Version 2.9.9 of Paid Memberships Pro is out with a handful of bug fixes and enhancements. This version also includes security updates to prevent XSS issues and avoid similar issues in the future.

Development Changelog for Paid Memberships Pro Release Updates

In the version 2.9.8 release, we fixed a SQL injection vulnerability. It’s important to note that this particular vulnerability COULD NOT be used to delete data, change data, or otherwise update or gain access to your site.

As far as we know, the vulnerability could not be used to retrieve data from your database.

The vulnerability did, however, potentially allow malicious agents to execute complicated SQL queries that would slow down or crash a server. For this reason, we strongly encourage everyone to upgrade.

While resolving this vulnerability, we also took the time to run a deep scan of our core plugin and several Add Ons for potential security issues. Many of the resulting updates are included in both the 2.9.8 and 2.9.9 releases and are meant to prevent similar issues in the future.

As far as we know, there are no other active exploits in our latest releases. However, it’s important to upgrade as soon as possible. We will routinely make security updates, and other important updates, to our code. Users should always run the latest versions of WP, PMPro, other WP plugins, and all of our Add Ons.

Please update Paid Memberships Pro from the plugins page of your WordPress dashboard. You can also get the latest version of PMPro here or version 2.9.9 specifically here.

The full list of updates for v2.9.9 is below:

  • SECURITY: Updated sanitization, escaping, and other security-related code across the plugin.
  • ENHANCEMENT: When using expirations on levels, the default date is now +1 year again.
  • ENHANCEMENT: Now showing option labels instead of values when displaying multiselect type fields using the pmpro_member shortcode.
  • ENHANCEMENT: Updated the user fields UI to say “Required at Checkout?”, which more accurately describes the behavior. Note: we don’t require these fields on profile updates because it can interfere with core user updates and other plugins.
  • BUG FIX/ENHANCEMENT: Fixed warning in cases where users were deleted or otherwise not found when processing Stripe Webhooks.
  • BUG FIX/ENHANCEMENT: Fixed some issues in notifications and messages related to previous escaping updates.
  • BUG FIX/ENHANCEMENT: The pmpro_checkout_box-{groupname} class given to divs on the frontend user profile is now sanitized to avoid spaces and special characters there.
  • BUG FIX: Fixed issues with CSV exports when filtered within a date range.
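The pmpro_checkout_box-{groupname} item above, illustrated with an added PHP example that is not the plugin's own code: it assumes WordPress's sanitize_html_class() and esc_attr() are the appropriate tools (the plugin's actual implementation is not shown on this page), and the function names and sample group names are constructed.

```php
<?php
// Added example, not code from Paid Memberships Pro. Shows a naive way of
// building the pmpro_checkout_box-{groupname} class beside a sanitized one.
// WordPress's own sanitize_html_class()/esc_attr() are used when loaded; the
// fallbacks below are approximations so the file runs standalone with php-cli.
if ( ! function_exists( 'sanitize_html_class' ) ) {
    function sanitize_html_class( $class, $fallback = '' ) {
        // Drop percent-encoded sequences, then anything outside [A-Za-z0-9_-].
        $class = preg_replace( '/%[a-fA-F0-9]{2}/', '', $class );
        $class = preg_replace( '/[^A-Za-z0-9_-]/', '', $class );
        return ( '' === $class && '' !== $fallback ) ? sanitize_html_class( $fallback ) : $class;
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Before: the raw group name is concatenated into the class. A name such as
// "Billing Info" produces two classes, and quotes or '&' land inside the attribute.
function checkout_box_class_unsafe( $groupname ) {
    return 'pmpro_checkout_box-' . $groupname;
}

// After: collapse whitespace to hyphens for readability, then restrict the
// group-derived part to characters that are valid in a CSS class name.
function checkout_box_class_safe( $groupname ) {
    $slug = strtolower( preg_replace( '/\s+/', '-', trim( $groupname ) ) );
    $slug = sanitize_html_class( $slug, 'group' ); // 'group' is a constructed fallback
    return 'pmpro_checkout_box-' . $slug;
}

// Output still goes through esc_attr(): sanitizing the value and escaping at
// the point of output are separate steps, and both are applied.
function render_checkout_box( $groupname ) {
    $class = checkout_box_class_safe( $groupname );
    return '<div class="' . esc_attr( $class ) . '">...</div>';
}

// Constructed sample group names: a space, quotes with an ampersand, a slash.
foreach ( array( 'Billing Info', 'Extra & "Misc"', 'Profile Fields/2' ) as $name ) {
    echo checkout_box_class_unsafe( $name ), "\n";   // e.g. pmpro_checkout_box-Billing Info
    echo checkout_box_class_safe( $name ), "\n";     // e.g. pmpro_checkout_box-billing-info
    echo render_checkout_box( $name ), "\n\n";
}
```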