Security Note 09

03/28/2017

Security issue details

A potential security problem has been found in aMember Pro. It affects all aMember Pro versions from 4.0.0 to 5.2.1 (except 5.1.9, released today).
aMember Pro v.3 and earlier are not affected by this issue.
You need to take action to protect your aMember installation. We understand that upgrading to the latest version is not an easy option for customers running old versions of aMember, so an upgrade is NOT NECESSARY. Just follow the fix instructions described below.

Problem details

This vulnerability has been reported to CGI-Central and is not widely known. We have no information about existing exploits for this problem.
This problem is an XSS vulnerability. Fortunately, because of additional protection added to aMember, it DOES NOT ALLOW an attacker to steal sensitive information, obtain customer details or run custom PHP code on your website. However, we still recommend taking action as soon as possible to fix the problem.

Methods of protection

Method 1 – Upgrade to the latest aMember release

If you are using aMember Pro (stable) – upgrade to version 5.1.9
If you are using aMember Pro (beta) – upgrade to version 5.2.2

Method 2 – Update file

If you are running a customized version of aMember, please follow the instructions listed on this page (available to aMember Pro customers only).

Contact Us

As always, you can ask us any questions via the aMember HelpDesk. Because of the high volume of tickets, it may take up to 48 hours to respond this week. We apologize for any inconvenience.