v2.5.6

• SECURITY: Now sanitizing and escaping the order parameter when filtering the users table in the dashboard. (Thanks, Gen Sato)
• BUG FIX/ENHANCEMENT: Now hiding the ApplePay/GooglePay "Payment Request" buttons when the main checkout form is submitted. This helps to prevent double checkouts.
• BUG FIX: Fixed missing membership data in the billing failed email.

v2.5.5

• SECURITY: Better sanitization of parameters on some REST API endpoints.
• SECURITY: Now showing reCAPTCHA field at checkout even for logged in users.
• ENHANCEMENT: Added find_billing_address() method to the MemberOrder class. This will look for the address on the last order with the same sub id or in user meta.
• ENHANCEMENT: Better styling for invoices shown on the frontend.
• ENHANCEMENT: No longer forcing column width % in the members list table.
• ENHANCEMENT: Added a pmpro_doing_webhook action that is fired at the beginning of our webhook/IPN handlers.
• ENHANCEMENT: Added a pmpro_membership_level_after_billing_details_settings hook to the edit membership level page. This hook should now be used to add billing related settings.
• BUG FIX/ENHANCEMENT: Allowing order total to be set to 0, even if there is a subtotal and tax amount.
• BUG FIX/ENHANCEMENT: Stripe checkout fields will now use the language set in the Stripe settings.
• BUG FIX/ENHANCEMENT: The URL check in our notifications code now accepts arrays (e.g. to see if a URL has one of a group of top level domains). This fixes a warning some may have seen in error logs.
• BUG FIX: Fixed issues where totals on PayPal recurring payments were sometimes incorrect if both an mt_gross and amount field were passed via IPN.

v2.5.4

• ENHANCEMENT: Bump license year 2021 - 10 years.
• ENHANCEMENT: Now passing billing street in pmpro_tax filter.
• ENHANCEMENT: Prefixed our pmpro_stripeResponseHandler function to avoid conflicts.
• ENHANCEMENT: Added getRealPaymentTransactionId method to PayPal Express gateway class to recover a missing transaction ID.
• ENHANCEMENT: Added pmpro_checkout_before_form action to hook anything before the membership checkout form.
• ENHANCEMENT: Added avatar as a valid field type for the [pmpro_member] shortcode.
• ENHANCEMENT: Changed license key field to text type and unmasked. Masking implied the key was hashed before saving which is not true.
• ENHANCEMENT: Addedpmpro_discount_code_used action hook for when a discount code is used.
• ENHANCEMENT: Stripe will now pull billing address info for recurring orders from webhooks.
• BUG FIX/ENHANCEMENT: Improved user interface, error handling, and messages in the frontend password reset process.
• BUG FIX/ENHANCEMENT: Added a space between state and zip code in billing info.
• BUG FIX/ENHANCEMENT: Now rounding amount sent with Stripe payment request button.
• BUG FIX/ENHANCEMENT: Improved pmpro_check_plugin_version function to also check a specific value of the get_plugin_data array.
• BUG FIX/ENHANCEMENT: Added pmpro_membership_levelmeta and pmpro_membership_ordermeta tables to uninstall process.
• BUG FIX/ENHANCEMENT: Escaped things in SQL queries in 2Checkout INS service handler.
• BUG FIX/ENHANCEMENT: Cleaned up levels page template and added MMPU compatibility.
• BUG FIX/ENHANCEMENT: Fixed pagination and export issues with a discount code filter on the Orders admin page.
• BUG FIX/ENHANCEMENT: Prefixed our pmpro_stripeResponseHandler function to avoid conflicts with other Stripe code that may not be prefixed.
• BUG FIX/ENHANCEMENT: Cleaned up conditionals and escaping improvements in the pmpro_redirect_to_logged_in function.
• BUG FIX/ENHANCEMENT: Fixed deprecation notices for sites running PHP 8.
• BUG FIX/ENHANCEMENT: Improved SQL query format in the applydiscountcode service.
• BUG FIX: Fixed issues with ReCAPTCHA v2 and certain gateways.
• BUG FIX: Fixed bug where blog name was not showing in Admin Activity email.
• BUG FIX: Improved incorrect PHP doc blocks.
• BUG FIX: Fixed an issue on some sites where password reset link in email was incorrect.
• BUG FIX: Fixed level change issues during 2Checkout checkout.
• BUG FIX: Fixed issue where checkout_levels REST API endpoint could return the wrong initial payment
• BUG FIX: Fixed undefined notice for timestamp variable in the Stripe gateway class.
• BUG FIX: Avoiding warnings when user ids are in the memberships_users table, but a user doesn't exist.
• BUG FIX: Now setting the correct value for membership_id in the admin change emails.

v2.5.3

• SECURITY: Fixed indirect object reference vulnerability where order information, including customer names, email addresses, and order numbers could be accessed by non-admin WordPress users. (Thanks, WP Plugins Team)
• SECURITY: Now checking ReCAPTCHA validation before enabling the submit button on the checkout form when using ReCAPTCHA v2. This helps to keep bad actors from testing credit cards on your checkout page. We were already doing a similar check when using ReCAPTCHA v3. Further updates to rate limit credit card failures are planned.

v2.5.2

• BUG FIX: Fixed issue where the RECAPTCHA library wasn't being loaded early enough to validate at checkout.
• BUG FIX: Fixed issue where code in the Stripe class was unsetting some required fields, even if Stripe was not being used at checkout.

v2.5.1

• SECURITY: Fixed XSS vulnerability on the Members List page of the dashboard. (Thanks, Ron Masas from Checkmarx.com)
• ENHANCEMENT: Add Ukrainian Hryvnia currency. (Thanks, Mirco Babini)
• ENHANCEMENT: Added a "non-members" option to the Beaver Build module.
• BUG FIX: Fixed issue where only USD and US were allowed with Stripe's GooglePay/ApplePay buttons.
• BUG FIX: Fixed issue where some profile fields, e.g. those added with Register Helper, were accidentally updated or removed when accessing the frontend profile page.
• BUG FIX: Fixed issue with tracking discount code uses when using the 2Checkout gateway. (Thanks, karambk on GitHub)
• BUG FIX: No longer running excerpts through wpautop when a more tag is used.

v2.5

• FEATURE: When using the Stripe Gateway, you may now allow users to pay using Apple Pay, Google Pay, or Microsoft Pay depending on their browser. Enable this feature from the payment settings page.
• FEATURE: Added Divi Builder compatibility.
• FEATURE: Updated the Braintree Gateway class to be able to use the Braintree API for the pmpro_next_payment() function. Note, for performance reasons, you must call this method directly or enable it by hooking it up with code like add_filter('pmpro_next_payment', array('PMProGateway_braintree', 'pmpro_next_payment'), 10, 3);
• FEATURE: Added ordermeta tables and functions. We will wait about a year for all users to upgrade before using these widespread. (Thanks, Mirco Babini)
• ENHANCEMENT: The "short" version of the level cost text for a free level is now "Free" instead of "0.00 now".
• ENHANCEMENT: Added a get_original_subscription_order method to the MemberOrder class. This will return the first order in a subscription when called from a recurring order.
• ENHANCEMENT: Removed the old style license nags.
• BUG FIX/ENHANCEMENT: Using microtime and a static counter int to make sure our order and discount codes are unique. In the past very high traffic sites could run into duplicates if two checkouts happened at the exact same second.
• BUG FIX/ENHANCEMENT: Adjust order delete prompt to support other locales.
• BUG FIX/ENHANCEMENT: Better handling of tax amounts in recurring payments, e.g. when using the PMPro VAT Tax add on.
• BUG FIX/ENHANCEMENT: Optimized how often we hit the Stripe API when events on the checkout page could potentially update the price of checkout.
• BUG FIX/ENHANCEMENT: The checkout_levels api call now takes level as param.
• BUG FIX/ENHANCEMENT: No longer running sanitize_text_field on password fields. This would break passwords that had strings of characters resembling html tags.
• BUG FIX/ENHANCEMENT: Now warning admins if the Stripe billing period is longer than 1 year. Billing periods greater than 1 year are not allowed by Stripe.
• BUG FIX/ENHANCEMENT: Now detecting when a Stripe webhook is set up for an older version of the Stripe API and showing a notice with a link to update.
• BUG FIX/ENHANCEMENT: Adding MAXFAILEDPAYMENTS=1 to PayPal add subscription requests. This tells PayPal to cancel a subscription after the first failed payment. In our experience, the automatic retries rarely worked well. This change fixes issues with subscriptions going out of sync or users retaining access to your site when their payment has failed. Members still receive the payment failed email, which prompts users to return to the site to renew.
• BUG FIX/ENHANCEMENT: Fixing some issues where we are adding extra break tags into the password reset email. There are still some issues like this when using certain plugins. We are working on a general fix.
• BUG FIX/ENHANCEMENT: Removed the "coupon amount" field from the edit order page. These were hold outs from the 2007! ecommerce plugin PMPro was forked from. You can set the pmpro_orders_show_coupon_amounts filter to __return_true to show these fields again if you were using them for tracking things in your custom code.
• BUG FIX: Fixed MMPU compatibility when using discount codes.
• BUG FIX: No longer filtering the wp login url when on wp-login.php. This fixes issues with iThemes Security 2FA.
• BUG FIX: Fixed issues where the Stripe webhook was not being updated sometimes when clicking the button to update.
• BUG FIX: Fixed some notices and warnings when using Braintree.
• BUG FIX: Now resetting memberslist page number when changing shown level.
• BUG FIX: Now ensuring that the discount code field updates, update the Request Button price.
• BUG FIX: Fixed issue where non-pretty permalinks may break frontend password resets.
• BUG FIX: Fixed invoice links on the account page. (Thanks, Mateusz Hołtyn)
• BUG FIX: Fixed incorrect label "for" attribute for uninstall setting.
• BUG FIX: Fixed issue where some free plugins distributed by PMPro would show warnings about requiring a Plus license.

v2.4.4

• BUG FIX: Fixed fatal error that sometimes occurred on the payment settings page when using PHP 5.6 or earlier.
• BUG FIX: Fixed fatal errors that showed up on the frontend invoice page.
• BUG FIX: Fixed issue where the confirmation message was not showing up in the confirmation email if that option was checked.
• ENHANCEMENT: Added a pmpro_stripe_charge_params filter that can be used to edit or add params sent to the Stripe create charge method. (Thanks, Michael Bester)
• ENHANCEMENT: Tweaked the markup of the invoice page so the payment type information looks a little better.

v2.4.3

• SECURITY: Fixed a cross-site scripting vulnerability in the code that updates the Required Membership settings on a post. This vulnerability could have been used in conjunction with other security vulnerabilities to trick an admin into editing the membership settings for a page, potentially exposing members only content to non-members. It is unlikely that there was any active exploitation of this vulnerability. This issue may also have shown up as a bug on some sites using page builders, where the membership settings for a post would be cleared out when editing a post. (Thanks to the wp.org plugin review team for catching this issue.)
• SECURITY: Better escaping of variables shown in the Require Membership meta box and related SQL queries.
• BUG FIX/ENHANCEMENT: Renamed the Vietnamese language files to match what is expected.

v2.4.2

• SECURITY: Updated the PMPro REST API endpoints accessed via the GET method to also require appropriate capabilities to access. The membership confirmation text will be hidden from non-members and non-admins. The endpoints to check a user's level or access to a post require the pmpro_edit_memberships capability now. You should make sure your API users have the appropriate capabilities to use the API. You can use the pmpro_rest_api_route_capabilities filter and/or pmpro_rest_api_permissions filter to change this behavior.
• BUG FIX: Fixed issues with the PMPro REST API endpoints, including the discount code and checkout level endpoints.
• BUG FIX: Fixed issue with backslashes in the display name when editing form the PMPro frontend profile page.
• BUG FIX: Fixed issue where timestamps were showing up incorrectly for recent orders shown on the dashboard page.
  BUG FIX: Fixed issue where PMPro would always try to add capabilities to the administrator role, even if you removed that role for some reason.
• ENHANCEMENT: Added a pmpro_get_no_access_message() function, which can be used to show the no access messages.
• ENHANCEMENT: Added a "show_noaccess" property to the membership shortcode. When set, it will show the noaccess message to users who don't have the levels specified.
• ENHANCEMENT: Added a pmpro_user_profile_update_errors hook, which can be used to show errors on the PMPro frontend profile page.
• ENHANCEMENT: The pmpro_set_capabilities_for_role() function now returns true or false if the caps were added in case others want to use this function and tell if it worked.
• ENHANCEMENT: You can now include links in the description of the fields you add to the PMPro advanced settings page via the pmpro_custom_advanced_settings filter.
• ENHANCEMENT: Updated the PayPal gateways to use the latest versions of the PayPal buttons.
• ENHANCEMENT: Fixed styling of the PMPro update script notice.
• ENHANCEMENT: Added the pmpro_account_membership_expiration_text filter to the expiration dates shown on the cancel page when using MMPU.