Development Changelog for Paid Memberships Pro Release Updates

Version 2.5.6 of Paid Memberships Pro is out with 1 security fix and a handful of other bug fixes.

Thank you to Gen Sato for the responsible disclosure of the security issue fixed in this release. This issue allowed users with user query access to execute a SQL injection, which could be used to update or damage the database.

All users should update to the latest version of PMPro. If you are unable to update at this time, you can edit the pmpro_sortable_column_query() function in includes/init.php per the commit here:

Please update Paid Memberships Pro from the plugins page of your WordPress dashboard. You can also get the latest version of PMPro here or version specifically here.

The full list of updates is below.

  • SECURITY: Now sanitizing and escaping the order parameter when filtering the users table in the dashboard. (Thanks, Gen Sato)
  • BUG FIX/ENHANCEMENT: Now hiding the ApplePay/GooglePay “Payment Request” buttons when the main checkout form is submitted. This helps to prevent double checkouts.
  • BUG FIX: Fixed missing membership data in the billing failed email.