Version 2.5.6 of Paid Memberships Pro is out with 1 security fix and a handful of other bug fixes.
Thank you to Gen Sato for the responsible disclosure of the security issue fixed in this release. This issue allowed users with user query access to execute a SQL injection, which could be used to update or damage the database.
All users should update to the latest version of PMPro. If you are unable to update at this time, you can edit the pmpro_sortable_column_query() function in includes/init.php per the commit here: https://github.com/strangerstudios/paid-memberships-pro/commit/3b6b9737bdb568598741708ed2552a1790633d9d
The full list of updates is below.
- SECURITY: Now sanitizing and escaping the `order` parameter when filtering the users table in the dashboard. (Thanks, Gen Sato)
- BUG FIX/ENHANCEMENT: Now hiding the ApplePay/GooglePay “Payment Request” buttons when the main checkout form is submitted. This helps to prevent double checkouts.
- BUG FIX: Fixed missing membership data in the billing failed email.
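As an added illustration of the class of fix described above (this is not Paid Memberships Pro's own code, and the function and column names are hypothetical), the following shows an allowlist approach to a request-supplied sort parameter: the column and direction are matched against fixed lists and the request value itself is never concatenated into the query.

```php
<?php
// Added example, not from the PMPro codebase. Demonstrates allowlisting a
// user-supplied "orderby"/"order" pair before it reaches an ORDER BY clause.

/**
 * Build a safe ORDER BY clause from request input.
 * Only column names on the allowlist and the literals ASC/DESC are accepted;
 * anything else falls back to the default, so request input never becomes SQL.
 *
 * @param mixed    $orderby         Raw request value for the sort column.
 * @param mixed    $order           Raw request value for the sort direction.
 * @param string[] $allowed_columns Columns the caller is willing to sort by.
 * @param string   $default         Column used when $orderby is not allowed.
 * @return string  A clause such as "ORDER BY `user_email` DESC".
 */
function build_order_by_clause( $orderby, $order, array $allowed_columns, $default = 'ID' ) {
    // Exact, case-sensitive match against the allowlist; no partial matches,
    // so a value that merely contains a real column name is still rejected.
    $orderby = is_string( $orderby ) ? trim( $orderby ) : '';
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = $default;
    }

    // Direction: only the two literals are accepted, defaulting to ASC.
    $order = is_string( $order ) ? strtoupper( trim( $order ) ) : 'ASC';
    if ( 'DESC' !== $order ) {
        $order = 'ASC';
    }

    // The emitted identifier comes from the allowlist, not from the request.
    return 'ORDER BY `' . $orderby . '` ' . $order;
}

// Constructed sample inputs standing in for $_REQUEST['orderby'] / $_REQUEST['order'].
$allowed = array( 'ID', 'user_login', 'user_email', 'user_registered' );

$samples = array(
    array( 'user_email', 'desc' ),            // allowed column, lower-case direction
    array( 'user_pass', 'asc' ),              // real column, but not on the allowlist
    array( 'ID DESC, user_login', 'asc' ),    // clause-shaped value, rejected as a whole
    array( array( 'ID' ), 'asc' ),            // non-string input (e.g. orderby[]=ID)
);

foreach ( $samples as list( $orderby, $order ) ) {
    echo build_order_by_clause( $orderby, $order, $allowed ), PHP_EOL;
}
```

WordPress also ships sanitize_sql_orderby(), which checks only that a value has the syntactic shape of an ORDER BY list; an explicit allowlist like the one above additionally confines sorting to the columns you intend to expose.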