Version 2.6.7 of Paid Memberships Pro is out with a single security fix. All users are advised to update as soon as possible.

Thanks to WPScan.com for the responsible disclosure of this vulnerability.

The fix in version 2.6.7 prevents SQL injections that could be used in “distributed denial of service” (DDoS) attacks. The vulnerability could also potentially be used by savvy attackers to get sensitive information from your WordPress database that is not meant to be public.

Development Changelog for Paid Memberships Pro Release Updates

Please update Paid Memberships Pro from the plugins page of your WordPress dashboard. You can also get the latest version of PMPro here or version 2.6.7 specifically here.

We have also released versions 2.5.11 and 2.4.5 for users of versions 2.5.x and 2.4.x respectively who cannot update to PMPro 2.6+ for some reason.

If you need to manually patch your copy of PMPro, the fix is to edit the pmpro_getLevelAtCheckout function in the includes/functions.php file and make sure that the $discount_code and $level_id variables used in the SQL queries are wrapped with the esc_sql function. There are 3 lines to edit. Further updates are coming out soon with more comprehensive edits, but these are the important ones to patch immediately.
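To make the manual patch concrete, here is an added illustration of the pattern the advisory describes. It is not code from Paid Memberships Pro: the function and table names are hypothetical, and only the shape of the change (wrapping the interpolated variables with WordPress's esc_sql) mirrors the real fix in pmpro_getLevelAtCheckout.

```php
<?php
// Added illustration, not Paid Memberships Pro's own code. The function and
// table names below are hypothetical; the real fix lives in
// pmpro_getLevelAtCheckout() in includes/functions.php.

// Before: user-controlled values are concatenated straight into the query,
// so a quote character in $discount_code or $level_id changes the statement.
function example_get_level_unsafe( $level_id, $discount_code ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}example_levels
            WHERE id = '" . $level_id . "'
              AND code = '" . $discount_code . "'";
    return $wpdb->get_row( $sql );
}

// After (the minimal patch described in the post): each variable is passed
// through esc_sql() before being placed inside the quoted string literal.
function example_get_level_escaped( $level_id, $discount_code ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}example_levels
            WHERE id = '" . esc_sql( $level_id ) . "'
              AND code = '" . esc_sql( $discount_code ) . "'";
    return $wpdb->get_row( $sql );
}

// Stronger form for new code: cast the numeric id and let $wpdb->prepare()
// bind both values with placeholders, so no value can alter the statement.
function example_get_level_prepared( $level_id, $discount_code ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_levels WHERE id = %d AND code = %s",
        intval( $level_id ),
        $discount_code
    );
    return $wpdb->get_row( $sql );
}
```

One caveat when applying the three-line patch by hand: esc_sql only protects a value that sits inside single quotes in the query. If a variable is interpolated unquoted (for example a bare numeric comparison), escaping quotes does nothing, so cast it with intval or switch that query to $wpdb->prepare.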

If you have any questions or need help with this, please reach out to us for support.

The full list of updates is below:

  • SECURITY: Updated escaping in the pmpro_getLevelAtCheckout and pmpro_checkDiscountCode functions as extra precaution against SQL injections. (Thanks, WPScan)