Version 1.9.3 of Paid Memberships Pro is out. This is an important security update, and we recommend everyone upgrade as soon as possible.


Security Improvements to Forms

We have improved the sanitization of form inputs in several places, which protects against cross-site scripting (XSS) attacks. Part of this hardening includes sanitizing some settings like the SSL Seal code, level confirmation text, and non-member/logged-out text shown on restricted posts.

Some sites may be using JavaScript script tags in these settings, or other values that the sanitization will now strip out. While it's possible to use custom code to allow additional tags, doing so would again open you up to certain XSS attacks. We suggest instead that you use a custom plugin to insert JavaScript into your site. Feel free to reach out on our forums for help doing this.


Please update Paid Memberships Pro from the plugins page of your WordPress dashboard. You can also get the latest version of PMPro here or version 1.9.3 specifically here.


The full list of updates is below.

  • SECURITY: Fixed sanitization of inputs and added nonces in several places to protect against XSS attacks.
  • BUG FIX: Showing correct error message when trying to update a PMPro Plus add on with a Core license installed.
  • BUG FIX: Fixed issue where subscription and payment transaction IDs were not being saved correctly when copying an order in the dashboard. (Thanks, Pippin Williamson)
  • BUG FIX: Fixed fatal errors that occurred in certain PHP versions.
  • BUG FIX: Fixed issue where ProfileStartDate was being calculated incorrectly in the test, check, and Cybersource gateways. (Thanks, David Parker)
  • ENHANCEMENT: Added a pmpro_sanitize_with_safelist() function that is used to sanitize inputs that have a limited number of exact options.
  • ENHANCEMENT: Updated the pmpro_setOption() and pmpro_getParam() functions to take a new last parameter $sanitize_function, which defaults to 'sanitize_text_field'.
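
The exact-match safelist and sanitize-callback pattern named in the last two changelog entries, as an added standalone PHP example that is not PMPro's own code. All `example_*` function names and the request values are hypothetical, and `example_sanitize_text()` is only a rough stand-in for WordPress's `sanitize_text_field()`.

```php
<?php
// Added illustration; the example_* names are hypothetical, not PMPro's code.

// Exact-match safelist: keep the value only if it is one of the allowed options.
function example_sanitize_with_safelist( $value, array $safelist, $default = null ) {
    // Strict comparison avoids PHP type juggling (e.g. 0 == 'live' before PHP 8).
    return ( is_string( $value ) && in_array( $value, $safelist, true ) ) ? $value : $default;
}

// Rough stand-in for a text-field sanitizer: strip tags and control characters.
function example_sanitize_text( $value ) {
    $value = strip_tags( (string) $value );
    return trim( preg_replace( '/[\x00-\x1F\x7F]+/', ' ', $value ) );
}

// Read a parameter through a caller-supplied sanitizer passed as the last argument.
function example_get_param( array $request, $key, $default = '', $sanitize_function = 'example_sanitize_text' ) {
    if ( ! isset( $request[ $key ] ) || ! is_scalar( $request[ $key ] ) ) {
        return $default; // missing or array-valued input never reaches the sanitizer
    }
    return call_user_func( $sanitize_function, $request[ $key ] );
}

// Constructed request data for the demonstration.
$request = array(
    'gateway_environment' => 'sandbox"><script>alert(1)</script>',
    'confirmation_text'   => 'Thanks for joining! <script>track()</script>',
);

// A setting with a fixed set of options: anything else falls back to the default.
$env = example_sanitize_with_safelist(
    example_get_param( $request, 'gateway_environment' ),
    array( 'sandbox', 'live' ),
    'sandbox'
);
// Free text goes through the default text sanitizer, which drops the script tag.
$text = example_get_param( $request, 'confirmation_text' );

// Escape on output too; input sanitization does not replace output encoding.
echo htmlspecialchars( $env, ENT_QUOTES, 'UTF-8' ), "\n";
echo htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' ), "\n";
```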

Comments (2)

Hi
I am a developer; my customer's site is using Paid Memberships Pro 1.9.5.3.
They wanted Stripe payment. After setting up everything, I keep getting the error below in both test and live mode.

There are JavaScript errors on the page. Please contact the webmaster.

Hi @wildme,

Thank you for getting in touch with us!

The best way to test this is to see if there is a conflict with your theme or other plugins. To test conflicts you may do the following:

1. Temporarily disable all plugins except for Paid Memberships Pro (Disable any Add Ons you may have for Paid Memberships Pro – DO NOT DELETE THE PLUGINS).
2. Temporarily set your theme to TwentySeventeen.
3. Retest your checkout to see if the issue persists – if not, there was a conflict.
4. If in step 3 you could checkout okay, start activating one plugin at a time and see if the issue reappears. The last plugin or theme activated was the culprit.

Sometimes this issue could be caused by your site loading more than one instance of jQuery. I think if you are using any plugin that heavily uses JavaScript, it would be good to deactivate it first before retesting your checkout.

I hope this helps.

If you need any further help with this, kindly open up a forum support topic on our Member Support Forums so that we can take a closer look into this issue for you. Thank you!
