Security Update 1.8.10

Version 1.8.10 of Paid Memberships Pro is out. This update includes a security fix for a cross-site scripting (XSS) vulnerability discovered by Burak Kelebek along with a handful of other bug fixes and minor enhancements.

XSS Vulnerability

Burak Kelebek discovered a XSS vulnerability on the Addons page of the PMPro dashboard during the Summer of Pwnage event this month. As described by Burak “This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators’ session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.”

This patch fixes the XSS vulnerability by properly validating the form data on the Addons page of the PMPro dashboard page. More details on the vulnerability can be found on the full advisory page here.

Skipping the PayPal Express Confirmation Step

This update also includes a new option to skip the confirmation step with PayPal Express. Previously, all PayPal Express checkouts required the member to 1) complete the membership checkout fields, 2) go to PayPal to specify payment, 3) return to your site to complete the checkout process. You can now skip that third step and members are immediately taken to the Membership Confirmation page upon successful payment via PayPal Express. Orders that previously would have been abandoned during the “review” status, will now complete to confirmation and process payment.

Please update Paid Memberships Pro from the plugins page of your WordPress dashboard. You can also get the latest version of PMPro here or version 1.8.10 specifically here.

---

The full list of updates is below.

• SECURITY: Patched a cross site scripting (XSS) vulnerability on the Memberships -> Addons page in the dashboard. Thanks to Burak Kelebek for the discovery and responsible disclosure of this vulnerability.
• BUG: Added pmpro_btn-submit-checkout class to the PayPal checkout buttons.
• BUG: Updated Stripe and Braintree gateways to load billing fields and JavaScript when it’s the default gateway (if not the current gateway specified).
• BUG: Fixed bug where cancelation emails weren’t being sent to users if they originated from PayPal.
• BUG: Fixed bug where unsucessful invoices were shown on the Membership Account page. We aren’t showing refunded invoices here now either, but plan to in the future.
• BUG: The update billing page now uses the pmpro_include_billing_address_fields filter so gateways and addons can properly override the payment fields when needed.
• BUG: The update billing page now uses the validatecreditcard.js script to set the Card Type in the background, just like checkout. Fixes some issues with updating credit cards on certain gateways.
• BUG: Reintroduced the pmpro_members_list_sql filter.
• BUG/ENHANCEMENT: Switched the Japanese Yen and South Korean Won to not use decimals by default. (Thanks, flatworld21 on w.org)
• ENHANCEMENT: Added an option to skip the confirmation step with PayPal Express.
• ENHANCEMENT: Added pmpro_hide_billing_cc_fields filter (false by default). Allows user to hide credit card section from billing page (only update billing address if needed).
• ENHANCEMENT: Added the checkout_id column to the pmpro_membership_orders table. This will be used by addons and possible core in the future to track multiple orders that happen during the same checkout process.
• ENHANCEMENT: Added support for the Serian language. (Thanks, Sasa Trifkovic)
• NOTE: We are planning to remove the certificate_id and certificate_amount columns from the pmpro_membership_orders table. Please contact us if you are using this column for something to come up with a work around.