Paid Memberships Pro - Version 1.8.4.3

Version Description

  • SECURITY PATCH: Fixes to Cross Site Scripting vulnerabilities in the PMPro settings pages in the WordPress dashboard. Advisory ID HTB23264. (Thanks, High-Tech Bridge Security Research Lab)
Download this release

Release Info

Developer strangerstudios
Plugin Icon 128x128 Paid Memberships Pro
Version 1.8.4.3
Comparing to
See all releases

Code changes from version 1.8.4.2 to 1.8.4.3

adminpages/advancedsettings.php CHANGED
@@ -227,10 +227,10 @@ if(pmpro_displayAds())
227
<th scope="row" valign="top">&nbsp;</th>
228
<td>
229
<label for="recaptcha_publickey"><?php _e('reCAPTCHA Public Key', 'pmpro');?>:</label>
230
- <input type="text" name="recaptcha_publickey" size="60" value="<?php echo $recaptcha_publickey?>" />
231
<br /><br />
232
<label for="recaptcha_privatekey"><?php _e('reCAPTCHA Private Key', 'pmpro');?>:</label>
233
- <input type="text" name="recaptcha_privatekey" size="60" value="<?php echo $recaptcha_privatekey?>" />
234
</td>
235
</tr>
236
<tr>
@@ -296,14 +296,14 @@ if(pmpro_displayAds())
296
<input id="<?php _e($field['field_name'], 'pmpro'); ?>"
297
name="<?php _e($field['field_name'], 'pmpro'); ?>"
298
type="<?php _e($field['field_type'], 'pmpro'); ?>"
299
- value="<?php echo pmpro_getOption($field['field_name']); ?> ">
300
<?php
301
break;
302
case 'textarea':
303
?>
304
<textarea id="<?php _e($field['field_name'], 'pmpro'); ?>"
305
name="<?php _e($field['field_name'], 'pmpro'); ?>">
306
- <?php echo pmpro_getOption($field['field_name']); ?>
307
</textarea>
308
<?php
309
break;
227
<th scope="row" valign="top">&nbsp;</th>
228
<td>
229
<label for="recaptcha_publickey"><?php _e('reCAPTCHA Public Key', 'pmpro');?>:</label>
230
+ <input type="text" name="recaptcha_publickey" size="60" value="<?php echo esc_attr($recaptcha_publickey);?>" />
231
<br /><br />
232
<label for="recaptcha_privatekey"><?php _e('reCAPTCHA Private Key', 'pmpro');?>:</label>
233
+ <input type="text" name="recaptcha_privatekey" size="60" value="<?php echo esc_attr($recaptcha_privatekey);?>" />
234
</td>
235
</tr>
236
<tr>
296
<input id="<?php _e($field['field_name'], 'pmpro'); ?>"
297
name="<?php _e($field['field_name'], 'pmpro'); ?>"
298
type="<?php _e($field['field_type'], 'pmpro'); ?>"
299
+ value="<?php echo esc_attr(pmpro_getOption($field['field_name'])); ?> ">
300
<?php
301
break;
302
case 'textarea':
303
?>
304
<textarea id="<?php _e($field['field_name'], 'pmpro'); ?>"
305
name="<?php _e($field['field_name'], 'pmpro'); ?>">
306
+ <?php echo esc_textarea(pmpro_getOption($field['field_name'])); ?>
307
</textarea>
308
<?php
309
break;
adminpages/discountcodes.php CHANGED
@@ -9,31 +9,31 @@
9
global $wpdb, $pmpro_currency_symbol;
10
11
if(isset($_REQUEST['edit']))
12
- $edit = $_REQUEST['edit'];
13
else
14
$edit = false;
15
16
if(isset($_REQUEST['delete']))
17
- $delete = $_REQUEST['delete'];
18
else
19
$delete = false;
20
21
if(isset($_REQUEST['saveid']))
22
- $saveid = $_POST['saveid'];
23
else
24
$saveid = false;
25
26
if($saveid)
27
{
28
//get vars
29
- $code = $_POST['code'];
30
- $starts_month = $_POST['starts_month'];
31
- $starts_day = $_POST['starts_day'];
32
- $starts_year = $_POST['starts_year'];
33
- $expires_month = $_POST['expires_month'];
34
- $expires_day = $_POST['expires_day'];
35
- $expires_year = $_POST['expires_year'];
36
- $uses = $_POST['uses'];
37
38
//fix up dates
39
$starts = date("Y-m-d", strtotime($starts_month . "/" . $starts_day . "/" . $starts_year, current_time("timestamp")));
@@ -110,7 +110,7 @@
110
{
111
//get the values ready
112
$n = array_search($level_id, $all_levels_a); //this is the key location of this level's values
113
- $initial_payment = $initial_payment_a[$n];
114
115
//is this recurring?
116
if(!empty($recurring_a))
@@ -125,10 +125,10 @@
125
126
if(!empty($recurring))
127
{
128
- $billing_amount = $billing_amount_a[$n];
129
- $cycle_number = $cycle_number_a[$n];
130
- $cycle_period = $cycle_period_a[$n];
131
- $billing_limit = $billing_limit_a[$n];
132
133
//custom trial
134
if(!empty($custom_trial_a))
@@ -143,8 +143,8 @@
143
144
if(!empty($custom_trial))
145
{
146
- $trial_amount = $trial_amount_a[$n];
147
- $trial_limit = $trial_limit_a[$n];
148
}
149
else
150
{
@@ -175,8 +175,8 @@
175
176
if(!empty($expiration))
177
{
178
- $expiration_number = $expiration_number_a[$n];
179
- $expiration_period = $expiration_period_a[$n];
180
}
181
else
182
{
9
global $wpdb, $pmpro_currency_symbol;
10
11
if(isset($_REQUEST['edit']))
12
+ $edit = intval($_REQUEST['edit']);
13
else
14
$edit = false;
15
16
if(isset($_REQUEST['delete']))
17
+ $delete = intval($_REQUEST['delete']);
18
else
19
$delete = false;
20
21
if(isset($_REQUEST['saveid']))
22
+ $saveid = intval($_POST['saveid']);
23
else
24
$saveid = false;
25
26
if($saveid)
27
{
28
//get vars
29
+ $code = sanitize_text_field($_POST['code']);
30
+ $starts_month = intval($_POST['starts_month']);
31
+ $starts_day = intval($_POST['starts_day']);
32
+ $starts_year = intval($_POST['starts_year']);
33
+ $expires_month = intval($_POST['expires_month']);
34
+ $expires_day = intval($_POST['expires_day']);
35
+ $expires_year = intval($_POST['expires_year']);
36
+ $uses = intval($_POST['uses']);
37
38
//fix up dates
39
$starts = date("Y-m-d", strtotime($starts_month . "/" . $starts_day . "/" . $starts_year, current_time("timestamp")));
110
{
111
//get the values ready
112
$n = array_search($level_id, $all_levels_a); //this is the key location of this level's values
113
+ $initial_payment = sanitize_text_field($initial_payment_a[$n]);
114
115
//is this recurring?
116
if(!empty($recurring_a))
125
126
if(!empty($recurring))
127
{
128
+ $billing_amount = sanitize_text_field($billing_amount_a[$n]);
129
+ $cycle_number = intval($cycle_number_a[$n]);
130
+ $cycle_period = sanitize_text_field($cycle_period_a[$n]);
131
+ $billing_limit = intval($billing_limit_a[$n]);
132
133
//custom trial
134
if(!empty($custom_trial_a))
143
144
if(!empty($custom_trial))
145
{
146
+ $trial_amount = sanitize_text_field($trial_amount_a[$n]);
147
+ $trial_limit = intval($trial_limit_a[$n]);
148
}
149
else
150
{
175
176
if(!empty($expiration))
177
{
178
+ $expiration_number = intval($expiration_number_a[$n]);
179
+ $expiration_period = sanitize_text_field($expiration_period_a[$n]);
180
}
181
else
182
{
adminpages/membershiplevels.php CHANGED
@@ -14,28 +14,28 @@
14
global $pmpro_stripe_error, $pmpro_braintree_error, $pmpro_payflow_error, $pmpro_twocheckout_error, $wp_version;
15
16
if(isset($_REQUEST['edit']))
17
- $edit = $_REQUEST['edit'];
18
else
19
$edit = false;
20
if(isset($_REQUEST['copy']))
21
- $copy = $_REQUEST['copy'];
22
if(isset($_REQUEST['s']))
23
- $s = $_REQUEST['s'];
24
else
25
$s = "";
26
27
if(isset($_REQUEST['action']))
28
- $action = $_REQUEST['action'];
29
else
30
$action = false;
31
32
if(isset($_REQUEST['saveandnext']))
33
- $saveandnext = $_REQUEST['saveandnext'];
34
35
if(isset($_REQUEST['saveid']))
36
- $saveid = $_REQUEST['saveid'];
37
if(isset($_REQUEST['deleteid']))
38
- $deleteid = $_REQUEST['deleteid'];
39
40
if($action == "save_membershiplevel")
41
{
@@ -155,7 +155,7 @@
155
{
156
global $wpdb;
157
158
- $ml_id = $_REQUEST['deleteid'];
159
160
if($ml_id > 0)
161
{
@@ -280,7 +280,7 @@
280
281
?>
282
<form action="" method="post" enctype="multipart/form-data">
283
- <input name="saveid" type="hidden" value="<?php echo $edit?>" />
284
<input type="hidden" name="action" value="save_membershiplevel" />
285
<table class="form-table">
286
<tbody>
@@ -571,7 +571,7 @@
571
<p class="search-box">
572
<label class="screen-reader-text" for="post-search-input"><?php _e('Search Levels', 'pmpro');?>:</label>
573
<input type="hidden" name="page" value="pmpro-membershiplevels" />
574
- <input id="post-search-input" type="text" value="<?php echo $s?>" name="s" size="30" />
575
<input class="button" type="submit" value="<?php _e('Search Levels', 'pmpro');?>" id="search-submit" />
576
</p>
577
</form>
14
global $pmpro_stripe_error, $pmpro_braintree_error, $pmpro_payflow_error, $pmpro_twocheckout_error, $wp_version;
15
16
if(isset($_REQUEST['edit']))
17
+ $edit = intval($_REQUEST['edit']);
18
else
19
$edit = false;
20
if(isset($_REQUEST['copy']))
21
+ $copy = intval($_REQUEST['copy']);
22
if(isset($_REQUEST['s']))
23
+ $s = sanitize_text_field($_REQUEST['s']);
24
else
25
$s = "";
26
27
if(isset($_REQUEST['action']))
28
+ $action = sanitize_text_field($_REQUEST['action']);
29
else
30
$action = false;
31
32
if(isset($_REQUEST['saveandnext']))
33
+ $saveandnext = intval($_REQUEST['saveandnext']);
34
35
if(isset($_REQUEST['saveid']))
36
+ $saveid = intval($_REQUEST['saveid']);
37
if(isset($_REQUEST['deleteid']))
38
+ $deleteid = intval($_REQUEST['deleteid']);
39
40
if($action == "save_membershiplevel")
41
{
155
{
156
global $wpdb;
157
158
+ $ml_id = intval($_REQUEST['deleteid']);
159
160
if($ml_id > 0)
161
{
280
281
?>
282
<form action="" method="post" enctype="multipart/form-data">
283
+ <input name="saveid" type="hidden" value="<?php echo esc_attr($edit); ?>" />
284
<input type="hidden" name="action" value="save_membershiplevel" />
285
<table class="form-table">
286
<tbody>
571
<p class="search-box">
572
<label class="screen-reader-text" for="post-search-input"><?php _e('Search Levels', 'pmpro');?>:</label>
573
<input type="hidden" name="page" value="pmpro-membershiplevels" />
574
+ <input id="post-search-input" type="text" value="<?php echo esc_attr($s); ?>" name="s" size="30" />
575
<input class="button" type="submit" value="<?php _e('Search Levels', 'pmpro');?>" id="search-submit" />
576
</p>
577
</form>
adminpages/memberslist-csv.php CHANGED
@@ -9,12 +9,12 @@
9
10
//get users
11
if(isset($_REQUEST['s']))
12
- $s = $_REQUEST['s'];
13
else
14
$s = "";
15
16
if(isset($_REQUEST['l']))
17
- $l = $_REQUEST['l'];
18
else
19
$l = false;
20
9
10
//get users
11
if(isset($_REQUEST['s']))
12
+ $s = sanitize_text_field($_REQUEST['s']);
13
else
14
$s = "";
15
16
if(isset($_REQUEST['l']))
17
+ $l = sanitize_text_field($_REQUEST['l']);
18
else
19
$l = false;
20
adminpages/memberslist.php CHANGED
@@ -8,12 +8,12 @@
8
//vars
9
global $wpdb;
10
if(isset($_REQUEST['s']))
11
- $s = trim($_REQUEST['s']);
12
else
13
$s = "";
14
15
if(isset($_REQUEST['l']))
16
- $l = $_REQUEST['l'];
17
else
18
$l = false;
19
@@ -23,7 +23,7 @@
23
<form id="posts-filter" method="get" action="">
24
<h2>
25
<?php _e('Members List', 'pmpro');?>
26
- <a target="_blank" href="<?php echo admin_url('admin-ajax.php');?>?action=memberslist_csv&s=<?php echo $s?>&l=<?php echo $l?>" class="add-new-h2"><?php _e('Export to CSV', 'pmpro');?></a>
27
</h2>
28
<ul class="subsubsub">
29
<li>
@@ -48,7 +48,7 @@
48
<p class="search-box">
49
<label class="hidden" for="post-search-input"><?php _e('Search Members', 'pmpro');?>:</label>
50
<input type="hidden" name="page" value="pmpro-memberslist" />
51
- <input id="post-search-input" type="text" value="<?php echo $s?>" name="s"/>
52
<input class="button" type="submit" value="<?php _e('Search Members', 'pmpro');?>"/>
53
</p>
54
<?php
@@ -211,7 +211,7 @@
211
</td>
212
<td><?php echo $theuser->first_name?></td>
213
<td><?php echo $theuser->last_name?></td>
214
- <td><a href="mailto:<?php echo $theuser->user_email?>"><?php echo $theuser->user_email?></a></td>
215
<?php do_action("pmpro_memberslist_extra_cols_body", $theuser);?>
216
<td>
217
<?php
@@ -248,7 +248,7 @@
248
{
249
?>
250
<tr>
251
- <td colspan="9"><p><?php _e("No members found.", "pmpro");?> <?php if($l) { ?><a href="?page=pmpro-memberslist&s=<?php echo $s?>"><?php _e("Search all levels", "pmpro");?></a>.<?php } ?></p></td>
252
</tr>
253
<?php
254
}
8
//vars
9
global $wpdb;
10
if(isset($_REQUEST['s']))
11
+ $s = sanitize_text_field(trim($_REQUEST['s']));
12
else
13
$s = "";
14
15
if(isset($_REQUEST['l']))
16
+ $l = sanitize_text_field($_REQUEST['l']);
17
else
18
$l = false;
19
23
<form id="posts-filter" method="get" action="">
24
<h2>
25
<?php _e('Members List', 'pmpro');?>
26
+ <a target="_blank" href="<?php echo admin_url('admin-ajax.php');?>?action=memberslist_csv&s=<?php echo esc_attr($s);?>&l=<?php echo $l?>" class="add-new-h2"><?php _e('Export to CSV', 'pmpro');?></a>
27
</h2>
28
<ul class="subsubsub">
29
<li>
48
<p class="search-box">
49
<label class="hidden" for="post-search-input"><?php _e('Search Members', 'pmpro');?>:</label>
50
<input type="hidden" name="page" value="pmpro-memberslist" />
51
+ <input id="post-search-input" type="text" value="<?php echo esc_attr($s);?>" name="s"/>
52
<input class="button" type="submit" value="<?php _e('Search Members', 'pmpro');?>"/>
53
</p>
54
<?php
211
</td>
212
<td><?php echo $theuser->first_name?></td>
213
<td><?php echo $theuser->last_name?></td>
214
+ <td><a href="mailto:<?php echo esc_attr($theuser->user_email)?>"><?php echo $theuser->user_email?></a></td>
215
<?php do_action("pmpro_memberslist_extra_cols_body", $theuser);?>
216
<td>
217
<?php
248
{
249
?>
250
<tr>
251
+ <td colspan="9"><p><?php _e("No members found.", "pmpro");?> <?php if($l) { ?><a href="?page=pmpro-memberslist&s=<?php echo esc_attr($s);?>"><?php _e("Search all levels", "pmpro");?></a>.<?php } ?></p></td>
252
</tr>
253
<?php
254
}
adminpages/orders-csv.php CHANGED
@@ -9,52 +9,52 @@
9
10
//get users
11
if(isset($_REQUEST['s']))
12
- $s = $_REQUEST['s'];
13
else
14
$s = "";
15
16
if(isset($_REQUEST['l']))
17
- $l = $_REQUEST['l'];
18
else
19
$l = false;
20
21
if(isset($_REQUEST['start-month']))
22
- $start_month = $_REQUEST['start-month'];
23
else
24
$start_month = "1";
25
26
if(isset($_REQUEST['start-day']))
27
- $start_day = $_REQUEST['start-day'];
28
else
29
$start_day = "1";
30
31
if(isset($_REQUEST['start-year']))
32
- $start_year = $_REQUEST['start-year'];
33
else
34
$start_year = date("Y");
35
36
if(isset($_REQUEST['end-month']))
37
- $end_month = $_REQUEST['end-month'];
38
else
39
$end_month = date("n");
40
41
if(isset($_REQUEST['end-day']))
42
- $end_day = $_REQUEST['end-day'];
43
else
44
$end_day = date("j");
45
46
if(isset($_REQUEST['end-year']))
47
- $end_year = $_REQUEST['end-year'];
48
else
49
$end_year = date("Y");
50
51
if(isset($_REQUEST['predefined-date']))
52
- $predefined_date = $_REQUEST['predefined-date'];
53
else
54
$predefined_date = "This Month";
55
56
if(isset($_REQUEST['status']))
57
- $status = $_REQUEST['status'];
58
else
59
$status = "";
60
9
10
//get users
11
if(isset($_REQUEST['s']))
12
+ $s = sanitize_text_field($_REQUEST['s']);
13
else
14
$s = "";
15
16
if(isset($_REQUEST['l']))
17
+ $l = intval($_REQUEST['l']);
18
else
19
$l = false;
20
21
if(isset($_REQUEST['start-month']))
22
+ $start_month = intval($_REQUEST['start-month']);
23
else
24
$start_month = "1";
25
26
if(isset($_REQUEST['start-day']))
27
+ $start_day = intval($_REQUEST['start-day']);
28
else
29
$start_day = "1";
30
31
if(isset($_REQUEST['start-year']))
32
+ $start_year = intval($_REQUEST['start-year']);
33
else
34
$start_year = date("Y");
35
36
if(isset($_REQUEST['end-month']))
37
+ $end_month = intval($_REQUEST['end-month']);
38
else
39
$end_month = date("n");
40
41
if(isset($_REQUEST['end-day']))
42
+ $end_day = intval($_REQUEST['end-day']);
43
else
44
$end_day = date("j");
45
46
if(isset($_REQUEST['end-year']))
47
+ $end_year = intval($_REQUEST['end-year']);
48
else
49
$end_year = date("Y");
50
51
if(isset($_REQUEST['predefined-date']))
52
+ $predefined_date = sanitize_text_field($_REQUEST['predefined-date']);
53
else
54
$predefined_date = "This Month";
55
56
if(isset($_REQUEST['status']))
57
+ $status = sanitize_text_field($_REQUEST['status']);
58
else
59
$status = "";
60
adminpages/orders.php CHANGED
@@ -8,52 +8,52 @@
8
//vars
9
global $wpdb;
10
if(isset($_REQUEST['s']))
11
- $s = trim($_REQUEST['s']);
12
else
13
$s = "";
14
15
if(isset($_REQUEST['l']))
16
- $l = $_REQUEST['l'];
17
else
18
$l = false;
19
20
if(isset($_REQUEST['start-month']))
21
- $start_month = $_REQUEST['start-month'];
22
else
23
$start_month = "1";
24
25
if(isset($_REQUEST['start-day']))
26
- $start_day = $_REQUEST['start-day'];
27
else
28
$start_day = "1";
29
30
if(isset($_REQUEST['start-year']))
31
- $start_year = $_REQUEST['start-year'];
32
else
33
$start_year = date("Y");
34
35
if(isset($_REQUEST['end-month']))
36
- $end_month = $_REQUEST['end-month'];
37
else
38
$end_month = date("n");
39
40
if(isset($_REQUEST['end-day']))
41
- $end_day = $_REQUEST['end-day'];
42
else
43
$end_day = date("j");
44
45
if(isset($_REQUEST['end-year']))
46
- $end_year = $_REQUEST['end-year'];
47
else
48
$end_year = date("Y");
49
50
if(isset($_REQUEST['predefined-date']))
51
- $predefined_date = $_REQUEST['predefined-date'];
52
else
53
$predefined_date = "This Month";
54
55
if(isset($_REQUEST['status']))
56
- $status = $_REQUEST['status'];
57
else
58
$status = "";
59
@@ -513,8 +513,8 @@
513
}
514
?>
515
</select>
516
- <input name="ts_day" type="text" size="2" value="<?php echo $day?>" />
517
- <input name="ts_year" type="text" size="4" value="<?php echo $year?>" />
518
<?php } ?>
519
</td>
520
</tr>
@@ -617,8 +617,8 @@
617
<?php } ?>
618
</select>
619
620
- <input id='start-day' name="start-day" type="text" size="2" value="<?php echo $start_day?>" />
621
- <input id='start-year' name="start-year" type="text" size="4" value="<?php echo $start_year?>" />
622
623
624
<span id="to"><?php _ex('To', 'Dropdown label', 'pmpro')?></span>
@@ -630,8 +630,8 @@
630
</select>
631
632
633
- <input id='end-day' name="end-day" type="text" size="2" value="<?php echo $end_day?>" />
634
- <input id='end-year' name="end-year" type="text" size="4" value="<?php echo $end_year?>" />
635
636
<span id="filterby"><?php _ex('filter by ', 'Dropdown label', 'pmpro')?></span>
637
@@ -776,7 +776,7 @@
776
<p class="search-box">
777
<label class="hidden" for="post-search-input"><?php _e('Search Orders', 'pmpro');?>:</label>
778
<input type="hidden" name="page" value="pmpro-orders" />
779
- <input id="post-search-input" type="text" value="<?php echo $s?>" name="s"/>
780
<input class="button" type="submit" value="<?php _e('Search Orders', 'pmpro');?>"/>
781
</p>
782
8
//vars
9
global $wpdb;
10
if(isset($_REQUEST['s']))
11
+ $s = sanitize_text_field(trim($_REQUEST['s']));
12
else
13
$s = "";
14
15
if(isset($_REQUEST['l']))
16
+ $l = intval($_REQUEST['l']);
17
else
18
$l = false;
19
20
if(isset($_REQUEST['start-month']))
21
+ $start_month = intval($_REQUEST['start-month']);
22
else
23
$start_month = "1";
24
25
if(isset($_REQUEST['start-day']))
26
+ $start_day = intval($_REQUEST['start-day']);
27
else
28
$start_day = "1";
29
30
if(isset($_REQUEST['start-year']))
31
+ $start_year = intval($_REQUEST['start-year']);
32
else
33
$start_year = date("Y");
34
35
if(isset($_REQUEST['end-month']))
36
+ $end_month = intval($_REQUEST['end-month']);
37
else
38
$end_month = date("n");
39
40
if(isset($_REQUEST['end-day']))
41
+ $end_day = intval($_REQUEST['end-day']);
42
else
43
$end_day = date("j");
44
45
if(isset($_REQUEST['end-year']))
46
+ $end_year = intval($_REQUEST['end-year']);
47
else
48
$end_year = date("Y");
49
50
if(isset($_REQUEST['predefined-date']))
51
+ $predefined_date = sanitize_text_field($_REQUEST['predefined-date']);
52
else
53
$predefined_date = "This Month";
54
55
if(isset($_REQUEST['status']))
56
+ $status = sanitize_text_field($_REQUEST['status']);
57
else
58
$status = "";
59
513
}
514
?>
515
</select>
516
+ <input name="ts_day" type="text" size="2" value="<?php echo esc_attr($day);?>" />
517
+ <input name="ts_year" type="text" size="4" value="<?php echo esc_attr($year);?>" />
518
<?php } ?>
519
</td>
520
</tr>
617
<?php } ?>
618
</select>
619
620
+ <input id='start-day' name="start-day" type="text" size="2" value="<?php echo esc_attr($start_day);?>" />
621
+ <input id='start-year' name="start-year" type="text" size="4" value="<?php echo esc_attr($start_year);?>" />
622
623
624
<span id="to"><?php _ex('To', 'Dropdown label', 'pmpro')?></span>
630
</select>
631
632
633
+ <input id='end-day' name="end-day" type="text" size="2" value="<?php echo esc_attr($end_day);?>" />
634
+ <input id='end-year' name="end-year" type="text" size="4" value="<?php echo esc_attr($end_year);?>" />
635
636
<span id="filterby"><?php _ex('filter by ', 'Dropdown label', 'pmpro')?></span>
637
776
<p class="search-box">
777
<label class="hidden" for="post-search-input"><?php _e('Search Orders', 'pmpro');?>:</label>
778
<input type="hidden" name="page" value="pmpro-orders" />
779
+ <input id="post-search-input" type="text" value="<?php echo esc_attr($s);?>" name="s"/>
780
<input class="button" type="submit" value="<?php _e('Search Orders', 'pmpro');?>"/>
781
</p>
782
adminpages/reports.php CHANGED
@@ -54,7 +54,7 @@
54
else
55
{
56
//view a single report
57
- $report = $_REQUEST['report'];
58
call_user_func("pmpro_report_" . $report . "_page");
59
}
60
54
else
55
{
56
//view a single report
57
+ $report = sanitize_text_field($_REQUEST['report']);
58
call_user_func("pmpro_report_" . $report . "_page");
59
}
60
paid-memberships-pro.php CHANGED
@@ -3,7 +3,7 @@
3
Plugin Name: Paid Memberships Pro
4
Plugin URI: http://www.paidmembershipspro.com
5
Description: Plugin to Handle Memberships
6
- Version: 1.8.4.2
7
Author: Stranger Studios
8
Author URI: http://www.strangerstudios.com
9
*/
@@ -13,7 +13,7 @@ Author URI: http://www.strangerstudios.com
13
*/
14
15
//version constant
16
- define("PMPRO_VERSION", "1.8.4.2");
17
18
//if the session has been started yet, start it (ignore if running from command line)
19
if(defined('STDIN') )
3
Plugin Name: Paid Memberships Pro
4
Plugin URI: http://www.paidmembershipspro.com
5
Description: Plugin to Handle Memberships
6
+ Version: 1.8.4.3
7
Author: Stranger Studios
8
Author URI: http://www.strangerstudios.com
9
*/
13
*/
14
15
//version constant
16
+ define("PMPRO_VERSION", "1.8.4.3");
17
18
//if the session has been started yet, start it (ignore if running from command line)
19
if(defined('STDIN') )
readme.txt CHANGED
@@ -3,7 +3,7 @@ Contributors: strangerstudios
3
Tags: memberships, membership, authorize.net, ecommerce, paypal, stripe, braintree, restrict access, restrict content, directory site, payflow
4
Requires at least: 3.5
5
Tested up to: 4.2.2
6
- Stable tag: 1.8.4.2
7
8
The easiest way to GET PAID with your WordPress site. Flexible content control by Membership Level, Reports, Affiliates and Discounts
9
@@ -102,6 +102,9 @@ Not sure? You can find out by doing a bit a research.
102
4. Offer Membership Discounts with specific price rules (restricted by level, unique pricing for each level, # of uses, expiration date.)
103
104
== Changelog ==
105
= 1.8.4.2 =
106
* BUG: Fixed bug where dropdown to set the account page in the page settings was showing up twice.
107
* BUG: Fixed warning in pmpro_account shortcode.
3
Tags: memberships, membership, authorize.net, ecommerce, paypal, stripe, braintree, restrict access, restrict content, directory site, payflow
4
Requires at least: 3.5
5
Tested up to: 4.2.2
6
+ Stable tag: 1.8.4.3
7
8
The easiest way to GET PAID with your WordPress site. Flexible content control by Membership Level, Reports, Affiliates and Discounts
9
102
4. Offer Membership Discounts with specific price rules (restricted by level, unique pricing for each level, # of uses, expiration date.)
103
104
== Changelog ==
105
+ = 1.8.4.3 =
106
+ * SECURITY PATCH: Fixes to Cross Site Scripting vulnerabilities in the PMPro settings pages in the WordPress dashboard. [Advisory ID HTB23264](https://www.htbridge.com/advisory/HTB23264). (Thanks, High-Tech Bridge Security Research Lab)
107
+
108
= 1.8.4.2 =
109
* BUG: Fixed bug where dropdown to set the account page in the page settings was showing up twice.
110
* BUG: Fixed warning in pmpro_account shortcode.