.creditCardValidator script to determine the card type on form submit.
  • BUG: No longer setting $order->subtotal and invoice total to the billing amount (vs the initial price) for recurring payments with Cybersource, PayPal Standard, PayPal Express or Twocheckout. (Thanks, Joce Nunes)
  • ENHANCEMENT: The search filter will no longer filter out a post that is in a category blocked by one membership level if the user also has access to that content through another category.
  • BUG/ENHANCEMENT: Running email body through wpautop if it doesn’t look like HTML.
  • ENHANCEMENT: Added pmpro_getfile_before_error hook in getfile.php.
  • ENHANCEMENT: Added pmpro_ipn_check_receiver_email filter if you want to change how the email is checked in the IPN log.
  • BUG: Fixed bug where reports would show duplicate month labels on the last day of the month.
  • BUG: Fixed some issues with logging in at checkout, especially when using FORCE_SSL_ADMIN. (Thanks, Wimans)
  • ENHANCEMENT: Added “pending” as a default status for orders available on the edit order page in the dashboard.
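
The three controls named in the SECURITY FIX entry above (opt-in switch, keeping the path inside the protected directory, extension blacklist), as an added example. This is not the plugin's getfile.php: the function and constant names are hypothetical, and it uses realpath() containment rather than the string stripping the changelog describes.

```php
<?php
// Added illustration; not the plugin's getfile.php. All names are hypothetical.
// Extensions the changelog lists as refused by default.
const EXAMPLE_BLOCKED_EXTENSIONS = ['inc', 'php', 'php3', 'php4', 'php5', 'phps', 'phtml'];
/**
 * Map a requested path to a readable file under $base_dir.
 * Returns the canonical file path, or null when the request must be refused.
 */
function example_resolve_download(string $requested, string $base_dir, bool $enabled): ?string
{
    // Control 1: off unless the site owner opted in (mirrors PMPRO_GETFILE_ENABLED).
    if (!$enabled) {
        return null;
    }

    // Decode once and refuse NUL bytes before the path reaches filesystem calls.
    $relative = ltrim(rawurldecode($requested), '/');
    if ($relative === '' || strpos($relative, "\0") !== false) {
        return null;
    }

    // Control 2: canonicalise, then require the result to stay inside $base_dir.
    // realpath() resolves "..", "." and symlinks and returns false for missing files.
    $base = realpath($base_dir);
    $file = realpath($base_dir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $file === false || !is_file($file)) {
        return null;
    }
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    // Control 3: extension blacklist, checked on the canonical name, case-insensitively.
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if (in_array($ext, EXAMPLE_BLOCKED_EXTENSIONS, true)) {
        return null;
    }
    return $file;
}

// Constructed demo: a temporary uploads directory with one allowed and one blocked file.
$uploads = sys_get_temp_dir() . '/example_uploads_' . getmypid();
mkdir($uploads);
file_put_contents($uploads . '/guide.pdf', 'sample');
file_put_contents($uploads . '/helper.php', '<?php');
var_dump(example_resolve_download('/guide.pdf', $uploads, false) === null);      // switch off
var_dump(example_resolve_download('/guide.pdf', $uploads, true) !== null);       // served
var_dump(example_resolve_download('/helper.php', $uploads, true) === null);      // blocked type
var_dump(example_resolve_download('/../../etc/hosts', $uploads, true) === null); // outside base
```

Checking the extension on the canonical path, after containment, means a mixed-case or symlinked name is judged by the file that would actually be read.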

Comments (24)

Hi, I use PayPal Pro and with this update my payment started to fail. I get an error saying PayPal Instant Payment Notification Warning. Any ideas? Thanks.

Hi, since updating to PMPro v1.7.15, the £ sign now appears after the value e.g. 4.99£.

Is there any way this could be urgently fixed please?

Thanks.

I’m also concerned about this security hole, but am anxious to have the issue with the update that was discovered resolved before I go forward with any updates. I ended up having my PMP highly customized so would rather just make a small change to one file if possible to ensure user’s security is not compromised. Please let us know ASAP. Thanks!

Not sure. You might have to download the zip and update manually. (Delete the paid-memberships-pro folder via FTP and then install the plugin from the zip file.) DO NOT DELETE PAID MEMBERSHIPS PRO FROM THE PLUGINS PAGE IN YOUR DASHBOARD OR IT WILL ALSO DELETE ALL OF YOUR MEMBER DATA. 🙂

Hi, I have been trying for a membership of INR 1000. 2checkout said they are getting a comma in between because of which they are throwing an error. Please tell me how I can remove the comma settings. I entered the billing amount to be 1000. It seems a comma or a period has been appended. Please help.

What I figured out is that we are redirected to -> $tco_url = 'https://www.2checkout.com/checkout/purchase' . $ptpStr; This ptpStr contains all the information but I couldn’t figure out where I should remove the comma. Please help!

Uncaught TypeError: jQuery(…).validateCreditCard is not a function

Due to this I am getting an error on the checkout page: “please fill all required fields”

because there is no value in below field

I have the same error –> “Uncaught TypeError: jQuery(…).validateCreditCard is not a function”. I have the latest 1.8.7.1 PMPro.

Check the console on Chrome on the Membership checkout page. This error is preventing me from using JS on this page.

Please advise!

I’d need more information to help with this. Can you share a link to your checkout page?

Make sure there are no other JS errors on the page (earlier JS errors can stop later JS from running).

That function is used to figure out the Card Type. Make sure that this JS file is in your PMPro folder and being loaded (https://github.com/strangerstudios/paid-memberships-pro/blob/dev/js/jquery.creditCardValidator.js).

If you are using a custom checkout template, there might be issues with that as well.

Thanks Jason.

I can’t display a link in public (client site). Is it possible to send it in private?

I have de-activated all plugins and only left the Pmpro plugin on. The error is still there. When Pmpro is de-activated then error is gone.

Problem only occurs on Membership Checkout page, not Membership Levels page when creating an account. There are no JS errors on any other page. I checked the console (FF & Chrome).

The file jquery.creditCardValidator.js is on the JS folder for Pmpro.

I also see this on Firefox, so it doesn’t seem to be a browser-specific error.

I’m using TML (Theme my Login) as template. I de-activated this plugin but the problem is still there.

This is resolved for me. It was a jquery conflict with the built in jquery in WP and Google hosted version. Removed the Google version, problem solved.

I just updated PMP and now I am having the same Uncaught TypeError: jQuery(…).validateCreditCard is not a function as Surender and Gabriel.

I’ve checked to make sure the jquery.creditCardValidator.js file is loading. I am not loading the Google hosted version of jQuery. I, too, am using TML, and when I deactivate it, the problem persists.

@Jason, can you give any other indications where to look or what to look at to find the reason for this error? With this error, my users cannot sign up for my premium service, so I’d love to get this figured out as soon as possible.

We can help you in the member support forums. I’d have to check out the site to figure out exactly what is going on. Sounds like some kind of JS conflict with other plugins/themes on the site.

Hi Admin,
When I cancel a plan through the frontend member panel, I get this error message:
You do not have permissions to make this API call. Please contact the site owner or cancel your subscription from within PayPal to make sure you are not charged going forward.

Please help me how to solve this issue.
Thanks

Please use our support forum for support requests in the future. If you’re using PayPal Standard, you need to also enter PayPal Express API information into the payment gateway setup in PMPro (save, then switch back to PayPal Standard and save again) to cancel PP Standard subscriptions. Even this sometimes doesn’t work, in which case users will need to cancel on the PayPal side.
