Version 2.4.3 of Paid Memberships Pro is out with a security fix and a fix for the bundled Vietnamese language files.
Thank you to the WordPress.org plugin review team, who discovered a cross-site scripting vulnerability. Full details can be found in the changelog below.
The full list of updates is below.
- SECURITY: Fixed a cross-site scripting vulnerability in the code that updates the Required Membership settings on a post. This vulnerability could have been used in conjunction with other security vulnerabilities to trick an admin into editing the membership settings for a page, potentially exposing members-only content to non-members. It is unlikely that there was any active exploitation of this vulnerability. This issue may also have shown up as a bug on some sites using page builders, where the membership settings for a post would be cleared out when editing the post. (Thanks to the wp.org plugin review team for catching this issue.)
- SECURITY: Better escaping of variables shown in the Require Membership meta box and related SQL queries.
- BUG FIX/ENHANCEMENT: Renamed the Vietnamese language files to match what is expected.