Version 1.9.3 of Paid Memberships Pro is out. This is an important security update, and we recommend everyone upgrade as soon as possible.
Security Improvements to Forms
We have improved the sanitization of form inputs in several places, which protects against cross-site scripting (XSS) attacks. Part of this hardening includes sanitizing some settings that are later echoed into pages, such as the SSL Seal code, the level confirmation text, and the non-member/logged-out text shown on restricted posts.
Some sites may have pasted JavaScript script tags into these settings, or other markup that the new sanitization will strip out. While it is possible to use custom code to allow those tags through again, doing so reopens the same stored XSS risk: anything that can be saved into a setting and rendered unescaped becomes a script injection point. So we suggest that you use a small custom plugin to insert JavaScript into your site instead, where the script lives in a file rather than in a database setting. Feel free to reach out to our support team for help doing this.
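As an added example (not code from the PMPro plugin or its authors), here is the shape of such a custom plugin: it registers a JavaScript file with WordPress's wp_enqueue_script() instead of pasting a script tag into a PMPro setting. The plugin name, the handle "my-site-custom", and the file path js/my-site-custom.js are assumptions for this illustration; the enqueue and localize calls are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: My Site Custom Scripts (example)
 * Description: Loads site JavaScript from a file instead of a PMPro settings field.
 *
 * Example code, not part of Paid Memberships Pro. Drop this file in
 * wp-content/plugins/my-site-custom-scripts/ with the script at js/my-site-custom.js
 * (both names are assumptions for the example) and activate it.
 */

// Refuse to run if the file is requested directly rather than loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Enqueue the site's script on front-end pages.
 * The script is a versioned file on disk, so it cannot be altered through an
 * admin form field, and nothing from user-editable settings is echoed as script.
 */
function my_site_custom_enqueue_scripts() {
    // Admin screens do not need the front-end script.
    if ( is_admin() ) {
        return;
    }

    wp_enqueue_script(
        'my-site-custom',                                  // handle (assumed name)
        plugins_url( 'js/my-site-custom.js', __FILE__ ),   // file shipped with the plugin
        array(),                                           // dependencies, e.g. array( 'jquery' )
        '1.0.0',                                           // version for cache busting
        true                                               // print in the footer
    );

    // Hand data to the script as a JSON-encoded object rather than building
    // inline <script> text from settings values.
    wp_localize_script(
        'my-site-custom',
        'mySiteCustomData',
        array(
            'isLoggedIn' => is_user_logged_in(),
        )
    );
}
add_action( 'wp_enqueue_scripts', 'my_site_custom_enqueue_scripts' );
```

Keep the script file in version control with the rest of the site; that is the point of the approach, since an admin-editable setting that accepts script tags is writable by anyone who gains an admin session, whereas a plugin file needs file-system access to change.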
Please update Paid Memberships Pro from the plugins page of your WordPress dashboard. You can also get the latest version of PMPro here or version 1.9.3 specifically here.
The full list of updates is below.
- SECURITY: Fixed sanitization of inputs in several places to protect against XSS attacks, and added nonces to several forms (nonces guard form submissions against cross-site request forgery, CSRF, rather than XSS).
- BUG FIX: Showing correct error message when trying to update a PMPro Plus add on with a Core license installed.
- BUG FIX: Fixed issue where subscription and payment transaction IDs were not being saved correctly when copying an order in the dashboard. (Thanks, Pippin Williamson)
- BUG FIX: Fixed fatal errors that occurred in certain PHP versions.
- BUG FIX: Fixed issue where ProfileStartDate was being calculated incorrectly in the test, check, and Cybersource (deprecated in v2.10+) gateways. (Thanks, David Parker)
- ENHANCEMENT: Added a pmpro_sanitize_with_safelist() function that is used to sanitize inputs that have a limited number of exact options, so a value is accepted only if it matches one of the allowed options.
- ENHANCEMENT: Updated the pmpro_setOption() and pmpro_getParam() functions to take a new last parameter, $sanitize_function, which defaults to 'sanitize_text_field'.
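The last two changelog entries describe two different sanitization patterns: a generic text sanitizer for free-form fields, and a safelist for settings that may only hold one of a few exact values. The stand-alone example below, which is added here and is not PMPro's own code, shows why both are needed. It runs with plain `php` and no WordPress install, so it uses simplified stand-ins: example_sanitize_text_field() for WordPress's sanitize_text_field(), example_sanitize_with_safelist() for the new pmpro_sanitize_with_safelist(), and example_get_param() for a pmpro_getParam()-style reader with a $sanitize_function last parameter. The helper names, their signatures, and the request values are assumptions for the illustration, not the plugin's actual API.

```php
<?php
/*
 * Added example, not code from Paid Memberships Pro. All helper names and
 * signatures are assumptions chosen to mirror the patterns in the changelog.
 */

/** Simplified stand-in for sanitize_text_field(): strip tags and control characters, trim. */
function example_sanitize_text_field( $value ) {
    $value = strip_tags( (string) $value );
    $value = preg_replace( '/[\x00-\x1F\x7F]/', '', $value );
    return trim( $value );
}

/**
 * Safelist sanitizer for settings with a fixed set of exact options.
 * Returns the value unchanged only if it is exactly one of $safelist, else false.
 * Strict comparison avoids loose-typing surprises such as 0 == "sandbox".
 */
function example_sanitize_with_safelist( $needle, array $safelist ) {
    return in_array( $needle, $safelist, true ) ? $needle : false;
}

/**
 * Reads one parameter and runs it through a caller-chosen sanitizer
 * (string function name or closure), defaulting to the text sanitizer.
 * $source stands in for $_REQUEST so the example runs offline.
 */
function example_get_param( $index, array $source, $default = '', $sanitize_function = 'example_sanitize_text_field' ) {
    if ( ! isset( $source[ $index ] ) ) {
        return $default;
    }
    return call_user_func( $sanitize_function, $source[ $index ] );
}

/** Constructed request data: one honest option value, two hostile values. */
function example_demo() {
    $request = array(
        'gateway_environment' => 'sandbox',
        'level_text'          => 'Welcome <script>alert(1)</script> member',
        'gateway_hostile'     => "live\" onmouseover=\"alert(1)",
    );
    $environments = array( 'sandbox', 'live' );

    // A closure passed as $sanitize_function: safelist check for a fixed-option setting.
    $env_sanitizer = function ( $value ) use ( $environments ) {
        return example_sanitize_with_safelist( $value, $environments );
    };

    return array(
        // Free-text setting: the tags are stripped, the surrounding text survives.
        'level_text'   => example_get_param( 'level_text', $request ),
        // Fixed-option setting: exact match is accepted.
        'env_ok'       => example_get_param( 'gateway_environment', $request, 'sandbox', $env_sanitizer ),
        // Text sanitization alone passes this through (it contains no tags)...
        'hostile_text' => example_get_param( 'gateway_hostile', $request ),
        // ...but the safelist rejects it, because it is not one of the allowed options.
        'env_bad'      => example_get_param( 'gateway_hostile', $request, 'sandbox', $env_sanitizer ),
    );
}

var_export( example_demo() );
```

Running it prints 'Welcome alert(1) member' for level_text, 'sandbox' for env_ok, the untouched attribute-injection string for hostile_text, and false for env_bad. The last two rows are the point: stripping tags does nothing to a payload that breaks out of an attribute, so a setting with a known set of values should be compared against that set rather than merely cleaned.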