Version 2.4.3 of Paid Memberships Pro is out with a security fix and a fix for the bundled Vietnamese language files.
Thank you to the WordPress.org plugin review team, who discovered a cross-site scripting vulnerability. Full details can be found in the change log below.
Please update Paid Memberships Pro from the plugins page of your WordPress dashboard. You can also get the latest version of PMPro here or version 2.4.3 specifically here.
The full list of updates is below.
- SECURITY: Fixed a cross-site scripting vulnerability in the code that updates the Required Membership settings on a post. This vulnerability could have been used in conjunction with other security vulnerabilities to trick an admin into editing the membership settings for a page, potentially exposing members-only content to non-members. It is unlikely that there was any active exploitation of this vulnerability. This issue may also have shown up as a bug on some sites using page builders, where the membership settings for a post would be cleared out when editing a post. (Thanks to the wp.org plugin review team for catching this issue.)
- SECURITY: Better escaping of variables shown in the Require Membership meta box and related SQL queries.
- BUG FIX/ENHANCEMENT: Renamed the Vietnamese language files to match what is expected.