There have been no significant issues with the current release of Quick Cache, and since we’re hard at work on a new/improved version of Quick Cache, we’re not currently updating the existing release. If significant issues arise, you can be sure we’ll address them.
The new release of Quick Cache will also be provided at WordPress.org. There WILL be a free version of the next major release. No worries. You’ll be notified in your Dashboard automatically. We’re a little behind schedule, but we’ll get there soon.
Thanks for reporting this important issue. You are absolutely correct. We’re having s2Member Pro updated for the next maintenance release, with support for “SMYR” billing intervals via Payflow integration.
Until then, I’m attaching a ZIP file with the files needed to update your installation. If you’d like to PATCH now, instead of awaiting the next release, please follow these instructions.
Unzip the attached ZIP file. Inside you’ll find two files:
– paypal-utilities.inc.php
Please upload this file, allowing it to override your existing copy of: /s2member/includes/classes/paypal-utilities.inc.php
– paypal-responses.inc.php
Please upload this file, allowing it to override your existing copy of: /s2member-pro/includes/classes/separates/gateways/paypal/paypal-responses.inc.php
Your Shortcode will now function properly rp="6" rt="M", with Payflow integration.
I just made an attempt to reproduce this, but I was unable. The additional query string argument s2member_level_req=1 is for information purposes only (for developers); as discussed here:
Did you ever figure out why this was causing a blank page on your site? I see you removed the variable, but I’ve been unable to determine why that variable would have caused a blank page. Do you have a custom .htaccess (or any s2Member hacks) you can post for us? Those could be the underlying issue on your installation?
An Unlimited Site License provides support for an unlimited number of s2Member® Product instances. Perfect for site owners with multiple domain names, and/or those who operate a WordPress® Multisite Network installation. Each of your s2Member® Product instances must be installed/activated on domains that you own & operate. This goes for all s2Member® Products that you purchase under an Unlimited Site License.
Please note… if you’re a developer, your clients will need to purchase their own Single-Site and/or Unlimited-Site License. We will not support s2Member® Product instances on domains that you do NOT own and operate yourself. We invite all developers to join our affiliate program, and refer their clients to s2Member.com, where your clients may purchase an s2Member® Product of their own. This also gives your clients access to future releases.
Each customer account at s2Member.com provides support for ONE customer. If you have clients that you’re installing s2Member Pro for, please ask them to purchase a copy of s2Member Pro for themselves. This will provide them with a Customer account here at s2Member.com, and they’ll be entitled to receive support from our staff. It is currently not possible to create sub-accounts at s2Member.com.
And although the correct data is sent to Mailchimp, it doesn’t stick in the WP user record. Within the filter, if we call get_user_option() again after calling update_user_option(), it returns the updated information. But when we go back to the list of users in the WP admin interface, it’s still got the old values.
Have we missed something?
It sounds to me like you’re using this filter for MailChimp, to not only affect the MailChimp MERGE vars, but also to update a user’s record at the same time. While it’s certainly possible to do this, I would’nt do it all inside a filter attaching to ws_plugin__s2member_mailchimp_merge_array, because that is merely a filter for a specific array of details being passed over to MailChimp.
The reason you’re seeing details properly while in your custom function that’s working together with this filter, but they’re NOT sticking, is because WordPress and s2Member are actually still in the process of registering/updating the user’s account record with a completely different set of information, which does not include the custom data you’re attempting to save upon hooking into this filter.
So the solution in a case like this, is to use the MailChimp filter only for what it’s designed for. Then use a Hook provided by WordPress or s2Member to actually save the data to the user’s account record, at the appropriate time (i.e. using a Hook that puts you right in the action, where WordPress/s2Member are actually handling the customer’s details).
I recommend this hook to save user data during registration.
I’ve just finished a careful review of the reports that you submitted privately. I’ll post my findings below for you. In short, I did not find any legitimate concern in this scan. Yes, please do let us know if your additional scans turn up any problems on your installation. We’ll be happy to review those with you as well.
Analysis of security scan
1. Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) (CWE ID 95)(194 flaws)
– Also found in s2Member Pro: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) (CWE ID 95)(2 flaws)
These are all false positives. It’s not uncommon for a scanner to pick up on these instances of the eval() PHP function, simply because the use of the eval() function in PHP, is prone to security issues when not used properly. s2Member’s use of the PHP eval() function is secured against untrusted PHP code; and thus is NOT a security issue in s2Member. Upon closer inspection (one which is NOT automated), one will find that s2Member uses the eval() function to make s2Member more accessible for plugin developers, and also to evaluate PHP code provided by advanced site owners through UI panels in the Dashboard, made available ONLY to Administrators of the site. s2Member does not make it possible for code injections be to evaluated via the PHP eval() function, or from any source other than a site Administrator.
ADDITIONAL NOTES: The use of the eval() function in PHP, is prone to security issues when not used properly. However, there are justifiable reasons to use the PHP eval() function, and s2Member’s use of eval() is justified in our opinion. Please pass this along to your security review team.
2. Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP File Inclusion’) (CWE ID 98)(2 flaws)
These are both false positives. The automated scanner has simply picked up on variables being used in an include/require call, but has not considered whether those variables came from trusted or untrusted sources. In both of these “flaws” that your scanner picked up, the variables can most definitely be trusted. They do not come from untrusted sources in any way. In fact, they are absolutely required for s2Member to function properly. These variables are established at runtime by the s2Member application, using trusted data sources.
3. Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE ID 80)(4 flaws)
All four of these were false positives. I have no explanation for why your scanner would have picked up these. It appears these were simply chosen by heuristics which might be incapable of detecting true security issues. I found nothing in any of these cases that was questionable.
4. Use of a Broken or Risky Cryptographic Algorithm (CWE ID 327)(77 flaws)
– Also found in s2Member Pro: Use of a Broken or Risky Cryptographic Algorithm (CWE ID 327)(33 flaws)
These are all false positives. Your scanner has simply picked up on s2Member’s use of the MD5() function in PHP, which has MANY justifiable uses throughout s2Member’s source code. While the MD5() hashing algorithm has been found to have some weaknesses when compared to more modern hashing algorithms, s2Member’s use of the MD5() function in PHP is not targeted to any sensitive data, rather it is simply building a hash for low-level data comparision. Anytime s2Member is truly encrypting data, that encryption is performed by s2Member using MCRYPT_RIJNDAEL_256, which a high-level encryption technique. Much more secure than a simple call to MD5().
NOTE: You will find many valid uses for the MD5() function in PHP; throughout many plugins/themes. Quite common.
5. External Control of File Name or Path (CWE ID 73)(1 flaw)
– Also found in s2Member Pro: External Control of File Name or Path (CWE ID 73)(10 flaws)
These are false positives. The arguments are passed by s2Member internally, and are not received from any unknown or untrusted source. This looks more like a scanning error to me. I’m really not sure why a scanner would ever be this senstitive. Or if it was going to be this sensitive, it should really backtrace where data is coming from, instead of assuming that data is untrusted. In any case, I suppose a manual review is better than no review at all. My impression of this scanner is that it’s assuming the worst, and asking you or your developer to confirm validity in the code. These are false positives.
6. Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE ID 89)(3 flaws)
– Referencing: trunk/…/utils-users.inc.php 42
This is a false positive. The variables being referenced are supplied by the WordPress database class itself, and have already been sanitized. In fact, the variables in question are actually referencing table names, as defined by the WordPress database class (ex: $wpdb->users, $wpdb->usermeta, etc). False positive.
Investigation completed. I was unable to reproduce the bug being reported here. So, let me instead try to explain further how s2Member functions on a Multisite Network, and then please let me know if any of you continue to have trouble.
By default, on a Multisite Network (without s2Member)…
User registration, if allowed, occurs through /wp-signup.php, regardless of which blog is being accessed, all registrations would go through /wp-signup.php. In addition, the Network Settings menu where you’re asked “Who Can Register” would affect all sites (i.e. all Child Blogs) in the Network.
Without s2Member installed, Network-wide registration settings are handled via: Network Admin -> Network Settings -> Who Can Register.
With s2Member installed on a Multisite Network…
s2Member’s Multisite Patches are applied, and we remove this limitation. It now becomes possible to collect registrations for each blog separately. Making it possible to accept registrations through either /wp-signup.php on the Main Site of your Network, or through /wp-login.php?action=register on each Child Blog, or even on the Main Site if you prefer; /wp-login.php?action=register can be used on the Main Site too.
In addition, if s2Member Pro Forms are used, registration can occur through a Pro Form introduced on-site. So, if you prefer to take more control over the registration process, it’s possible to do this with s2Member Pro Forms.
With s2Member installed, Network-wide registration settings are a moot point. This section in your Dashboard: Network Admin -> Network Settings -> Who Can Register is disabled, and instead of setting Open Registration here, you can handle this setting for the Main Site of your Network under: s2Member -> Multisite (Config) -> Multisite Registration -> Main Site / Open Registration.
For each individual blog, Open Registration is disabled by default, but can be enabled if s2Member is activated on a Child Blog, by going to s2Member -> General Options -> Open Registration on that Child Blog where s2Member is active (if it is active on that Child Blog). If s2Member is NOT active on that Child Blog, Open Registration is off by default, as it should be.
The option you choose there for “Main Site / Open Registration”, is ONLY applied to your Main Site. It does NOT affect Child Blogs that exist now, or that you might add later, in any way at all. Open Registration is NOT enabled for any of your Child Blogs by default. By default, Open Registration is disabled for each Child Blog, as it should be.
Helpful Hints, Tips & Tricks on a Multisite Network…
If you are logged in as an Administrator (or Super Admin), registration will appear open across the Network, because it’s YOU who are browsing and testing the sites. Please make sure you log out of the site before testing any user/member/registration functionality in your Network.
If s2Member is NOT active on a Child Blog, and for whatever reason Open Registration is enabled on a particular Child Blog, a Network Administrator can change this from the Network Admin panel. Open Registration is ALWAYS off by default, but if settings for a particular Child Blog have been corrupted or manipulated by plugins you’ve experimented with, it might be necessary to change this setting manually. See: Network Admin -> Sites -> Edit -> Settings, as depicted in the screenshot below. 1 is on, 0 is off, the default value.
If s2Member has been activated on a Child Blog, or was activated Network-wide, so it’s active on every Child Blog of the Network; Open Registration can be controlled for each Child Blog by logging into that Child Blog, and going to s2Member -> General Options -> Open Registration.
I’m having the code samples for JW Player updated in the next maintenance release to include the mp4: prefix for streaming distributions. You’re right, it works fine from the root bucket, but not from a directory, not in the latest version of CloudFront. This seems to be a change in the way the latest versions of the CloudFront API handle streaming requests, indicated by this article.
Hi Scott. Thanks for reporting this important issue.
Please submit copies of your reports to us via this private contact form. I recieved a form submission from you, but I don’t have copies of the reports that you received yet. See: s2Member® » Private Contact Form
We take security very seriously here. I’m not aware of any XSS or SQL injection risks with s2Member or s2Member Pro, but we’ll be happy to review reports produced by your scanner with you. If you would prefer to post them publicly here in the forum, that’s fine also. s2Member’s source code is open.
This is a question for MailChimp® please. We integrate with MailChimp®, we don’t enforce their rules, or make efforts to interpret their terms/conditions. Please see: http://kb.mailchimp.com/contact
A User’s ID is not top secret information. I’m not aware of any security issue related to the use of a Customer’s ID in transaction details sent to PayPal as a reference to that User. It would actually be more secure than sending, oh say, their email address, which would be a privacy concern for sure.
That being said, if you’d like to upgrade to s2Member Pro, with the use of Pro Form there are no payment “Buttons”, and thus there is no reason for s2Member to send a Customer ID or email address through a “Button”. In the case of s2Member Pro, all communication with PayPal is handled via the PayPal Pro API. So that would allow you to bypass any details being sent to PayPal in the button, if you prefer.
Hi Bart. We’re already on this. Support for your new services in the UK are forthcoming on our end. We’ll let you know if any problems arise. Thanks for your contact information, we appreciate that!
Posted: Saturday Dec 22nd, 2012 at 11:34 am
#35335
You can use %%user_email%% or %%user_login%% if you prefer. Here is a link that tracks the order number as the user’s username (i.e. %%user_login%%). See also: Dashboard -› s2Member® -› API / Notifications -› Registration Notifications for a list of all Replacement Codes.
I recommend NOT using the email address as the order number within iDevAffiliate. If you must use one of these, I’d go with the username (just use the link above), because exposing a customer’s email address in affiliate reports would be a privacy issue for you.
Thanks for your patience. So I assume that you’re using an s2Member Free Registration Pro Form. If you’re NOT charging anything, there is NO Signup Notification being processed, and thus there is no Signup Tracking Code to display in this case, and thus, there is no %%payer_email%%.
Please correct me if I’m wrong about “free”. If I am, I will apologize in advance.
A Signup Notification is documented as:
“Signup Tracking Codes will be displayed each time a “new”, “paying” Member, signs up. “.
If you want to track what are essentially just “leads” with iDevAffiliate and pay a commission to your affiliates for each “lead” (not an actual sale), that they refer to you; you will instead need to use s2Member’s more advanced API Notifications, and specifically the API Notification for “Registration”, not for a “Signup”.
You will want to paste the following URL into the field for URLs under that section of your Dashboard. You can learn more about the Replacement Codes I’ve included for you below in that section also; and you can learn more about this particular integration technique (which is slightly different from IMG pixel tracking, and also more reliable), inside your iDevAffiliate Dashboard here: iDevAffiliate -> Setup & Tools -> Advanced Developer Tools -> Custom Functions -> cURL Tracking Pixel This page should be located here in your installation.
This will pay your affiliates a $1.00 commission on each new lead they generate (i.e. for each new person that registers). If you want to change that amount, you can change the value of idev_commission=1.00.
PS I’d like S2Member to be paid for my referral to idevaffiliate, but couldn’t find your affiliated link on your site. If you have such a thing and want me to confirm you as the source of my referral, please let me know what I need to do so you can receive your commission.
Also, what error message are you receiving please? If it’s a writable file error, please set permissions on /wp-login.php to 777 via your FTP application and then re-run s2Member’s multisite patcher.
I can confirm that s2Member v121213+ correctly patches WordPress v3.4, v3.4.2, and v3.5. If problems persist for you, please open your current copy of /wp-login.php and paste the snippet of code that you have in your /wp-login.php file at line #509. You should see this by default:
case 'register' :
if ( is_multisite() ) {
// Multisite uses wp-signup.php
wp_redirect( apply_filters( 'wp_signup_location', site_url('wp-signup.php') ) );
exit;
}
Change that to:
case 'register' :
if ( is_multisite() ) {
// Multisite uses wp-signup.php
// Modified for full plugin compatiblity.
//wp_redirect( apply_filters( 'wp_signup_location', network_site_url('wp-signup.php') ) );
//exit;
}
You do not have sufficient permissions to access this page.
It happens when trying to view /wp-admin and also when I try to edit my own profile (I can edit other users’ profiles, oddly)…and on several other pages that I can’t remember offhand.
Reactivating s2M immediately solved the problem. I tried deactivating — and deleting — both bbPress and s2M, and then doing fresh installs, and then uninstalling s2M again, but the problem just kept returning. Ultimately, what seemed to have happened was that many (but not all, oddly) of the “Administrator” level account capabilities had been disabled.
I’ve been unable to reproduce this so far. The only Capabilities that s2Member removes if you deactivate it with Deactivation Safeguards turned OFF, are the Capabilities that control s2Member functionality (i.e. access_s2member_level1, 2, 3, 4, etc). No changes occur to default Administrative capabilities whatsoever.
Therefore, I suspect the underlying issue on your installation might have been related to compatibility issues between different versions of s2Member and bbPress. To avoid this issue going forward, please make sure you’re running bbPress 2.2.2+ and s2Member v121201+, where the incompatibility issues have been corrected.
UPDATE: I was able to reproduce this upon installating bbPress v2.0.3, upgrading to bbPress v2.2.2, then upgrading to bbPress v2.2.3. The issue seems to be related to the loss of the “read” capability while upgrading bbPress. If s2Member is also running, it will automatically fix the issue because it adds the read capability at runtime. However, if s2Member is deactivated, this corruption will appear in the form of errors stating “You do not have sufficient permissions to access this page.” on certain pages that check for the “read” capability.
The solution is to do a full reset of your WordPress Capabilities, as described here: http://www.s2member.com/forums/topic/dont-upgrade-to-bbpress-2-2/#post-34350
(Or, if you know how to update your Roles/Capabilities manually, simply restore the “read” Capability to Administrators,Editors,Authors, Contributors,Subscribers)
Disclaimer: I was unable to find any hard evidence in code that this was indeed bbPress causing the corruption. However, since I was unable to reproduce it with s2Member alone, and I was unable to reproduce it with s2Member being activated/deactivated with bbPress installed together with s2Member; it leads me to believe it is caused by corruption of the “read” capability, introduced by another plugin. I can’t be sure which other plugin (or plugin version). The latest versions of bbPress do not seem to cause this, so I would think this might only happen to sites that were running past versions of bbPress and then upgraded to a newer version of bbPress.
For the benefit of other readers….
If you’re having problems with Roles/Capabilities where s2Member is or has been running with bbPress or BuddyPresss, or both; please follow the procedure described here to do a complete reset of your Roles/Capabilities.
It could be that your Roles/Capabilities were modified by one of all of these plugins (s2Member,bbPress,BuddyPresss), and if compatibility issues existed between different versions at some point when you upgraded, you could be left with some mild corruption. Normally, upgrading to the latest release of s2Member would resolve issues like this. However, if you’re still having trouble, please do a complete reset of your Roles/Capabilities. Remember to do a full backup of your site first. Also remember to “reactivate” each plugin after you reset your Roles/Capabilities so that each plugin is again making the changes it needs to work properly. It is a good idea to activate bbPress first, then BuddyPress, then s2Member (in that order). Not required in that order, but that order can help to further improve your chances of smooth sailing.
s2Member’s integration with Authorize.Net does NOT allow you to create Custom Registration/Profile Fields from your s2Member configuration panel, and map those to Authorize.Net API calls. s2Member only sends Authorize.Net the information required to complete the transaction itself. All other information (i.e. any Custom Fields that you add), will be stored in WordPress and associated with the customer’s account record in WordPress, and only in WordPress.
That being said, you are correct that Authorize.Net DOES support a company field. So if you wanted to map your Custom Registration Field that you created with s2Member to an API call that passes that info over to Authorize.Net, you will need to custom code this.
Here is a quick overview of what it might take…
Open /s2member-pro/includes/classess/gateways/authnet/authnet-checkout-in.inc.php
This assumes that you gave your Custom Registration/Profile Field (when you configured it with s2Member), the Field ID: company. If you did NOT give it this Field ID, then please change the code snippet above where you see reference to the Field ID (i.e. ["company"]).
See also: Dashboard -› s2Member® -› General Options -› Registration/Profile Fields
We will definitely add this feature in a future release of s2Member, so that it’s easier to change the underlying language code on a button-by-button basis via shortcodes. Until that happens, let’s get this filter working properly as a short-term workaround :-)
Please implement the hack that Cristian posted earlier, but please name the file /s2-a.php /wp-content/mu-plugins/s2-a.php
Or /wp-content/mu-plugins/s2member-a.php (also works)
It is generally NOT harmful to delete s2Member transients, because these contain only temporary data that is not absolutely necessary to the functionality of s2Member over the long term. So what you did is fine. However, please note that after deleting s2Member’s transients, you’ve also reset your IP Restrictions for s2Member, as s2Member uses transient details to track customer behavior over a 30 day period (30 days is the default configuration). See: Dashboard -› s2Member® -› Restriction Options -› Unique IP Access Restrictions
Each transient is associated with an expiration date in the DB, and s2Member will automatically purge these from your DB over time via WP Cron. Having thousands of transients would NOT be uncommon on a site where there are MANY users. I’m not aware of any performance impact with this either. The use of transients would need to reach the 100’s of thousands (or more than a million in many cases) before most sites would even begin to feel a strain of any kind with this. WordPress does not autoload transients, they are just in the DB for reference as needed, and take up very little space.
_transient_s2m_ipr_9956e1a3022e58d… (tracks customer IP addresses)
_transient_s2m_rtn_2c71b18200b7fb1… (helps to prevent duplicate return-page handling)
_transient_s2m_ipn_c34f8253d048595… (helps to prevent duplicate IPN processing)
NOTE: WordPress does NOT automatically delete transients over the long term. s2Member handles this via WP Cron. It is a common assumption that WordPress will purge transients from your DB via WP Cron using a default installation of WordPress. That is NOT the case (not with a default WordPress installation). A plugin must provide this functionality, and s2Member handles transient cleanups via WP Cron for you.
Each transient in the DB has two rows.
_transient_s2m_.... (the data being stored)
_transient_timeout_s2m_... (the timeout/expiration value)
I’m sorry but if you purchased before the special promotion began, we will be unable to offer you the same discount. Doing so would be unfair to anyone/everyone who purchases before or after special promotions are made available here at s2Member®. Again, very sorry. Bending the rules on this will cause us problems.
This latest promotion started on: Dec 14th, 2012
It ends: Dec 31st, 2012
Terms/Conditions
s2Member® reserves the right, at any time, and from time to time, to modify or discontinue, temporarily or permanently, a Product (or any part thereof), with or without notice. Prices of all Products and Subscriptions, including, but not limited to: the individual price of Products, and any monthly Subscription fees (if applicable).
I would suggest that you create ALL of your Custom Registration/Profile Fields in s2Member (including those which you may or may NOT collect, based on the way a particular form is being filled out; i.e. has children or not).
Next, I would implement some custom JavaScript that manipulates the form to accomplish this dynamically. This way you can hide/show certain form fields, based on HOW the form has been filled out thus far.
s2Member works from the aria-required attribute. So if you need to suppress JavaScript validation on form fields that you’re NOT planning to require, you can simply set the form field attribute aria-required="false" through your own custom JavaScript routines.
For example, if having no children indicates that form fields x,y,z do NOT need to be filled in, your custom JavaScript can hide those fields from view, and also set the aria-required="false" attribute. You set that attribute on the form field itself, and NOT on the containing div element that holds the field.
That’s certainly an option as well, and that would be just a good. Possibly more work, but you will have even more control over things this way. Yes, you can place any custom code right into your custom template file.
Posted: Thursday Dec 13th, 2012 at 11:36 pm
#34512
So the scenario of upgrading BBPress when S2 IS already active might not run that routine to link the roles?
I’m guessing that on each S2 upgrade that routine is automated, but when BB Press is updated and reactivated we may have to push that button to run the routine?
An upgrade of bbPress (where a new version of bbPress is introducing role changes), will require you to press that button again so that s2Member can get things updated, with respect to Roles. s2Member will do this automatically whenever IT is upgraded, but if bbPress were being upgraded, without also updating s2Member immediately after, clicking that button in s2Member would resolve the issue for you.
In short, you are absolutely correct!
For the benefit of other readers, we’re speaking of the button located here: Dashboard -› s2Member® -› General Options -› Membership Levels/Labels
Click the button at the bottom of that section to reinstall your s2Member roles.
s2Member also makes a button available in the s2Member® -› Other Integrations section of it’s control panel, which does the exact same thing. Both of these buttons reconfigure s2Member’s Role/Capability integration with WordPress/bbPress.
Viewing 25 replies - 1,101 through 1,125 (of 1,909 total)
Pre-Sale FAQs
Video Tutorials
Community Forum
Knowledge Base
News/Updates
s2 Codex / Docs
GPL v2 License
Contact A Human
About Us
Our Customers
Support Policy
Privacy Policy
Old Forums (READ-ONLY): The 
