Paid Memberships Pro - Version 1.8.4.3

Version Description

  • SECURITY PATCH: Fixes to Cross Site Scripting vulnerabilities in the PMPro settings pages in the WordPress dashboard. Advisory ID HTB23264. (Thanks, High-Tech Bridge Security Research Lab)

Release Info

Developer strangerstudios
Version 1.8.4.3

Code changes from version 1.8.4.2 to 1.8.4.3

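--- a/adminpages/advancedsettings.php
+++ b/adminpages/advancedsettings.php
@@ -227,10 +227,10 @@ if(pmpro_displayAds())
  <th scope="row" valign="top">&nbsp;</th>
  <td>
  <label for="recaptcha_publickey"><?php _e('reCAPTCHA Public Key', 'pmpro');?>:</label>
- <input type="text" name="recaptcha_publickey" size="60" value="<?php echo $recaptcha_publickey?>" />
+ <input type="text" name="recaptcha_publickey" size="60" value="<?php echo esc_attr($recaptcha_publickey);?>" />
  <br /><br />
  <label for="recaptcha_privatekey"><?php _e('reCAPTCHA Private Key', 'pmpro');?>:</label>
- <input type="text" name="recaptcha_privatekey" size="60" value="<?php echo $recaptcha_privatekey?>" />
+ <input type="text" name="recaptcha_privatekey" size="60" value="<?php echo esc_attr($recaptcha_privatekey);?>" />
  </td>
  </tr>
  <tr>
@@ -296,14 +296,14 @@ if(pmpro_displayAds())
  <input id="<?php _e($field['field_name'], 'pmpro'); ?>"
  name="<?php _e($field['field_name'], 'pmpro'); ?>"
  type="<?php _e($field['field_type'], 'pmpro'); ?>"
- value="<?php echo pmpro_getOption($field['field_name']); ?> ">
+ value="<?php echo esc_attr(pmpro_getOption($field['field_name'])); ?> ">
  <?php
  break;
  case 'textarea':
  ?>
  <textarea id="<?php _e($field['field_name'], 'pmpro'); ?>"
  name="<?php _e($field['field_name'], 'pmpro'); ?>">
- <?php echo pmpro_getOption($field['field_name']); ?>
+ <?php echo esc_textarea(pmpro_getOption($field['field_name'])); ?>
  </textarea>
  <?php
  break;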
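Review bot: The new `value` attribute in the text-input branch still carries a stray space inside the quotes (`?> ">`), so every stored option is echoed back with a trailing blank appended and, if the settings form is resubmitted unchanged, may well be saved with it; drop the space: `value="<?php echo esc_attr(pmpro_getOption($field['field_name'])); ?>">`. The `id`, `name` and `type` attributes on the same element are written with `_e()`, which echoes without attribute escaping; those values do not come from the request, but for consistency with the rest of this patch `esc_attr_e()` is the safer call. In the first hunk the reCAPTCHA private key is rendered into a plain `type="text"` input; it is a secret, so `type="password"` with `autocomplete="off"` would keep it out of casual view and browser form history. The `switch` enclosing the second hunk begins and ends outside the hunk.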
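--- a/adminpages/discountcodes.php
+++ b/adminpages/discountcodes.php
@@ -9,31 +9,31 @@
  global $wpdb, $pmpro_currency_symbol;
 
  if(isset($_REQUEST['edit']))
- $edit = $_REQUEST['edit'];
+ $edit = intval($_REQUEST['edit']);
  else
  $edit = false;
 
  if(isset($_REQUEST['delete']))
- $delete = $_REQUEST['delete'];
+ $delete = intval($_REQUEST['delete']);
  else
  $delete = false;
 
  if(isset($_REQUEST['saveid']))
- $saveid = $_POST['saveid'];
+ $saveid = intval($_POST['saveid']);
  else
  $saveid = false;
 
  if($saveid)
  {
  //get vars
- $code = $_POST['code'];
- $starts_month = $_POST['starts_month'];
- $starts_day = $_POST['starts_day'];
- $starts_year = $_POST['starts_year'];
- $expires_month = $_POST['expires_month'];
- $expires_day = $_POST['expires_day'];
- $expires_year = $_POST['expires_year'];
- $uses = $_POST['uses'];
+ $code = sanitize_text_field($_POST['code']);
+ $starts_month = intval($_POST['starts_month']);
+ $starts_day = intval($_POST['starts_day']);
+ $starts_year = intval($_POST['starts_year']);
+ $expires_month = intval($_POST['expires_month']);
+ $expires_day = intval($_POST['expires_day']);
+ $expires_year = intval($_POST['expires_year']);
+ $uses = intval($_POST['uses']);
 
  //fix up dates
  $starts = date("Y-m-d", strtotime($starts_month . "/" . $starts_day . "/" . $starts_year, current_time("timestamp")));
@@ -110,7 +110,7 @@
  {
  //get the values ready
  $n = array_search($level_id, $all_levels_a); //this is the key location of this level's values
- $initial_payment = $initial_payment_a[$n];
+ $initial_payment = sanitize_text_field($initial_payment_a[$n]);
 
  //is this recurring?
  if(!empty($recurring_a))
@@ -125,10 +125,10 @@
 
  if(!empty($recurring))
  {
- $billing_amount = $billing_amount_a[$n];
- $cycle_number = $cycle_number_a[$n];
- $cycle_period = $cycle_period_a[$n];
- $billing_limit = $billing_limit_a[$n];
+ $billing_amount = sanitize_text_field($billing_amount_a[$n]);
+ $cycle_number = intval($cycle_number_a[$n]);
+ $cycle_period = sanitize_text_field($cycle_period_a[$n]);
+ $billing_limit = intval($billing_limit_a[$n]);
 
  //custom trial
  if(!empty($custom_trial_a))
@@ -143,8 +143,8 @@
 
  if(!empty($custom_trial))
  {
- $trial_amount = $trial_amount_a[$n];
- $trial_limit = $trial_limit_a[$n];
+ $trial_amount = sanitize_text_field($trial_amount_a[$n]);
+ $trial_limit = intval($trial_limit_a[$n]);
  }
  else
  {
@@ -175,8 +175,8 @@
 
  if(!empty($expiration))
  {
- $expiration_number = $expiration_number_a[$n];
- $expiration_period = $expiration_period_a[$n];
+ $expiration_number = intval($expiration_number_a[$n]);
+ $expiration_period = sanitize_text_field($expiration_period_a[$n]);
  }
  else
  {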
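Review bot: In the first hunk the `saveid` branch tests `isset($_REQUEST['saveid'])` but then reads `$_POST['saveid']`, so a GET request carrying `saveid` passes the check and `intval()` runs on an undefined index (a notice, with `$saveid` ending up `0`); read from one superglobal in both places, `if(isset($_POST['saveid'])) $saveid = intval($_POST['saveid']);`. The amount fields (`$initial_payment`, `$billing_amount`, `$trial_amount`) and the period fields (`$cycle_period`, `$expiration_period`) go through `sanitize_text_field()`, which strips tags but otherwise lets any string through; amounts are better cast with `floatval()`, and the periods should be checked against the fixed set the form presumably offers, because what happens to them between here and the database write is not visible in these hunks and `sanitize_text_field()` is not SQL escaping. Note also that with the new `intval()` casts a missing or non-numeric date part becomes `0`, `strtotime("0/0/0")` returns `false`, and the `date("Y-m-d", ...)` line then silently produces `1970-01-01`; a `checkdate($starts_month, $starts_day, $starts_year)` guard before that line would reject it instead. The `if($saveid)` body continues past the hunk.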
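--- a/adminpages/membershiplevels.php
+++ b/adminpages/membershiplevels.php
@@ -14,28 +14,28 @@
  global $pmpro_stripe_error, $pmpro_braintree_error, $pmpro_payflow_error, $pmpro_twocheckout_error, $wp_version;
 
  if(isset($_REQUEST['edit']))
- $edit = $_REQUEST['edit'];
+ $edit = intval($_REQUEST['edit']);
  else
  $edit = false;
  if(isset($_REQUEST['copy']))
- $copy = $_REQUEST['copy'];
+ $copy = intval($_REQUEST['copy']);
  if(isset($_REQUEST['s']))
- $s = $_REQUEST['s'];
+ $s = sanitize_text_field($_REQUEST['s']);
  else
  $s = "";
 
  if(isset($_REQUEST['action']))
- $action = $_REQUEST['action'];
+ $action = sanitize_text_field($_REQUEST['action']);
  else
  $action = false;
 
  if(isset($_REQUEST['saveandnext']))
- $saveandnext = $_REQUEST['saveandnext'];
+ $saveandnext = intval($_REQUEST['saveandnext']);
 
  if(isset($_REQUEST['saveid']))
- $saveid = $_REQUEST['saveid'];
+ $saveid = intval($_REQUEST['saveid']);
  if(isset($_REQUEST['deleteid']))
- $deleteid = $_REQUEST['deleteid'];
+ $deleteid = intval($_REQUEST['deleteid']);
 
  if($action == "save_membershiplevel")
  {
@@ -155,7 +155,7 @@
  {
  global $wpdb;
 
- $ml_id = $_REQUEST['deleteid'];
+ $ml_id = intval($_REQUEST['deleteid']);
 
  if($ml_id > 0)
  {
@@ -280,7 +280,7 @@
 
  ?>
  <form action="" method="post" enctype="multipart/form-data">
- <input name="saveid" type="hidden" value="<?php echo $edit?>" />
+ <input name="saveid" type="hidden" value="<?php echo esc_attr($edit); ?>" />
  <input type="hidden" name="action" value="save_membershiplevel" />
  <table class="form-table">
  <tbody>
@@ -571,7 +571,7 @@
  <p class="search-box">
  <label class="screen-reader-text" for="post-search-input"><?php _e('Search Levels', 'pmpro');?>:</label>
  <input type="hidden" name="page" value="pmpro-membershiplevels" />
- <input id="post-search-input" type="text" value="<?php echo $s?>" name="s" size="30" />
+ <input id="post-search-input" type="text" value="<?php echo esc_attr($s); ?>" name="s" size="30" />
  <input class="button" type="submit" value="<?php _e('Search Levels', 'pmpro');?>" id="search-submit" />
  </p>
  </form>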
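Review bot: `$saveandnext = intval($_REQUEST['saveandnext']);` in the first hunk looks like a regression risk: if `saveandnext` is the name of a submit button, its value is a label string, `intval()` turns it into `0`, and any later `!empty($saveandnext)` test (outside this hunk) would silently stop firing; if only presence matters, `$saveandnext = isset($_REQUEST['saveandnext']);` says that without the cast. The delete path in the second hunk takes `deleteid` from `$_REQUEST`, so it is reachable from a GET link; no nonce or capability check is visible in these hunks and one may exist above them, but a `check_admin_referer()` on the save and delete actions is what closes the CSRF angle that the output escaping in this patch does not. If `$s` is used in a `LIKE` query below, `sanitize_text_field()` is not SQL escaping and that query should go through `$wpdb->prepare()` with `$wpdb->esc_like()`.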
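--- a/adminpages/memberslist-csv.php
+++ b/adminpages/memberslist-csv.php
@@ -9,12 +9,12 @@
 
  //get users
  if(isset($_REQUEST['s']))
- $s = $_REQUEST['s'];
+ $s = sanitize_text_field($_REQUEST['s']);
  else
  $s = "";
 
  if(isset($_REQUEST['l']))
- $l = $_REQUEST['l'];
+ $l = sanitize_text_field($_REQUEST['l']);
  else
  $l = false;
 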
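Review bot: `$l` is kept as free text through `sanitize_text_field()` here, while `adminpages/orders-csv.php` in the same patch casts its `$l` with `intval()`; if the members export only ever takes a level id in `l`, the cast is the tighter check, and if it also accepts a keyword (an "all old members" view, say) the value should be matched against that closed set rather than passed on as arbitrary text. Neither sanitize call is SQL escaping, so wherever `$s` and `$l` are folded into the export query below this hunk they still need `$wpdb->prepare()` and `$wpdb->esc_like()`. This file is served through `admin-ajax.php` (the export link in memberslist.php builds `?action=memberslist_csv`), and no capability check is visible in the hunk; it may sit above it, but a member-data export should be gated on a capability such as `manage_options` before any of this runs.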
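--- a/adminpages/memberslist.php
+++ b/adminpages/memberslist.php
@@ -8,12 +8,12 @@
  //vars
  global $wpdb;
  if(isset($_REQUEST['s']))
- $s = trim($_REQUEST['s']);
+ $s = sanitize_text_field(trim($_REQUEST['s']));
  else
  $s = "";
 
  if(isset($_REQUEST['l']))
- $l = $_REQUEST['l'];
+ $l = sanitize_text_field($_REQUEST['l']);
  else
  $l = false;
 
@@ -23,7 +23,7 @@
  <form id="posts-filter" method="get" action="">
  <h2>
  <?php _e('Members List', 'pmpro');?>
- <a target="_blank" href="<?php echo admin_url('admin-ajax.php');?>?action=memberslist_csv&s=<?php echo $s?>&l=<?php echo $l?>" class="add-new-h2"><?php _e('Export to CSV', 'pmpro');?></a>
+ <a target="_blank" href="<?php echo admin_url('admin-ajax.php');?>?action=memberslist_csv&s=<?php echo esc_attr($s);?>&l=<?php echo $l?>" class="add-new-h2"><?php _e('Export to CSV', 'pmpro');?></a>
  </h2>
  <ul class="subsubsub">
  <li>
@@ -48,7 +48,7 @@
  <p class="search-box">
  <label class="hidden" for="post-search-input"><?php _e('Search Members', 'pmpro');?>:</label>
  <input type="hidden" name="page" value="pmpro-memberslist" />
- <input id="post-search-input" type="text" value="<?php echo $s?>" name="s"/>
+ <input id="post-search-input" type="text" value="<?php echo esc_attr($s);?>" name="s"/>
  <input class="button" type="submit" value="<?php _e('Search Members', 'pmpro');?>"/>
  </p>
  <?php
@@ -211,7 +211,7 @@
  </td>
  <td><?php echo $theuser->first_name?></td>
  <td><?php echo $theuser->last_name?></td>
- <td><a href="mailto:<?php echo $theuser->user_email?>"><?php echo $theuser->user_email?></a></td>
+ <td><a href="mailto:<?php echo esc_attr($theuser->user_email)?>"><?php echo $theuser->user_email?></a></td>
  <?php do_action("pmpro_memberslist_extra_cols_body", $theuser);?>
  <td>
  <?php
@@ -248,7 +248,7 @@
  {
  ?>
  <tr>
- <td colspan="9"><p><?php _e("No members found.", "pmpro");?> <?php if($l) { ?><a href="?page=pmpro-memberslist&s=<?php echo $s?>"><?php _e("Search all levels", "pmpro");?></a>.<?php } ?></p></td>
+ <td colspan="9"><p><?php _e("No members found.", "pmpro");?> <?php if($l) { ?><a href="?page=pmpro-memberslist&s=<?php echo esc_attr($s);?>"><?php _e("Search all levels", "pmpro");?></a>.<?php } ?></p></td>
  </tr>
  <?php
  }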
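Review bot: The export link in the second hunk escapes `$s` but still echoes `$l` raw into the `href` (`&l=<?php echo $l?>`); `sanitize_text_field()` strips tags but leaves `"` alone, so a crafted `l` parameter can close the attribute and add an event handler, which is the same class of bug this patch is fixing. Build the URL rather than concatenating it: `<a target="_blank" href="<?php echo esc_url(add_query_arg(array('action' => 'memberslist_csv', 's' => $s, 'l' => $l), admin_url('admin-ajax.php'))); ?>" class="add-new-h2">` — this also URL-encodes `&` and `=` inside the search string, which `esc_attr()` in the last hunk's `?page=pmpro-memberslist&s=` link does not do (there `urlencode($s)` or the same `add_query_arg()` pattern applies). In the fourth hunk the email text node is still the raw `<?php echo $theuser->user_email?>`, and the two cells above it print `first_name` and `last_name` unescaped; those are profile fields a member can set themselves, so they need `esc_html()` as well.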
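--- a/adminpages/orders-csv.php
+++ b/adminpages/orders-csv.php
@@ -9,52 +9,52 @@
 
  //get users
  if(isset($_REQUEST['s']))
- $s = $_REQUEST['s'];
+ $s = sanitize_text_field($_REQUEST['s']);
  else
  $s = "";
 
  if(isset($_REQUEST['l']))
- $l = $_REQUEST['l'];
+ $l = intval($_REQUEST['l']);
  else
  $l = false;
 
  if(isset($_REQUEST['start-month']))
- $start_month = $_REQUEST['start-month'];
+ $start_month = intval($_REQUEST['start-month']);
  else
  $start_month = "1";
 
  if(isset($_REQUEST['start-day']))
- $start_day = $_REQUEST['start-day'];
+ $start_day = intval($_REQUEST['start-day']);
  else
  $start_day = "1";
 
  if(isset($_REQUEST['start-year']))
- $start_year = $_REQUEST['start-year'];
+ $start_year = intval($_REQUEST['start-year']);
  else
  $start_year = date("Y");
 
  if(isset($_REQUEST['end-month']))
- $end_month = $_REQUEST['end-month'];
+ $end_month = intval($_REQUEST['end-month']);
  else
  $end_month = date("n");
 
  if(isset($_REQUEST['end-day']))
- $end_day = $_REQUEST['end-day'];
+ $end_day = intval($_REQUEST['end-day']);
  else
  $end_day = date("j");
 
  if(isset($_REQUEST['end-year']))
- $end_year = $_REQUEST['end-year'];
+ $end_year = intval($_REQUEST['end-year']);
  else
  $end_year = date("Y");
 
  if(isset($_REQUEST['predefined-date']))
- $predefined_date = $_REQUEST['predefined-date'];
+ $predefined_date = sanitize_text_field($_REQUEST['predefined-date']);
  else
  $predefined_date = "This Month";
 
  if(isset($_REQUEST['status']))
- $status = $_REQUEST['status'];
+ $status = sanitize_text_field($_REQUEST['status']);
  else
  $status = "";
 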
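Review bot: `$status` and `$predefined_date` are accepted as arbitrary text after `sanitize_text_field()`, yet both are chosen from a fixed set of values in the orders UI; comparing each against that set and falling back to the `else` defaults on an unknown value is the check that actually bounds them, and if `$status` is interpolated into the orders query below this hunk — which I cannot see from here — `sanitize_text_field()` gives no SQL escaping, so that query needs `$wpdb->prepare()`. `intval()` on the month/day/year fields still accepts `0` and out-of-range values such as month `13`; a `checkdate($start_month, $start_day, $start_year)` test (and the same for the end date) before they are turned into a date range would reject those cleanly. The defaults remain strings (`"1"`, `date("Y")`) while the request path now yields ints; harmless for the date functions, but worth remembering if any of these values is later compared with `===`.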
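--- a/adminpages/orders.php
+++ b/adminpages/orders.php
@@ -8,52 +8,52 @@
  //vars
  global $wpdb;
  if(isset($_REQUEST['s']))
- $s = trim($_REQUEST['s']);
+ $s = sanitize_text_field(trim($_REQUEST['s']));
  else
  $s = "";
 
  if(isset($_REQUEST['l']))
- $l = $_REQUEST['l'];
+ $l = intval($_REQUEST['l']);
  else
  $l = false;
 
  if(isset($_REQUEST['start-month']))
- $start_month = $_REQUEST['start-month'];
+ $start_month = intval($_REQUEST['start-month']);
  else
  $start_month = "1";
 
  if(isset($_REQUEST['start-day']))
- $start_day = $_REQUEST['start-day'];
+ $start_day = intval($_REQUEST['start-day']);
  else
  $start_day = "1";
 
  if(isset($_REQUEST['start-year']))
- $start_year = $_REQUEST['start-year'];
+ $start_year = intval($_REQUEST['start-year']);
  else
  $start_year = date("Y");
 
  if(isset($_REQUEST['end-month']))
- $end_month = $_REQUEST['end-month'];
+ $end_month = intval($_REQUEST['end-month']);
  else
  $end_month = date("n");
 
  if(isset($_REQUEST['end-day']))
- $end_day = $_REQUEST['end-day'];
+ $end_day = intval($_REQUEST['end-day']);
  else
  $end_day = date("j");
 
  if(isset($_REQUEST['end-year']))
- $end_year = $_REQUEST['end-year'];
+ $end_year = intval($_REQUEST['end-year']);
  else
  $end_year = date("Y");
 
  if(isset($_REQUEST['predefined-date']))
- $predefined_date = $_REQUEST['predefined-date'];
+ $predefined_date = sanitize_text_field($_REQUEST['predefined-date']);
  else
  $predefined_date = "This Month";
 
  if(isset($_REQUEST['status']))
- $status = $_REQUEST['status'];
+ $status = sanitize_text_field($_REQUEST['status']);
  else
  $status = "";
 
@@ -513,8 +513,8 @@
  }
  ?>
  </select>
- <input name="ts_day" type="text" size="2" value="<?php echo $day?>" />
- <input name="ts_year" type="text" size="4" value="<?php echo $year?>" />
+ <input name="ts_day" type="text" size="2" value="<?php echo esc_attr($day);?>" />
+ <input name="ts_year" type="text" size="4" value="<?php echo esc_attr($year);?>" />
  <?php } ?>
  </td>
  </tr>
@@ -617,8 +617,8 @@
  <?php } ?>
  </select>
 
- <input id='start-day' name="start-day" type="text" size="2" value="<?php echo $start_day?>" />
- <input id='start-year' name="start-year" type="text" size="4" value="<?php echo $start_year?>" />
+ <input id='start-day' name="start-day" type="text" size="2" value="<?php echo esc_attr($start_day);?>" />
+ <input id='start-year' name="start-year" type="text" size="4" value="<?php echo esc_attr($start_year);?>" />
 
 
  <span id="to"><?php _ex('To', 'Dropdown label', 'pmpro')?></span>
@@ -630,8 +630,8 @@
  </select>
 
 
- <input id='end-day' name="end-day" type="text" size="2" value="<?php echo $end_day?>" />
- <input id='end-year' name="end-year" type="text" size="4" value="<?php echo $end_year?>" />
+ <input id='end-day' name="end-day" type="text" size="2" value="<?php echo esc_attr($end_day);?>" />
+ <input id='end-year' name="end-year" type="text" size="4" value="<?php echo esc_attr($end_year);?>" />
 
  <span id="filterby"><?php _ex('filter by ', 'Dropdown label', 'pmpro')?></span>
 
@@ -776,7 +776,7 @@
  <p class="search-box">
  <label class="hidden" for="post-search-input"><?php _e('Search Orders', 'pmpro');?>:</label>
  <input type="hidden" name="page" value="pmpro-orders" />
- <input id="post-search-input" type="text" value="<?php echo $s?>" name="s"/>
+ <input id="post-search-input" type="text" value="<?php echo esc_attr($s);?>" name="s"/>
  <input class="button" type="submit" value="<?php _e('Search Orders', 'pmpro');?>"/>
  </p>
 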
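Review bot: The 50-line request-parsing prologue in the first hunk is a verbatim copy of the one patched in `adminpages/orders-csv.php`, so every sanitization decision here — and every later fix, such as checking `$status` and `$predefined_date` against their closed sets or validating the date parts with `checkdate()` — has to be made twice and can drift between the list page and the export; a single helper that returns the parsed filters, called from both files, would make the next security fix a one-place change. As in the CSV file, `sanitize_text_field()` is not SQL escaping, so where `$s` and `$status` reach the orders query below this hunk they still need `$wpdb->prepare()` and `$wpdb->esc_like()`. In the second hunk `$day` and `$year` are defined above the hunk, so I cannot see whether they derive from request input or from a stored order timestamp; `esc_attr()` is correct either way.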
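--- a/adminpages/reports.php
+++ b/adminpages/reports.php
@@ -54,7 +54,7 @@
  else
  {
  //view a single report
- $report = $_REQUEST['report'];
+ $report = sanitize_text_field($_REQUEST['report']);
  call_user_func("pmpro_report_" . $report . "_page");
  }
 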
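Review bot: `sanitize_text_field()` does not restrict `$report` to a function-name alphabet, so `call_user_func("pmpro_report_" . $report . "_page")` is still invoked with an attacker-chosen name: any value that is not a registered report produces a warning for an invalid callback (a `TypeError` on newer PHP), and the request effectively probes which `pmpro_report_*_page` functions exist. Narrow the value to identifier characters and verify the callback before calling it: `$report = sanitize_key($_REQUEST['report']);` followed by `if(function_exists('pmpro_report_' . $report . '_page')) call_user_func('pmpro_report_' . $report . '_page'); else wp_die(__('Invalid report.', 'pmpro'));` — or, better still, match `$report` against the list of registered reports if the plugin keeps one (that list is not visible from this hunk). The `else` branch enclosing these lines begins above the hunk.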
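--- a/paid-memberships-pro.php
+++ b/paid-memberships-pro.php
@@ -3,7 +3,7 @@
  Plugin Name: Paid Memberships Pro
  Plugin URI: http://www.paidmembershipspro.com
  Description: Plugin to Handle Memberships
- Version: 1.8.4.2
+ Version: 1.8.4.3
  Author: Stranger Studios
  Author URI: http://www.strangerstudios.com
  */
@@ -13,7 +13,7 @@ Author URI: http://www.strangerstudios.com
  */
 
  //version constant
- define("PMPRO_VERSION", "1.8.4.2");
+ define("PMPRO_VERSION", "1.8.4.3");
 
  //if the session has been started yet, start it (ignore if running from command line)
  if(defined('STDIN') )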
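--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: strangerstudios
  Tags: memberships, membership, authorize.net, ecommerce, paypal, stripe, braintree, restrict access, restrict content, directory site, payflow
  Requires at least: 3.5
  Tested up to: 4.2.2
- Stable tag: 1.8.4.2
+ Stable tag: 1.8.4.3
 
  The easiest way to GET PAID with your WordPress site. Flexible content control by Membership Level, Reports, Affiliates and Discounts
 
@@ -102,6 +102,9 @@ Not sure? You can find out by doing a bit a research.
  4. Offer Membership Discounts with specific price rules (restricted by level, unique pricing for each level, # of uses, expiration date.)
 
  == Changelog ==
+ = 1.8.4.3 =
+ * SECURITY PATCH: Fixes to Cross Site Scripting vulnerabilities in the PMPro settings pages in the WordPress dashboard. [Advisory ID HTB23264](https://www.htbridge.com/advisory/HTB23264). (Thanks, High-Tech Bridge Security Research Lab)
+
  = 1.8.4.2 =
  * BUG: Fixed bug where dropdown to set the account page in the page settings was showing up twice.
  * BUG: Fixed warning in pmpro_account shortcode.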