This is a critical update. Update 1.5.4 fixes a hole whereby malicious users could add &gateway=check to the end of your checkout URLs to bypass your selected payment gateway and gain access to your site for free. This is obviously a huge potential issue and a big oversight on our part.

Development Changelog for Paid Memberships Pro Release Updates

So far as we know, this “hack” has not been public until now. With the hack out in the open, you will want to upgrade your version of Paid Memberships Pro immediately and maybe check that your recently added members have indeed paid.

Users who have been using this &gateway=… parameter as a feature to allow multiple gateway options can still do so by using the pmpro_valid_gateways filter according to the instructions linked in the changelog entry below.

Other fixes in this update are included below:

* Added a gateway check to preheaders/checkout.php. Mischievous users used to be able to bypass payment by passing &gateway=check or something similar to the checkout page; PMPro would then use the check gateway to process the checkout. Now only the active gateway option in the payment settings, or gateways added via the new pmpro_valid_gateways filter (1 parameter: the array of gateways; add/edit the gateways and return the array), are accepted. It is important that all PMPro users upgrade to keep mischievous users from accessing your site for free. Any site currently enabling multiple gateway options will need to add code to set the valid gateways. More info here: https://www.paidmembershipspro.com/2012/06/offering-multiple-gateway-options-at-checkout/
* Fixed bug where level restrictions would be deleted if a page were updated via quick edit.
* Added if(!class_exists("Stripe")) around the Stripe class definition. This should help with some conflicts if other plugins ship their own Stripe library. (Going to update the Stripe library in the next version and work on supporting new Stripe functionality.)
* Fixed a bug where copying a level didn’t properly set recurring billing settings. (Thanks, AtheistsUnited)
* Fixed some typos. (Thanks, AtheistsUnited)
* Fixed some warnings.
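To make the first changelog entry concrete, here is an added illustration (not PMPro's own code) of the vulnerable pattern, where the request parameter alone selects the gateway, next to the hardened form, where the request may only choose from an allowlist built from the configured gateway plus the pmpro_valid_gateways filter. The helper pmpro_active_gateway(), the option name and the second gateway slug are assumptions for this example; the filter name and its single array parameter come from the changelog.

```php
<?php
/**
 * Added example, not code from Paid Memberships Pro itself.
 * Shows why a URL parameter must never pick the payment gateway by itself,
 * and how an allowlist plus the pmpro_valid_gateways filter closes the hole.
 */

// Assumed helper: returns the gateway chosen on the Payment Settings page.
// The option name is a placeholder for this example.
function pmpro_active_gateway() {
    return get_option( 'pmpro_gateway', 'stripe' );
}

// BEFORE (vulnerable pattern): whatever the request names is used, so a
// visitor can name a gateway that never collects a payment.
function checkout_gateway_before() {
    return ! empty( $_REQUEST['gateway'] )
        ? sanitize_text_field( $_REQUEST['gateway'] )
        : pmpro_active_gateway();
}

// AFTER (hardened): the request may only pick from an allowlist. The list
// starts with the configured gateway; sites that deliberately offer more
// than one gateway extend it through the filter, never through the URL.
function checkout_gateway_after() {
    $valid_gateways = apply_filters(
        'pmpro_valid_gateways',
        array( pmpro_active_gateway() )
    );

    $requested = ! empty( $_REQUEST['gateway'] )
        ? sanitize_text_field( $_REQUEST['gateway'] )
        : pmpro_active_gateway();

    // Strict comparison so "0", "" or a type-juggled value cannot slip through.
    if ( ! in_array( $requested, $valid_gateways, true ) ) {
        // Fall back to the configured gateway rather than trusting an
        // unlisted value, and log it: an unlisted value is a probe worth seeing.
        error_log( 'PMPro: rejected gateway "' . $requested . '" at checkout' );
        return pmpro_active_gateway();
    }
    return $requested;
}

// A site that intentionally offers a second gateway registers it explicitly,
// so exactly these two values are accepted and nothing else. The slug
// 'paypalexpress' is used here as an illustrative example.
add_filter( 'pmpro_valid_gateways', function ( $gateways ) {
    $gateways[] = 'paypalexpress';
    return $gateways;
} );
```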
