Version 1.8.4.3 fixes cross-site scripting vulnerabilities in the PMPro settings pages of the WordPress dashboard. These vulnerabilities were brought to our attention by High-Tech Bridge. The advisory report can be found here: HTB23264 Security Advisory.
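As an added illustration of the bug class named above (this is not PMPro's code and not a reconstruction of the HTB23264 finding, whose technical details are not on this page), here is a hypothetical WordPress settings page that reflects a request parameter into its own markup unescaped, followed by the hardened form of the same page. The function names and the `tab` parameter are assumptions made for the example.

```php
<?php
// Added example, not PMPro code. Parameter and function names are hypothetical.

// Vulnerable pattern: a query-string value is written into three different
// output contexts (attribute, HTML body, inline script) without escaping. A
// crafted link opened by a logged-in administrator runs attacker script with
// that administrator's session and capabilities.
function example_settings_page_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';

    echo '<input type="hidden" name="tab" value="' . $tab . '">';   // attribute context
    echo '<h2>Settings: ' . $tab . '</h2>';                         // HTML body context
    echo '<script>var currentTab = "' . $tab . '";</script>';       // JavaScript context
}

// Hardened pattern: restrict the value on the way in where an allow-list
// exists, and escape on the way out with the escaper that matches each
// output context. The escaping is what still protects the page when no
// allow-list is possible (free-form option values, for instance).
function example_settings_page_hardened() {
    $allowed = array( 'general', 'payment', 'email' );

    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    if ( ! in_array( $tab, $allowed, true ) ) {
        $tab = 'general';
    }

    echo '<input type="hidden" name="tab" value="' . esc_attr( $tab ) . '">';
    echo '<h2>' . esc_html( 'Settings: ' . $tab ) . '</h2>';
    echo '<script>var currentTab = ' . wp_json_encode( $tab ) . ';</script>';
}
```

`esc_attr()`, `esc_html()`, `wp_json_encode()`, `sanitize_key()` and `wp_unslash()` are standard WordPress functions; the point of the hardened version is that each value is escaped for the exact context it lands in, rather than relying on a single generic filter at input time.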
The release that follows it includes a handful of bug fixes; the most important fixes a bug that was keeping PMPro from cancelling memberships when Stripe sent cancellation notices to the webhook.
If you would like to apply only the security patch, you can get version 1.8.4.3 specifically here.
The full list of updates is below.
- SECURITY PATCH: Fixes to Cross Site Scripting vulnerabilities in the PMPro settings pages in the WordPress dashboard. Advisory ID HTB23264. (Thanks, High-Tech Bridge Security Research Lab)
- BUG: Fixed issue where subscriptions cancelled at Stripe wouldn’t cancel the related PMPro membership if the membership was created after updating to v1.8. (Thanks, Ninjami-Juho)
- BUG: Now tracking “views” when the wp_head hook is fired instead of the “wp” hook. Previously page redirects and AJAX calls might have been counted as “views”. Using wp_head will result in more accurate numbers, closer to what a tool like Google Analytics reports. Also note that the number of views will now be much lower than before on some sites. (Thanks, Michael Cummings)
- BUG: Fixed loading of email templates from language folders in themes, child themes, and languages folder. (Thanks, Karel Martens)
- ENHANCEMENT: Added the pmpro_format_phone filter to change how phone numbers are formatted. Param 1 is $r, the formatted phone number. Param 2 is $phone, the original phone number.
- ENHANCEMENT: Added doc blocks to cleanPhone and formatPhone functions and the new pmpro_format_phone filter.
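An added example of using the pmpro_format_phone filter described above (this is not PMPro's own code; the `mysite_` prefix is a hypothetical name). It relies only on what the changelog states: the filter receives PMPro's already-formatted number as `$r` and the original input as `$phone`. The callback returns an E.164-style value for 10- and 11-digit North American numbers and falls back to PMPro's own formatting for anything else, so numbers the callback does not understand are never mangled.

```php
<?php
// Added example, not PMPro code. Place in a site-specific plugin or functions.php.
// The filter name and its two parameters ($r, $phone) come from the changelog;
// mysite_format_phone_e164 is a hypothetical callback name.
add_filter( 'pmpro_format_phone', 'mysite_format_phone_e164', 10, 2 );

/**
 * Reformat phone numbers to +1XXXXXXXXXX where the input is recognisably
 * a North American number; otherwise keep PMPro's default formatting.
 *
 * @param string $r     The phone number as PMPro formatted it.
 * @param string $phone The original, unformatted input.
 * @return string
 */
function mysite_format_phone_e164( $r, $phone ) {
    // Work from the raw input, not the formatted one, so earlier formatting
    // cannot influence the result.
    $digits = preg_replace( '/\D+/', '', (string) $phone );

    if ( strlen( $digits ) === 10 ) {
        return '+1' . $digits;
    }
    if ( strlen( $digits ) === 11 && $digits[0] === '1' ) {
        return '+' . $digits;
    }

    // Unknown length or country code: do not guess, return PMPro's value.
    return $r;
}
```

Whatever a filter callback returns is still untrusted from the point of view of the templates that display it; escape it with `esc_html()` or `esc_attr()` at output as for any other member-supplied field.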