Version 2.12.6 of Paid Memberships Pro is out with a very important security fix.
All versions of PMPro since 2.3 are vulnerable to the issue fixed in this release. The vulnerability allows malicious actors with no authorization to add new levels or change the details of existing levels, including the level price. With this ability, someone could change a level price to $0, allowing them to bypass your paywall or otherwise cause issues with your site.
You can update Paid Memberships Pro from the plugins page of your WordPress dashboard or get the latest version of PMPro here.
We have no reason to believe that this vulnerability is being abused widely, but to be sure your site was not impacted by this issue, double-check that your membership levels are all still configured as intended: confirm that no level's price has been changed (for example, to $0) and that no levels you did not create have been added.
Thanks to Craig Smith and WordFence for the responsible disclosure of this issue.
The full list of updates in v2.12.6 is below.
- SECURITY: Fixed a security issue where unauthorized users could abuse the REST API endpoints to add new levels or edit existing levels. (Thanks, Craig Smith at WordFence)
- BUG FIX: Now hiding level confirmation messages from the output returned by the checkout_levels API route.
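The security fix above concerns REST API routes that could be reached without proper authorization. The following is an added illustration of that class of bug in generic WordPress plugin code; it is not PMPro's code and does not show how PMPro's routes are registered. The `example/v1` namespace, the route paths, the `example_update_level` callback and the use of the `manage_options` capability are all assumptions made for the example. It shows a level-editing route registered with a `permission_callback` that lets anyone through, beside a hardened registration that requires a capability and validates its arguments.

```php
<?php
// Added example, not code from Paid Memberships Pro. Hypothetical plugin code
// showing a REST route that edits a membership level. Namespace, routes,
// callback name and capability are assumptions.

// WEAK: '__return_true' makes the route public. Any visitor, logged in or not,
// can send a POST/PUT here and rewrite the level's price.
add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/levels/(?P<id>\d+)', array(
		'methods'             => WP_REST_Server::EDITABLE,
		'callback'            => 'example_update_level',
		'permission_callback' => '__return_true',
	) );
} );

// HARDENED: the permission_callback requires a capability. Unauthenticated
// REST requests run as a logged-out user, and cookie-authenticated requests
// without a valid X-WP-Nonce header are also treated as logged out, so
// current_user_can() is false for both and the request is rejected.
add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/levels-secure/(?P<id>\d+)', array(
		'methods'             => WP_REST_Server::EDITABLE,
		'callback'            => 'example_update_level',
		'permission_callback' => function ( WP_REST_Request $request ) {
			// 'manage_options' is assumed; a real plugin would use its own
			// level-management capability here.
			if ( ! current_user_can( 'manage_options' ) ) {
				return new WP_Error(
					'rest_forbidden',
					__( 'You are not allowed to edit membership levels.' ),
					array( 'status' => rest_authorization_required_code() ) // 401 or 403
				);
			}
			return true;
		},
		'args' => array(
			'id' => array(
				'validate_callback' => function ( $value ) {
					return is_numeric( $value ) && (int) $value > 0;
				},
			),
			'initial_payment' => array(
				'type'              => 'number',
				'minimum'           => 0,
				'required'          => true,
				'sanitize_callback' => function ( $value ) {
					return (float) $value;
				},
			),
		),
	) );
} );

// Stand-in for the level update. A real plugin would write to its own levels
// table; here the price is stored in an option so the example is self-contained.
function example_update_level( WP_REST_Request $request ) {
	$level_id = (int) $request['id'];
	$price    = (float) $request->get_param( 'initial_payment' );

	update_option( 'example_level_' . $level_id . '_initial_payment', $price );

	return rest_ensure_response( array(
		'id'              => $level_id,
		'initial_payment' => $price,
	) );
}
```

The point to take from the hardened version is that authorization for a state-changing REST route lives in `permission_callback`, not in the handler: WordPress evaluates it before the callback runs, and returning a `WP_Error` with `rest_authorization_required_code()` yields a 401 for anonymous callers and a 403 for authenticated users who lack the capability. Argument validation in `args` is a second layer; it does not replace the capability check.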