
Important Security Update

Posted on April 2, 2015

We’ve been investigating a serious security vulnerability over the past few days, which we’ve found to be present in Events Manager from version 4.0 onwards.

We’ve released 5.5.6, which fixes this issue, and we have also fixed this vulnerability in ALL affected versions on the wordpress.org repository to prevent anyone from downloading an older vulnerable version in the future. Whilst the vulnerability is not present in the Pro add-on, since it is an add-on, EVERYONE must update the free/main version as soon as possible.

Whilst we always recommend that people update to the latest version of Events Manager (now 5.5.6), we understand that in certain situations this isn’t possible, and therefore you can also download and re-install whatever version you’re running from the EM WordPress plugin page.

Additionally, if you are in the situation where you or someone else modified our plugin on your site, and therefore cannot upgrade without losing those changes, please send a blank email to vulnerability.2015.04@wp-events-plugin.com and we’ll reply with instructions on which file to edit to fix the problem.

Security is our top priority, and whilst we already run regular security scans on our plugin, we’re working on further measures to prevent future vulnerabilities from going undetected. We sincerely apologize for the inconvenience caused and appreciate your understanding.

I’d also like to personally thank Jorge Sáiz from SancoTec for responsibly reporting this directly to us, and Daniel Cid from Sucuri for helping us gauge the impact of this vulnerability.

– Marcus Sykes

P.S. We’ve got a great update on the way, but due to the nature of this issue we’ve had to backtrack and release this patch immediately whilst we test and polish off the upcoming release.

15 Comments

  1. dlmweb says:

    Thanks Marcus for your pro-active approach in letting your users know of the vulnerability and to take action. Much appreciate all your efforts.

  2. JJenkins says:

    Thank you for keeping us informed. My plugin is customized and I followed the steps provided in the email and it worked perfectly.

  3. Herbert says:

    Thanks for the heads-up and for the way you guys are handling this. Everybody makes mistakes and that is allowed. But vulnerability-fixing should be handled properly and there are no exceptions there.

    With the mis-handling of the vulnerability in the Slider Revolution plugin, sold through ThemeForest, still fresh in memory, your actions contrast and serve as a good example of proper handling.

    Thanks.

  4. Jesse Heap says:

    Appreciate the responsible disclosure and email alert! These days it seems like nearly every plugin has some security issue and it’s great to see developers like you being so proactive with your communication plan.

  5. Jana says:

    I agree with the comments above – well done in handling this professionally and with consideration. Thanks.

  6. marcus says:

    Thanks everyone for the kind words!

    The first priority in these situations for us is to fix the problem and make sure we get everyone updated to a safe version.

    I look forward to getting back to you all with some good news regarding a ‘real’ plugin update soon :)

  7. Lorraine Pocklington says:

    OK, this is just pasted here in case anyone experiences the same issue and it helps them. I have a SagePay plugin installed (relevant) and Events Manager Pro.
    After the update, Events Manager did not reactivate itself (from 5.5.5 to 5.5.6), which I think might have happened before. Worse than that, though, was that my admin panel was now a white screen of death, and so was my website. Eek. [*Yes I did have a backup*]
    Before resorting to the backup, a quick look at the error log revealed the SagePay plugin was erroring out.
    Went to plugins, zipped up SagePay to back it up and deleted the SagePay folder (i.e. removed the plugin). Look at website – that’s now working but no Events Manager.
    Look at admin (now working) – Events Manager is inactive, and Events Manager Pro complaining that Events Manager needed to be installed.
    Activate Events Manager – all looked good.
    Unzipped SagePay plugin so that it’s active again. All looks normal. REMEMBER TO REACTIVATE THE PLUGIN (I didn’t at first!)
    SO …. if you have add-ons, do try checking the error log in the home directory and dealing with those first before panicking and reinstating your backup….
    Thanks for the alert about the vulnerability.

    • marcus says:

      Hi Lorraine,

      You may want to contact Andy about that, it sounds like there’s a bug in the SagePay add-on. I’ve let him know about this as well.

  8. Robin Ooi says:

    Wow…I’m impressed by how proactive you guys have been! I’ve used so many plugins in the past and none of them have been as proactive as this.

    Keep up the good work Marcus!

  9. Can you publish a manual patch as well? We needed to change the core files of the plugin to use it and probably can’t use an automatic update…

  10. zachariah says:

    I really appreciate the way you’ve handled this. Very professional, and above and beyond updating all versions & revisions. Thank You!

  11. Greg A says:

    I’ve sent a blank email twice for the instructions but haven’t received a reply.
