A critical vulnerability has been discovered in the memberships plugin for WordPress called Paid Memberships Pro (aka PMPro).
If left unpatched, a WordPress installation utilizing a version of Paid Memberships Pro prior to 1.7.15 could allow an attacker to gain information about your web server and WordPress install which can be used to further attack your site.
Specifically, the update ensures: “the /services/getfile.php script has been disabled by default. You must set the PMPRO_GETFILE_ENABLED constant to true or 1 to allow the script to run. Additionally, the script will strip ../ and /. type strings out of the URI when looking for files to get and will not read any files using the extensions set via the pmpro_getfile_extension_blacklist filter. By default inc, php, php3, php4, php5, phps, and phtml file types are not allowed.”
Any site utilizing Paid Memberships Pro should update to the patched version of the plugin immediately.
The current version of Paid Memberships Pro is 126.96.36.199 and can be downloaded from WordPress.org.
For more details on the vulnerability, please visit the Paid Memberships Pro blog:
Critical Security Update. PMPro v1.7.15
NO ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been affected by this vulnerability.