Version 2.6.7 of Paid Memberships Pro is out with a single security fix. All users are advised to update as soon as possible.
Thanks to WPScan.com for the responsible disclosure of this vulnerability.
The fix in version 2.6.7 prevents SQL injections that could be used in distributed denial of service (DDoS) attacks. The vulnerability could also potentially be used by savvy attackers to obtain sensitive information from your WordPress database that is not meant to be public.
If you need to manually patch your copy of PMPro, the fix is to edit the pmpro_getLevelAtCheckout function in the includes/functions.php file and make sure that the $level_id variables used in the SQL queries are wrapped with the esc_sql function. There are 3 lines to edit. Further updates are coming out soon with more comprehensive edits, but these are the important ones to patch immediately.
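As an added illustration of what that manual patch changes, here is a simplified before/after pair. This is example code written for this note, not the plugin's own pmpro_getLevelAtCheckout implementation; the function names and the query shape are assumptions, while esc_sql(), $wpdb->get_row() and $wpdb->prepare() are standard WordPress APIs. The third variant goes one step beyond the release note and shows the parameterised form a practitioner would prefer where the value is an integer.

```php
<?php
// Illustrative example, not code from Paid Memberships Pro.
// Assumed: the level id is looked up from a table named like the PMPro
// membership levels table, and $level_id arrives from the request unchanged.

// BEFORE: the raw value is concatenated into the query. Any quote characters
// or SQL syntax inside $level_id reach MySQL unmodified, which is the
// injection path the 2.6.7 release closes.
function example_get_level_vulnerable( $level_id ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}pmpro_membership_levels "
         . "WHERE id = '" . $level_id . "' LIMIT 1";
    return $wpdb->get_row( $sql );
}

// AFTER (the fix described in the release note): wrap the value in esc_sql()
// so quote characters are escaped before the string is built. Note that
// esc_sql() only protects a value that sits inside quotes in the SQL text;
// an unquoted numeric literal needs the casting/prepare() form below.
function example_get_level_fixed( $level_id ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}pmpro_membership_levels "
         . "WHERE id = '" . esc_sql( $level_id ) . "' LIMIT 1";
    return $wpdb->get_row( $sql );
}

// STRONGER: coerce to an integer and bind it through $wpdb->prepare(), so no
// user-controlled text is ever interpolated into the statement.
function example_get_level_prepared( $level_id ) {
    global $wpdb;
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}pmpro_membership_levels WHERE id = %d LIMIT 1",
        (int) $level_id
    ) );
}
```

To confirm a manual patch took effect, open includes/functions.php and check that every SQL string in pmpro_getLevelAtCheckout that references $level_id wraps it in esc_sql() (or binds it via $wpdb->prepare()); an occurrence of $level_id concatenated bare into a query string is the pattern to look for.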
If you have any questions or need help with this, please reach out to us for support.
The full list of updates is below:
- SECURITY: Updated escaping in the pmpro_getLevelAtCheckout and pmpro_checkDiscountCode functions as extra precaution against SQL injections. (Thanks, WPScan)