Version 2.9.8 of Paid Memberships Pro is out with a handful of bug fixes and enhancements. This version also includes security updates that help to prevent denial of service attacks through malicious REST API queries.
Update July 12, 2023: It was originally thought that the vulnerabilities found in our REST API code only allowed for denial of service attacks. However, security researchers have recently demonstrated attacks that could use the same vulnerability to read arbitrary data from the WordPress database, including email addresses and password hashes, which could be used to gain further access to the compromised site. Because of this, we strongly recommend upgrading to the latest version of Paid Memberships Pro to keep your site as safe as possible.
The full list of updates in 2.9.8 is below:
- SECURITY: Updated many queries to use `esc_sql` for better security. In almost all of these cases, the variables used in the queries were escaped earlier or otherwise trusted, but it’s good practice to escape in the query anyway to be extra safe and avoid issues when code is updated in the future.
- BUG FIX/ENHANCEMENT: Fixed some notices in the Authorize.net Gateway class.
- BUG FIX/ENHANCEMENT: Fixed HTML in the
- BUG FIX/ENHANCEMENT: Added the `!!membership_level_confirmation_message!!` replacement variable to admin checkout emails.
- BUG FIX/ENHANCEMENT: Fixed typo “could” in error message shown when an Add On cannot be installed.
- ENHANCEMENT: Removed duplicate `display_name` definition in the PMPro Email class.
- ENHANCEMENT: Fixed `PMPRO_MIN_PHP_VERSION` constant name in a few places.
- ENHANCEMENT: Including the Akismet Integration and MailPoet Integration icons for use on the Memberships > Add Ons page in the WordPress admin.
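
The SECURITY item above describes escaping at the point where the query is built rather than relying on earlier sanitization. The following is an added illustration of that pattern, not code from Paid Memberships Pro: the `example_orders` table and the `example_sql_*` function names are hypothetical, and it assumes it runs inside WordPress (for instance with `wp eval-file`), where `$wpdb` and `esc_sql()` are available.

```php
<?php
// Added example; hypothetical table and function names.
// Each function returns the SQL string so the difference can be inspected
// without the table having to exist.

// Before: correct only while every caller has already sanitized $code.
function example_sql_trusting_caller( $code ) {
    global $wpdb;
    return "SELECT id FROM {$wpdb->prefix}example_orders WHERE code = '" . $code . "'";
}

// After: escaped where the query is built, whatever the caller did or did not do.
function example_sql_escaped_at_query( $code ) {
    global $wpdb;
    return "SELECT id FROM {$wpdb->prefix}example_orders WHERE code = '" . esc_sql( $code ) . "'";
}

// esc_sql() only protects values placed inside quotes in the query.
// Numeric values are cast instead of escaped.
function example_sql_numeric( $user_id ) {
    global $wpdb;
    return "SELECT id FROM {$wpdb->prefix}example_orders WHERE user_id = " . (int) $user_id;
}

// Alternative: $wpdb->prepare() quotes %s and coerces %d itself.
function example_sql_prepared( $code, $user_id ) {
    global $wpdb;
    return $wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}example_orders WHERE code = %s AND user_id = %d",
        $code,
        $user_id
    );
}

// Constructed sample input: an ordinary value that happens to contain a quote.
$code    = "AB'12";
$user_id = '42';

$variants = array(
    'trusting caller'  => example_sql_trusting_caller( $code ),
    'escaped at query' => example_sql_escaped_at_query( $code ),
    'numeric cast'     => example_sql_numeric( $user_id ),
    'prepared'         => example_sql_prepared( $code, $user_id ),
);

foreach ( $variants as $label => $sql ) {
    echo $label . ': ' . $sql . PHP_EOL;
}
```

Only the first variant lets the quote in the sample value end the string literal early; the others keep the value as data regardless of what the calling code did beforehand.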