Version 2.3.3 of Paid Memberships Pro is out with a handful of bug fixes, including a security patch. All users are advised to update as soon as possible.
The security issue is a SQL injection vulnerability on the add/edit orders page in the WP dashboard. A user must be logged in as an administrator to launch the attack. We do not suspect that this vulnerability is being actively exploited. Even so, it is important to fix this issue since it could be used in conjunction with other vulnerabilities to damage your site.
We have not yet patched older versions of the plugin, which are available for download here or through wordpress.org, but may do that at some point. This would not automatically patch sites that are already running PMPro. It would only make sure that users who download an older version don’t get this vulnerability.
We encourage everyone to backup, test, and upgrade to the latest version. If you can’t upgrade, you can patch the vulnerability yourself by applying the changes made in this commit and this commit.
Thank you to Kenichi Okuno of Mitsui Bussan Secure Directions, Inc. for his responsible disclosure of this vulnerability.
Thanks also to Mirco Babini for his first time contributions to Paid Memberships Pro.
The full list of updates is below.
- SECURITY: Fixed SQL injection vulnerability when logged in as an administrator and adding new orders in the dashboard. JVN#20248858 (Thanks, Kenichi Okuno of Mitsui Bussan Secure Directions, Inc.)
- SECURITY: Making sure to properly escape all values on the add/edit order form in the dashboard.
- BUG FIX: Now properly setting the order status to “error” when an initial payment fails when using PayPal Express. Previously, the order status was set to “cancelled”, which counted the order toward reports and made it harder to find orders that had errors. (Thanks, Mirco Babini)
- BUG FIX: Fixed issue with the PMPro logo and some other assets loading over the wrong scheme (http vs https) in some cases.
- BUG FIX: Fixed issue where the chosen discount code was not shown after submitting when adding a new order through the dashboard.
- BUG FIX/ENHANCEMENT: Using “PMPro” in the admin activity email subject to keep the line shorter and avoid issues when replacing the word “member” via gettext.
- ENHANCEMENT: Added a pmpro_allow_weak_passwords filter. You can set this to return true (like this https://gist.github.com/ideadude/5a12119b9ce1c2aad87b2d69cb8f9505) to allow weak passwords on the change password and reset password pages. Note that at this time, weak passwords are still allowed on the checkout page no matter the value of this filter. We expect to change that in the future. For now, you can use our PMPro Strong Passwords plugin to force strong passwords at checkout.
- REFACTOR: Updated the logic around checking the PMPRO_IPN_DEBUG constant in the IPN handler. (Thanks, Mirco Babini)
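The two SECURITY items above come down to one rule for an admin order form: never interpolate form input into SQL, and escape values on the way back out. The following is an added illustration, not code from Paid Memberships Pro, of the injectable pattern beside the hardened one as a WordPress plugin would write it with $wpdb; the function names, field names, nonce action and table name are assumptions.

```php
<?php
// Added illustration (not PMPro code). Assumes a WordPress environment with the
// global $wpdb; the table, fields and nonce action below are hypothetical.

// INJECTABLE: admin form values are dropped straight into the SQL string.
// Only an administrator can reach this page, but the query is still
// injectable, so a chained issue (e.g. a CSRF bug) could turn it into a SQLi.
function example_save_order_unsafe( array $post ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_orders'; // hypothetical table name
    $sql   = "INSERT INTO $table (user_id, code, total) VALUES ("
           . $post['user_id'] . ", '" . $post['code'] . "', " . $post['total'] . ")";
    return $wpdb->query( $sql );
}

// HARDENED: capability and nonce checks first, then every value goes through
// $wpdb->prepare() with a typed placeholder. The table name is built from a
// trusted string only, never from request data.
function example_save_order_safe( array $post ) {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    check_admin_referer( 'example_save_order' ); // hypothetical nonce action

    $table   = $wpdb->prefix . 'example_orders';
    $user_id = absint( $post['user_id'] ?? 0 );
    $code    = sanitize_text_field( wp_unslash( $post['code'] ?? '' ) );
    $total   = (float) ( $post['total'] ?? 0 );

    $sql = $wpdb->prepare(
        "INSERT INTO {$table} (user_id, code, total) VALUES (%d, %s, %f)",
        $user_id,
        $code,
        $total
    );
    return $wpdb->query( $sql );
}

// Re-displaying a submitted value in the form (the second SECURITY item):
// escape at the point of output so a stored value cannot break out of the
// attribute.
function example_render_code_field( string $code ) {
    return '<input type="text" name="code" value="' . esc_attr( $code ) . '">';
}
```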