Paid Memberships Pro Security Update 2.12.9 and 2.12.10

Version 2.12.9 of Paid Memberships Pro is out with one enhancement and one security update. Thanks to Scott Kingsley Clark for the responsible disclosure of the security issue. Version 2.12.10 was released soon after with a fix for an issue introduced in 2.12.9.

Banner Image for Development Changelog Paid Memberships Pro Release Updates

About the Security Issue
- How to Audit Your Site For Shortcode Usage
Full Changelog For v2.12.9 and v2.12.10

About the Security Issue

The security issue addressed by this update is related to the pmpro_member shortcode. It’s a very useful and powerful shortcode to help membership site creators add personalization and build dashboard-like experiences for their members.

The pmpro_member shortcode can output any user or user meta field for the logged in user or a specific named user (by user ID).

For this reason and the potential privacy and security risks associated with displaying user info, since version 2.12.9, only administrators and users with the edit_users capability (given to people with the Administrator role) can add this shortcode to content.

Much like how WordPress core filters the script tag from content before updating the database, we also filter out this shortcode

If a user without the edit_users capability adds this shortcode to post content (like a page, post, or CPT), widgets, or menus, we will now remove it before saving to the database.
We will also remove the shortcode if it exists in post content and someone without this capability edits the post.

Upgrading to version 2.12.9 will NOT remove any existing uses of the shortcode on your site.

How to Audit Your Site For Shortcode Usage

If you are concerned with how this shortcode may have been used in your site, here’s how to audit your site:

Navigate to Posts > All Posts in the WordPress admin.
Search for "[pmpro_member ". Be sure to include the quotes and the space at the end.
This will show you any posts that include the pmpro_member shortcode. If you weren’t using this shortcode, there may be no results.

Repeat these steps to search your Pages and any other custom post types (if applicable).

Full Changelog For v2.12.9 and v2.12.10

SECURITY: Only users with the edit_users capability may add the pmpro_member shortcode to posts and widgets now. (Thanks, Scott Kingsley Clark)
ENHANCEMENT: Now simplifying the members and user search on sites where wp_is_large_user_count() is true.
BUG FIX/ENHANCEMENT: Removed the 24 option from the hours dropdown for expiration dates since the hours start with 00.

Author: Jason Coleman

Jason is co-founder of Paid Memberships Pro, the 100% open source membership plugin for WordPress. He has been pushing WordPress to its limits for many years and is an advocate for using WordPress as an application framework to build web sites and apps that go above and beyond the typical blog or CMS site.

Was this article helpful?

YesNo