Version Description
- 2021-01-26 =
- SECURITY: Fixed indirect object reference vulnerability where order information, including customer names, email addresses, and order numbers could be accessed by non-admin WordPress users. (Thanks, WP Plugins Team)
- SECURITY: Now checking ReCAPTCHA validation before enabling the submit button on the checkout form when using ReCAPTCHA v2. This helps to keep bad actors from testing credit cards on your checkout page. We were already doing a similar check when using ReCAPTCHA v3. Further updates to rate limit credit card failures are planned.
Download this release
Release Info
| Developer | strangerstudios |
| Plugin |  Paid Memberships Pro |
| Version | 2.5.3 |
| Comparing to | |
| See all releases | |
Code changes from version 2.5.2 to 2.5.3
- CHANGELOG.txt +4 -0
- includes/recaptcha.php +52 -2
- includes/services.php +11 -2
- paid-memberships-pro.php +2 -2
- readme.txt +6 -2
CHANGELOG.txt
CHANGED
|
@@ -1,4 +1,8 @@
|
|
| 1 |
== Changelog ==
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2 |
= 2.5.2 - 2020-10-23 =
|
| 3 |
* BUG FIX: Fixed issue where the RECAPTCHA library wasn't being loaded early enough to validate at checkout.
|
| 4 |
* BUG FIX: Fixed issue where code in the Stripe class was unsetting some required fields, even if Stripe was not being used at checkout.
|
| 1 |
== Changelog ==
|
| 2 |
+
= 2.5.3 - 2021-01-26 =
|
| 3 |
+
* SECURITY: Fixed indirect object reference vulnerability where order information, including customer names, email addresses, and order numbers could be accessed by non-admin WordPress users. (Thanks, WP Plugins Team)
|
| 4 |
+
* SECURITY: Now checking ReCAPTCHA validation before enabling the submit button on the checkout form when using ReCAPTCHA v2. This helps to keep bad actors from testing credit cards on your checkout page. We were already doing a similar check when using ReCAPTCHA v3. Further updates to rate limit credit card failures are planned.
|
| 5 |
+
|
| 6 |
= 2.5.2 - 2020-10-23 =
|
| 7 |
* BUG FIX: Fixed issue where the RECAPTCHA library wasn't being loaded early enough to validate at checkout.
|
| 8 |
* BUG FIX: Fixed issue where code in the Stripe class was unsetting some required fields, even if Stripe was not being used at checkout.
|
includes/recaptcha.php
CHANGED
|
@@ -108,7 +108,57 @@ function pmpro_init_recaptcha() {
|
|
| 108 |
src="https://www.google.com/recaptcha/api.js?onload=pmpro_recaptcha_onloadCallback&hl=<?php echo $lang;?>&render=explicit" async defer>
|
| 109 |
</script>
|
| 110 |
<?php } else { ?>
|
| 111 |
-
<div class="g-recaptcha" data-sitekey="<?php echo $pubkey;?>"></div>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 112 |
<script type="text/javascript"
|
| 113 |
src="https://www.google.com/recaptcha/api.js?hl=<?php echo $lang;?>">
|
| 114 |
</script>
|
|
@@ -155,4 +205,4 @@ add_action( 'wp_ajax_pmpro_validate_recaptcha', 'pmpro_wp_ajax_validate_recaptch
|
|
| 155 |
function pmpro_after_checkout_reset_recaptcha() {
|
| 156 |
pmpro_unset_session_var( 'pmpro_recaptcha_validated' );
|
| 157 |
}
|
| 158 |
-
add_action( 'pmpro_after_checkout', 'pmpro_after_checkout_reset_recaptcha' );
|
| 108 |
src="https://www.google.com/recaptcha/api.js?onload=pmpro_recaptcha_onloadCallback&hl=<?php echo $lang;?>&render=explicit" async defer>
|
| 109 |
</script>
|
| 110 |
<?php } else { ?>
|
| 111 |
+
<div class="g-recaptcha" data-callback="pmpro_recaptcha_validatedCallback" data-expired-callback="pmpro_recaptcha_expiredCallback" data-sitekey="<?php echo $pubkey;?>"></div>
|
| 112 |
+
<script type="text/javascript">
|
| 113 |
+
var pmpro_recaptcha_validated = false;
|
| 114 |
+
var pmpro_recaptcha_error_msg = "<?php esc_attr_e( 'Please check the ReCAPTCHA box to confirm you are not a bot.', 'paid-memberships-pro' ); ?>";
|
| 115 |
+
|
| 116 |
+
// Validation callback.
|
| 117 |
+
function pmpro_recaptcha_validatedCallback() {
|
| 118 |
+
// ReCAPTCHA worked.
|
| 119 |
+
pmpro_recaptcha_validated = true;
|
| 120 |
+
|
| 121 |
+
// Re-enable the submit button.
|
| 122 |
+
jQuery('.pmpro_btn-submit-checkout,.pmpro_btn-submit').removeAttr('disabled');
|
| 123 |
+
|
| 124 |
+
// Hide processing message.
|
| 125 |
+
jQuery('#pmpro_processing_message').css('visibility', 'hidden');
|
| 126 |
+
|
| 127 |
+
// Hide error message.
|
| 128 |
+
if ( jQuery('#pmpro_message').text() == pmpro_recaptcha_error_msg ) {
|
| 129 |
+
jQuery( '#pmpro_message' ).hide();
|
| 130 |
+
jQuery( '#pmpro_message_bottom' ).hide();
|
| 131 |
+
}
|
| 132 |
+
};
|
| 133 |
+
|
| 134 |
+
// Expiration callback.
|
| 135 |
+
function pmpro_recaptcha_expiredCallback() {
|
| 136 |
+
pmpro_recaptcha_validated = false;
|
| 137 |
+
}
|
| 138 |
+
|
| 139 |
+
// Check validation on submit.
|
| 140 |
+
jQuery(document).ready(function(){
|
| 141 |
+
jQuery('#pmpro_form').submit(function(event){
|
| 142 |
+
if( pmpro_recaptcha_validated == false ) {
|
| 143 |
+
event.preventDefault();
|
| 144 |
+
|
| 145 |
+
// Re-enable the submit button.
|
| 146 |
+
jQuery('.pmpro_btn-submit-checkout,.pmpro_btn-submit').removeAttr('disabled');
|
| 147 |
+
|
| 148 |
+
// Hide processing message.
|
| 149 |
+
jQuery('#pmpro_processing_message').css('visibility', 'hidden');
|
| 150 |
+
|
| 151 |
+
// error message
|
| 152 |
+
jQuery( '#pmpro_message' ).text( pmpro_recaptcha_error_msg ).addClass( 'pmpro_error' ).removeClass( 'pmpro_alert' ).removeClass( 'pmpro_success' ).hide().fadeIn();
|
| 153 |
+
jQuery( '#pmpro_message_bottom' ).hide().fadeIn();
|
| 154 |
+
|
| 155 |
+
return false;
|
| 156 |
+
} else {
|
| 157 |
+
return true;
|
| 158 |
+
}
|
| 159 |
+
});
|
| 160 |
+
});
|
| 161 |
+
</script>
|
| 162 |
<script type="text/javascript"
|
| 163 |
src="https://www.google.com/recaptcha/api.js?hl=<?php echo $lang;?>">
|
| 164 |
</script>
|
| 205 |
function pmpro_after_checkout_reset_recaptcha() {
|
| 206 |
pmpro_unset_session_var( 'pmpro_recaptcha_validated' );
|
| 207 |
}
|
| 208 |
+
add_action( 'pmpro_after_checkout', 'pmpro_after_checkout_reset_recaptcha' );
|
includes/services.php
CHANGED
|
@@ -86,7 +86,12 @@ add_action('wp_ajax_pmpro_orders_print_view', 'pmpro_orders_print_view');
|
|
| 86 |
* @since 1.8.6
|
| 87 |
*/
|
| 88 |
function pmpro_get_order_json() {
|
| 89 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 90 |
$order = new MemberOrder($order_id);
|
| 91 |
echo json_encode($order);
|
| 92 |
exit;
|
|
@@ -94,7 +99,11 @@ function pmpro_get_order_json() {
|
|
| 94 |
add_action('wp_ajax_pmpro_get_order_json', 'pmpro_get_order_json');
|
| 95 |
|
| 96 |
function pmpro_update_level_order() {
|
| 97 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
| 98 |
$level_order = null;
|
| 99 |
|
| 100 |
if ( isset( $_REQUEST['level_order'] ) && is_array( $_REQUEST['level_order'] ) ) {
|
| 86 |
* @since 1.8.6
|
| 87 |
*/
|
| 88 |
function pmpro_get_order_json() {
|
| 89 |
+
// only admins can get this
|
| 90 |
+
if ( ! function_exists( 'current_user_can' ) || ( ! current_user_can( 'manage_options' ) && ! current_user_can( 'pmpro_orders' ) ) ) {
|
| 91 |
+
die( __( 'You do not have permissions to perform this action.', 'paid-memberships-pro' ) );
|
| 92 |
+
}
|
| 93 |
+
|
| 94 |
+
$order_id = intval( $_REQUEST['order_id'] );
|
| 95 |
$order = new MemberOrder($order_id);
|
| 96 |
echo json_encode($order);
|
| 97 |
exit;
|
| 99 |
add_action('wp_ajax_pmpro_get_order_json', 'pmpro_get_order_json');
|
| 100 |
|
| 101 |
function pmpro_update_level_order() {
|
| 102 |
+
// only admins can get this
|
| 103 |
+
if ( ! function_exists( 'current_user_can' ) || ( ! current_user_can( 'manage_options' ) && ! current_user_can( 'pmpro_membershiplevels' ) ) ) {
|
| 104 |
+
die( __( 'You do not have permissions to perform this action.', 'paid-memberships-pro' ) );
|
| 105 |
+
}
|
| 106 |
+
|
| 107 |
$level_order = null;
|
| 108 |
|
| 109 |
if ( isset( $_REQUEST['level_order'] ) && is_array( $_REQUEST['level_order'] ) ) {
|
paid-memberships-pro.php
CHANGED
|
@@ -3,7 +3,7 @@
|
|
| 3 |
* Plugin Name: Paid Memberships Pro
|
| 4 |
* Plugin URI: https://www.paidmembershipspro.com
|
| 5 |
* Description: The most complete member management and membership subscriptions plugin for WordPress.
|
| 6 |
-
* Version: 2.5.
|
| 7 |
* Author: Stranger Studios
|
| 8 |
* Author URI: https://www.strangerstudios.com
|
| 9 |
* Text Domain: paid-memberships-pro
|
|
@@ -16,7 +16,7 @@
|
|
| 16 |
*/
|
| 17 |
|
| 18 |
// version constant
|
| 19 |
-
define( 'PMPRO_VERSION', '2.5.
|
| 20 |
define( 'PMPRO_USER_AGENT', 'Paid Memberships Pro v' . PMPRO_VERSION . '; ' . site_url() );
|
| 21 |
define( 'PMPRO_MIN_PHP_VERSION', '5.6' );
|
| 22 |
|
| 3 |
* Plugin Name: Paid Memberships Pro
|
| 4 |
* Plugin URI: https://www.paidmembershipspro.com
|
| 5 |
* Description: The most complete member management and membership subscriptions plugin for WordPress.
|
| 6 |
+
* Version: 2.5.3
|
| 7 |
* Author: Stranger Studios
|
| 8 |
* Author URI: https://www.strangerstudios.com
|
| 9 |
* Text Domain: paid-memberships-pro
|
| 16 |
*/
|
| 17 |
|
| 18 |
// version constant
|
| 19 |
+
define( 'PMPRO_VERSION', '2.5.3' );
|
| 20 |
define( 'PMPRO_USER_AGENT', 'Paid Memberships Pro v' . PMPRO_VERSION . '; ' . site_url() );
|
| 21 |
define( 'PMPRO_MIN_PHP_VERSION', '5.6' );
|
| 22 |
|
readme.txt
CHANGED
|
@@ -2,8 +2,8 @@
|
|
| 2 |
Contributors: strangerstudios, kimannwall, andrewza, dlparker1005, paidmembershipspro
|
| 3 |
Tags: memberships, members, subscriptions, ecommerce, user registration, member, membership, e-commerce, paypal, stripe, braintree, authorize.net, payflow, restrict access, restrict content, directory
|
| 4 |
Requires at least: 4
|
| 5 |
-
Tested up to: 5.
|
| 6 |
-
Stable tag: 2.5.
|
| 7 |
|
| 8 |
Get Paid with Paid Memberships Pro: The most complete member management and membership subscriptions plugin for your WordPress site.
|
| 9 |
|
|
@@ -153,6 +153,10 @@ Not sure? You can find out by doing a bit a research.
|
|
| 153 |
9. Membership Account page, display all sections or show specific sections using shortcode attributes.
|
| 154 |
|
| 155 |
== Changelog ==
|
|
|
|
|
|
|
|
|
|
|
|
|
| 156 |
= 2.5.2 - 2020-10-23 =
|
| 157 |
* BUG FIX: Fixed issue where the RECAPTCHA library wasn't being loaded early enough to validate at checkout.
|
| 158 |
* BUG FIX: Fixed issue where code in the Stripe class was unsetting some required fields, even if Stripe was not being used at checkout.
|
| 2 |
Contributors: strangerstudios, kimannwall, andrewza, dlparker1005, paidmembershipspro
|
| 3 |
Tags: memberships, members, subscriptions, ecommerce, user registration, member, membership, e-commerce, paypal, stripe, braintree, authorize.net, payflow, restrict access, restrict content, directory
|
| 4 |
Requires at least: 4
|
| 5 |
+
Tested up to: 5.6
|
| 6 |
+
Stable tag: 2.5.3
|
| 7 |
|
| 8 |
Get Paid with Paid Memberships Pro: The most complete member management and membership subscriptions plugin for your WordPress site.
|
| 9 |
|
| 153 |
9. Membership Account page, display all sections or show specific sections using shortcode attributes.
|
| 154 |
|
| 155 |
== Changelog ==
|
| 156 |
+
= 2.5.3 - 2021-01-26 =
|
| 157 |
+
* SECURITY: Fixed indirect object reference vulnerability where order information, including customer names, email addresses, and order numbers could be accessed by non-admin WordPress users. (Thanks, WP Plugins Team)
|
| 158 |
+
* SECURITY: Now checking ReCAPTCHA validation before enabling the submit button on the checkout form when using ReCAPTCHA v2. This helps to keep bad actors from testing credit cards on your checkout page. We were already doing a similar check when using ReCAPTCHA v3. Further updates to rate limit credit card failures are planned.
|
| 159 |
+
|
| 160 |
= 2.5.2 - 2020-10-23 =
|
| 161 |
* BUG FIX: Fixed issue where the RECAPTCHA library wasn't being loaded early enough to validate at checkout.
|
| 162 |
* BUG FIX: Fixed issue where code in the Stripe class was unsetting some required fields, even if Stripe was not being used at checkout.
|
