Version 18.104.22.168 of Paid Memberships Pro is out with some important bug fixes. These bugs have the potential to hinder sales for PayPal and 2Checkout users, so be sure to upgrade.
Special note for PayPal users.
PMPro version 22.214.171.124 fixed a security hole where PMPro was NOT validating IPN requests properly. However, this also meant that sites which were operating fine with failing IPN validations stopped working.
Users would checkout with PayPal, the charge would go through in PayPal, but PMPro wouldn’t activate the member’s membership level because either (a) the IPN request was invalid do to invalid PayPal settings or (b) the IPN validation couldn’t be completed because of improper hosting/server settings.
If you are using PMPro with PayPal Website Payments Pro, PayPal Express, or PayPal Standard (and particularly PayPal standard), you should do the following:
- Upgrade PMPro to make sure your site will not process invalid IPN requests.
- Add the line
define('PMPRO_IPN_DEBUG', true);to your wp-config.php file and then test a PayPal checkout.
- You should get an email from PMPro with a lot of debug information.
- If you get an “VERIFIED” message in the IPN debug email and everything works fine, you are good to go.
- If you get an “HTTP ERROR” message in the IPN debug email, you should work with your host to enable “cURL” or otherwise make sure that Apache, PHP, and firewall settings are compatible so WordPress can make the remote request on this line of services/ipnhandler.php.
- If you get an “INAVLID” message in the IPN debug email, you should also see an error from PayPal explaining the problem. One common issue is that the “business” or “receive” email won’t match the email in your payment settings. To fix this you can sometimes change your email in the payment settings to match what PayPal suggests or use code like this to allow for an email different from your settings. (Sometimes the business email is different from the email you use to log into PayPal.)
If you are still having issues, you should reach out to us on the forums and we can figure out what is going on. You definitely want the IPN requests to be validated to prevent attacks, and we should be able to figure out what the issue is on your specific setup. If you want to tell PMPro to validate all requests as a temporary measure, you can use this code in your active theme’s functions.php or a custom plugin to tell PMPro to validate all IPN requests as true.
The full list of updates is below.
- SECURITY: No longer showing email addresses in output when cron jobs are processed by non-admins. (Thanks, Daniel Bachhuber)
- BUG: Better handling of errors when validating PayPal IPN requests. Added pmpro_ipn_validate filter.
- BUG: Fixed bug where both the return and first order INS would change membership and update the order twice, leading to unwanted cancellations and emails. (Thanks, Steffen Dressler)
- BUG: No longer using the $pmpro_levels global in pages/levels.php.