Paid Memberships Pro - Version 2.4.4

Version Description

  • 2020-09-02 =
  • BUG FIX: Fixed fatal error that sometimes occurred on the payment settings page when using PHP 5.6 or earlier.
  • BUG FIX: Fixed fatal errors that showed up on the frontend invoice page.
  • BUG FIX: Fixed issue where the confirmation message was not showing up in the confirmation email if that option was checked.
  • ENHANCEMENT: Added a pmpro_stripe_charge_params filter that can be used to edit or add params sent to the Stripe create charge method. (Thanks, Michael Bester)
  • ENHANCEMENT: Tweaked the markup of the invoice page so the payment type information looks a little better.

Release Info

Developer strangerstudios
Version 2.4.4

Code changes from version 2.4.3 to 2.4.4

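--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,4 +1,11 @@
  == Changelog ==
+ = 2.4.4 - 2020-09-02 =
+ * BUG FIX: Fixed fatal error that sometimes occurred on the payment settings page when using PHP 5.6 or earlier.
+ * BUG FIX: Fixed fatal errors that showed up on the frontend invoice page.
+ * BUG FIX: Fixed issue where the confirmation message was not showing up in the confirmation email if that option was checked.
+ * ENHANCEMENT: Added a pmpro_stripe_charge_params filter that can be used to edit or add params sent to the Stripe create charge method. (Thanks, Michael Bester)
+ * ENHANCEMENT: Tweaked the markup of the invoice page so the payment type information looks a little better.
+
  = 2.4.3 - 2020-08-25
  * SECURITY: Fixed a cross-site scripting vulnerability in the code that updates the Required Membership settings on a post. This vulnerability could have been used in conjunction with other security vulnerabilities to trick an admin into editing the membership settings for a page, potentially exposing members only content to non-members. It is unlikely that there was any active exploitation of this vulnerability. This issue may also have shown up as a bug on some sites using page builders, where the membership settings for a post would be cleared out when editing a post. (Thanks to the wp.org plugin review team for catching this issue.)
  * SECURITY: Better escaping of variables shown in the Require Membership meta box and related SQL queries.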
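--- a/classes/gateways/class.pmprogateway_stripe.php
+++ b/classes/gateways/class.pmprogateway_stripe.php
@@ -672,12 +672,17 @@ class PMProGateway_stripe extends PMProGateway {
  *
  * @since 2.4
  */
- static function get_webhooks( $limit = 10 ) {
-
+ static function get_webhooks( $limit = 10 ) {
+ if ( ! class_exists( 'Stripe\WebhookEndpoint' ) ) {
+ return false;
+ }
+
  try {
  $webhooks = Stripe_Webhook::all( [ 'limit' => apply_filters( 'pmpro_stripe_webhook_retrieve_limit', $limit ) ] );
  } catch (\Throwable $th) {
  $webhooks = $th->getMessage();
+ } catch (\Exception $e) {
+ $webhooks = $e->getMessage();
  }
 
  return $webhooks;
@@ -726,6 +731,9 @@ class PMProGateway_stripe extends PMProGateway {
  } catch (\Throwable $th) {
  //throw $th;
  return new WP_Error( 'error', $th->getMessage() );
+ } catch (\Exception $e) {
+ //throw $th;
+ return new WP_Error( 'error', $e->getMessage() );
  }
 
  }
@@ -838,6 +846,9 @@ class PMProGateway_stripe extends PMProGateway {
  } catch (\Throwable $th) {
  //throw $th;
  return new WP_Error( 'error', $th->getMessage() );
+ } catch (\Exception $e) {
+ //throw $th;
+ return new WP_Error( 'error', $e->getMessage() );
  }
 
  } else {
@@ -863,6 +874,9 @@ class PMProGateway_stripe extends PMProGateway {
  } catch (\Throwable $th) {
  self::update_webhook_ids( '', $secretkey );
  return new WP_Error( 'error', $th->getMessage() );
+ } catch (\Exception $e) {
+ self::update_webhook_ids( '', $secretkey );
+ return new WP_Error( 'error', $e->getMessage() );
  }
 
  return $delete;
@@ -1566,13 +1580,22 @@ class PMProGateway_stripe extends PMProGateway {
 
  //charge
  try {
- $response = Stripe_Charge::create( array(
+ $params = array(
  "amount" => $amount * $currency_unit_multiplier, # amount in cents, again
  "currency" => strtolower( $pmpro_currency ),
  "customer" => $this->customer->id,
  "description" => apply_filters( 'pmpro_stripe_order_description', "Order #" . $order->code . ", " . trim( $order->FirstName . " " . $order->LastName ) . " (" . $order->Email . ")", $order )
- )
- );
+ );
+ /**
+ * Filter params used to create the Stripe charge.
+ *
+ * @since 2.4.4
+ *
+ * @param array $params Array of params sent to Stripe.
+ * @param object $order Order object for this checkout.
+ */
+ $params = apply_filters( 'pmpro_stripe_charge_params', $params, $order );
+ $response = Stripe_Charge::create( $params );
  } catch ( \Throwable $e ) {
  //$order->status = "error";
  $order->errorcode = true;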
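Review bot: The charge `try` in the last hunk is still closed only by `catch ( \Throwable $e )`, while the four webhook hunks above gained a `catch (\Exception $e)` fallback. `\Throwable` does not exist before PHP 7 and the plugin still declares `PMPRO_MIN_PHP_VERSION` as `5.6`, so on that runtime an exception raised by `Stripe_Charge::create( $params )` would go uncaught unless another catch follows outside the hunk. Adding `} catch ( \Exception $e ) {` with the same error handling would close the gap. Separately, the array returned by `pmpro_stripe_charge_params` is passed to Stripe unchecked, so the docblock should say that callbacks must return an array and that changing `amount`, `currency` or `customer` changes what is charged and to whom.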
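--- a/includes/functions.php
+++ b/includes/functions.php
@@ -2251,11 +2251,6 @@ function pmpro_getLevelAtCheckout( $level_id = null, $discount_code = null ) {
  $pmpro_level = $wpdb->get_row( "SELECT * FROM $wpdb->pmpro_membership_levels WHERE id = '" . esc_sql( $level_id ) . "' AND allow_signups = 1 LIMIT 1" );
  }
 
- // hide the confirmation message
- if ( ! empty( $pmpro_level->confirmation ) ) {
- $pmpro_level->confirmation = '';
- }
-
  // filter the level (for upgrades, etc)
  $pmpro_level = apply_filters( 'pmpro_checkout_level', $pmpro_level );
 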
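--- a/includes/rest-api.php
+++ b/includes/rest-api.php
@@ -553,6 +553,14 @@ if ( class_exists( 'WP_REST_Controller' ) ) {
 
  $discount_code = isset( $params['discount_code'] ) ? $params['discount_code'] : null;
  $checkout_level = pmpro_getLevelAtCheckout( $level_id, $discount_code );
+
+ // Hide confirmation message if not an admin or member.
+ if ( ! empty( $checkout_level->confirmation )
+ && ! pmpro_hasMembershipLevel( $level_id )
+ && ! current_user_can( 'pmpro_edit_memberships' ) ) {
+ $checkout_level->confirmation = '';
+ }
+
  return new WP_REST_Response( $checkout_level );
  }
 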
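Review bot: The added condition tests `pmpro_hasMembershipLevel( $level_id )` against the request's `$level_id`, not against the level that `pmpro_getLevelAtCheckout()` actually returned, and the two can differ when `$level_id` is empty or is resolved to a default. If `pmpro_hasMembershipLevel()` treats an empty argument as "any level" (worth confirming against its definition), a member of one level would receive the confirmation text of another; checking the resolved level avoids that: `&& ! pmpro_hasMembershipLevel( $checkout_level->id )`. Since this release also removes the blanking from `pmpro_getLevelAtCheckout()` in includes/functions.php, any other caller that exposes the level object to visitors now needs its own check. The enclosing method starts outside the hunk.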
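--- a/pages/confirmation.php
+++ b/pages/confirmation.php
@@ -78,8 +78,9 @@
  <div class="<?php echo pmpro_get_element_class( 'pmpro_invoice-payment-method' ); ?>">
  <strong><?php _e('Payment Method', 'paid-memberships-pro' );?></strong>
  <?php if($pmpro_invoice->accountnumber) { ?>
- <p><?php echo esc_html( ucwords( $pmpro_invoice->cardtype ) ); ?> <?php _e('ending in', 'paid-memberships-pro' );?> <?php echo esc_html( last4($pmpro_invoice->accountnumber ) );?></p>
- <p><?php _e('Expiration', 'paid-memberships-pro' );?>: <?php echo esc_html( $pmpro_invoice->expirationmonth );?>/<?php echo esc_html( $pmpro_invoice->expirationyear );?></p>
+ <p><?php echo esc_html( ucwords( $pmpro_invoice->cardtype ) ); ?> <?php _e('ending in', 'paid-memberships-pro' );?> <?php echo esc_html( last4($pmpro_invoice->accountnumber ) );?>
+ <br />
+ <?php _e('Expiration', 'paid-memberships-pro' );?>: <?php echo esc_html( $pmpro_invoice->expirationmonth );?>/<?php echo esc_html( $pmpro_invoice->expirationyear );?></p>
  <?php } else { ?>
  <p><?php echo esc_html( $pmpro_invoice->payment_type ); ?></p>
  <?php } ?>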
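--- a/pages/invoice.php
+++ b/pages/invoice.php
@@ -68,8 +68,9 @@
  <div class="<?php echo pmpro_get_element_class( 'pmpro_invoice-payment-method' ); ?>">
  <strong><?php _e('Payment Method', 'paid-memberships-pro' );?></strong>
  <?php if($pmpro_invoice->accountnumber) { ?>
- <p><?php echo ucwords( $pmpro_invoice->cardtype ); ?> <?php _e('ending in', 'paid-memberships-pro' );?> <?php echo last4($pmpro_invoice->accountnumber)?></p>
- <p><?php _e('Expiration', 'paid-memberships-pro' );?>: <?php echo $pmpro_invoice->expirationmonth?>/<?php echo $pmpro_invoice->expirationyear?></p>
+ <p><?php echo ucwords( $pmpro_invoice->cardtype ); ?> <?php _e('ending in', 'paid-memberships-pro' );?> <?php echo last4($pmpro_invoice->accountnumber)?>
+ <br />
+ <?php _e('Expiration', 'paid-memberships-pro' );?>: <?php echo $pmpro_invoice->expirationmonth?>/<?php echo $pmpro_invoice->expirationyear?></p>
  <?php } else { ?>
  <p><?php echo $pmpro_invoice->payment_type; ?></p>
  <?php } ?>
@@ -119,7 +120,7 @@
  {
  ?>
  <tr>
- <td><a href="<?php echo pmpro_url("invoice", "?invoice=" . $invoice->code)?>"><?php echo date_i18n(get_option("date_format"), $invoice->getTimestamp())?></a></td>
+ <td><a href="<?php echo pmpro_url("invoice", "?invoice=" . $invoice->code)?>"><?php echo date_i18n( get_option("date_format"), strtotime( get_date_from_gmt( date( 'Y-m-d H:i:s', $invoice->timestamp ) ) ) )?></a></td>
  <td><a href="<?php echo pmpro_url("invoice", "?invoice=" . $invoice->code)?>"><?php echo $invoice->code; ?></a></td>
  <td><?php echo $invoice->membership_level_name;?></td>
  <td><?php echo pmpro_formatPrice($invoice->total);?></td>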
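Review bot: The rewritten payment-method lines in the first hunk still echo `$pmpro_invoice->cardtype`, `last4($pmpro_invoice->accountnumber)`, `expirationmonth` and `expirationyear` without escaping, although the identical markup in pages/confirmation.php wraps each of them in `esc_html()`. These are stored order fields, so they should be escaped on output here as well, for example `<?php echo esc_html( ucwords( $pmpro_invoice->cardtype ) ); ?>` and `<?php echo esc_html( last4( $pmpro_invoice->accountnumber ) ); ?>`. The same applies to the new table row in the second hunk, where the result of `pmpro_url( "invoice", "?invoice=" . $invoice->code )` is printed into `href` without `esc_url()`.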
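--- a/paid-memberships-pro.php
+++ b/paid-memberships-pro.php
@@ -3,7 +3,7 @@
  * Plugin Name: Paid Memberships Pro
  * Plugin URI: https://www.paidmembershipspro.com
  * Description: The most complete member management and membership subscriptions plugin for WordPress.
- * Version: 2.4.3
+ * Version: 2.4.4
  * Author: Stranger Studios
  * Author URI: https://www.strangerstudios.com
  * Text Domain: paid-memberships-pro
@@ -16,7 +16,7 @@
  */
 
  // version constant
- define( 'PMPRO_VERSION', '2.4.3' );
+ define( 'PMPRO_VERSION', '2.4.4' );
  define( 'PMPRO_USER_AGENT', 'Paid Memberships Pro v' . PMPRO_VERSION . '; ' . site_url() );
  define( 'PMPRO_MIN_PHP_VERSION', '5.6' );
 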
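--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: strangerstudios, kimannwall, andrewza, dlparker1005, paidmembershi
  Tags: memberships, members, subscriptions, ecommerce, user registration, member, membership, e-commerce, paypal, stripe, braintree, authorize.net, payflow, restrict access, restrict content, directory
  Requires at least: 4
  Tested up to: 5.5
- Stable tag: 2.4.3
+ Stable tag: 2.4.4
 
  Get Paid with Paid Memberships Pro: The most complete member management and membership subscriptions plugin for your WordPress site.
 
@@ -153,6 +153,13 @@ Not sure? You can find out by doing a bit a research.
  8. Membership Account page, display all sections or show specific sections using shortcode attributes.
 
  == Changelog ==
+ = 2.4.4 - 2020-09-02 =
+ * BUG FIX: Fixed fatal error that sometimes occurred on the payment settings page when using PHP 5.6 or earlier.
+ * BUG FIX: Fixed fatal errors that showed up on the frontend invoice page.
+ * BUG FIX: Fixed issue where the confirmation message was not showing up in the confirmation email if that option was checked.
+ * ENHANCEMENT: Added a pmpro_stripe_charge_params filter that can be used to edit or add params sent to the Stripe create charge method. (Thanks, Michael Bester)
+ * ENHANCEMENT: Tweaked the markup of the invoice page so the payment type information looks a little better.
+
  = 2.4.3 - 2020-08-25
  * SECURITY: Fixed a cross-site scripting vulnerability in the code that updates the Required Membership settings on a post. This vulnerability could have been used in conjunction with other security vulnerabilities to trick an admin into editing the membership settings for a page, potentially exposing members only content to non-members. It is unlikely that there was any active exploitation of this vulnerability. This issue may also have shown up as a bug on some sites using page builders, where the membership settings for a post would be cleared out when editing a post. (Thanks to the wp.org plugin review team for catching this issue.)
  * SECURITY: Better escaping of variables shown in the Require Membership meta box and related SQL queries.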