Security Note 10

Published: August 08, 2024


Security issue details

We recently received several reports of incidents where stolen credit card information is being "tested" using the aMember Payment API. This has been observed with our Authorize.Net integration, but it can also occur with other payment plugins.

Please note that this issue is not related to any security problem in aMember Pro. Your customers' credit card information remains safe and unaffected.

However, it's essential to be aware that multiple failed payment attempts can cause problems with your payment system account, potentially even locking it. We hope that payment processors will implement protections against this issue on their end, and many are already taking steps to do so.

From our side, we have released an immediate update to aMember Pro (version 6.3.30). This update includes code that limits credit card payment attempts by customer and by IP address. We strongly recommend that all aMember Pro customers install this update as soon as possible to ensure the continued security and functionality of their payment systems.
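To illustrate why the limit is applied both by customer and by IP address, here is an added example; it is not aMember's code. The class name, thresholds and one-hour window are assumptions chosen for the demonstration, and the sample attempts are constructed.

```python
from collections import defaultdict, deque

class AttemptLimiter:
    """Sliding-window cap on card payment attempts, per customer and per IP."""

    def __init__(self, max_per_customer=3, max_per_ip=5, window_s=3600):
        # Thresholds are illustrative assumptions, not aMember's values.
        self.limits = {"customer": max_per_customer, "ip": max_per_ip}
        self.window_s = window_s
        self.seen = defaultdict(deque)  # (kind, value) -> attempt timestamps

    def _count(self, key, now):
        q = self.seen[key]
        while q and q[0] <= now - self.window_s:  # drop expired attempts
            q.popleft()
        return len(q)

    def check(self, customer, ip, now):
        """Return (allowed, reason); call before the charge reaches the gateway."""
        keys = [("customer", customer), ("ip", ip)]
        for key in keys:
            if self._count(key, now) >= self.limits[key[0]]:
                return False, key[0]  # refused locally, gateway never sees it
        for key in keys:
            self.seen[key].append(now)  # count only attempts sent onward
        return True, None

# Constructed sample (seconds, customer, source IP); IPs are documentation ranges.
SAMPLE = (
    # One IP cycling through customer accounts: only the IP limit catches it.
    [(5 * i, f"u{i + 1}", "203.0.113.7") for i in range(6)]
    # One customer arriving from rotating IPs: only the customer limit catches it.
    + [(30 + 5 * i, "u9", f"198.51.100.{i + 1}") for i in range(4)]
    # After the window has passed, the first IP may try again.
    + [(3700, "u6", "203.0.113.7")]
)

def replay(attempts):
    limiter = AttemptLimiter()
    return [limiter.check(customer, ip, t) for t, customer, ip in attempts]

if __name__ == "__main__":
    for attempt, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(attempt, verdict)
```

Refused attempts are not forwarded to the payment processor, so they do not add to the failed-transaction count on the merchant account.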

Problem details

An aMember Pro site admin sees an unusually large number of payment attempts when opening the aMember CP -> Invoices page. Several customers were contacted by the payment system (Authorize.net) regarding this.

Methods of protection

Method 1 – Upgrade to latest aMember release

Upgrade your installation to aMember version 6.3.30

Method 2 – Use the payment processor's hosted payment page

Consider switching to an alternative payment plugin, which is likely offered through the same payment processor. In this scenario, you will not be responsible for any failed credit card transactions, as the payment processor will handle the issue according to their standard practice.

Contact Us

As always, you can ask us any questions via aMember HelpDesk.