A very large security hole in the Paid Memberships Pro plugin has been brought to our attention by Charlie Eriksen via Secunia SVCRP.

In versions of PMPro prior to 1.5, the /adminpages/memberslist-csv.php file in the plugin could be requested directly in a web browser and would serve a CSV file containing all of your active members' information without first checking for a logged-in admin user.

Needless to say, this is a huge issue that needs to be fixed on any site with the Paid Memberships Pro plugin installed. (It should be noted that deactivating the plugin is not enough to fix this vulnerability: the file stays on disk and can still be requested directly, whether or not WordPress has the plugin active.)

The best way to fix this vulnerability is to update your copy of Paid Memberships Pro to the latest version (currently 1.5). Go do it now.

If you are running a version prior to 1.5 and do not see an update button in your WP dashboard, deactivating and reactivating the plugin may force WP to find the update.

If you are unable to update your version of the plugin (because you have made edits to the plugin files, etc.), you can patch this vulnerability by adding this code at the top of the /adminpages/memberslist-csv.php file, just below the require(‘…’) line (around line 8). It has to sit above everything else so the check runs before a single row of the CSV is generated.

//only admins can get this (PATCH!)
//If WordPress has not been loaded, current_user_can() does not exist and we refuse as well.
//manage_options is granted to the administrator role by default, so only admins pass.
if(!function_exists("current_user_can") || !current_user_can("manage_options"))
{
	die("You do not have permissions to perform this action.");
}
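As an added example (not code from this post or from the plugin itself), here is a small Python probe you can point at your own site after updating or applying the patch. It makes one anonymous request, with no cookies or login, to the export script and reports whether the response still looks like a member CSV. The plugin directory name (assumed to be paid-memberships-pro, matching the main plugin file), the CSV heuristics and the 4 KB read limit are my assumptions; adjust the path if your install differs.

```python
"""Anonymous probe for the memberslist-csv.php exposure described above.

Run it against your own site after updating or patching. It never logs in,
so a 'protected' verdict means an anonymous visitor can no longer pull the
member list; 'exposed' means the fix is not in place yet.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

# Assumed plugin directory; the plugin's main file is paid-memberships-pro.php,
# so the slug is most likely the same. Change this if your install differs.
CSV_EXPORT_PATH = "/wp-content/plugins/paid-memberships-pro/adminpages/memberslist-csv.php"

# Text printed by the manual patch above. die() sends it with HTTP 200, so the
# body has to be inspected: the status code alone does not prove the patch is in.
PATCH_DENIAL_TEXT = "You do not have permissions to perform this action."


@dataclass
class Response:
    status: int
    content_type: str
    content_disposition: str
    body: str


def classify(resp: Response) -> str:
    """Return 'exposed', 'protected' or 'unclear' for one anonymous GET."""
    if resp.status in (401, 403):
        return "protected"
    if resp.status == 200:
        if PATCH_DENIAL_TEXT in resp.body:
            return "protected"
        ct = resp.content_type.lower()
        # Heuristic: a member export starts with a header row naming user columns.
        first_line = resp.body.lstrip().split("\n", 1)[0].lower()
        looks_like_csv_header = "," in first_line and any(
            col in first_line for col in ("username", "email", "user_login"))
        if ("csv" in ct
                or "attachment" in resp.content_disposition.lower()
                or looks_like_csv_header):
            return "exposed"
    return "unclear"


def fetch(site_url: str, timeout: float = 10.0) -> Response:
    """Anonymous GET of the export script; reads only the first 4 KB so a
    still-vulnerable site does not dump its whole member list into this tool."""
    url = site_url.rstrip("/") + CSV_EXPORT_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "pmpro-csv-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status,
                            r.headers.get("Content-Type", ""),
                            r.headers.get("Content-Disposition", ""),
                            r.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code,
                        e.headers.get("Content-Type", ""),
                        e.headers.get("Content-Disposition", ""),
                        e.read(4096).decode("utf-8", "replace"))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: pmpro_csv_check.py https://your-site.example")
        sys.exit(2)
    verdict = classify(fetch(sys.argv[1]))
    print(verdict)
    sys.exit(0 if verdict == "protected" else 1)
```

Run it as `python pmpro_csv_check.py https://your-site.example`. Note that the manual patch answers with HTTP 200 plus the denial text rather than a 403, so a check that only looks at the status code would not recognise a patched site; that is why the body is inspected too. A verdict of 'unclear' (for example a 404 because the plugin lives under a different directory) means the probe hit the wrong path, not that you are safe.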

There really is no excuse for not catching this vulnerability sooner. I am deeply sorry to have put your member information at risk. I can only hope that knowledge of this hole has not been used on any site running our plugin.

Again, please please update immediately.

We have already updated or patched PMPro for any client that we currently work with or have worked with in the past and still have FTP access for.

If you need any help updating your version of Paid Memberships Pro or otherwise addressing this vulnerability, contact us right now and we will help you free of charge. Preference will be given to our PMPro members, but we will help anyone who has installed our plugin prior to version 1.5 and cannot update the plugin themselves.

Let us know if you have any other questions or concerns in the comments below or via phone/email.


Anyone who manually applies the patch can edit the paid-memberships-pro.php line 46 to define("PMPRO_VERSION", "1.5");

The script will then know it’s been updated.
