Paid Memberships Pro - Version 1.9.3

Version Description

  • SECURITY: Fixed sanitization of inputs to protect against XSS attacks and added nonce checks in several places to protect against CSRF (cross-site request forgery) attacks.
  • BUG FIX: Showing correct error message when trying to update a PMPro Plus add on with a Core license installed.
  • BUG FIX: Fixed issue where subscription and payment transaction IDs were not being saved correctly when copying an order in the dashboard. (Thanks, Pippin Williamson)
  • BUG FIX: Fixed fatal errors that occurred in certain PHP versions.
  • BUG FIX: Fixed issue where ProfileStartDate was being calculated incorrectly in the test, check, and Cybersource gateways.(Thanks, David Parker)
  • ENHANCEMENT: Added a pmpro_sanitize_with_safelist() function that is used to sanitize inputs that have a limited number of exact options.
  • ENHANCEMENT: Updated the pmpro_setOption() and pmpro_getParam() functions to take a new last parameter $sanitize_function, which defaults to 'sanitize_text_field'.

Release Info

Developer strangerstudios
Version 1.9.3

Code changes from version 1.9.2.2 to 1.9.3

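--- a/adminpages/addons.php
+++ b/adminpages/addons.php
@@ -30,7 +30,7 @@
 
 //get plugin status for filters
 if(!empty($_REQUEST['plugin_status']))
- $status = $_REQUEST['plugin_status'];
+ $status = pmpro_sanitize_with_safelist($_REQUEST['plugin_status'], array('', 'all', 'active', 'inactive', 'update', 'uninstalled'));
 
 //make sure we have an approved status
 $approved_statuses = array('all', 'active', 'inactive', 'update', 'uninstalled');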
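Review bot: The safelist passed to pmpro_sanitize_with_safelist() at new line 33 duplicates the `$approved_statuses` array declared three lines later, and its extra `''` entry can never match because the surrounding `!empty()` guard already rejects empty values; two copies of the same list will drift apart. Declare `$approved_statuses` before the check and pass it, e.g. `$status = pmpro_sanitize_with_safelist($_REQUEST['plugin_status'], $approved_statuses);`. What the helper returns for a value outside the list is not visible here, so the existing "approved status" check below should stay as the backstop.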
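--- a/adminpages/admin_header.php
+++ b/adminpages/admin_header.php
@@ -2,7 +2,7 @@
 require_once(dirname(__FILE__) . "/functions.php");
 
 if(isset($_REQUEST['page']))
- $view = $_REQUEST['page'];
+ $view = sanitize_text_field($_REQUEST['page']);
 else
 $view = "";
 
@@ -14,7 +14,7 @@
 if(!isset($edit))
 {
 if(isset($_REQUEST['edit']))
- $edit = $_REQUEST['edit'];
+ $edit = intval($_REQUEST['edit']);
 else
 $edit = false;
 }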
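Review bot: The `intval()` at new line 17 only runs inside the `if(!isset($edit))` guard, so any admin page that assigns `$edit` itself before including this header bypasses the sanitization, and pages that echo `$edit` into markup cannot assume it is an integer. Either sanitize unconditionally whenever the request carries `edit`, or escape `$edit` at every output site regardless of where it was set. `sanitize_text_field()` on `page` at line 5 is adequate if `$view` is only compared against known slugs; if it is echoed anywhere, escape there too, or validate it against the list of known PMPro admin pages with the new safelist helper.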
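--- a/adminpages/advancedsettings.php
+++ b/adminpages/advancedsettings.php
@@ -5,15 +5,29 @@
 die(__("You do not have permissions to perform this action.", 'paid-memberships-pro' ));
 }
 
- global $wpdb, $msg, $msgt;
+ global $wpdb, $msg, $msgt, $allowedposttags;
 
+ //check nonce for saving settings
+ if (!empty($_REQUEST['savesettings']) && (empty($_REQUEST['pmpro_advancedsettings_nonce']) || !check_admin_referer('savesettings', 'pmpro_advancedsettings_nonce'))) {
+ $msg = -1;
+ $msgt = __("Are your sure you want to do that? Try again.", 'paid-memberships-pro' );
+ unset($_REQUEST['savesettings']);
+ }
+
 //get/set settings
 if(!empty($_REQUEST['savesettings']))
 {
+ //handle the text settings for better security handling
+ $nonmembertext = wp_kses(wp_unslash($_POST['nonmembertext']), $allowedposttags);
+ update_option('pmpro_nonmembertext', $nonmembertext);
+
+ $notloggedintext = wp_kses(wp_unslash($_POST['notloggedintext']), $allowedposttags);
+ update_option('pmpro_notloggedintext', $notloggedintext);
+
+ $rsstext = wp_kses(wp_unslash($_POST['rsstext']), $allowedposttags);
+ update_option('pmpro_rsstext', $rsstext);
+
 //other settings
- pmpro_setOption("nonmembertext");
- pmpro_setOption("notloggedintext");
- pmpro_setOption("rsstext");
 pmpro_setOption("filterqueries");
 pmpro_setOption("showexcerpts");
 pmpro_setOption("hideads");
@@ -88,6 +102,8 @@
 ?>
 
 <form action="" method="post" enctype="multipart/form-data">
+ <?php wp_nonce_field('savesettings', 'pmpro_advancedsettings_nonce');?>
+
 <h2><?php _e('Advanced Settings', 'paid-memberships-pro' );?></h2>
 
 <table class="form-table">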
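Review bot: check_admin_referer() at new line 11 calls wp_die() when a nonce is present but invalid, so the friendly `$msg`/`$msgt` retry branch beneath it is only reached when the nonce field is missing entirely; if a non-fatal message is the intent, verify with `wp_verify_nonce($_REQUEST['pmpro_advancedsettings_nonce'], 'savesettings')` instead. The three text settings at lines 21-28 read `$_POST[...]` without `isset()`, so a request lacking one of the fields raises a notice and overwrites the option with an empty string; guard each read or fall back to the current option value. `wp_kses_post()` is the WordPress idiom for `wp_kses($x, $allowedposttags)` and removes the need for the new global.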
adminpages/discountcodes.php CHANGED
@@ -28,6 +28,13 @@
28
else
29
$s = "";
30
31
if($saveid)
32
{
33
//get vars
@@ -127,6 +134,8 @@
127
{
128
foreach($levels_a as $level_id)
129
{
130
//get the values ready
131
$n = array_search($level_id, $all_levels_a); //this is the key location of this level's values
132
$initial_payment = sanitize_text_field($initial_payment_a[$n]);
@@ -253,18 +262,25 @@
253
if(!empty($level_errors))
254
{
255
$pmpro_msg = __("There were errors updating the level values: ", 'paid-memberships-pro' ) . implode(" ", $level_errors);
256
- $pmpro_msgt = "error";
257
}
258
else
259
{
260
- //all good. set edit = NULL so we go back to the overview page
261
- $edit = NULL;
262
-
263
do_action("pmpro_save_discount_code", $saveid);
264
}
265
}
266
}
267
268
//are we deleting?
269
if(!empty($delete))
270
{
@@ -375,6 +391,7 @@
375
?>
376
<form action="" method="post">
377
<input name="saveid" type="hidden" value="<?php echo $edit?>" />
378
<table class="form-table">
379
<tbody>
380
<tr>
@@ -735,7 +752,7 @@
735
<a href="?page=pmpro-discountcodes&edit=<?php echo $code->id?>"><?php _e('edit', 'paid-memberships-pro' );?></a>
736
</td>
737
<td>
738
- <a href="javascript:askfirst('<?php echo str_replace("'", "\'", sprintf(__('Are you sure you want to delete the %s discount code? The subscriptions for existing users will not change, but new users will not be able to use this code anymore.', 'paid-memberships-pro' ), $code->code));?>', '?page=pmpro-discountcodes&delete=<?php echo $code->id?>'); void(0);"><?php _e('delete', 'paid-memberships-pro' );?></a>
739
</td>
740
</tr>
741
<?php
28
else
29
$s = "";
30
31
+ //check nonce for saving codes
32
+ if (!empty($_REQUEST['saveid']) && (empty($_REQUEST['pmpro_discountcodes_nonce']) || !check_admin_referer('save', 'pmpro_discountcodes_nonce'))) {
33
+ $pmpro_msgt = 'error';
34
+ $pmpro_msg = __("Are your sure you want to do that? Try again.", 'paid-memberships-pro' );
35
+ $saveid = false;
36
+ }
37
+
38
if($saveid)
39
{
40
//get vars
134
{
135
foreach($levels_a as $level_id)
136
{
137
+ $level_id = intval($level_id); //sanitized
138
+
139
//get the values ready
140
$n = array_search($level_id, $all_levels_a); //this is the key location of this level's values
141
$initial_payment = sanitize_text_field($initial_payment_a[$n]);
262
if(!empty($level_errors))
263
{
264
$pmpro_msg = __("There were errors updating the level values: ", 'paid-memberships-pro' ) . implode(" ", $level_errors);
265
+ $pmpro_msgt = "error";
266
}
267
else
268
{
269
+ //all good. set edit = false so we go back to the overview page
270
+ $edit = false;
271
+
272
do_action("pmpro_save_discount_code", $saveid);
273
}
274
}
275
}
276
277
+ //check nonce for deleting codes
278
+ if (!empty($_REQUEST['delete']) && (empty($_REQUEST['pmpro_discountcodes_nonce']) || !check_admin_referer('delete', 'pmpro_discountcodes_nonce'))) {
279
+ $pmpro_msgt = 'error';
280
+ $pmpro_msg = __("Are your sure you want to do that? Try again.", 'paid-memberships-pro' );
281
+ $delete = false;
282
+ }
283
+
284
//are we deleting?
285
if(!empty($delete))
286
{
391
?>
392
<form action="" method="post">
393
<input name="saveid" type="hidden" value="<?php echo $edit?>" />
394
+ <?php wp_nonce_field('save', 'pmpro_discountcodes_nonce');?>
395
<table class="form-table">
396
<tbody>
397
<tr>
752
<a href="?page=pmpro-discountcodes&edit=<?php echo $code->id?>"><?php _e('edit', 'paid-memberships-pro' );?></a>
753
</td>
754
<td>
755
+ <a href="javascript:askfirst('<?php echo str_replace("'", "\'", sprintf(__('Are you sure you want to delete the %s discount code? The subscriptions for existing users will not change, but new users will not be able to use this code anymore.', 'paid-memberships-pro' ), $code->code));?>', '<?php echo wp_nonce_url(admin_url('admin.php?page=pmpro-discountcodes&delete=' . $code->id), 'delete', 'pmpro_discountcodes_nonce');?>'); void(0);"><?php _e('delete', 'paid-memberships-pro' );?></a>
756
</td>
757
</tr>
758
<?php
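Review bot: The hidden `saveid` field at new line 393 still echoes `$edit` unescaped (`value="<?php echo $edit?>"`), while membershiplevels.php in this same release uses `esc_attr($edit)`; whether `$edit` here is the intval()'d value from admin_header.php depends on this page not pre-assigning it, so escape at the output: `<input name="saveid" type="hidden" value="<?php echo esc_attr($edit); ?>" />`. The nonce checks at lines 32 and 278 call check_admin_referer(), which wp_die()s on an invalid nonce, so the `$pmpro_msg` retry branch only runs when the field is absent; use `wp_verify_nonce()` if the soft failure is intended. The user-facing string "Are your sure you want to do that?" should read "Are you sure".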
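--- a/adminpages/emailsettings.php
+++ b/adminpages/emailsettings.php
@@ -9,6 +9,14 @@
 
 //get/set settings
 global $pmpro_pages;
+
+ //check nonce for saving settings
+ if (!empty($_REQUEST['savesettings']) && (empty($_REQUEST['pmpro_emailsettings_nonce']) || !check_admin_referer('savesettings', 'pmpro_emailsettings_nonce'))) {
+ $msg = -1;
+ $msgt = __("Are your sure you want to do that? Try again.", 'paid-memberships-pro' );
+ unset($_REQUEST['savesettings']);
+ }
+
 if(!empty($_REQUEST['savesettings']))
 {
 //email options
@@ -66,6 +74,8 @@
 ?>
 
 <form action="" method="post" enctype="multipart/form-data">
+ <?php wp_nonce_field('savesettings', 'pmpro_emailsettings_nonce');?>
+
 <h2><?php _e('Email Settings', 'paid-memberships-pro' );?></h2>
 <p><?php _e('By default, system generated emails are sent from <em><strong>wordpress@yourdomain.com</strong></em>. You can update this from address using the fields below.', 'paid-memberships-pro' );?></p>
 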
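Review bot: `$msg` and `$msgt` are assigned at new lines 15-16 but only `$pmpro_pages` is declared global in this file, whereas advancedsettings.php declares `global $wpdb, $msg, $msgt`; if this file is included from inside a function, these assignments are local and the retry message may never reach the shared message display — confirm how the page is included and add `global $msg, $msgt;` if needed. As elsewhere in this release, check_admin_referer() wp_die()s on an invalid nonce, so the message branch only fires when the nonce field is missing; `wp_verify_nonce()` gives the non-fatal behaviour the message implies.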
adminpages/membershiplevels.php CHANGED
@@ -5,7 +5,7 @@
5
die(__("You do not have permissions to perform this action.", 'paid-memberships-pro' ));
6
}
7
8
- global $wpdb, $msg, $msgt, $pmpro_currency_symbol;
9
10
//some vars
11
$gateway = pmpro_getOption("gateway");
@@ -37,31 +37,40 @@
37
if(isset($_REQUEST['deleteid']))
38
$deleteid = intval($_REQUEST['deleteid']);
39
40
- if($action == "save_membershiplevel") {
41
- $ml_name = stripslashes($_REQUEST['name']);
42
- $ml_description = stripslashes($_REQUEST['description']);
43
- $ml_confirmation = stripslashes($_REQUEST['confirmation']);
44
- $ml_initial_payment = stripslashes($_REQUEST['initial_payment']);
45
if(!empty($_REQUEST['recurring']))
46
$ml_recurring = 1;
47
else
48
$ml_recurring = 0;
49
- $ml_billing_amount = stripslashes($_REQUEST['billing_amount']);
50
- $ml_cycle_number = stripslashes($_REQUEST['cycle_number']);
51
- $ml_cycle_period = stripslashes($_REQUEST['cycle_period']);
52
- $ml_billing_limit = stripslashes($_REQUEST['billing_limit']);
53
if(!empty($_REQUEST['custom_trial']))
54
$ml_custom_trial = 1;
55
else
56
$ml_custom_trial = 0;
57
- $ml_trial_amount = stripslashes($_REQUEST['trial_amount']);
58
- $ml_trial_limit = stripslashes($_REQUEST['trial_limit']);
59
if(!empty($_REQUEST['expiration']))
60
$ml_expiration = 1;
61
else
62
$ml_expiration = 0;
63
- $ml_expiration_number = stripslashes($_REQUEST['expiration_number']);
64
- $ml_expiration_period = stripslashes($_REQUEST['expiration_period']);
65
$ml_categories = array();
66
67
//reversing disable to allow here
@@ -306,6 +315,7 @@
306
<form action="" method="post" enctype="multipart/form-data">
307
<input name="saveid" type="hidden" value="<?php echo esc_attr($edit); ?>" />
308
<input type="hidden" name="action" value="save_membershiplevel" />
309
<table class="form-table">
310
<tbody>
311
<tr>
@@ -683,7 +693,7 @@
683
</td>
684
<td><?php if($level->allow_signups) { ?><a href="<?php echo add_query_arg( 'level', $level->id, pmpro_url("checkout") );?>"><?php _e('Yes', 'paid-memberships-pro' );?></a><?php } else { ?><?php _e('No', 'paid-memberships-pro' );?><?php } ?></td>
685
686
- <td><a title="<?php _e('edit', 'paid-memberships-pro' ); ?>" href="<?php echo add_query_arg( array( 'page' => 'pmpro-membershiplevels', 'edit' => $level->id ), admin_url('admin.php' ) ); ?>" class="button-primary"><?php _e('edit', 'paid-memberships-pro' ); ?></a>&nbsp;<a title="<?php _e('copy', 'paid-memberships-pro' ); ?>" href="<?php echo add_query_arg( array( 'page' => 'pmpro-membershiplevels', 'edit' => -1, 'copy' => $level->id ), admin_url( 'admin.php' ) ); ?>" class="button-secondary"><?php _e('copy', 'paid-memberships-pro' ); ?></a>&nbsp;<a title="<?php _e('delete', 'paid-memberships-pro' ); ?>" href="javascript:askfirst('<?php echo str_replace("'", "\'", sprintf(__("Are you sure you want to delete membership level %s? All subscriptions will be cancelled.", 'paid-memberships-pro' ), $level->name));?>', '<?php echo add_query_arg( array( 'page' => 'pmpro-membershiplevels', 'action' => 'delete_membership_level', 'deleteid' => $level->id ), admin_url( 'admin.php' ) ); ?>'); void(0);" class="button-secondary"><?php _e('delete', 'paid-memberships-pro' ); ?></a></td>
687
</tr>
688
<?php
689
}
5
die(__("You do not have permissions to perform this action.", 'paid-memberships-pro' ));
6
}
7
8
+ global $wpdb, $msg, $msgt, $pmpro_currency_symbol, $allowedposttags;
9
10
//some vars
11
$gateway = pmpro_getOption("gateway");
37
if(isset($_REQUEST['deleteid']))
38
$deleteid = intval($_REQUEST['deleteid']);
39
40
+ //check nonce
41
+ if(!empty($action) && (empty($_REQUEST['pmpro_membershiplevels_nonce']) || !check_admin_referer($action, 'pmpro_membershiplevels_nonce'))) {
42
+ $msg = -1;
43
+ $msgt = __("Are your sure you want to do that? Try again.", 'paid-memberships-pro' );
44
+ $action = false;
45
+ }
46
+
47
+ if($action == "save_membershiplevel") {
48
+
49
+ $ml_name = wp_kses(wp_unslash($_REQUEST['name']), $allowedposttags);
50
+ $ml_description = wp_kses(wp_unslash($_REQUEST['description']), $allowedposttags);
51
+ $ml_confirmation = wp_kses(wp_unslash($_REQUEST['confirmation']), $allowedposttags);
52
+
53
+ $ml_initial_payment = sanitize_text_field($_REQUEST['initial_payment']);
54
if(!empty($_REQUEST['recurring']))
55
$ml_recurring = 1;
56
else
57
$ml_recurring = 0;
58
+ $ml_billing_amount = sanitize_text_field($_REQUEST['billing_amount']);
59
+ $ml_cycle_number = intval($_REQUEST['cycle_number']);
60
+ $ml_cycle_period = sanitize_text_field($_REQUEST['cycle_period']);
61
+ $ml_billing_limit = intval($_REQUEST['billing_limit']);
62
if(!empty($_REQUEST['custom_trial']))
63
$ml_custom_trial = 1;
64
else
65
$ml_custom_trial = 0;
66
+ $ml_trial_amount = sanitize_text_field($_REQUEST['trial_amount']);
67
+ $ml_trial_limit = intval($_REQUEST['trial_limit']);
68
if(!empty($_REQUEST['expiration']))
69
$ml_expiration = 1;
70
else
71
$ml_expiration = 0;
72
+ $ml_expiration_number = intval($_REQUEST['expiration_number']);
73
+ $ml_expiration_period = sanitize_text_field($_REQUEST['expiration_period']);
74
$ml_categories = array();
75
76
//reversing disable to allow here
315
<form action="" method="post" enctype="multipart/form-data">
316
<input name="saveid" type="hidden" value="<?php echo esc_attr($edit); ?>" />
317
<input type="hidden" name="action" value="save_membershiplevel" />
318
+ <?php wp_nonce_field('save_membershiplevel', 'pmpro_membershiplevels_nonce'); ?>
319
<table class="form-table">
320
<tbody>
321
<tr>
693
</td>
694
<td><?php if($level->allow_signups) { ?><a href="<?php echo add_query_arg( 'level', $level->id, pmpro_url("checkout") );?>"><?php _e('Yes', 'paid-memberships-pro' );?></a><?php } else { ?><?php _e('No', 'paid-memberships-pro' );?><?php } ?></td>
695
696
+ <td><a title="<?php _e('edit', 'paid-memberships-pro' ); ?>" href="<?php echo add_query_arg( array( 'page' => 'pmpro-membershiplevels', 'edit' => $level->id ), admin_url('admin.php' ) ); ?>" class="button-primary"><?php _e('edit', 'paid-memberships-pro' ); ?></a>&nbsp;<a title="<?php _e('copy', 'paid-memberships-pro' ); ?>" href="<?php echo add_query_arg( array( 'page' => 'pmpro-membershiplevels', 'edit' => -1, 'copy' => $level->id ), admin_url( 'admin.php' ) ); ?>" class="button-secondary"><?php _e('copy', 'paid-memberships-pro' ); ?></a>&nbsp;<a title="<?php _e('delete', 'paid-memberships-pro' ); ?>" href="javascript:askfirst('<?php echo str_replace("'", "\'", sprintf(__("Are you sure you want to delete membership level %s? All subscriptions will be cancelled.", 'paid-memberships-pro' ), $level->name));?>', '<?php echo wp_nonce_url(add_query_arg( array( 'page' => 'pmpro-membershiplevels', 'action' => 'delete_membership_level', 'deleteid' => $level->id ), admin_url( 'admin.php' ) ), 'delete_membership_level', 'pmpro_membershiplevels_nonce'); ?>'); void(0);" class="button-secondary"><?php _e('delete', 'paid-memberships-pro' ); ?></a></td>
697
</tr>
698
<?php
699
}
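Review bot: The delete link at new line 696 still interpolates `$level->name` into a JavaScript string inside an `href` attribute with only single quotes backslash-escaped, so a name containing a double quote or angle brackets breaks out of the attribute; `name` is now passed through wp_kses with `$allowedposttags` at line 49, which preserves quotes and inline tags, so the output is not protected by the input filter. Escape at output with `esc_js()` for the string and `esc_attr()` for the attribute, and consider `sanitize_text_field()` for `name`, since a level title does not need post-level HTML. `cycle_period` and `expiration_period` (lines 60 and 73) take a fixed set of values and are natural candidates for the new helper, e.g. `$ml_cycle_period = pmpro_sanitize_with_safelist($_REQUEST['cycle_period'], array('Day', 'Week', 'Month', 'Year'));` — confirm the accepted set against the form's select options.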
adminpages/orders.php CHANGED
@@ -140,7 +140,7 @@ if ( empty( $filter ) || $filter === "all" ) {
140
//emailing?
141
if ( ! empty( $_REQUEST['email'] ) && ! empty( $_REQUEST['order'] ) ) {
142
$email = new PMProEmail();
143
- $user = get_user_by( 'email', $_REQUEST['email'] );
144
$order = new MemberOrder( $_REQUEST['order'] );
145
if ( $email->sendBillableInvoiceEmail( $user, $order ) ) {
146
$pmpro_msg = __( "Invoice emailed successfully.", 'paid-memberships-pro' );
@@ -176,6 +176,11 @@ $read_only_fields = apply_filters( "pmpro_orders_read_only_fields", array(
176
"subscription_transaction_id"
177
) );
178
179
//saving?
180
if ( ! empty( $_REQUEST['save'] ) ) {
181
//start with old order if applicable
@@ -189,7 +194,7 @@ if ( ! empty( $_REQUEST['save'] ) ) {
189
190
//update values
191
if ( ! in_array( "code", $read_only_fields ) && isset( $_POST['code'] ) ) {
192
- $order->code = $_POST['code'];
193
}
194
if ( ! in_array( "user_id", $read_only_fields ) && isset( $_POST['user_id'] ) ) {
195
$order->user_id = intval( $_POST['user_id'] );
@@ -198,90 +203,95 @@ if ( ! empty( $_REQUEST['save'] ) ) {
198
$order->membership_id = intval( $_POST['membership_id'] );
199
}
200
if ( ! in_array( "billing_name", $read_only_fields ) && isset( $_POST['billing_name'] ) ) {
201
- $order->billing->name = stripslashes( $_POST['billing_name'] );
202
}
203
if ( ! in_array( "billing_street", $read_only_fields ) && isset( $_POST['billing_street'] ) ) {
204
- $order->billing->street = stripslashes( $_POST['billing_street'] );
205
}
206
if ( ! in_array( "billing_city", $read_only_fields ) && isset( $_POST['billing_city'] ) ) {
207
- $order->billing->city = stripslashes( $_POST['billing_city'] );
208
}
209
if ( ! in_array( "billing_state", $read_only_fields ) && isset( $_POST['billing_state'] ) ) {
210
- $order->billing->state = stripslashes( $_POST['billing_state'] );
211
}
212
if ( ! in_array( "billing_zip", $read_only_fields ) && isset( $_POST['billing_zip'] ) ) {
213
- $order->billing->zip = $_POST['billing_zip'];
214
}
215
if ( ! in_array( "billing_country", $read_only_fields ) && isset( $_POST['billing_country'] ) ) {
216
- $order->billing->country = stripslashes( $_POST['billing_country'] );
217
}
218
if ( ! in_array( "billing_phone", $read_only_fields ) && isset( $_POST['billing_phone'] ) ) {
219
- $order->billing->phone = $_POST['billing_phone'];
220
}
221
if ( ! in_array( "subtotal", $read_only_fields ) && isset( $_POST['subtotal'] ) ) {
222
- $order->subtotal = $_POST['subtotal'];
223
}
224
if ( ! in_array( "tax", $read_only_fields ) && isset( $_POST['tax'] ) ) {
225
- $order->tax = $_POST['tax'];
226
}
227
if ( ! in_array( "couponamount", $read_only_fields ) && isset( $_POST['couponamount'] ) ) {
228
- $order->couponamount = $_POST['couponamount'];
229
}
230
if ( ! in_array( "total", $read_only_fields ) && isset( $_POST['total'] ) ) {
231
- $order->total = $_POST['total'];
232
}
233
if ( ! in_array( "payment_type", $read_only_fields ) && isset( $_POST['payment_type'] ) ) {
234
- $order->payment_type = $_POST['payment_type'];
235
}
236
if ( ! in_array( "cardtype", $read_only_fields ) && isset( $_POST['cardtype'] ) ) {
237
- $order->cardtype = $_POST['cardtype'];
238
}
239
if ( ! in_array( "accountnumber", $read_only_fields ) && isset( $_POST['accountnumber'] ) ) {
240
- $order->accountnumber = $_POST['accountnumber'];
241
}
242
if ( ! in_array( "expirationmonth", $read_only_fields ) && isset( $_POST['expirationmonth'] ) ) {
243
- $order->expirationmonth = $_POST['expirationmonth'];
244
}
245
if ( ! in_array( "expirationyear", $read_only_fields ) && isset( $_POST['expirationyear'] ) ) {
246
- $order->expirationyear = $_POST['expirationyear'];
247
- }
248
- if ( ! in_array( "ExpirationDate", $read_only_fields ) && isset( $_POST['ExpirationDate'] ) ) {
249
- $order->ExpirationDate = $order->expirationmonth . $order->expirationyear;
250
}
251
if ( ! in_array( "status", $read_only_fields ) && isset( $_POST['status'] ) ) {
252
- $order->status = stripslashes( $_POST['status'] );
253
}
254
if ( ! in_array( "gateway", $read_only_fields ) && isset( $_POST['gateway'] ) ) {
255
- $order->gateway = $_POST['gateway'];
256
}
257
if ( ! in_array( "gateway_environment", $read_only_fields ) && isset( $_POST['gateway_environment'] ) ) {
258
- $order->gateway_environment = $_POST['gateway_environment'];
259
}
260
if ( ! in_array( "payment_transaction_id", $read_only_fields ) && isset( $_POST['payment_transaction_id'] ) ) {
261
- $order->payment_transaction_id = $_POST['payment_transaction_id'];
262
}
263
if ( ! in_array( "subscription_transaction_id", $read_only_fields ) && isset( $_POST['subscription_transaction_id'] ) ) {
264
- $order->subscription_transaction_id = $_POST['subscription_transaction_id'];
265
}
266
if ( ! in_array( "notes", $read_only_fields ) && isset( $_POST['notes'] ) ) {
267
- $order->notes = stripslashes( $_POST['notes'] );
268
}
269
270
//affiliate stuff
271
$affiliates = apply_filters( "pmpro_orders_show_affiliate_ids", false );
272
if ( ! empty( $affiliates ) ) {
273
if ( ! in_array( "affiliate_id", $read_only_fields ) ) {
274
- $order->affiliate_id = $_POST['affiliate_id'];
275
}
276
if ( ! in_array( "affiliate_subid", $read_only_fields ) ) {
277
- $order->affiliate_subid = $_POST['affiliate_subid'];
278
}
279
}
280
281
//save
282
- if ( $order->saveOrder() !== false ) {
283
//handle timestamp
284
- if ( $order->updateTimestamp( $_POST['ts_year'], $_POST['ts_month'], $_POST['ts_day'] ) !== false ) {
285
$pmpro_msg = __( "Order saved successfully.", 'paid-memberships-pro' );
286
$pmpro_msgt = "success";
287
} else {
@@ -364,6 +374,7 @@ require_once( dirname( __FILE__ ) . "/admin_header.php" );
364
<?php } ?>
365
366
<form method="post" action="">
367
368
<table class="form-table">
369
<tbody>
@@ -944,13 +955,8 @@ require_once( dirname( __FILE__ ) . "/admin_header.php" );
944
945
</select>
946
947
- <?php
948
- $statuses = array();
949
- $default_statuses = array( "", "success", "cancelled", "review", "token", "refunded" );
950
- $used_statuses = $wpdb->get_col( "SELECT DISTINCT(status) FROM $wpdb->pmpro_membership_orders" );
951
- $statuses = array_unique( array_merge( $default_statuses, $used_statuses ) );
952
- asort( $statuses );
953
- $statuses = apply_filters( "pmpro_order_statuses", $statuses );
954
?>
955
<select id="status" name="status">
956
<?php foreach ( $statuses as $the_status ) { ?>
140
//emailing?
141
if ( ! empty( $_REQUEST['email'] ) && ! empty( $_REQUEST['order'] ) ) {
142
$email = new PMProEmail();
143
+ $user = get_user_by( 'email', sanitize_email($_REQUEST['email']) );
144
$order = new MemberOrder( $_REQUEST['order'] );
145
if ( $email->sendBillableInvoiceEmail( $user, $order ) ) {
146
$pmpro_msg = __( "Invoice emailed successfully.", 'paid-memberships-pro' );
176
"subscription_transaction_id"
177
) );
178
179
+ //if this is a new order or copy of one, let's make all fields editable
180
+ if( ! empty( $_REQUEST['order'] ) && $_REQUEST['order'] < 0 ) {
181
+ $read_only_fields = array();
182
+ }
183
+
184
//saving?
185
if ( ! empty( $_REQUEST['save'] ) ) {
186
//start with old order if applicable
194
195
//update values
196
if ( ! in_array( "code", $read_only_fields ) && isset( $_POST['code'] ) ) {
197
+ $order->code = sanitize_text_field( $_POST['code'] );
198
}
199
if ( ! in_array( "user_id", $read_only_fields ) && isset( $_POST['user_id'] ) ) {
200
$order->user_id = intval( $_POST['user_id'] );
203
$order->membership_id = intval( $_POST['membership_id'] );
204
}
205
if ( ! in_array( "billing_name", $read_only_fields ) && isset( $_POST['billing_name'] ) ) {
206
+ $order->billing->name = sanitize_text_field(wp_unslash( $_POST['billing_name'] ));
207
}
208
if ( ! in_array( "billing_street", $read_only_fields ) && isset( $_POST['billing_street'] ) ) {
209
+ $order->billing->street = sanitize_text_field(wp_unslash( $_POST['billing_street'] ));
210
}
211
if ( ! in_array( "billing_city", $read_only_fields ) && isset( $_POST['billing_city'] ) ) {
212
+ $order->billing->city = sanitize_text_field(wp_unslash( $_POST['billing_city'] ));
213
}
214
if ( ! in_array( "billing_state", $read_only_fields ) && isset( $_POST['billing_state'] ) ) {
215
+ $order->billing->state = sanitize_text_field(wp_unslash( $_POST['billing_state'] ));
216
}
217
if ( ! in_array( "billing_zip", $read_only_fields ) && isset( $_POST['billing_zip'] ) ) {
218
+ $order->billing->zip = sanitize_text_field( $_POST['billing_zip'] );
219
}
220
if ( ! in_array( "billing_country", $read_only_fields ) && isset( $_POST['billing_country'] ) ) {
221
+ $order->billing->country = sanitize_text_field(wp_unslash( $_POST['billing_country'] ));
222
}
223
if ( ! in_array( "billing_phone", $read_only_fields ) && isset( $_POST['billing_phone'] ) ) {
224
+ $order->billing->phone = sanitize_text_field( $_POST['billing_phone'] );
225
}
226
if ( ! in_array( "subtotal", $read_only_fields ) && isset( $_POST['subtotal'] ) ) {
227
+ $order->subtotal = sanitize_text_field( $_POST['subtotal'] );
228
}
229
if ( ! in_array( "tax", $read_only_fields ) && isset( $_POST['tax'] ) ) {
230
+ $order->tax = sanitize_text_field( $_POST['tax'] );
231
}
232
if ( ! in_array( "couponamount", $read_only_fields ) && isset( $_POST['couponamount'] ) ) {
233
+ $order->couponamount = sanitize_text_field( $_POST['couponamount'] );
234
}
235
if ( ! in_array( "total", $read_only_fields ) && isset( $_POST['total'] ) ) {
236
+ $order->total = sanitize_text_field( $_POST['total'] );
237
}
238
if ( ! in_array( "payment_type", $read_only_fields ) && isset( $_POST['payment_type'] ) ) {
239
+ $order->payment_type = sanitize_text_field( $_POST['payment_type'] );
240
}
241
if ( ! in_array( "cardtype", $read_only_fields ) && isset( $_POST['cardtype'] ) ) {
242
+ $order->cardtype = sanitize_text_field( $_POST['cardtype'] );
243
}
244
if ( ! in_array( "accountnumber", $read_only_fields ) && isset( $_POST['accountnumber'] ) ) {
245
+ $order->accountnumber = sanitize_text_field( $_POST['accountnumber'] );
246
}
247
if ( ! in_array( "expirationmonth", $read_only_fields ) && isset( $_POST['expirationmonth'] ) ) {
248
+ $order->expirationmonth = sanitize_text_field( $_POST['expirationmonth'] );
249
}
250
if ( ! in_array( "expirationyear", $read_only_fields ) && isset( $_POST['expirationyear'] ) ) {
251
+ $order->expirationyear = sanitize_text_field( $_POST['expirationyear'] );
252
}
253
+
254
if ( ! in_array( "status", $read_only_fields ) && isset( $_POST['status'] ) ) {
255
+ $order->status = pmpro_sanitize_with_safelist( $_POST['status'], pmpro_getOrderStatuses() );
256
}
257
if ( ! in_array( "gateway", $read_only_fields ) && isset( $_POST['gateway'] ) ) {
258
+ $order->gateway = sanitize_text_field( $_POST['gateway'] );
259
}
260
if ( ! in_array( "gateway_environment", $read_only_fields ) && isset( $_POST['gateway_environment'] ) ) {
261
+ $order->gateway_environment = sanitize_text_field( $_POST['gateway_environment'] );
262
}
263
if ( ! in_array( "payment_transaction_id", $read_only_fields ) && isset( $_POST['payment_transaction_id'] ) ) {
264
+ $order->payment_transaction_id = sanitize_text_field( $_POST['payment_transaction_id'] );
265
}
266
if ( ! in_array( "subscription_transaction_id", $read_only_fields ) && isset( $_POST['subscription_transaction_id'] ) ) {
267
+ $order->subscription_transaction_id = sanitize_text_field( $_POST['subscription_transaction_id'] );
268
}
269
if ( ! in_array( "notes", $read_only_fields ) && isset( $_POST['notes'] ) ) {
270
+ global $allowedposttags;
271
+ $order->notes = wp_kses(wp_unslash($_REQUEST['notes']), $allowedposttags);
272
}
273
274
//affiliate stuff
275
$affiliates = apply_filters( "pmpro_orders_show_affiliate_ids", false );
276
if ( ! empty( $affiliates ) ) {
277
if ( ! in_array( "affiliate_id", $read_only_fields ) ) {
278
+ $order->affiliate_id = sanitize_text_field( $_POST['affiliate_id'] );
279
}
280
if ( ! in_array( "affiliate_subid", $read_only_fields ) ) {
281
+ $order->affiliate_subid = sanitize_text_field( $_POST['affiliate_subid'] );
282
}
283
}
284
285
+ //check nonce for saving
286
+ $nonceokay = true;
287
+ if (empty($_REQUEST['pmpro_orders_nonce']) || !check_admin_referer('save', 'pmpro_orders_nonce')) {
288
+ $nonceokay = false;
289
+ }
290
+
291
//save
292
+ if ( $order->saveOrder() !== false && $nonceokay) {
293
//handle timestamp
294
+ if ( $order->updateTimestamp( intval($_POST['ts_year']), intval($_POST['ts_month']), intval($_POST['ts_day']) ) !== false ) {
295
$pmpro_msg = __( "Order saved successfully.", 'paid-memberships-pro' );
296
$pmpro_msgt = "success";
297
} else {
374
<?php } ?>
375
376
<form method="post" action="">
377
+ <?php wp_nonce_field('save', 'pmpro_orders_nonce');?>
378
379
<table class="form-table">
380
<tbody>
955
956
</select>
957
958
+ <?php
959
+ $statuses = pmpro_getOrderStatuses();
960
?>
961
<select id="status" name="status">
962
<?php foreach ( $statuses as $the_status ) { ?>
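Review bot: The save at new line 292, `if ( $order->saveOrder() !== false && $nonceokay)`, evaluates `saveOrder()` before `$nonceokay`, so the order is written to the database even when the nonce check at lines 286-289 fails; only the timestamp update and the success message are withheld, which leaves the CSRF protection ineffective for this form. Swap the operands, `if ( $nonceokay && $order->saveOrder() !== false ) {`, and preferably move the nonce check to the top of the `if ( ! empty( $_REQUEST['save'] ) )` block at line 185, before any request field is copied into `$order`. The notes field at line 271 reads `$_REQUEST['notes']` although its guard tests `$_POST['notes']`; read the same source in both. `$_REQUEST['order']` is still passed raw to `new MemberOrder()` at line 144 and compared numerically at line 180; an `intval()` there would match the rest of this commit. The enclosing save block continues across the hunks shown here.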
adminpages/pagesettings.php CHANGED
@@ -23,15 +23,22 @@ global $pmpro_pages;
23
$extra_pages = apply_filters('pmpro_extra_page_settings', array());
24
$post_types = apply_filters('pmpro_admin_pagesetting_post_type_array', array( 'page' ) );
25
26
if (!empty($_REQUEST['savesettings'])) {
27
//page ids
28
- pmpro_setOption("account_page_id");
29
- pmpro_setOption("billing_page_id");
30
- pmpro_setOption("cancel_page_id");
31
- pmpro_setOption("checkout_page_id");
32
- pmpro_setOption("confirmation_page_id");
33
- pmpro_setOption("invoice_page_id");
34
- pmpro_setOption("levels_page_id");
35
36
//update the pages array
37
$pmpro_pages["account"] = pmpro_getOption("account_page_id");
@@ -45,7 +52,7 @@ if (!empty($_REQUEST['savesettings'])) {
45
//save additional pages
46
if (!empty($extra_pages)) {
47
foreach ($extra_pages as $name => $label) {
48
- pmpro_setOption($name . '_page_id');
49
$pmpro_pages[$name] = pmpro_getOption($name . '_page_id');
50
}
51
}
@@ -55,6 +62,13 @@ if (!empty($_REQUEST['savesettings'])) {
55
$msgt = __("Your page settings have been updated.", 'paid-memberships-pro' );
56
}
57
58
//are we generating pages?
59
if (!empty($_REQUEST['createpages'])) {
60
@@ -72,7 +86,7 @@ if (!empty($_REQUEST['createpages'])) {
72
73
} else {
74
//generate extra pages one at a time
75
- $pmpro_page_name = $_REQUEST['page_name'];
76
$pmpro_page_id = $pmpro_pages[$pmpro_page_name];
77
$pages[$pmpro_page_name] = $extra_pages[$pmpro_page_name];
78
}
@@ -89,8 +103,9 @@ require_once(dirname(__FILE__) . "/admin_header.php");
89
?>
90
91
92
- <form action="" method="post" enctype="multipart/form-data">
93
- <h2><?php _e('Pages', 'paid-memberships-pro' ); ?></h2>
94
<?php
95
global $pmpro_pages_ready;
96
if ($pmpro_pages_ready) {
@@ -100,7 +115,7 @@ require_once(dirname(__FILE__) . "/admin_header.php");
100
} else {
101
?>
102
<p><?php _e('Assign the WordPress pages for each required Paid Memberships Pro page or', 'paid-memberships-pro' ); ?> <a
103
- href="?page=pmpro-pagesettings&createpages=1"><?php _e('click here to let us generate them for you', 'paid-memberships-pro' ); ?></a>.
104
</p>
105
<?php
106
}
23
$extra_pages = apply_filters('pmpro_extra_page_settings', array());
24
$post_types = apply_filters('pmpro_admin_pagesetting_post_type_array', array( 'page' ) );
25
26
+ //check nonce for saving settings
27
+ if (!empty($_REQUEST['savesettings']) && (empty($_REQUEST['pmpro_pagesettings_nonce']) || !check_admin_referer('savesettings', 'pmpro_pagesettings_nonce'))) {
28
+ $msg = -1;
29
+ $msgt = __("Are your sure you want to do that? Try again.", 'paid-memberships-pro' );
30
+ unset($_REQUEST['savesettings']);
31
+ }
32
+
33
if (!empty($_REQUEST['savesettings'])) {
34
//page ids
35
+ pmpro_setOption("account_page_id", NULL, 'intval');
36
+ pmpro_setOption("billing_page_id", NULL, 'intval');
37
+ pmpro_setOption("cancel_page_id", NULL, 'intval');
38
+ pmpro_setOption("checkout_page_id", NULL, 'intval');
39
+ pmpro_setOption("confirmation_page_id", NULL, 'intval');
40
+ pmpro_setOption("invoice_page_id", NULL, 'intval');
41
+ pmpro_setOption("levels_page_id", NULL, 'intval');
42
43
//update the pages array
44
$pmpro_pages["account"] = pmpro_getOption("account_page_id");
52
//save additional pages
53
if (!empty($extra_pages)) {
54
foreach ($extra_pages as $name => $label) {
55
+ pmpro_setOption($name . '_page_id', NULL, 'intval');
56
$pmpro_pages[$name] = pmpro_getOption($name . '_page_id');
57
}
58
}
62
$msgt = __("Your page settings have been updated.", 'paid-memberships-pro' );
63
}
64
65
+ //check nonce for generating pages
66
+ if (!empty($_REQUEST['createpages']) && (empty($_REQUEST['pmpro_pagesettings_nonce']) || !check_admin_referer('createpages', 'pmpro_pagesettings_nonce'))) {
67
+ $msg = -1;
68
+ $msgt = __("Are your sure you want to do that? Try again.", 'paid-memberships-pro' );
69
+ unset($_REQUEST['createpages']);
70
+ }
71
+
72
//are we generating pages?
73
if (!empty($_REQUEST['createpages'])) {
74
86
87
} else {
88
//generate extra pages one at a time
89
+ $pmpro_page_name = sanitize_text_field($_REQUEST['page_name']);
90
$pmpro_page_id = $pmpro_pages[$pmpro_page_name];
91
$pages[$pmpro_page_name] = $extra_pages[$pmpro_page_name];
92
}
103
?>
104
105
106
+ <form action="<?php echo admin_url('admin.php?page=pmpro-pagesettings');?>" method="post" enctype="multipart/form-data">
107
+ <?php wp_nonce_field('savesettings', 'pmpro_pagesettings_nonce');?>
108
+ <h2><?php _e('Pages', 'paid-memberships-pro' ); ?></h2>
109
<?php
110
global $pmpro_pages_ready;
111
if ($pmpro_pages_ready) {
115
} else {
116
?>
117
<p><?php _e('Assign the WordPress pages for each required Paid Memberships Pro page or', 'paid-memberships-pro' ); ?> <a
118
+ href="<?php echo wp_nonce_url(admin_url('admin.php?page=pmpro-pagesettings&createpages=1'), 'createpages', 'pmpro_pagesettings_nonce');?>"><?php _e('click here to let us generate them for you', 'paid-memberships-pro' ); ?></a>.
119
</p>
120
<?php
121
}
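Review bot: `check_admin_referer('savesettings', 'pmpro_pagesettings_nonce')` in the new nonce check (and the `createpages` one further down) terminates the request via wp_nonce_ays()/die() when the nonce is present but invalid, so the friendlier `$msg = -1` / `unset($_REQUEST['savesettings'])` fallback is only reachable when the nonce field is missing entirely; if the intent is to show the message instead of dying, use `wp_verify_nonce($_REQUEST['pmpro_pagesettings_nonce'], 'savesettings')` in the condition. The same pattern is repeated in adminpages/paymentsettings.php. Separately, `$pmpro_page_name = sanitize_text_field($_REQUEST['page_name'])` is used as a key into `$pmpro_pages` and `$extra_pages` on the next two lines without checking it names a known page, so an unknown value produces undefined-index notices; `$pmpro_page_name = pmpro_sanitize_with_safelist($_REQUEST['page_name'], array_keys($extra_pages));` followed by a bail-out on `false` would bound it. The message text also reads "Are your sure" (typo for "Are you sure") in both files.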
adminpages/paymentsettings.php CHANGED
@@ -13,14 +13,29 @@
13
//define options
14
$payment_options = array_unique(apply_filters("pmpro_payment_options", array('gateway')));
15
16
//get/set settings
17
if(!empty($_REQUEST['savesettings']))
18
{
19
/*
20
Save any value that might have been passed in
21
*/
22
- foreach($payment_options as $option)
23
- pmpro_setOption($option);
24
25
/*
26
Some special case options still worked out here
@@ -90,6 +105,8 @@
90
?>
91
92
<form action="" method="post" enctype="multipart/form-data">
93
<h2><?php _e('Payment Gateway', 'paid-memberships-pro' );?> &amp; <?php _e('SSL Settings', 'paid-memberships-pro' );?></h2>
94
95
<p><?php _e('Learn more about <a title="Paid Memberships Pro - SSL Settings" target="_blank" href="http://www.paidmembershipspro.com/support/initial-plugin-setup/ssl/">SSL</a> or <a title="Paid Memberships Pro - Payment Gateway Settings" target="_blank" href="http://www.paidmembershipspro.com/support/initial-plugin-setup/payment-gateway/">Payment Gateway Settings</a>.', 'paid-memberships-pro' ); ?></p>
13
//define options
14
$payment_options = array_unique(apply_filters("pmpro_payment_options", array('gateway')));
15
16
+ //check nonce for saving settings
17
+ if (!empty($_REQUEST['savesettings']) && (empty($_REQUEST['pmpro_paymentsettings_nonce']) || !check_admin_referer('savesettings', 'pmpro_paymentsettings_nonce'))) {
18
+ $msg = -1;
19
+ $msgt = __("Are your sure you want to do that? Try again.", 'paid-memberships-pro' );
20
+ unset($_REQUEST['savesettings']);
21
+ }
22
+
23
//get/set settings
24
if(!empty($_REQUEST['savesettings']))
25
{
26
/*
27
Save any value that might have been passed in
28
*/
29
+ foreach($payment_options as $option) {
30
+ //for now we make a special case for sslseal, but we need a way to specify sanitize functions for other fields
31
+ if($option == 'sslseal') {
32
+ global $allowedposttags;
33
+ $sslseal = wp_kses(wp_unslash($_POST['sslseal']), $allowedposttags);
34
+ update_option('pmpro_sslseal', $sslseal);
35
+ } else {
36
+ pmpro_setOption($option);
37
+ }
38
+ }
39
40
/*
41
Some special case options still worked out here
105
?>
106
107
<form action="" method="post" enctype="multipart/form-data">
108
+ <?php wp_nonce_field('savesettings', 'pmpro_paymentsettings_nonce');?>
109
+
110
<h2><?php _e('Payment Gateway', 'paid-memberships-pro' );?> &amp; <?php _e('SSL Settings', 'paid-memberships-pro' );?></h2>
111
112
<p><?php _e('Learn more about <a title="Paid Memberships Pro - SSL Settings" target="_blank" href="http://www.paidmembershipspro.com/support/initial-plugin-setup/ssl/">SSL</a> or <a title="Paid Memberships Pro - Payment Gateway Settings" target="_blank" href="http://www.paidmembershipspro.com/support/initial-plugin-setup/payment-gateway/">Payment Gateway Settings</a>.', 'paid-memberships-pro' ); ?></p>
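Review bot: `$_POST['sslseal']` in the new `sslseal` special case is read without an `isset()` check, so saving from a form that does not post that field triggers an undefined-index notice and passes null through wp_unslash()/wp_kses(); guard it with `$sslseal = isset($_POST['sslseal']) ? wp_kses(wp_unslash($_POST['sslseal']), $allowedposttags) : '';`. Writing the result with `update_option('pmpro_sslseal', $sslseal)` also bypasses `pmpro_setOption()` that every other option goes through; now that `pmpro_setOption()` accepts a sanitize callback, `pmpro_setOption($option, NULL, 'wp_kses_post')` would keep the two paths consistent, though it would need the same unslash treatment. The `if(!empty($_REQUEST['savesettings']))` block continues outside the hunk.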
adminpages/reports/login.php CHANGED
@@ -65,14 +65,18 @@ function pmpro_report_login_page()
65
66
//vars
67
if(!empty($_REQUEST['s']))
68
- $s = $_REQUEST['s'];
69
else
70
$s = "";
71
72
- if(!empty($_REQUEST['l']))
73
- $l = intval($_REQUEST['l']);
74
- else
75
$l = "";
76
?>
77
<form id="posts-filter" method="get" action="">
78
<h1>
@@ -124,7 +128,7 @@ function pmpro_report_login_page()
124
if($l == "all")
125
$sqlQuery .= " AND mu.status = 'active' AND mu.membership_id > 0 ";
126
elseif($l)
127
- $sqlQuery .= " AND mu.membership_id = '" . $l . "' ";
128
129
$sqlQuery .= "GROUP BY u.ID ORDER BY user_registered DESC LIMIT $start, $limit";
130
}
@@ -136,7 +140,7 @@ function pmpro_report_login_page()
136
if($l == "all")
137
$sqlQuery .= " AND mu.membership_id > 0 AND mu.status = 'active' ";
138
elseif($l)
139
- $sqlQuery .= " AND mu.membership_id = '" . $l . "' ";
140
$sqlQuery .= "GROUP BY u.ID ORDER BY user_registered DESC LIMIT $start, $limit";
141
}
142
@@ -273,11 +277,11 @@ function pmpro_report_login_wp_visits()
273
$visits = array("last"=>"N/A", "thisdate"=>NULL, "month"=>0, "thismonth"=>NULL, "alltime"=>0);
274
275
//track logins for user
276
- $visits['last'] = date_i18n(get_option("date_format"));
277
- $visits['alltime']++;
278
$thismonth = date_i18n("n", $now);
279
if($thismonth == $visits['thismonth'])
280
- $visits['month']++;
281
else
282
{
283
$visits['month'] = 1;
@@ -293,17 +297,17 @@ function pmpro_report_login_wp_visits()
293
if(empty($visits))
294
$visits = array("today"=>0, "thisdate"=>NULL, "month"=>0, "thismonth"=> NULL, "alltime"=>0);
295
296
- $visits['alltime']++;
297
$thisdate = date_i18n("Y-d-m", $now);
298
if($thisdate == $visits['thisdate'])
299
- $visits['today']++;
300
else
301
{
302
$visits['today'] = 1;
303
$visits['thisdate'] = $thisdate;
304
}
305
if($thismonth == $visits['thismonth'])
306
- $visits['month']++;
307
else
308
{
309
$visits['month'] = 1;
65
66
//vars
67
if(!empty($_REQUEST['s']))
68
+ $s = sanitize_text_field($_REQUEST['s']);
69
else
70
$s = "";
71
72
+ if(!empty($_REQUEST['l'])) {
73
+ if($_REQUEST['l'] == 'all')
74
+ $l = 'all';
75
+ else
76
+ $l = intval($_REQUEST['l']);
77
+ } else {
78
$l = "";
79
+ }
80
?>
81
<form id="posts-filter" method="get" action="">
82
<h1>
128
if($l == "all")
129
$sqlQuery .= " AND mu.status = 'active' AND mu.membership_id > 0 ";
130
elseif($l)
131
+ $sqlQuery .= " AND mu.membership_id = '" . esc_sql($l) . "' ";
132
133
$sqlQuery .= "GROUP BY u.ID ORDER BY user_registered DESC LIMIT $start, $limit";
134
}
140
if($l == "all")
141
$sqlQuery .= " AND mu.membership_id > 0 AND mu.status = 'active' ";
142
elseif($l)
143
+ $sqlQuery .= " AND mu.membership_id = '" . esc_sql($l) . "' ";
144
$sqlQuery .= "GROUP BY u.ID ORDER BY user_registered DESC LIMIT $start, $limit";
145
}
146
277
$visits = array("last"=>"N/A", "thisdate"=>NULL, "month"=>0, "thismonth"=>NULL, "alltime"=>0);
278
279
//track logins for user
280
+ $visits['last'] = date_i18n(get_option("date_format"), $now);
281
+ $visits['alltime'] = $visits['alltime'] + 1; // BUG FIX: Caused fatal error in certain PHP versions
282
$thismonth = date_i18n("n", $now);
283
if($thismonth == $visits['thismonth'])
284
+ $visits['month'] = $visits['month'] + 1; // BUG FIX: Caused fatal error in certain PHP versions
285
else
286
{
287
$visits['month'] = 1;
297
if(empty($visits))
298
$visits = array("today"=>0, "thisdate"=>NULL, "month"=>0, "thismonth"=> NULL, "alltime"=>0);
299
300
+ $visits['alltime'] = $visits['alltime'] + 1; // BUG FIX: Caused fatal error in certain PHP versions
301
$thisdate = date_i18n("Y-d-m", $now);
302
if($thisdate == $visits['thisdate'])
303
+ $visits['today'] = $visits['today'] + 1; // BUG FIX: Caused fatal error in certain PHP versions
304
else
305
{
306
$visits['today'] = 1;
307
$visits['thisdate'] = $thisdate;
308
}
309
if($thismonth == $visits['thismonth'])
310
+ $visits['month'] = $visits['month'] + 1;// BUG FIX: Caused fatal error in certain PHP versions
311
else
312
{
313
$visits['month'] = 1;
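Review bot: The membership filter lines `$sqlQuery .= " AND mu.membership_id = '" . esc_sql($l) . "' ";` still build SQL by concatenation; now that `$l` is guaranteed to be an int by the new `intval($_REQUEST['l'])` branch, `esc_sql()` adds nothing and the idiomatic form is `$sqlQuery .= $wpdb->prepare(" AND mu.membership_id = %d ", $l);`. The following context lines append `LIMIT $start, $limit` by interpolation; those variables are set outside the hunk, so confirm they are cast with `intval()` before reaching the query. The `// BUG FIX: Caused fatal error in certain PHP versions` comments would be more useful if they named the failing construct and the PHP version, since a later reader cannot tell why `$x = $x + 1` was preferred over `$x++` here. Both `pmpro_report_login_page()` and `pmpro_report_login_wp_visits()` extend beyond the hunks.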
adminpages/reports/memberships.php CHANGED
@@ -60,8 +60,10 @@ function pmpro_report_memberships_widget() {
60
<?php
61
//level stats
62
$count = 0;
63
foreach($levels as $level) {
64
- if($count++ > 2) break;
65
?>
66
<tr class="pmpro_report_tr_sub" style="display: none;">
67
<th scope="row">- <?php echo $level->name;?></th>
60
<?php
61
//level stats
62
$count = 0;
63
+ $max_level_count = apply_filters( 'pmpro_admin_reports_included_levels', 3 );
64
+
65
foreach($levels as $level) {
66
+ if($count++ >= $max_level_count) break;
67
?>
68
<tr class="pmpro_report_tr_sub" style="display: none;">
69
<th scope="row">- <?php echo $level->name;?></th>
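Review bot: `$max_level_count = apply_filters( 'pmpro_admin_reports_included_levels', 3 );` is compared with `$count++ >= $max_level_count` without coercing the filter result, so a callback returning a string or null changes the comparison semantics silently; cast it with `$max_level_count = (int) apply_filters( 'pmpro_admin_reports_included_levels', 3 );`. The context line `<th scope="row">- <?php echo $level->name;?></th>` still echoes the level name unescaped; `esc_html( $level->name )` is the conventional form for admin output. `pmpro_report_memberships_widget()` continues outside the hunk.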
classes/class-deny-network-activation.php CHANGED
@@ -27,7 +27,7 @@ class PMPro_Deny_Network_Activation {
27
global $current_screen;
28
if ( !empty($_REQUEST['pmpro_deny_network_activation']) && ( 'sites-network' === $current_screen->id || 'plugins-network' === $current_screen->id ) ) {
29
//get plugin data
30
- $plugin = isset($_REQUEST['pmpro_deny_network_activation']) ? $_REQUEST['pmpro_deny_network_activation'] : '';
31
$plugin_path = WP_PLUGIN_DIR . '/' . urldecode($plugin);
32
$plugin_data = get_plugin_data($plugin_path);
33
@@ -49,7 +49,7 @@ class PMPro_Deny_Network_Activation {
49
return;
50
}
51
52
- $plugin = isset($_REQUEST['plugin']) ? $_REQUEST['plugin'] : '';
53
54
deactivate_plugins( $plugin, true, true );
55
if ( ! isset( $_REQUEST['pmpro_deny_network_activation']) ) {
27
global $current_screen;
28
if ( !empty($_REQUEST['pmpro_deny_network_activation']) && ( 'sites-network' === $current_screen->id || 'plugins-network' === $current_screen->id ) ) {
29
//get plugin data
30
+ $plugin = isset($_REQUEST['pmpro_deny_network_activation']) ? sanitize_file_name($_REQUEST['pmpro_deny_network_activation']) : '';
31
$plugin_path = WP_PLUGIN_DIR . '/' . urldecode($plugin);
32
$plugin_data = get_plugin_data($plugin_path);
33
49
return;
50
}
51
52
+ $plugin = isset($_REQUEST['plugin']) ? sanitize_file_name($_REQUEST['plugin']) : '';
53
54
deactivate_plugins( $plugin, true, true );
55
if ( ! isset( $_REQUEST['pmpro_deny_network_activation']) ) {
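Review bot: `sanitize_file_name()` on the two new lines strips `/` (and `%`) among other characters, so a plugin basename of the form `dir/plugin.php` arrives as `dirplugin.php`; `WP_PLUGIN_DIR . '/' . urldecode($plugin)` then no longer resolves and `deactivate_plugins( $plugin, true, true )` is handed a slug that matches no installed plugin, which looks like a functional regression rather than a hardening. A check that keeps the path valid is to treat the request value as a plugin basename and confirm it is installed, e.g. `$plugin = plugin_basename( wp_unslash( $_REQUEST['plugin'] ) );` followed by `if ( validate_file( $plugin ) !== 0 || ! array_key_exists( $plugin, get_plugins() ) ) { return; }` — `validate_file()` rejects `..` and absolute paths, and `get_plugins()` bounds the value to known plugin files. Both methods of `PMPro_Deny_Network_Activation` extend beyond the hunks.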
classes/class.memberorder.php CHANGED
@@ -478,8 +478,8 @@
478
else {
479
$total = (float)$amount + (float)$tax;
480
$this->total = $total;
481
- }
482
-
483
//these fix some warnings/notices
484
if(empty($this->billing))
485
{
@@ -508,6 +508,10 @@
508
$this->accountnumber = "";
509
if(empty($this->cardtype))
510
$this->cardtype = "";
511
if(empty($this->ExpirationDate))
512
$this->ExpirationDate = "";
513
if (empty($this->status))
@@ -583,6 +587,13 @@
583
//set up actions
584
$before_action = "pmpro_add_order";
585
$after_action = "pmpro_added_order";
586
//insert
587
$this->sqlQuery = "INSERT INTO $wpdb->pmpro_membership_orders
588
(`code`, `session_id`, `user_id`, `membership_id`, `paypal_token`, `billing_name`, `billing_street`, `billing_city`, `billing_state`, `billing_zip`, `billing_country`, `billing_phone`, `subtotal`, `tax`, `couponamount`, `certificate_id`, `certificateamount`, `total`, `payment_type`, `cardtype`, `accountnumber`, `expirationmonth`, `expirationyear`, `status`, `gateway`, `gateway_environment`, `payment_transaction_id`, `subscription_transaction_id`, `timestamp`, `affiliate_id`, `affiliate_subid`, `notes`, `checkout_id`)
@@ -607,8 +618,8 @@
607
'" . $this->payment_type . "',
608
'" . $this->cardtype . "',
609
'" . hideCardNumber($this->accountnumber, false) . "',
610
- '" . substr($this->ExpirationDate, 0, 2) . "',
611
- '" . substr($this->ExpirationDate, 2, 4) . "',
612
'" . esc_sql($this->status) . "',
613
'" . $this->gateway . "',
614
'" . $this->gateway_environment . "',
478
else {
479
$total = (float)$amount + (float)$tax;
480
$this->total = $total;
481
+ }
482
+
483
//these fix some warnings/notices
484
if(empty($this->billing))
485
{
508
$this->accountnumber = "";
509
if(empty($this->cardtype))
510
$this->cardtype = "";
511
+ if(empty($this->expirationmonth))
512
+ $this->expirationmonth = "";
513
+ if(empty($this->expirationyear))
514
+ $this->expirationyear = "";
515
if(empty($this->ExpirationDate))
516
$this->ExpirationDate = "";
517
if (empty($this->status))
587
//set up actions
588
$before_action = "pmpro_add_order";
589
$after_action = "pmpro_added_order";
590
+
591
+ //only on inserts, we might want to set the expirationmonth and expirationyear from ExpirationDate
592
+ if( (empty($this->expirationmonth) || empty($this->expirationyear)) && !empty($this->ExpirationDate)) {
593
+ $this->expirationmonth = substr($this->ExpirationDate, 0, 2);
594
+ $this->expirationyear = substr($this->ExpirationDate, 2, 4);
595
+ }
596
+
597
//insert
598
$this->sqlQuery = "INSERT INTO $wpdb->pmpro_membership_orders
599
(`code`, `session_id`, `user_id`, `membership_id`, `paypal_token`, `billing_name`, `billing_street`, `billing_city`, `billing_state`, `billing_zip`, `billing_country`, `billing_phone`, `subtotal`, `tax`, `couponamount`, `certificate_id`, `certificateamount`, `total`, `payment_type`, `cardtype`, `accountnumber`, `expirationmonth`, `expirationyear`, `status`, `gateway`, `gateway_environment`, `payment_transaction_id`, `subscription_transaction_id`, `timestamp`, `affiliate_id`, `affiliate_subid`, `notes`, `checkout_id`)
618
'" . $this->payment_type . "',
619
'" . $this->cardtype . "',
620
'" . hideCardNumber($this->accountnumber, false) . "',
621
+ '" . $this->expirationmonth . "',
622
+ '" . $this->expirationyear . "',
623
'" . esc_sql($this->status) . "',
624
'" . $this->gateway . "',
625
'" . $this->gateway_environment . "',
classes/gateways/class.pmprogateway.php CHANGED
@@ -90,7 +90,7 @@
90
else
91
{
92
//add a period to the start date to account for the initial payment
93
- $order->ProfileStartDate = date_i18n("Y-m-d", strtotime("+ " . $this->BillingFrequency . " " . $this->BillingPeriod, current_time("timestamp"))) . "T0:0:0";
94
}
95
96
$order->ProfileStartDate = apply_filters("pmpro_profile_start_date", $order->ProfileStartDate, $order);
90
else
91
{
92
//add a period to the start date to account for the initial payment
93
+ $order->ProfileStartDate = date_i18n("Y-m-d", strtotime("+ " . $order->BillingFrequency . " " . $order->BillingPeriod, current_time("timestamp"))) . "T0:0:0";
94
}
95
96
$order->ProfileStartDate = apply_filters("pmpro_profile_start_date", $order->ProfileStartDate, $order);
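Review bot: `strtotime("+ " . $order->BillingFrequency . " " . $order->BillingPeriod, current_time("timestamp"))` returns `false` when either property is empty or not a period strtotime understands, and `date_i18n("Y-m-d", false)` then quietly falls back to the current time, so the ProfileStartDate silently loses the added billing period instead of failing; guard it with `$ts = strtotime(...); if ($ts === false) { /* fall back or bail */ }` before formatting. The identical one-line fix is applied in classes/gateways/class.pmprogateway_check.php and classes/gateways/class.pmprogateway_cybersource.php, which suggests the whole ProfileStartDate computation belongs in one helper on the base gateway class instead of three copies. The enclosing method starts and ends outside the hunk.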
classes/gateways/class.pmprogateway_braintree.php CHANGED
@@ -286,17 +286,17 @@
286
{
287
//load up values
288
if(isset($_REQUEST['number']))
289
- $braintree_number = $_REQUEST['number'];
290
else
291
$braintree_number = "";
292
293
if(isset($_REQUEST['expiration_date']))
294
- $braintree_expiration_date = $_REQUEST['expiration_date'];
295
else
296
$braintree_expiration_date = "";
297
298
if(isset($_REQUEST['cvv']))
299
- $braintree_cvv = $_REQUEST['cvv'];
300
else
301
$braintree_cvv = "";
302
@@ -453,7 +453,7 @@
453
?>
454
<div class="pmpro_payment-cvv">
455
<label for="CVV"><?php _e('CVV', 'paid-memberships-pro' );?></label>
456
- <input class="input" id="CVV" name="cvv" type="text" size="4" value="<?php if(!empty($_REQUEST['CVV'])) { echo esc_attr($_REQUEST['CVV']); }?>" class=" <?php echo pmpro_getClassForField("CVV");?>" data-encrypted-name="cvv" /> <small>(<a href="javascript:void(0);" onclick="javascript:window.open('<?php echo pmpro_https_filter(PMPRO_URL)?>/pages/popup-cvv.html','cvv','toolbar=no, location=no, directories=no, status=no, menubar=no, scrollbars=yes, resizable=yes, width=600, height=475');"><?php _e("what's this?", 'paid-memberships-pro' );?></a>)</small>
457
</div>
458
<?php
459
}
286
{
287
//load up values
288
if(isset($_REQUEST['number']))
289
+ $braintree_number = sanitize_text_field($_REQUEST['number']);
290
else
291
$braintree_number = "";
292
293
if(isset($_REQUEST['expiration_date']))
294
+ $braintree_expiration_date = sanitize_text_field($_REQUEST['expiration_date']);
295
else
296
$braintree_expiration_date = "";
297
298
if(isset($_REQUEST['cvv']))
299
+ $braintree_cvv = sanitize_text_field($_REQUEST['cvv']);
300
else
301
$braintree_cvv = "";
302
453
?>
454
<div class="pmpro_payment-cvv">
455
<label for="CVV"><?php _e('CVV', 'paid-memberships-pro' );?></label>
456
+ <input class="input" id="CVV" name="cvv" type="text" size="4" value="<?php if(!empty($_REQUEST['CVV'])) { echo esc_attr(sanitize_text_field($_REQUEST['CVV'])); }?>" class=" <?php echo pmpro_getClassForField("CVV");?>" data-encrypted-name="cvv" /> <small>(<a href="javascript:void(0);" onclick="javascript:window.open('<?php echo pmpro_https_filter(PMPRO_URL)?>/pages/popup-cvv.html','cvv','toolbar=no, location=no, directories=no, status=no, menubar=no, scrollbars=yes, resizable=yes, width=600, height=475');"><?php _e("what's this?", 'paid-memberships-pro' );?></a>)</small>
457
</div>
458
<?php
459
}
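Review bot: The CVV input re-populates its `value` from `$_REQUEST['CVV']` while the field itself posts as `name="cvv"`, so the repopulation is either dead (key mismatch) or, where some path does post `CVV`, it echoes card security data back into the HTML; sanitising it does not address that, and the `value` attribute should simply be dropped, e.g. `<input class="input <?php echo pmpro_getClassForField("CVV");?>" id="CVV" name="cvv" type="text" size="4" data-encrypted-name="cvv" />` (which also merges the two `class` attributes the tag currently carries). The same `value="…$_REQUEST['CVV']…"` pattern is in classes/gateways/class.pmprogateway_stripe.php. `sanitize_text_field()` on `number`, `expiration_date` and `cvv` is a reasonable first pass but does not validate them; a comment stating that format validation is left to the gateway SDK would make that intent explicit. The enclosing method starts and ends outside the hunk.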
classes/gateways/class.pmprogateway_check.php CHANGED
@@ -245,7 +245,7 @@
245
else
246
{
247
//add a period to the start date to account for the initial payment
248
- $order->ProfileStartDate = date_i18n("Y-m-d", strtotime("+ " . $this->BillingFrequency . " " . $this->BillingPeriod, current_time("timestamp"))) . "T0:0:0";
249
}
250
251
$order->ProfileStartDate = apply_filters("pmpro_profile_start_date", $order->ProfileStartDate, $order);
245
else
246
{
247
//add a period to the start date to account for the initial payment
248
+ $order->ProfileStartDate = date_i18n("Y-m-d", strtotime("+ " . $order->BillingFrequency . " " . $order->BillingPeriod, current_time("timestamp"))) . "T0:0:0";
249
}
250
251
$order->ProfileStartDate = apply_filters("pmpro_profile_start_date", $order->ProfileStartDate, $order);
classes/gateways/class.pmprogateway_cybersource.php CHANGED
@@ -206,7 +206,7 @@
206
else
207
{
208
//add a period to the start date to account for the initial payment
209
- $order->ProfileStartDate = date_i18n("Y-m-d", strtotime("+ " . $this->BillingFrequency . " " . $this->BillingPeriod, current_time("timestamp"))) . "T0:0:0";
210
}
211
212
$order->ProfileStartDate = apply_filters("pmpro_profile_start_date", $order->ProfileStartDate, $order);
206
else
207
{
208
//add a period to the start date to account for the initial payment
209
+ $order->ProfileStartDate = date_i18n("Y-m-d", strtotime("+ " . $order->BillingFrequency . " " . $order->BillingPeriod, current_time("timestamp"))) . "T0:0:0";
210
}
211
212
$order->ProfileStartDate = apply_filters("pmpro_profile_start_date", $order->ProfileStartDate, $order);
classes/gateways/class.pmprogateway_paypalexpress.php CHANGED
@@ -238,15 +238,15 @@
238
{
239
//get values from post
240
if(isset($_REQUEST['username']))
241
- $username = trim($_REQUEST['username']);
242
else
243
$username = "";
244
if(isset($_REQUEST['password']))
245
- $password = $_REQUEST['password'];
246
else
247
$password = "";
248
if(isset($_REQUEST['bemail']))
249
- $bemail = $_REQUEST['bemail'];
250
else
251
$bemail = "";
252
@@ -273,16 +273,16 @@
273
if(!empty($_REQUEST['review']))
274
{
275
if(!empty($_REQUEST['PayerID']))
276
- $_SESSION['payer_id'] = $_REQUEST['PayerID'];
277
if(!empty($_REQUEST['paymentAmount']))
278
- $_SESSION['paymentAmount'] = $_REQUEST['paymentAmount'];
279
if(!empty($_REQUEST['currencyCodeType']))
280
- $_SESSION['currCodeType'] = $_REQUEST['currencyCodeType'];
281
if(!empty($_REQUEST['paymentType']))
282
- $_SESSION['paymentType'] = $_REQUEST['paymentType'];
283
284
$morder = new MemberOrder();
285
- $morder->getMemberOrderByPayPalToken($_REQUEST['token']);
286
$morder->Token = $morder->paypal_token; $pmpro_paypal_token = $morder->paypal_token;
287
if($morder->Token)
288
{
@@ -309,7 +309,7 @@
309
)
310
{
311
$morder = new MemberOrder();
312
- $morder->getMemberOrderByPayPalToken($_REQUEST['token']);
313
$morder->Token = $morder->paypal_token; $pmpro_paypal_token = $morder->paypal_token;
314
if($morder->Token)
315
{
238
{
239
//get values from post
240
if(isset($_REQUEST['username']))
241
+ $username = trim(sanitize_text_field($_REQUEST['username']));
242
else
243
$username = "";
244
if(isset($_REQUEST['password']))
245
+ $password = sanitize_text_field($_REQUEST['password']);
246
else
247
$password = "";
248
if(isset($_REQUEST['bemail']))
249
+ $bemail = sanitize_email($_REQUEST['bemail']);
250
else
251
$bemail = "";
252
273
if(!empty($_REQUEST['review']))
274
{
275
if(!empty($_REQUEST['PayerID']))
276
+ $_SESSION['payer_id'] = sanitize_text_field($_REQUEST['PayerID']);
277
if(!empty($_REQUEST['paymentAmount']))
278
+ $_SESSION['paymentAmount'] = sanitize_text_field($_REQUEST['paymentAmount']);
279
if(!empty($_REQUEST['currencyCodeType']))
280
+ $_SESSION['currCodeType'] = sanitize_text_field($_REQUEST['currencyCodeType']);
281
if(!empty($_REQUEST['paymentType']))
282
+ $_SESSION['paymentType'] = sanitize_text_field($_REQUEST['paymentType']);
283
284
$morder = new MemberOrder();
285
+ $morder->getMemberOrderByPayPalToken(sanitize_text_field($_REQUEST['token']));
286
$morder->Token = $morder->paypal_token; $pmpro_paypal_token = $morder->paypal_token;
287
if($morder->Token)
288
{
309
)
310
{
311
$morder = new MemberOrder();
312
+ $morder->getMemberOrderByPayPalToken(sanitize_text_field($_REQUEST['token']));
313
$morder->Token = $morder->paypal_token; $pmpro_paypal_token = $morder->paypal_token;
314
if($morder->Token)
315
{
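Review bot: `$password = sanitize_text_field($_REQUEST['password']);` alters the value it is given — it strips tags and invalid octets, collapses whitespace and trims — so a user-chosen password containing `<`, `>` or leading/trailing spaces is stored or verified as something other than what was typed; WordPress core never sanitises passwords, it only unslashes them. Unless this value is later output somewhere (the account-creation path is outside the hunk), `$password = wp_unslash($_REQUEST['password']);` is the safer form. `sanitize_email()` for `bemail` and `sanitize_text_field()` for the token and session values look appropriate. The enclosing method starts and ends outside the hunk.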
classes/gateways/class.pmprogateway_stripe.php CHANGED
@@ -444,7 +444,7 @@
444
foreach($_REQUEST as $key => $param) {
445
if(preg_match('/stripeToken(\d+)/', $key, $matches)) {
446
if(intval($matches[1])>$tokennum) {
447
- $thetoken = $param;
448
$tokennum = intval($matches[1]);
449
}
450
}
@@ -464,8 +464,8 @@
464
}
465
elseif(!empty($_REQUEST['first_name']) && !empty($_REQUEST['last_name']))
466
{
467
- $morder->FirstName = $_REQUEST['first_name'];
468
- $morder->LastName = $_REQUEST['last_name'];
469
}
470
}
471
@@ -627,7 +627,7 @@
627
?>
628
<div class="pmpro_payment-cvv">
629
<label for="CVV"><?php _e('CVV', 'paid-memberships-pro' );?></label>
630
- <input id="CVV" type="text" size="4" value="<?php if(!empty($_REQUEST['CVV'])) { echo esc_attr($_REQUEST['CVV']); }?>" class="input <?php echo pmpro_getClassForField("CVV");?>" /> <small>(<a href="javascript:void(0);" onclick="javascript:window.open('<?php echo pmpro_https_filter(PMPRO_URL)?>/pages/popup-cvv.html','cvv','toolbar=no, location=no, directories=no, status=no, menubar=no, scrollbars=yes, resizable=yes, width=600, height=475');"><?php _e("what's this?", 'paid-memberships-pro' );?></a>)</small>
631
</div>
632
<?php
633
}
@@ -870,17 +870,17 @@
870
$update = array();
871
872
//all updates have these values
873
- $update['when'] = $_POST['updates_when'][$i];
874
- $update['billing_amount'] = $_POST['updates_billing_amount'][$i];
875
- $update['cycle_number'] = $_POST['updates_cycle_number'][$i];
876
- $update['cycle_period'] = $_POST['updates_cycle_period'][$i];
877
878
//these values only for on date updates
879
if($_POST['updates_when'][$i] == "date")
880
{
881
- $update['date_month'] = str_pad($_POST['updates_date_month'][$i], 2, "0", STR_PAD_LEFT);
882
- $update['date_day'] = str_pad($_POST['updates_date_day'][$i], 2, "0", STR_PAD_LEFT);
883
- $update['date_year'] = $_POST['updates_date_year'][$i];
884
}
885
886
//make sure the update is valid
444
foreach($_REQUEST as $key => $param) {
445
if(preg_match('/stripeToken(\d+)/', $key, $matches)) {
446
if(intval($matches[1])>$tokennum) {
447
+ $thetoken = sanitize_text_field($param);
448
$tokennum = intval($matches[1]);
449
}
450
}
464
}
465
elseif(!empty($_REQUEST['first_name']) && !empty($_REQUEST['last_name']))
466
{
467
+ $morder->FirstName = sanitize_text_field($_REQUEST['first_name']);
468
+ $morder->LastName = sanitize_text_field($_REQUEST['last_name']);
469
}
470
}
471
627
?>
628
<div class="pmpro_payment-cvv">
629
<label for="CVV"><?php _e('CVV', 'paid-memberships-pro' );?></label>
630
+ <input id="CVV" type="text" size="4" value="<?php if(!empty($_REQUEST['CVV'])) { echo esc_attr(sanitize_text_field($_REQUEST['CVV'])); }?>" class="input <?php echo pmpro_getClassForField("CVV");?>" /> <small>(<a href="javascript:void(0);" onclick="javascript:window.open('<?php echo pmpro_https_filter(PMPRO_URL)?>/pages/popup-cvv.html','cvv','toolbar=no, location=no, directories=no, status=no, menubar=no, scrollbars=yes, resizable=yes, width=600, height=475');"><?php _e("what's this?", 'paid-memberships-pro' );?></a>)</small>
631
</div>
632
<?php
633
}
870
$update = array();
871
872
//all updates have these values
873
+ $update['when'] = pmpro_sanitize_with_safelist($_POST['updates_when'][$i], array('now', 'payment', 'date'));
874
+ $update['billing_amount'] = sanitize_text_field($_POST['updates_billing_amount'][$i]);
875
+ $update['cycle_number'] = intval($_POST['updates_cycle_number'][$i]);
876
+ $update['cycle_period'] = sanitize_text_field($_POST['updates_cycle_period'][$i]);
877
878
//these values only for on date updates
879
if($_POST['updates_when'][$i] == "date")
880
{
881
+ $update['date_month'] = str_pad(intval($_POST['updates_date_month'][$i]), 2, "0", STR_PAD_LEFT);
882
+ $update['date_day'] = str_pad(intval($_POST['updates_date_day'][$i]), 2, "0", STR_PAD_LEFT);
883
+ $update['date_year'] = intval($_POST['updates_date_year'][$i]);
884
}
885
886
//make sure the update is valid
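Review bot: `$update['when']` is now passed through `pmpro_sanitize_with_safelist()`, which returns `false` for an unknown value, but the branch below still compares the raw `$_POST['updates_when'][$i] == "date"`; checking the sanitised value instead, `if($update['when'] === 'date')`, keeps the two in step and lets the "make sure the update is valid" block treat `false` as the rejection signal. `$update['billing_amount']` gets `sanitize_text_field()` although it is a monetary amount; an `is_numeric()` check before storing (or `floatval()`) would reject non-numeric input outright rather than keeping a cleaned string. The enclosing function continues outside the hunk.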
includes/addons.php CHANGED
@@ -269,7 +269,7 @@ function pmpro_admin_init_updating_plugins() {
269
unset($plugin);
270
271
//if Plus addons found, check license key
272
- if(!empty($plus_plugins) && !pmpro_license_isValid()) {
273
//show error
274
$msg = __('You must have a <a href="https://www.paidmembershipspro.com/pricing/?utm_source=wp-admin&utm_pluginlink=bulkupdate">valid PMPro Plus License Key</a> to update PMPro Plus add ons. The following plugins will not be updated:', 'paid-memberships-pro');
275
echo '<div class="error"><p>' . $msg . ' <strong>' . implode(', ', $plus_addons) . '</strong></p></div>';
269
unset($plugin);
270
271
//if Plus addons found, check license key
272
+ if(!empty($plus_plugins) && !pmpro_license_isValid(NULL, 'plus')) {
273
//show error
274
$msg = __('You must have a <a href="https://www.paidmembershipspro.com/pricing/?utm_source=wp-admin&utm_pluginlink=bulkupdate">valid PMPro Plus License Key</a> to update PMPro Plus add ons. The following plugins will not be updated:', 'paid-memberships-pro');
275
echo '<div class="error"><p>' . $msg . ' <strong>' . implode(', ', $plus_addons) . '</strong></p></div>';
includes/functions.php CHANGED
@@ -93,11 +93,11 @@ function pmpro_getOption($s, $force = false)
93
return "";
94
}
95
96
- function pmpro_setOption($s, $v = NULL)
97
{
98
//no value is given, set v to the p var
99
if($v === NULL && isset($_POST[$s]))
100
- $v = $_POST[$s];
101
102
if(is_array($v))
103
$v = implode(",", $v);
@@ -2238,22 +2238,22 @@ function pmpro_getClassForField($field)
2238
}
2239
2240
//get a var from $_GET or $_POST
2241
- function pmpro_getParam($index, $method = "REQUEST", $default = "")
2242
{
2243
if($method == "REQUEST")
2244
{
2245
if(!empty($_REQUEST[$index]))
2246
- return $_REQUEST[$index];
2247
}
2248
elseif($method == "POST")
2249
{
2250
if(!empty($_POST[$index]))
2251
- return $_POST[$index];
2252
}
2253
elseif($method == "GET")
2254
{
2255
if(!empty($_GET[$index]))
2256
- return $_GET[$index];
2257
}
2258
2259
return $default;
@@ -2618,3 +2618,38 @@ function pmpro_getMemberOrdersByCheckoutID($checkout_id) {
2618
2619
return $r;
2620
}
93
return "";
94
}
95
96
+ function pmpro_setOption($s, $v = NULL, $sanitize_function = 'sanitize_text_field')
97
{
98
//no value is given, set v to the p var
99
if($v === NULL && isset($_POST[$s]))
100
+ $v = call_user_func($sanitize_function, $_POST[$s]);
101
102
if(is_array($v))
103
$v = implode(",", $v);
2238
}
2239
2240
//get a var from $_GET or $_POST
2241
+ function pmpro_getParam($index, $method = "REQUEST", $default = "", $sanitize_function = 'sanitize_text_field')
2242
{
2243
if($method == "REQUEST")
2244
{
2245
if(!empty($_REQUEST[$index]))
2246
+ return call_user_func($sanitize_function, $_REQUEST[$index]);
2247
}
2248
elseif($method == "POST")
2249
{
2250
if(!empty($_POST[$index]))
2251
+ return call_user_func($sanitize_function, $_POST[$index]);
2252
}
2253
elseif($method == "GET")
2254
{
2255
if(!empty($_GET[$index]))
2256
+ return call_user_func($sanitize_function, $_GET[$index]);
2257
}
2258
2259
return $default;
2618
2619
return $r;
2620
}
2621
+
2622
+ /**
2623
+ * Check that the test value is a member of a specific array for sanitization purposes.
2624
+ *
2625
+ * @param mixed $needle Value to be tested.
2626
+ * @param array $safe Array of safelist values.
2627
+ * @since 1.9.3
2628
+ */
2629
+ function pmpro_sanitize_with_safelist($needle, $safelist) {
2630
+ if(!in_array($needle, $safelist))
2631
+ return false;
2632
+ else
2633
+ return $needle;
2634
+ }
2635
+
2636
+ /**
2637
+ * Return an array of allowed order statuses
2638
+ *
2639
+ * @since 1.9.3
2640
+ */
2641
+ function pmpro_getOrderStatuses($force = false) {
2642
+ global $pmpro_order_statuses;
2643
+
2644
+ if(!isset($pmpro_order_statuses) || $force) {
2645
+ global $wpdb;
2646
+ $statuses = array();
2647
+ $default_statuses = array( "", "success", "cancelled", "review", "token", "refunded" );
2648
+ $used_statuses = $wpdb->get_col( "SELECT DISTINCT(status) FROM $wpdb->pmpro_membership_orders" );
2649
+ $statuses = array_unique( array_merge( $default_statuses, $used_statuses ) );
2650
+ asort( $statuses );
2651
+ $statuses = apply_filters( "pmpro_order_statuses", $statuses );
2652
+ }
2653
+
2654
+ return $statuses;
2655
+ }
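Review bot: `pmpro_getOrderStatuses()` never assigns the `$pmpro_order_statuses` global it tests, so the cache is never populated and every call re-queries the table, and if a caller has set that global the function returns an undefined `$statuses` (null); fix both by writing `$pmpro_order_statuses = apply_filters( "pmpro_order_statuses", $statuses );` inside the `if` and `return $pmpro_order_statuses;` at the end. `pmpro_sanitize_with_safelist()` uses `in_array($needle, $safelist)` without the strict flag, so the membership test is a loose comparison; `in_array($needle, $safelist, true)` makes the safelist exact, and the docblock should name the parameter `$safelist` and document the `false` return. In `pmpro_setOption()` and `pmpro_getParam()` the default `sanitize_text_field` returns an empty string when handed an array, which makes the `is_array($v)` / implode branch of `pmpro_setOption()` unreachable for posted arrays and silently blanks multi-value options; apply the callback per element, e.g. `$v = is_array($_POST[$s]) ? array_map($sanitize_function, $_POST[$s]) : call_user_func($sanitize_function, $_POST[$s]);`.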
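--- a/paid-memberships-pro.php
+++ b/paid-memberships-pro.php
@@ -3,7 +3,7 @@
 Plugin Name: Paid Memberships Pro
 Plugin URI: http://www.paidmembershipspro.com
 Description: Plugin to Handle Memberships
-Version: 1.9.2.2
+Version: 1.9.3
 Author: Stranger Studios
 Author URI: http://www.strangerstudios.com
 Text Domain: paid-memberships-pro
@@ -15,7 +15,7 @@ Domain Path: /languages
 */
 
 // version constant
-define( 'PMPRO_VERSION', '1.9.2.2' );
+define( 'PMPRO_VERSION', '1.9.3' );
 define( 'PMPRO_USER_AGENT', 'Paid Memberships Pro v' . PMPRO_VERSION . '; ' . site_url() );
 define( 'PMPRO_MIN_PHP_VERSION', '5.6' );
 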
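--- a/preheaders/billing.php
+++ b/preheaders/billing.php
@@ -36,12 +36,12 @@ wp_enqueue_script( 'jquery.creditCardValidator', plugins_url( '/js/jquery.credit
 
 //_x stuff in case they clicked on the image button with their mouse
 if (isset($_REQUEST['update-billing']))
-$submit = $_REQUEST['update-billing'];
+$submit = true;
 else
 $submit = false;
 
 if (!$submit && isset($_REQUEST['update-billing_x']))
-$submit = $_REQUEST['update-billing_x'];
+$submit = true;
 
 if ($submit === "0")
 $submit = true;
@@ -50,39 +50,39 @@ if ($submit === "0")
 if ($submit) {
 //load em up (other fields)
 if (isset($_REQUEST['bfirstname']))
-$bfirstname = trim(stripslashes($_REQUEST['bfirstname']));
+$bfirstname = trim(sanitize_text_field($_REQUEST['bfirstname']));
 if (isset($_REQUEST['blastname']))
-$blastname = trim(stripslashes($_REQUEST['blastname']));
+$blastname = trim(sanitize_text_field($_REQUEST['blastname']));
 if (isset($_REQUEST['fullname']))
-$fullname = $_REQUEST['fullname']; //honeypot for spammers
+$fullname = sanitize_text_field($_REQUEST['fullname']); //honeypot for spammers
 if (isset($_REQUEST['baddress1']))
-$baddress1 = trim(stripslashes($_REQUEST['baddress1']));
+$baddress1 = trim(sanitize_text_field($_REQUEST['baddress1']));
 if (isset($_REQUEST['baddress2']))
-$baddress2 = trim(stripslashes($_REQUEST['baddress2']));
+$baddress2 = trim(sanitize_text_field($_REQUEST['baddress2']));
 if (isset($_REQUEST['bcity']))
-$bcity = trim(stripslashes($_REQUEST['bcity']));
+$bcity = trim(sanitize_text_field($_REQUEST['bcity']));
 if (isset($_REQUEST['bstate']))
-$bstate = trim(stripslashes($_REQUEST['bstate']));
+$bstate = trim(sanitize_text_field($_REQUEST['bstate']));
 if (isset($_REQUEST['bzipcode']))
-$bzipcode = trim(stripslashes($_REQUEST['bzipcode']));
+$bzipcode = trim(sanitize_text_field($_REQUEST['bzipcode']));
 if (isset($_REQUEST['bcountry']))
-$bcountry = trim(stripslashes($_REQUEST['bcountry']));
+$bcountry = trim(sanitize_text_field($_REQUEST['bcountry']));
 if (isset($_REQUEST['bphone']))
-$bphone = trim(stripslashes($_REQUEST['bphone']));
+$bphone = trim(sanitize_text_field($_REQUEST['bphone']));
 if (isset($_REQUEST['bemail']))
-$bemail = trim(stripslashes($_REQUEST['bemail']));
+$bemail = trim(sanitize_email($_REQUEST['bemail']));
 if (isset($_REQUEST['bconfirmemail']))
-$bconfirmemail = trim(stripslashes($_REQUEST['bconfirmemail']));
+$bconfirmemail = trim(sanitize_email($_REQUEST['bconfirmemail']));
 if (isset($_REQUEST['CardType']))
-$CardType = $_REQUEST['CardType'];
+$CardType = sanitize_text_field($_REQUEST['CardType']);
 if (isset($_REQUEST['AccountNumber']))
-$AccountNumber = trim($_REQUEST['AccountNumber']);
+$AccountNumber = trim(sanitize_text_field($_REQUEST['AccountNumber']));
 if (isset($_REQUEST['ExpirationMonth']))
-$ExpirationMonth = $_REQUEST['ExpirationMonth'];
+$ExpirationMonth = sanitize_text_field($_REQUEST['ExpirationMonth']);
 if (isset($_REQUEST['ExpirationYear']))
-$ExpirationYear = $_REQUEST['ExpirationYear'];
+$ExpirationYear = sanitize_text_field($_REQUEST['ExpirationYear']);
 if (isset($_REQUEST['CVV']))
-$CVV = trim($_REQUEST['CVV']);
+$CVV = trim(sanitize_text_field($_REQUEST['CVV']));
 
 //avoid warnings for the required fields
 if (!isset($bfirstname))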
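Review bot: Swapping `stripslashes()` for `sanitize_text_field()` on lines 53–75 drops the unslashing step: WordPress adds slashes to `$_REQUEST` through wp_magic_quotes(), and `sanitize_text_field()` does not remove them, so a name such as O'Brien now reaches the billing record with a backslash in it. The conventional form is `$bfirstname = trim(sanitize_text_field(wp_unslash($_REQUEST['bfirstname'])));`, applied to each of the text and email fields in the second hunk. Separately, with `$submit` now always a boolean on lines 39 and 44, the `if ($submit === "0")` test on line 46 can no longer match and should either be removed or carry a comment saying why it is kept. The `if ($submit) {` body opened on line 50 continues past the end of the hunk.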
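--- a/preheaders/cancel.php
+++ b/preheaders/cancel.php
@@ -39,7 +39,7 @@
 
 //are we confirming a cancellation?
 if(isset($_REQUEST['confirm']))
-$pmpro_confirm = $_REQUEST['confirm'];
+$pmpro_confirm = boolval($_REQUEST['confirm']);
 else
 $pmpro_confirm = false;
 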
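Review bot: `boolval()` on line 42 changes what counts as a confirmation: the strings "" and "0" become false, every other value, including the text "false", becomes true, and the variable no longer carries the raw value for later use. A one-line comment would save the next reader a lookup, e.g. `// any value other than "" or "0" counts as a confirmation`. The nonce the changelog mentions is not visible in this hunk; if the confirmation step is not tied to a nonce elsewhere in the file, the cancellation can be triggered by a cross-site request, so that check is worth confirming.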
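--- a/preheaders/checkout.php
+++ b/preheaders/checkout.php
@@ -15,7 +15,7 @@ $pmpro_required_user_fields = array();
 
 //was a gateway passed?
 if ( ! empty( $_REQUEST['gateway'] ) ) {
-$gateway = $_REQUEST['gateway'];
+$gateway = sanitize_text_field($_REQUEST['gateway']);
 } elseif ( ! empty( $_REQUEST['review'] ) ) {
 $gateway = "paypalexpress";
 } else {
@@ -221,14 +221,14 @@ if ( isset( $_REQUEST['username'] ) ) {
 $username = "";
 }
 if ( isset( $_REQUEST['password'] ) ) {
-$password = $_REQUEST['password'];
+$password = sanitize_text_field($_REQUEST['password']);
 } else {
 $password = "";
 }
 if ( isset( $_REQUEST['password2_copy'] ) ) {
 $password2 = $password;
 } elseif ( isset( $_REQUEST['password2'] ) ) {
-$password2 = $_REQUEST['password2'];
+$password2 = sanitize_text_field($_REQUEST['password2']);
 } else {
 $password2 = "";
 }
@@ -240,10 +240,10 @@ if ( isset( $_REQUEST['tos'] ) ) {
 
 //_x stuff in case they clicked on the image button with their mouse
 if ( isset( $_REQUEST['submit-checkout'] ) ) {
-$submit = $_REQUEST['submit-checkout'];
+$submit = true;
 }
 if ( empty( $submit ) && isset( $_REQUEST['submit-checkout_x'] ) ) {
-$submit = $_REQUEST['submit-checkout_x'];
+$submit = true;
 }
 if ( isset( $submit ) && $submit === "0" ) {
 $submit = true;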
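Review bot: Running `$_REQUEST['password']` and `password2` through `sanitize_text_field()` on lines 224 and 231 alters the credential before it is stored: the function strips tags and `%xx` octet sequences, replaces line breaks and collapses surrounding whitespace, so a password containing `<`, a percent-encoded-looking sequence or leading spaces is saved in a different form from what the user typed and will not verify at login, where WordPress compares the raw submitted value. Passwords should be unslashed but never sanitized: `$password = wp_unslash($_REQUEST['password']);` and the same on line 231, leaving `$password2 = $password;` on line 229 as it is. The `$gateway` value on line 18 is a better fit for the new `pmpro_sanitize_with_safelist()` checked against the gateways the site has enabled than for free-text sanitizing, and with `$submit` now boolean on lines 243 and 246 the `$submit === "0"` test on line 248 can no longer match.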
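--- a/preheaders/invoice.php
+++ b/preheaders/invoice.php
@@ -12,7 +12,7 @@ if (!is_user_logged_in()) {
 
 //get invoice from DB
 if (!empty($_REQUEST['invoice']))
-$invoice_code = $_REQUEST['invoice'];
+$invoice_code = sanitize_text_field($_REQUEST['invoice']);
 else
 $invoice_code = NULL;
 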
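--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: strangerstudios
 Tags: memberships, membership, authorize.net, ecommerce, paypal, stripe, braintree, restrict access, restrict content, directory site, payflow
 Requires at least: 4
 Tested up to: 4.8
-Stable tag: 1.9.2.2
+Stable tag: 1.9.3
 
 A revenue-generating machine for membership sites. Unlimited levels with recurring payment, protected content and member management.
 
@@ -116,6 +116,15 @@ Not sure? You can find out by doing a bit a research.
 
 == Changelog ==
 
+= 1.9.3 =
+* SECURITY: Fixed sanitization of inputs and added nonces in several places to protect against XSS attacks.
+* BUG FIX: Showing correct error message when trying to update a PMPro Plus add on with a Core license installed.
+* BUG FIX: Fixed issue where subscription and payment transaction IDs were not being saved correctly when copying an order in the dashboard. (Thanks, Pippin Williamson)
+* BUG FIX: Fixed fatal errors that occurred in certain PHP versions.
+* BUG FIX: Fixed issue where ProfileStartDate was being calculated incorrectly in the test, check, and Cybersource gateways.(Thanks, David Parker)
+* ENHANCEMENT: Added a pmpro_sanitize_with_safelist() function that is used to sanitize inputs that have a limited number of exact options.
+* ENHANCEMENT: Updated the pmpro_setOption() and pmpro_getParam() functions to take a new last parameter $sanitize_function, which defaults to 'sanitize_text_field'.
+
 = 1.9.2.2 =
 * BUG FIX: Fixed warnings on the Network Dashboard's sites page.
 * BUG FIX: Skipping update scripts that require the Stripe library if the system doesn't support the minimum requirements for the Stripe API. This avoids warnings and errors during upgrade.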
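--- a/services/authnet-silent-post.php
+++ b/services/authnet-silent-post.php
@@ -23,7 +23,7 @@
 foreach($_REQUEST as $name => $value)
 {
 // Create our associative array
-$fields[$name] = $value;
+$fields[$name] = sanitize_text_field($value);
 
 // If we see a special field flag this as an ARB transaction
 if($name == 'x_subscription_id')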
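Review bot: `sanitize_text_field($value)` on line 26 assumes every posted field is a scalar; PHP builds an array for bracketed parameter names, and handing an array to the sanitizer produces a warning rather than a clean value, so a guard such as `$fields[$name] = is_array($value) ? '' : sanitize_text_field($value);` keeps the loop robust. The `$name` key is still used as-is for the array index, which is low risk but worth a word in the comment on line 25. If any of these fields later take part in a hash comparison against values the gateway signed, it should be confirmed that the sanitized copies are what the gateway's hash covers, since a changed byte would make a legitimate post fail verification. The foreach body continues outside the hunk.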
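--- a/services/braintree-webhook.php
+++ b/services/braintree-webhook.php
@@ -33,7 +33,7 @@
 
 //verify
 if(!empty($_REQUEST['bt_challenge']))
-echo Braintree_WebhookNotification::verify($_REQUEST['bt_challenge']);
+echo Braintree_WebhookNotification::verify(sanitize_text_field($_REQUEST['bt_challenge']));
 else
 $logstr .= "Guessing you are just testing the URL out. Check that the timestamp updates on refresh to make sure this isn't being cached.";
 
@@ -45,13 +45,13 @@
 try
 {
 $webhookNotification = Braintree_WebhookNotification::parse(
-$_REQUEST['bt_signature'], $_REQUEST['bt_payload']
+sanitize_text_field($_REQUEST['bt_signature']), sanitize_text_field($_REQUEST['bt_payload'])
 );
 }
 catch ( Exception $e )
 {
 {
-$logstr .= "Couldn't get notification with payload " . $_REQUEST['bt_payload'] . ". " . $e->getMessage();
+$logstr .= "Couldn't get notification with payload " . sanitize_text_field($_REQUEST['bt_payload']) . ". " . $e->getMessage();
 pmpro_braintreeWebhookExit();
 }
 }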
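Review bot: `sanitize_text_field()` on `bt_signature` and `bt_payload` at line 48 runs before `Braintree_WebhookNotification::parse()` checks the signature, and it replaces any line breaks in the input with spaces; Braintree delivers the payload as base64 text that is normally wrapped onto multiple lines and signs the raw bytes, so if that holds here every webhook will fail to parse after this change. The two arguments to `parse()` should be passed as received, at most through `wp_unslash()`, because a successful signature check is what makes them trustworthy; the sanitizing on lines 36 and 54 is fine since those values are only echoed or written to the log. The doubled brace on lines 52–53 predates this change but leaves the catch body wrapped in an extra block and is worth tidying while the file is open.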
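--- a/services/ipnhandler.php
+++ b/services/ipnhandler.php
@@ -31,9 +31,9 @@ $initial_payment_status = pmpro_getParam( "initial_payment_status", "POST" );
 $payment_status = pmpro_getParam( "payment_status", "POST" );
 $payment_amount = pmpro_getParam( "payment_amount", "POST" );
 $payment_currency = pmpro_getParam( "payment_currency", "POST" );
-$receiver_email = pmpro_getParam( "receiver_email", "POST" );
-$business_email = pmpro_getParam( "business", "POST" );
-$payer_email = pmpro_getParam( "payer_email", "POST" );
+$receiver_email = pmpro_getParam( "receiver_email", "POST", '', 'sanitize_email' );
+$business_email = pmpro_getParam( "business", "POST", '', 'sanitize_email' );
+$payer_email = pmpro_getParam( "payer_email", "POST", '', 'sanitize_email' );
 $recurring_payment_id = pmpro_getParam( "recurring_payment_id", "POST" );
 $profile_status = strtolower( pmpro_getParam( "profile_status", "POST" ) );
 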
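Review bot: `sanitize_email()` on lines 34–36 returns an empty string for any address it cannot normalize, so a later comparison of `$receiver_email` or `$business_email` against the configured PayPal account address fails closed on malformed input, which is the right direction, while `$payer_email` silently becomes empty rather than keeping the posted value. A short comment at line 34 would make that intentional, e.g. `// invalid addresses become '' and will not match the configured account email`. Whether the receiver or business address is actually compared with the account setting happens outside this hunk and is worth confirming, since that comparison is what ties an IPN to this merchant.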
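--- a/services/stripe-webhook.php
+++ b/services/stripe-webhook.php
@@ -44,11 +44,11 @@
 
 //get the id
 if(!empty($post_event))
-$event_id = $post_event->id;
+$event_id = sanitize_text_field($post_event->id);
 }
 else
 {
-$event_id = $_REQUEST['event_id'];
+$event_id = sanitize_text_field($_REQUEST['event_id']);
 }
 
 //get the event through the API now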
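Review bot: `$_REQUEST['event_id']` on line 51 is read without an isset or empty check, so a request carrying neither a decoded event nor an `event_id` parameter still raises a PHP notice before the API lookup; `$event_id = pmpro_getParam('event_id', 'REQUEST');` applies `sanitize_text_field` by default in this release and returns the default when the key is absent, matching how the other webhook handlers read their inputs. The call on line 47 sanitizes a value taken from the decoded request body rather than from `$_REQUEST`, which is fine but deserves a comment noting that the ID is only used to re-fetch the event from the API, e.g. `// only the id is trusted from the posted body; the event itself is fetched from Stripe below`. The if/else block closed on line 48 starts outside the hunk.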
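--- a/services/twocheckout-ins.php
+++ b/services/twocheckout-ins.php
@@ -35,6 +35,7 @@
 $txn_id = pmpro_getParam( 'sale_id', 'REQUEST' );
 $recurring = pmpro_getParam( 'recurring', 'REQUEST' );
 $order_id = pmpro_getParam( 'merchant_order_id', 'REQUEST' );
+$order_number = pmpro_getParam( 'order_number', 'REQUEST' );
 if(empty($order_id))
 $order_id = pmpro_getParam( 'vendor_order_id', 'REQUEST' );
 $product_id = pmpro_getParam( 'item_id_1', 'REQUEST' ); // Should be item 0 or 1?
@@ -43,7 +44,7 @@
 $invoice_status = pmpro_getParam( 'invoice_status', 'REQUEST' ); // On single we need to check for deposited
 $fraud_status = pmpro_getParam( 'fraud_status', 'REQUEST' ); // Check fraud status?
 $invoice_list_amount = pmpro_getParam( 'invoice_list_amount', 'REQUEST' ); // Price paid by customer in seller currency code
-$customer_email = pmpro_getParam( 'customer_email', 'REQUEST' );
+$customer_email = pmpro_getParam( 'customer_email', 'REQUEST', '', 'sanitize_email' );
 
 // No message = return processing
 if( empty($message_type) ) {
@@ -58,7 +59,7 @@
 if( ! empty ( $morder ) && ! empty ( $morder->status ) && $morder->status === 'success' ) {
 inslog( "Checkout was already processed (" . $morder->code . "). Ignoring this request." );
 }
-elseif (pmpro_insChangeMembershipLevel( $_REQUEST['order_number'], $morder ) ) {
+elseif (pmpro_insChangeMembershipLevel( $order_number, $morder ) ) {
 inslog( "Checkout processed (" . $morder->code . ") success!" );
 }
 else {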
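Review bot: The new `$order_number` assignment on line 38 is inserted between `$order_id` and its `vendor_order_id` fallback on lines 39–40, splitting a two-line unit; placing it after line 40 keeps the fallback pair together. Reading `order_number` through `pmpro_getParam()` also changes the absent-key case from a PHP notice and null to the `''` default, so `pmpro_insChangeMembershipLevel()` on line 62 should be confirmed to treat an empty order number as a failure rather than as a valid lookup. If the INS hash is verified elsewhere in this file, that verification should use the raw posted values rather than these sanitized copies, since any byte the sanitizer changes would break the comparison. The if/elseif chain on lines 59–65 continues outside the hunk.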