Version 2.12.4 of Paid Memberships Pro is out with a very important security fix.

This update fixes an issue where, in some cases, users could upload files at checkout with disallowed file types (e.g. .php files). These files could then be accessed to run arbitrary code on the server.

Thanks to István Márton and WordFence for the responsible disclosure of this issue.

While only sites with certain user field configurations are vulnerable to the security attack as disclosed, we are encouraging all sites to update. Please update Paid Memberships Pro from the plugins page of your WordPress dashboard. You can also get the latest version of PMPro v2.12.4 here.

Development Changelog for Paid Memberships Pro Release Updates

Table of contents

How to Confirm Whether This Impacted Your Site

The information below aims to help site owners identify whether this security issue specifically impacted their site. We’ve also included steps to clean up any potentially malicious files.

Who is Potentially Impacted

Any site with PMPro User Fields set in a profile only group, or otherwise marked to not appear at checkout, could be vulnerable to this attack.

The fields did not have to be file type fields.

How to Update and Protect Your Site

  1. The first thing to do is back up your site and then update to the latest version of PMPro (v2.12.4 or higher).
  2. Next, search for malicious files in the ../wp-content/uploads/pmpro-register-helper/ folder.
    • If you don’t have a pmpro-register-helper folder in your /wp-content/uploads/ folder, you have confirmed that this vulnerability hasn’t been used.
    • If you do have that folder, that means you likely have file type fields defined in PMPro.
  3. For sites with a small number of users: browse through the files to look for any malicious looking files. There should not be any .php, .js, or .html files in that folder.
  4. If you find a malicious file, back it up safely (it can be useful for identification), and then delete the file from your server.
    • At this point, you should assume your website has been hacked. You should work with your host or a company like WordFence to fully restore and secure your site.

Linux Command For Advanced Developers

Here is a Linux command you can run to scan for possible malicious files in the pmpro-register-helper folder. First navigate to your /wp-content/uploads folder under your web root, then run:

find pmpro-register-helper/ \( -name ".php" -o -name ".html" -o -name ".htm" -o -name ".js" -o -name ".exe" -o -name ".bat" -o -name ".sh" -o -name ".py" -o -name ".pl" -o -name ".cgi" -o -name ".asp" -o -name ".aspx" -o -name "*.jar" \)

The full list of updates in v2.12.4 is below.

  • SECURITY: Fixed security issue where in some cases users could upload files at checkout with disallowed file types, e.g. .php files that could then be accessed to run arbitrary code on the server. (Thanks, István Márton and WordFence)
  • ENHANCEMENT: New icons for LifterLMS and the GA4 Add On.
  • BUG FIX/ENHANCEMENT: Fixed issues with the notifications shown when updating billing details. (Thanks, dwanjuki on GitHub)
Jason Coleman

Author: Jason Coleman

Jason Coleman is the co-founder and CEO of Paid Memberships Pro, the most complete membership platform for WordPress. With a passion for pushing WordPress to its limits, Jason is the author of Building Web Apps With WordPress, published by O'Reilly Media.

Jason's entrepreneurial spirit is driven by uncertainty, risk, and the thrill of new opportunities. With over two decades of experience in development, management, and marketing, he is committed to Paid Memberships Pro: the only open source platform focused on helping creators get paid so they can find freedom in their life and fulfill their goals.

View more articles by Jason Coleman »

Was this article helpful?
YesNo