Version 1.9.5.4 of Paid Memberships Pro is out with a handful of bug fixes. Included are fixes for Theme My Login 7, Stripe and TwoCheckout integration, and a few others.
About the Update
In addition to the improvements mentioned above, we added some SQL escaping to our reports pages. While this work is marked as a SECURITY update, we do not believe there were any related vulnerabilities in the prior code. It’s just good practice to be extra cautious here to harden the code for future updates.
In addition to the PMPro team, this update includes work by many third party authors including Jeff Farthing, Charl P. Botha, and David Cervantes Caballero.
Please update Paid Memberships Pro from the plugins page of your WordPress dashboard. You can also get the latest version of PMPro here or version 1.9.5.4 specifically here.
About the Level Description and Confirmation Message
As of version 1.9.5.4, we are no longer using the WordPress the_content filter when displaying the membership level’s description or confirmation message. Using the the_content filter in these areas allowed you to use shortcodes and other post styling that relied on that filter. However, some sites (depending on the other plugins installed) would get caught in an infinite loop while rendering this text and crash. If you need to revert this behavior on your site, please copy and paste this code recipe into a helper PMPro Customizations plugin.
Note that these filters only affect the level description and confirmation message when displayed on your site. If your level description or confirmation message appears in emails to your members, shortcodes and other styles may not work even with the above gist installed.
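The recipe linked above is not reproduced in this post, so here is an added example of what such a helper plugin looks like. This is not PMPro's own gist: it assumes the plugin exposes the filters pmpro_level_description and pmpro_confirmation_message (assumed names) and re-applies the_content through them, with a re-entrancy guard so the infinite loop described above falls back to wpautop() instead of crashing the page. The same recipe is what the BUG FIX/ENHANCEMENT changelog entry about wpautop() below refers to.

```php
<?php
/*
Plugin Name: PMPro Customizations - Restore the_content on level text
Description: Added example (not PMPro's own code). Re-applies the the_content
             filter to the level description and confirmation message, as
             versions before 1.9.5.4 did, with a guard against re-entry.
*/

/**
 * Run the_content over PMPro level text.
 *
 * A static flag detects the case the release notes describe: another plugin's
 * the_content callback ends up rendering a level or confirmation message again,
 * which re-enters this hook. On re-entry we return plain wpautop() output
 * instead of applying the_content a second time, so rendering always terminates.
 */
function my_pmpro_restore_the_content( $text ) {
    static $in_progress = false;

    if ( $in_progress ) {
        return wpautop( $text );
    }

    $in_progress = true;
    $rendered    = apply_filters( 'the_content', $text );
    $in_progress = false;

    return $rendered;
}

// Assumed filter names; check the PMPro source for the hooks your version provides.
add_filter( 'pmpro_level_description', 'my_pmpro_restore_the_content' );
add_filter( 'pmpro_confirmation_message', 'my_pmpro_restore_the_content' );
```

Save the file in wp-content/plugins/ and activate it like any other plugin. As the note above says, this only changes what is rendered on the site; emails that include the level description or confirmation message are not affected.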
The full list of updates is below.
- SECURITY: Some values used in SQL queries in our reporting code were sanitized but not later escaped via esc_sql(). All variables added to SQL queries in the reports are now wrapped in esc_sql(). The previous code was not vulnerable to any known attack, but this change hardens the code against vulnerabilities in case other parts of the code change in the future.
- BUG FIX: Fixed issue with lost passwords when Theme My Login 7 is active. (Thanks, Jeff Farthing)
- BUG FIX: No longer sending an “error canceling the subscription” email when subscriptions are cancelled from Stripe.
- BUG FIX: Fixed issue where TwoCheckout orders were not correctly updating the TOS consent data. (Thanks, Charl P. Botha)
- BUG FIX: Fixed issue where privacy functions weren’t defaulting to $current_user correctly. In practice, we were always passing a user_id anyway.
- BUG FIX/ENHANCEMENT: Changed the confirmation message to use wpautop() instead of apply_filters('the_content'). If you were relying on shortcodes or other content that required that filter, you must use the custom functions outlined earlier in this post to revert this for your site.
- BUG FIX/ENHANCEMENT: Using the strict parameter of sanitize_user() when getting usernames. This prevents some special characters from being used in usernames at checkout, in line with WP core and other plugins. (Thanks, David Cervantes Caballero)
- ENHANCEMENT: Added a breakdown of orders at each price point to the Sales Report widget.
- ENHANCEMENT: Showing the Stripe version we use on the Payment Settings page.
- ENHANCEMENT: Updated Copyright date and GPLv2 link in license.txt.
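To make the SECURITY entry above concrete, here is an added example (not PMPro's own reporting code) of the "sanitized but not escaped" pattern beside the esc_sql()-wrapped form that 1.9.5.4 adopts. It assumes a normal WordPress environment ($wpdb, esc_sql(), sanitize_text_field(), absint()); the table and column names and the request parameters are constructed for illustration.

```php
<?php
/**
 * Added example, not PMPro's code. Three versions of a small report query:
 * the pre-1.9.5.4 shape, the esc_sql()-hardened shape, and $wpdb->prepare().
 * Table/column names (pmpro_membership_orders, status, timestamp) are assumed.
 */

// Before: the value is sanitized, then interpolated into a quoted SQL literal as-is.
function example_report_query_before() {
    global $wpdb;

    // sanitize_text_field() strips tags and control characters, but a single
    // quote survives it, so sanitization alone does not make $status safe to
    // drop inside '...'. Integers from absint() are safe to interpolate directly.
    $status = sanitize_text_field( $_REQUEST['status'] ?? 'success' );
    $year   = absint( $_REQUEST['year'] ?? date( 'Y' ) );

    return "SELECT COUNT(*) FROM {$wpdb->prefix}pmpro_membership_orders
            WHERE status = '$status' AND YEAR(timestamp) = $year";
}

// After: every string is additionally wrapped in esc_sql() at the point of use.
function example_report_query_after() {
    global $wpdb;

    $status = sanitize_text_field( $_REQUEST['status'] ?? 'success' );
    $year   = absint( $_REQUEST['year'] ?? date( 'Y' ) );

    // esc_sql() escapes quotes and backslashes for the active MySQL connection,
    // so the value cannot close the literal even if the sanitization step is
    // loosened or removed by a later change elsewhere in the code.
    return "SELECT COUNT(*) FROM {$wpdb->prefix}pmpro_membership_orders
            WHERE status = '" . esc_sql( $status ) . "'
              AND YEAR(timestamp) = " . $year;
}

// Where the query shape allows it, $wpdb->prepare() quotes and escapes for you
// and ties each placeholder to a type, which is the form WordPress recommends.
function example_report_query_prepared() {
    global $wpdb;

    $status = sanitize_text_field( $_REQUEST['status'] ?? 'success' );
    $year   = absint( $_REQUEST['year'] ?? date( 'Y' ) );

    return $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}pmpro_membership_orders
         WHERE status = %s AND YEAR(timestamp) = %d",
        $status,
        $year
    );
}
```

The point of the release note is the middle function: sanitizing at the edge and escaping at the point of use are two separate controls, and keeping both means a future refactor that drops or weakens one does not silently expose the query.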