Version 1.9.3 of Paid Memberships Pro is out. This is an important security update, and we recommend everyone upgrade as soon as possible.
Security Improvements to Forms
We have improved the sanitization of form inputs in several places, which protects against Cross-site scripting (XSS) attacks. Part of this hardening includes sanitizing some settings like the SSL Seal code, level confirmation text, and non-member/logged-out text shown on restricted posts.
The full list of updates is below.
- SECURITY: Fixed sanitization of inputs and added nonces in several places to protect against XSS attacks.
- BUG FIX: Showing the correct error message when trying to update a PMPro Plus add-on with a Core license installed.
- BUG FIX: Fixed issue where subscription and payment transaction IDs were not being saved correctly when copying an order in the dashboard. (Thanks, Pippin Williamson)
- BUG FIX: Fixed fatal errors that occurred in certain PHP versions.
- BUG FIX: Fixed issue where ProfileStartDate was being calculated incorrectly in the test, check, and Cybersource gateways. (Thanks, David Parker)
- ENHANCEMENT: Added a pmpro_sanitize_with_safelist() function that is used to sanitize inputs that have a limited number of exact options.
- ENHANCEMENT: Updated the pmpro_setOption() and pmpro_getParam() functions to take a new last parameter $sanitize_function, which defaults to 'sanitize_text_field'.
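The last two enhancements describe two input-handling patterns: a safelist check for settings that only accept a fixed set of values, and a request-parameter getter that runs every value through a sanitize callback before it is stored. The script below is an added illustration of those patterns and is not Paid Memberships Pro's own code; the function names demo_sanitize_with_safelist() and demo_get_param(), the $request array, and the fallback definition of sanitize_text_field() (a simplified stand-in used only so the script runs outside WordPress) are all assumptions made for the example.

```php
<?php
// Added example, not Paid Memberships Pro code. Shows a safelist sanitizer for
// inputs with a fixed vocabulary and a request-parameter getter that takes a
// sanitize callback, as described in the 1.9.3 changelog.

// Simplified stand-in for WordPress's sanitize_text_field(), defined only when
// the script runs outside WordPress. Inside WordPress the real function is used.
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );                  // drop HTML tags
        $str = preg_replace( '/%[a-fA-F0-9]{2}/', '', $str ); // drop percent-encoded octets
        $str = preg_replace( '/[\r\n\t ]+/', ' ', $str );     // collapse whitespace
        return trim( $str );
    }
}

// Return $needle only when it is exactly one of the allowed values, otherwise
// false so the caller can fall back to a safe default. Strict comparison means
// "1" does not match 1 and "" does not match 0. (Hypothetical helper.)
function demo_sanitize_with_safelist( $needle, array $safelist ) {
    return in_array( $needle, $safelist, true ) ? $needle : false;
}

// Read a parameter from a request array and pass it through $sanitize_function
// before returning it. Free-text fields use sanitize_text_field(); fields with
// a fixed vocabulary should pass a safelist check instead. (Hypothetical helper.)
function demo_get_param( array $request, $name, $default = '', $sanitize_function = 'sanitize_text_field' ) {
    if ( ! isset( $request[ $name ] ) ) {
        return $default;
    }
    return call_user_func( $sanitize_function, $request[ $name ] );
}

// Constructed request data standing in for $_REQUEST: a level name carrying a
// script tag, a gateway name carrying an image tag, and a valid sort order.
$request = array(
    'level_name' => "Gold <script>alert(1)</script>\n  member",
    'gateway'    => 'stripe<img src=x onerror=alert(1)>',
    'sort'       => 'DESC',
);

// Free-text setting: tags and stray whitespace are removed before storage.
$level_name = demo_get_param( $request, 'level_name' );
echo 'level_name: ', $level_name, "\n";

// Fixed-vocabulary settings: anything not exactly in the safelist is rejected.
$gateways = array( 'stripe', 'paypalexpress', 'check' );
var_dump( demo_sanitize_with_safelist( $request['gateway'], $gateways ) );
var_dump( demo_sanitize_with_safelist( $request['sort'], array( 'ASC', 'DESC' ) ) );

// Wiring the two together: the safelist check becomes the sanitize callback,
// and a rejected value falls back to the default gateway.
$gateway = demo_get_param( $request, 'gateway', 'check', function ( $value ) use ( $gateways ) {
    $clean = demo_sanitize_with_safelist( $value, $gateways );
    return false === $clean ? 'check' : $clean;
} );
echo 'gateway: ', $gateway, "\n";
```

Run it with `php` on the command line. The level name comes back with the script tag and line break stripped, the tampered gateway value is rejected (false) and replaced by the default, and the sort value passes unchanged because it matches an allowed entry exactly. Sanitizing on save is only half of the defence against stored XSS: values such as the SSL Seal code or level confirmation text should still be escaped on output with the appropriate WordPress escaping function (esc_html(), esc_attr(), or wp_kses_post() where limited HTML is intended).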