Please update your copies of Paid Memberships Pro to v1.8.3. This update includes a fix for a bug that allowed malicious users to override PMPro settings on single page loads allowing them to inject text into pages and do other “bad things”. Thanks to Charles Hill who found this bug and suggested a fix for it.
UPDATE: If you are using PMPro on a multisite install (on one site or as a network) be sure to update to the v220.127.116.11 fix.
If you wish to patch an older version of Paid Memberships Pro, here is a link to the commit that fixes the main security issue. The pmpro_getOption function needs to be updated. Also a few uses of pmpro_getOption(“gateway”) should be changed to pmpro_getGateway().
The full list of updates for PMPro v1.8.3
- SECURITY PATCH: The pmpro_getOption function has been updated to not set values from $_REQUEST when available. This allowed malicious users to override PMPro settings on single page loads allowing them to inject text into pages and do other “bad things”. (Thanks, Charles Hill)
- SECURITY PATCH: Many calls to pmpro_getOption(“gateway”) were changed to use pmpro_getGateway which specifically allowed for overriding that one value via a request parameter (the validity of the gateway is double checked).
- BUG: No longer showing the number of visits/views/logins “this month” when the user hasn’t visited in over a month. (Thanks, Kenneth)
- BUG: Fix for email from names with apostrophes and quotes in them.
- BUG: Using current_time() and escaping form values better in logins report.
- BUG: Fixed issue in pmpro_generateUsername() when checking for duplicates. (Thanks, Ruslan)
- BUG: Fixed issue where $user var wasn’t set for emails sent out in the Braintree webhook script. (Thanks, Charles Hill)
- ENHANCEMENT: Added pmpro_account_bullets_top and pmpro_account_bullets_bottom hooks to add content to the accounts page.
- ENHANCEMENT: Added pmpro_get_recurring_payments_profile_details_nvpstr, pmpro_manage_recurring_payments_profile_status_nvpstr, pmpro_create_recurring_payments_profile_nvpstr, pmpro_do_express_checkout_payment_nvpstr, and pmpro_get_express_checkout_details_nvpstr hooks to filter specific nvp strings in the PayPal Express integration.
- ENHANCEMENT: Added labels to checkboxes in the dashboard settings pages.
- ENHANCEMENT: Can now use the pmpro_account shortcode or block on other pages/widgets/etc. Can also limit to specific sections in shortcode attributes or block settings to remove sections from that list.
- ENHANCEMENT: Changed all uses of the global $table_prefix to use $wpdb->base_prefix to aid in compatibility when loading WordPress with other PHP code (e.g. phpBB). (Thanks, Dion)
- ENHANCEMENT: The notification script was updated to point to
notifications.paidmembershipspro.com. This allows us to keep our notification script on a different server. This script is used to insert notifications into the PMPro admin pages when important updates are available.