Version 1.8.4.3 fixes a cross-site scripting vulnerability in the PMPro settings pages of the dashboard. This vulnerability was brought to our attention by High-Tech Bridge.
Version 1.8.4.4 includes a handful of bug fixes, most important is a bug that was keeping PMPro from canceling memberships when Stripe sent cancelation notices to the webhook.
Please update the Paid Memberships Pro from the plugins page of your WordPress dashboard. You can also get the latest version of PMPro here or version 1.8.4.4 specifically here.
If you would like to apply only the security patch, you can get version 1.84.3 specifically here.
The full list of updates for PMPro v1.8.4.3 and v1.8.4.4
1.8.4.3
- SECURITY PATCH: Fixes to Cross Site Scripting vulnerabilities in the PMPro settings pages in the WordPress dashboard. (Thanks, High-Tech Bridge Security Research Lab)
1.8.4.4
- BUG: Fixed issue where subscriptions cancelled at Stripe wouldn’t cancel the related PMPro membership if the membership was created after updating to v1.8. (Thank, Ninjami-Juho)
- BUG: Now tracking “views” when the
wp_headhook is fired instead of the “wp” hook. Previously page redirects and AJAX calls might have been counted as “views”. Usingwp_headwill result in more accurate numbers (compared to something like Google Analytics, e.g.). Also note that the number of views will now be much much lower than before on some sites. (Thanks, Michael Cummings) - BUG: Fixed loading of email templates from language folders in themes, child themes, and languages folder. (Thanks, Karel Martens)
- ENHANCEMENT: Added the
pmpro_format_phonefilter to change how phone numbers are formated. Param 1 is $r, the formatted phone number. Param 2 is $phone, the original phone number. - ENHANCEMENT: Added doc blocks to cleanPhone and formatPhone functions and the new
pmpro_format_phonefilter.
