Version 2.12.4 of Paid Memberships Pro is out with a very important security fix.
This update fixes an issue where, in some cases, users could upload files at checkout with disallowed file types (e.g.
.php files). These files could then be accessed to run arbitrary code on the server.
Thanks to István Márton and WordFence for the responsible disclosure of this issue.
While only sites with certain user field configurations are vulnerable to the security attack as disclosed, we are encouraging all sites to update. Please update Paid Memberships Pro from the plugins page of your WordPress dashboard. You can also get the latest version of PMPro v2.12.4 here.
How to Confirm Whether This Impacted Your Site
The information below aims to help site owners identify whether this security issue specifically impacted their site. We’ve also included steps to clean up any potentially malicious files.
Who is Potentially Impacted
Any site with PMPro User Fields set in a
profile only group, or otherwise marked to not appear at checkout, could be vulnerable to this attack.
The fields did not have to be file type fields.
How to Update and Protect Your Site
- The first thing to do is back up your site and then update to the latest version of PMPro (v2.12.4 or higher).
- Next, search for malicious files in the
- If you don’t have a
pmpro-register-helperfolder in your
/wp-content/uploads/folder, you have confirmed that this vulnerability hasn’t been used.
- If you do have that folder, that means you likely have file type fields defined in PMPro.
- If you don’t have a
- For sites with a small number of users: browse through the files to look for any malicious looking files. There should not be any
.htmlfiles in that folder.
- If you find a malicious file, back it up safely (it can be useful for identification), and then delete the file from your server.
- At this point, you should assume your website has been hacked. You should work with your host or a company like WordFence to fully restore and secure your site.
Linux Command For Advanced Developers
Here is a Linux command you can run to scan for possible malicious files in the
pmpro-register-helper folder. First navigate to your
/wp-content/uploads folder under your web root, then run:
find pmpro-register-helper/ \( -name ".php" -o -name ".html" -o -name ".htm" -o -name ".js" -o -name ".exe" -o -name ".bat" -o -name ".sh" -o -name ".py" -o -name ".pl" -o -name ".cgi" -o -name ".asp" -o -name ".aspx" -o -name "*.jar" \)
The full list of updates in v2.12.4 is below.
- SECURITY: Fixed security issue where in some cases users could upload files at checkout with disallowed file types, e.g.
.phpfiles that could then be accessed to run arbitrary code on the server. (Thanks, István Márton and WordFence)
- ENHANCEMENT: New icons for LifterLMS and the GA4 Add On.
- BUG FIX/ENHANCEMENT: Fixed issues with the notifications shown when updating billing details. (Thanks, dwanjuki on GitHub)