Merge branch 'dev' into v2.3

CHANGELOG.txt

@@ -1,11 +1,22 @@
 == Changelog ==
-= 2.3.2 2020-05-07 =
+= 2.3.3 - 2020-05-12 =
+* SECURITY: Fixed SQL injection vulnerability when logged in as an administrator and adding new orders in the dashboard. JVN#20248858 (Thanks, Kenichi Okuno of Mitsui Bussan Secure Directions, Inc)
+* SECURITY: Making sure to properly escape all values on the add/edit order form in the dashboard.
+* BUG FIX: Now properly setting the order status to "error" when an initial payment fails when using PayPal Express. Before the order status would be set as "cancelled", which would count the order toward reports and make it harder to find orders that had errors. (Thanks, Mirco Babini)
+* BUG FIX: Fixed issue with the PMPro logo and some other assets loading over the wrong schema (http vs https) in some cases.
+* BUG FIX: Fixed issue where the chosen discount code was not shown after submitting when adding a new order through the dashboard.
+* BUG FIX/ENHANCEMENT: Using "PMPro" in the admin activity email subject to keep the line shorter and avoid issues when replacing the word "member" via gettext.
+* ENHANCEMENT: Added a pmpro_allow_weak_passwords filter. You can set this to return true (like this https://gist.github.com/ideadude/5a12119b9ce1c2aad87b2d69cb8f9505) to allow weak passwords on the change password and reset password pages. Note that at this time, weak passwords are still allowed no matter the value of this filter. We expect to change that in the future. For now, you can use our PMPro Strong Passwords plugin to force strong passwords at checkout.
+* REFACTOR: Updated the logic around checking the PMPRO_IPN_DEBUG constant in the IPN handler. (Thanks, Mirco Babini)
+
+= 2.3.2 - 2020-05-07 =
 * BUG FIX: Fixed errors calling is_main_query() that came up with certain themes.
 * BUG FIX: Fixed typo in the pmpro_account_profile_action_links filter.
 * BUG FIX/ENHANCEMENT: Added a new force parameter to the pmpro_getAllLevels() function. This is used by the Multisite Membership Add On to fix an issue where levels were missing or incorrect on the subsites.
 * ENHANCEMENT: Removed mention of the ezAdsense plugin, which has been discontinued.
+* ENHANCEMENT: Added $recipient param in sendAdminActivity() function so you can send additional activity emails like this https://gist.github.com/dparker1005/6bf650370a12aef44adf8c8c26d3e906
 
-= 2.3.1 2020-05-01 =
+= 2.3.1 - 2020-05-01 =
 * BUG FIX: Fixed infinite redirect issue if no account page was set. Fixed a few other places where we do is_page() type checks just in case.
 * BUG FIX: Fixed issue where all pages were retitled to Welcome when logged in, if no login page was set.
 * BUG FIX: Fixed issue with BuddyBoss and other themes/plugins that use the_title filter with only one parameter.

classes/class-pmpro-admin-activity-email.php

@@ -405,7 +405,7 @@ public function sendAdminActivity( $frequency = '', $recipient = null ) {
 		}
 		$this->email = $recipient;
 
-		$this->subject  = sprintf( __( '[%1$s] Paid Memberships Pro Activity for %2$s: %3$s', 'paid-memberships-pro' ), get_bloginfo( 'name' ), ucwords( $term ), $date_range );
+		$this->subject  = sprintf( __( '[%1$s] PMPro Activity for %2$s: %3$s', 'paid-memberships-pro' ), get_bloginfo( 'name' ), ucwords( $term ), $date_range );
 		$this->template = 'admin_activity_email';
 		$this->body     = $admin_activity_email_body;
 		$this->from     = pmpro_getOption( 'from' );

classes/class.memberorder.php

@@ -654,40 +654,40 @@ function saveOrder()
 				$after_action = "pmpro_updated_order";
 				//update
 				$this->sqlQuery = "UPDATE $wpdb->pmpro_membership_orders
-									SET `code` = '" . $this->code . "',
-									`session_id` = '" . $this->session_id . "',
+									SET `code` = '" . esc_sql( $this->code ) . "',
+									`session_id` = '" . esc_sql( $this->session_id ) . "',
 									`user_id` = " . intval($this->user_id) . ",
 									`membership_id` = " . intval($this->membership_id) . ",
-									`paypal_token` = '" . $this->paypal_token . "',
+									`paypal_token` = '" . esc_sql( $this->paypal_token ) . "',
 									`billing_name` = '" . esc_sql($this->billing->name) . "',
 									`billing_street` = '" . esc_sql($this->billing->street) . "',
 									`billing_city` = '" . esc_sql($this->billing->city) . "',
 									`billing_state` = '" . esc_sql($this->billing->state) . "',
 									`billing_zip` = '" . esc_sql($this->billing->zip) . "',
 									`billing_country` = '" . esc_sql($this->billing->country) . "',
 									`billing_phone` = '" . esc_sql($this->billing->phone) . "',
-									`subtotal` = '" . $this->subtotal . "',
-									`tax` = '" . $this->tax . "',
-									`couponamount` = '" . $this->couponamount . "',
+									`subtotal` = '" . esc_sql( $this->subtotal ) . "',
+									`tax` = '" . esc_sql( $this->tax ) . "',
+									`couponamount` = '" . esc_sql( $this->couponamount ) . "',
 									`certificate_id` = " . intval($this->certificate_id) . ",
-									`certificateamount` = '" . $this->certificateamount . "',
-									`total` = '" . $this->total . "',
-									`payment_type` = '" . $this->payment_type . "',
-									`cardtype` = '" . $this->cardtype . "',
-									`accountnumber` = '" . $this->accountnumber . "',
-									`expirationmonth` = '" . $this->expirationmonth . "',
-									`expirationyear` = '" . $this->expirationyear . "',
+									`certificateamount` = '" . esc_sql( $this->certificateamount ) . "',
+									`total` = '" . esc_sql( $this->total ) . "',
+									`payment_type` = '" . esc_sql( $this->payment_type ) . "',
+									`cardtype` = '" . esc_sql( $this->cardtype ) . "',
+									`accountnumber` = '" . esc_sql( $this->accountnumber ) . "',
+									`expirationmonth` = '" . esc_sql( $this->expirationmonth ) . "',
+									`expirationyear` = '" . esc_sql( $this->expirationyear ) . "',
 									`status` = '" . esc_sql($this->status) . "',
-									`gateway` = '" . $this->gateway . "',
-									`gateway_environment` = '" . $this->gateway_environment . "',
+									`gateway` = '" . esc_sql( $this->gateway ) . "',
+									`gateway_environment` = '" . esc_sql( $this->gateway_environment ) . "',
 									`payment_transaction_id` = '" . esc_sql($this->payment_transaction_id) . "',
 									`subscription_transaction_id` = '" . esc_sql($this->subscription_transaction_id) . "',
 									`timestamp` = '" . esc_sql($this->datetime) . "',
 									`affiliate_id` = '" . esc_sql($this->affiliate_id) . "',
 									`affiliate_subid` = '" . esc_sql($this->affiliate_subid) . "',
 									`notes` = '" . esc_sql($this->notes) . "',
 									`checkout_id` = " . intval($this->checkout_id) . "
-									WHERE id = '" . $this->id . "'
+									WHERE id = '" . esc_sql( $this->id ) . "'
 									LIMIT 1";
 			}
 			else
@@ -705,32 +705,32 @@ function saveOrder()
 				//insert
 				$this->sqlQuery = "INSERT INTO $wpdb->pmpro_membership_orders
 								(`code`, `session_id`, `user_id`, `membership_id`, `paypal_token`, `billing_name`, `billing_street`, `billing_city`, `billing_state`, `billing_zip`, `billing_country`, `billing_phone`, `subtotal`, `tax`, `couponamount`, `certificate_id`, `certificateamount`, `total`, `payment_type`, `cardtype`, `accountnumber`, `expirationmonth`, `expirationyear`, `status`, `gateway`, `gateway_environment`, `payment_transaction_id`, `subscription_transaction_id`, `timestamp`, `affiliate_id`, `affiliate_subid`, `notes`, `checkout_id`)
-								VALUES('" . $this->code . "',
-									   '" . session_id() . "',
+								VALUES('" . esc_sql( $this->code ) . "',
+									   '" . esc_sql( session_id() ) . "',
 									   " . intval($this->user_id) . ",
 									   " . intval($this->membership_id) . ",
-									   '" . $this->paypal_token . "',
+									   '" . esc_sql( $this->paypal_token ) . "',
 									   '" . esc_sql(trim($this->billing->name)) . "',
 									   '" . esc_sql(trim($this->billing->street)) . "',
 									   '" . esc_sql($this->billing->city) . "',
 									   '" . esc_sql($this->billing->state) . "',
 									   '" . esc_sql($this->billing->zip) . "',
 									   '" . esc_sql($this->billing->country) . "',
-									   '" . cleanPhone($this->billing->phone) . "',
-									   '" . $this->subtotal . "',
-									   '" . $tax . "',
-									   '" . $this->couponamount. "',
+									   '" . esc_sql( cleanPhone($this->billing->phone) ) . "',
+									   '" . esc_sql( $this->subtotal ) . "',
+									   '" . esc_sql( $tax ) . "',
+									   '" . esc_sql( $this->couponamount ). "',
 									   " . intval($this->certificate_id) . ",
-									   '" . $this->certificateamount . "',
-									   '" . $total . "',
-									   '" . $this->payment_type . "',
-									   '" . $this->cardtype . "',
-									   '" . hideCardNumber($this->accountnumber, false) . "',
-									   '" . $this->expirationmonth . "',
-									   '" . $this->expirationyear . "',
+									   '" . esc_sql( $this->certificateamount ) . "',
+									   '" . esc_sql( $total ) . "',
+									   '" . esc_sql( $this->payment_type ) . "',
+									   '" . esc_sql( $this->cardtype ) . "',
+									   '" . esc_sql( hideCardNumber($this->accountnumber, false) ) . "',
+									   '" . esc_sql( $this->expirationmonth ) . "',
+									   '" . esc_sql( $this->expirationyear ) . "',
 									   '" . esc_sql($this->status) . "',
-									   '" . $this->gateway . "',
-									   '" . $this->gateway_environment . "',
+									   '" . esc_sql( $this->gateway ) . "',
+									   '" . esc_sql( $this->gateway_environment ) . "',
 									   '" . esc_sql($this->payment_transaction_id) . "',
 									   '" . esc_sql($this->subscription_transaction_id) . "',
 									   '" . esc_sql($this->datetime) . "',

includes/admin.php

@@ -32,7 +32,13 @@ function pmpro_admin_init_redirect_to_dashboard() {
 function pmpro_block_dashboard() {
 	global $current_user;
 	$block_dashboard = pmpro_getOption( 'block_dashboard' );
-	if ( ! wp_doing_ajax() && ! empty( $block_dashboard ) && in_array( 'subscriber', (array) $current_user->roles ) ) {
+
+	if ( ! wp_doing_ajax()
+			&& ! empty( $block_dashboard )
+			&& ! current_user_can( 'manage_options' )
+			&& ! current_user_can( 'edit_users' )
+			&& ! current_user_can( 'edit_posts' )
+			&& in_array( 'subscriber', (array) $current_user->roles ) ) {
 		$block = true;
 	} else {
 		$block = false;

includes/functions.php

@@ -1074,6 +1074,10 @@ function pmpro_changeMembershipLevel( $level, $user_id = null, $old_level_status
 
 			if ( ! empty( $c_order->error ) ) {
 				$pmpro_error = $c_order->error;
+			} else {
+				if( $old_level_status == 'error' ) {
+					$c_order->updateStatus("error");
+				}
 			}
 		}
 	}
@@ -3255,4 +3259,4 @@ function pmpro_int_compare( $a, $b, $operator ) {
 	}
 
 	return $r;
-}
+}

includes/scripts.php

@@ -69,10 +69,22 @@ function pmpro_enqueue_scripts() {
                             array( 'jquery', 'password-strength-meter' ),
                             PMPRO_VERSION );
 
+        /**
+         * Filter to allow weak passwords on the 
+         * change password and reset password forms.
+         * At this time, this only disables the JS check on the frontend.
+         * There is no backend check for weak passwords on those forms.
+         * 
+         * @since 2.3.3
+         *
+         * @param bool $allow_weak_passwords    Whether to allow weak passwords.
+         */
+        $allow_weak_passwords = apply_filters( 'pmpro_allow_weak_passwords', false );
+
         wp_localize_script( 'pmpro_login', 'pmpro', array(
             'pmpro_login_page' => 'changepassword',
 			'strength_indicator_text' => __( 'Strength Indicator', 'paid-memberships-pro' ),
-        ));
+            'allow_weak_passwords' => $allow_weak_passwords ) );
         wp_enqueue_script( 'pmpro_login' );	
     }
 }

js/pmpro-login.js

@@ -29,11 +29,15 @@ jQuery(document).ready(function(){
 		switch ( strength ) {
 			case -1:
 				indicator.addClass( 'empty' ).html( ' ' );
-				submitbutton.prop( 'disabled', true );
+				if ( pmpro.allow_weak_passwords === '' ) {
+					submitbutton.prop( 'disabled', true );
+				}
 				break;
 			case 2:
 				indicator.addClass( 'bad' ).html( pwsL10n.bad );
-				submitbutton.prop( 'disabled', true );
+				if ( pmpro.allow_weak_passwords === '' ) {
+					submitbutton.prop( 'disabled', true );
+				}
 				break;
 			case 3:
 				indicator.addClass( 'good' ).html( pwsL10n.good );
@@ -49,7 +53,9 @@ jQuery(document).ready(function(){
 				break;
 			default:
 				indicator.addClass( 'short' ).html( pwsL10n['short'] );
-				submitbutton.prop( 'disabled', true );
+				if ( pmpro.allow_weak_passwords === '' ) {
+					submitbutton.prop( 'disabled', true );
+				}
 		}
 	}
 

paid-memberships-pro.php

@@ -3,7 +3,7 @@
  * Plugin Name: Paid Memberships Pro
  * Plugin URI: https://www.paidmembershipspro.com
  * Description: The most complete member management and membership subscriptions plugin for WordPress.
- * Version: 2.3.2
+ * Version: 2.3.3
  * Author: Stranger Studios
  * Author URI: https://www.strangerstudios.com
  * Text Domain: paid-memberships-pro
@@ -16,7 +16,7 @@
  */
 
 // version constant
-define( 'PMPRO_VERSION', '2.3.2' );
+define( 'PMPRO_VERSION', '2.3.3' );
 define( 'PMPRO_USER_AGENT', 'Paid Memberships Pro v' . PMPRO_VERSION . '; ' . site_url() );
 define( 'PMPRO_MIN_PHP_VERSION', '5.6' );
 
@@ -139,7 +139,7 @@
 if ( ! defined( 'SECUREURL'  ) ) {
 	define( 'SECUREURL', str_replace( 'http://', 'https://', get_bloginfo( 'wpurl' ) ) );
 }
-define( 'PMPRO_URL', WP_PLUGIN_URL . '/paid-memberships-pro' );
+define( 'PMPRO_URL', plugins_url( '', PMPRO_BASE_FILE ) );
 define( 'PMPRO_DOMAIN', pmpro_getDomainFromURL( site_url() ) );
 define( 'PAYPAL_BN_CODE', 'PaidMembershipsPro_SP' );
 

readme.txt

@@ -3,7 +3,7 @@ Contributors: strangerstudios, kimannwall, andrewza, dlparker1005
 Tags: memberships, members, subscriptions, ecommerce, user registration, member, membership, e-commerce, paypal, stripe, braintree, authorize.net, payflow, restrict access, restrict content, directory
 Requires at least: 4
 Tested up to: 5.4.1
-Stable tag: 2.3.2
+Stable tag: 2.3.3
 
 Get Paid with Paid Memberships Pro: The most complete member management and membership subscriptions plugin for your WordPress site.
 
@@ -153,13 +153,24 @@ Not sure? You can find out by doing a bit a research.
 8. Membership Account page, display all sections or show specific sections using shortcode attributes.
 
 == Changelog ==
-= 2.3.2 2020-05-07 =
+= 2.3.3 - 2020-05-12 =
+* SECURITY: Fixed SQL injection vulnerability when logged in as an administrator and adding new orders in the dashboard. JVN#20248858 (Thanks, Kenichi Okuno of Mitsui Bussan Secure Directions, Inc)
+* SECURITY: Making sure to properly escape all values on the add/edit order form in the dashboard.
+* BUG FIX: Now properly setting the order status to "error" when an initial payment fails when using PayPal Express. Before the order status would be set as "cancelled", which would count the order toward reports and make it harder to find orders that had errors. (Thanks, Mirco Babini)
+* BUG FIX: Fixed issue with the PMPro logo and some other assets loading over the wrong schema (http vs https) in some cases.
+* BUG FIX: Fixed issue where the chosen discount code was not shown after submitting when adding a new order through the dashboard.
+* BUG FIX/ENHANCEMENT: Using "PMPro" in the admin activity email subject to keep the line shorter and avoid issues when replacing the word "member" via gettext.
+* ENHANCEMENT: Added a pmpro_allow_weak_passwords filter. You can set this to return true (like this https://gist.github.com/ideadude/5a12119b9ce1c2aad87b2d69cb8f9505) to allow weak passwords on the change password and reset password pages. Note that at this time, weak passwords are still allowed no matter the value of this filter. We expect to change that in the future. For now, you can use our PMPro Strong Passwords plugin to force strong passwords at checkout.
+* REFACTOR: Updated the logic around checking the PMPRO_IPN_DEBUG constant in the IPN handler. (Thanks, Mirco Babini)
+
+= 2.3.2 - 2020-05-07 =
 * BUG FIX: Fixed errors calling is_main_query() that came up with certain themes.
 * BUG FIX: Fixed typo in the pmpro_account_profile_action_links filter.
 * BUG FIX/ENHANCEMENT: Added a new force parameter to the pmpro_getAllLevels() function. This is used by the Multisite Membership Add On to fix an issue where levels were missing or incorrect on the subsites.
 * ENHANCEMENT: Removed mention of the ezAdsense plugin, which has been discontinued.
+* ENHANCEMENT: Added $recipient param in sendAdminActivity() function so you can send additional activity emails like this https://gist.github.com/dparker1005/6bf650370a12aef44adf8c8c26d3e906
 
-= 2.3.1 2020-05-01 =
+= 2.3.1 - 2020-05-01 =
 * BUG FIX: Fixed infinite redirect issue if no account page was set. Fixed a few other places where we do is_page() type checks just in case.
 * BUG FIX: Fixed issue where all pages were retitled to Welcome when logged in, if no login page was set.
 * BUG FIX: Fixed issue with BuddyBoss and other themes/plugins that use the_title filter with only one parameter.

services/ipnhandler.php

@@ -361,22 +361,27 @@ function pmpro_ipnExit() {
 
 		echo $logstr;
 
-		//log in file or email?
-		if ( defined( 'PMPRO_IPN_DEBUG' ) && PMPRO_IPN_DEBUG === "log" ) {
-			//file
-			$loghandle = fopen( dirname( __FILE__ ) . "/../logs/ipn.txt", "a+" );
-			fwrite( $loghandle, $logstr );
-			fclose( $loghandle );
-		} elseif ( defined( 'PMPRO_IPN_DEBUG' ) ) {
-			//email
-			if ( strpos( PMPRO_IPN_DEBUG, "@" ) ) {
-				$log_email = PMPRO_IPN_DEBUG;
-			}    //constant defines a specific email address
-			else {
-				$log_email = get_option( "admin_email" );
+		//log or dont log? log in file or email?
+		//- dont log if constant is undefined or defined but false
+		//- log to file if constant is set to TRUE or 'log'
+		//- log to file if constant is defined to a valid email address
+		if ( defined( 'PMPRO_IPN_DEBUG' ) ) {
+			if( PMPRO_IPN_DEBUG === false ){
+				//dont log here. false mean no.
+				//should avoid counterintuitive interpretation of false.
+			} elseif ( PMPRO_IPN_DEBUG === "log" ) {
+				//file
+				$logfile = apply_filters( 'pmpro_ipn_logfile', dirname( __FILE__ ) . "/../logs/ipn.txt" );
+				$loghandle = fopen( $logfile, "a+" );
+				fwrite( $loghandle, $logstr );
+				fclose( $loghandle );
+			} elseif ( is_email( PMPRO_IPN_DEBUG ) ) {
+				//email to specified address
+				wp_mail( PMPRO_IPN_DEBUG, get_option( "blogname" ) . " IPN Log", nl2br( $logstr ) );							
+			} else {
+				//email to admin
+				wp_mail( get_option( "admin_email" ), get_option( "blogname" ) . " IPN Log", nl2br( $logstr ) );							
 			}
-
-			wp_mail( $log_email, get_option( "blogname" ) . " IPN Log", nl2br( $logstr ) );			
 		}
 	}