Version 2.5.3 of Paid Memberships Pro is out with 2 very important security fixes.

Please update Paid Memberships Pro from the plugins page of your WordPress dashboard. You can also get the latest version of PMPro here or version 2.5.3 specifically here.

Development Changelog for Paid Memberships Pro Release Updates

About the Security Updates

One fix addresses a vulnerability that allowed non-admin WordPress users to download sensitive customer information including names, email addresses, and order numbers. This fix is applied immediately upon upgrading.

We highly recommend you upgrade to the latest version of PMPro, but if you are unable to, you can manually patch this vulnerability on your site by making the change shown here in the …/wp-content/plugins/paid-memberships-pro/includes/services.php file:

The other fix adds extra protections to keep bad actors from repeatedly testing credit cards on your checkout page. The reCAPTCHA v2 or v3 feature must be enabled from the Advanced Settings screen in your site’s WordPress admin.

The full list of updates is below.

  • SECURITY: Fixed indirect object reference vulnerability where order information, including customer names, email addresses, and order numbers could be accessed by non-admin WordPress users. (Thanks, WP Plugins Team)
  • SECURITY: Now checking reCAPTCHA validation before enabling the submit button on the checkout form when using reCAPTCHA v2. This helps to keep bad actors from testing credit cards on your checkout page. We were already doing a similar check when using reCAPTCHA v3. Further updates to rate limit credit card failures are planned.