Version 2.12.9 of Paid Memberships Pro is out with one enhancement and one security update. Thanks to Scott Kingsley Clark for the responsible disclosure of the security issue. Version 2.12.10 was released soon after with a fix for an issue introduced in 2.12.9.
About the Security Issue
The security issue addressed by this update is related to the pmpro_member shortcode. It is a very useful and powerful shortcode to help membership site creators add personalization and build dashboard-like experiences for their members.
The pmpro_member shortcode can output any user or user meta field for the logged in user or a specific named user (by user ID).
For this reason, and because of the potential privacy and security risks associated with displaying user info, since version 2.12.9 only administrators and users with the edit_users capability (given to people with the Administrator role) can add this shortcode to content.
Much like how WordPress core filters the script tag from content before updating the database, we also filter out this shortcode:
- If a user without the edit_users capability adds this shortcode to post content (a page, post, or custom post type), widgets, or menus, we now remove it before saving to the database.
- We also remove the shortcode if it already exists in post content and someone without this capability edits the post.
Upgrading to version 2.12.9 will NOT remove any existing uses of the shortcode on your site.
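The save-time filtering described above, as an added illustration that is not PMPro's own code: a plugin snippet hooked on WordPress core's content_save_pre filter (applied to post_content before it is written to the database) that strips every [pmpro_member ...] tag unless the saving user has the edit_users capability. The regular expression and function names are assumptions for the example; it covers post content only, not widgets or menus.

```php
<?php
/**
 * Added example (not Paid Memberships Pro's code): remove the [pmpro_member]
 * shortcode from post content on save when the current user lacks edit_users.
 */

// Strip every self-closing [pmpro_member ...] tag from $content.
function example_strip_pmpro_member_shortcode( $content ) {
    // Assumed pattern: the tag name followed by any attributes up to the closing bracket.
    $pattern = '/\[pmpro_member\b[^\]]*\]/';
    return preg_replace( $pattern, '', $content );
}

// Leave the content untouched for users who may place the shortcode;
// everyone else has the tag removed before the post reaches the database.
function example_filter_pmpro_member_on_save( $content ) {
    if ( current_user_can( 'edit_users' ) ) {
        return $content;
    }
    return example_strip_pmpro_member_shortcode( $content );
}

// content_save_pre runs for post_content in wp_insert_post()/wp_update_post(),
// so an existing shortcode is also stripped when a lower-privileged user edits the post.
add_filter( 'content_save_pre', 'example_filter_pmpro_member_on_save', 10, 1 );
```

Because the check uses current_user_can() at save time rather than the post's original author, a shortcode placed by an administrator survives until a user without edit_users re-saves that post, which matches the second bullet above.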
How to Audit Your Site For Shortcode Usage
If you are concerned with how this shortcode may have been used in your site, here is how to audit your site:
- Navigate to Posts > All Posts in the WordPress admin.
- Search for "[pmpro_member " (be sure to include the quotes and the space at the end).
- This will show you any posts that include the pmpro_member shortcode. If you weren't using this shortcode, there may be no results.
Repeat these steps to search your Pages and any other custom post types (if applicable).
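The same audit, generalized to every post type in one pass, as an added example that is not part of the original post or of PMPro: a script run inside WordPress (for instance with WP-CLI's wp eval-file) that searches post_content for the literal "[pmpro_member " string, lists each matching tag, and flags posts whose author lacks the edit_users capability. The function name and output format are assumptions; like the manual search it does not cover widgets or menus.

```php
<?php
/**
 * Added example (not Paid Memberships Pro's code): report every post, page or
 * custom post type whose content contains the [pmpro_member shortcode.
 */
function example_audit_pmpro_member_shortcode() {
    global $wpdb;

    // esc_like() escapes % and _ so the needle is matched literally;
    // prepare() binds it into the LIKE clause safely.
    $needle = '%' . $wpdb->esc_like( '[pmpro_member ' ) . '%';

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_type, post_status, post_title, post_author, post_content
             FROM {$wpdb->posts}
             WHERE post_content LIKE %s
               AND post_status NOT IN ('auto-draft', 'trash')",
            $needle
        )
    );

    $report = array();
    foreach ( $rows as $row ) {
        // Collect each tag so the attributes (field and user ID) are visible in the report.
        preg_match_all( '/\[pmpro_member\b[^\]]*\]/', $row->post_content, $matches );
        $report[] = array(
            'id'                    => (int) $row->ID,
            'type'                  => $row->post_type,
            'status'                => $row->post_status,
            'title'                 => $row->post_title,
            // A post whose author cannot edit users deserves a closer look.
            'author_can_edit_users' => user_can( (int) $row->post_author, 'edit_users' ),
            'shortcodes'            => $matches[0],
        );
    }
    return $report;
}

foreach ( example_audit_pmpro_member_shortcode() as $entry ) {
    printf(
        "#%d [%s/%s] %s (author has edit_users: %s)\n",
        $entry['id'],
        $entry['type'],
        $entry['status'],
        $entry['title'],
        $entry['author_can_edit_users'] ? 'yes' : 'no'
    );
    foreach ( $entry['shortcodes'] as $tag ) {
        printf( "    %s\n", $tag );
    }
}
```

The query deliberately uses the same "[pmpro_member " needle as the admin search, so a tag written without attributes would not be reported by either method.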
You can update Paid Memberships Pro from the plugins page of your WordPress dashboard or get the latest version of PMPro here.
Full Changelog For v2.12.9 and v2.12.10
- SECURITY: Only users with the edit_users capability may add the pmpro_member shortcode to posts and widgets now. (Thanks, Scott Kingsley Clark)
- ENHANCEMENT: Now simplifying the members and user search on sites where wp_is_large_user_count() is true.
- BUG FIX/ENHANCEMENT: Removed the 24 option from the hours dropdown for expiration dates since the hours start with 00.