The most important fix is within Events Manager 5.3.9 which consists of closing a potential XSS vulnerability in the event search forms. Therefore, if you are using template files, we strongly suggest you take a look at the html change in the search box itself and move those over to your modifications.

The Pro version update is for a bug that cropped up in one of the recent updates due to the introduction of our Multiple Bookings beta feature, concerning the Form Editor and being able to switch between custom-created forms.

5.3.9 Changelog

• fixed XSS vulnerability in search form field
• fixed php warnings in events-list.php
• ‘mail sent’ messages not shown if no mails actually sent without errors, changed wording of ‘mail’ to ‘email’
• updated French and German languages
• added links to category page on #_EVENTCATEGORYIMAGES images
• reordered search form template variable definitions for future splitting up of fields into individual reusable templates
• changed htmlspecialchars to esc_attr, added esc_attr to various input fields
• improved sanitization of front-end form title submission to prevent entity conversion in db records
• fixed missing EM js variables on public edit/submit events page

Pro 2.3.4 Changelog

• fixed bug when trying to switch booking forms in form editor
• fixed localization typo
• added sanitation to various input textboxes in admin area

• fixed timthumb issues due to new local fetching modification and bad file inclusion path
• fixed time/date separators in settings page not being used
• added yarpp support to post types
• fixed some tag and category warnings when using assigned tags/categories pages
• fixed various PHP warnings
• updated French

Pro 2.3.3 Changelog

• fixed coupon final price miscalculations when tax is automatically included in ticket price
• fixed customer user gateway fields not being passed on correctly when in no-user mode
• fixed password user field problems in MB mode
• improved pro update notifier and key checking consistency
• added option for MB bookings submit button
• fixed form regex rules still being required if value is blank and form field not required
• fixed user profile page failed validation still resulting in update notice along with errors

• See it in action
• Read the documentation for more information

The new beta now allows you to enable Multiple Bookings directly from your settings area, no changes needed to wp-config.php

Here’s the changelog to Pro in this latest update:

• added Finnish
• updated German
• fixed various PHP warnings
• fixed user bookings link pointing to admin area from front-end bookings admin
• removed some redundant code from paypal gateway
• added ‘empty cart’ button to ‘view cart’ page
• fixed custom user fields not being saved properly in MB mode
• fixed manual bookings for MB mode
• Multiple Bookings now beta, no flag required in wp-config.php file

Notable Additions

Assign theme templates to Event & Location pages

Previously, you needed to create specific files (you’ll see us mentioning single-event.php and single-location.php in the forums) within your themes to change the layout of your event and location pages, such as removing/adding sidebars, using different sidebars, etc. Now you have the option to use templates supplied by your theme, just like you would when creating pages.

Note that in many cases you may also need to add additional classes to parts of your event/location pages, in order for your theme to correctly use the right CSS and display your template
correctly. We’ve written a small tutorial explaining how this is done in the TwentyTwelve theme.

Goodbye default Events and Locations!

Previously, Events Manager automatically added three sample events and corresponding locations. This was quite a cool way to get people set up with sample events and get a gist of how things work. However, we’ve decided to remove this for a few reasons:

• This is annoying if you are using MultiSite, each new site creates the same three events and locations each time (not to mention it creates some confusion)
• Many people quite rightly don’t want new random content published to their blog when installing Events Manager
• We’re littering the internet, if you try searching for some of these locations or events, you’ll find results from blogs that installed our plugin, yet didn’t delete these events.

So, we bid farewell to the good old ‘Orality in James Joyce Conference’, ‘Traditional music session’ and ’6 Nations, Italy VS Ireland’ events… good times! We start with a clean slate from now on.

#_CATEGORYNEXTEVENT and #_TAGNEXTEVENT custom formats

Whilst we already had the #_CATEGORYNEXTEVENT placeholder, there was no corresponding option to specifically format this placeholder. Well, now there is!

This is also related to our following addition, Tag archive pages.

Tags has an archive page now too

By default, Events Manager will now also install a new page as a child of the ‘Events’ page called ‘Tags’. This works exactly like the categories page, where you can list all your tags using custom formats to modify the look and feel. You’ll find these new options in the respective Tag sections within the Pages and Formatting tabs of your Events Manager settings page.

If you’re upgrading and you do use the single tag pages along with our ‘override with formats’, it’s strongly advised you create and assign a tags page, because this helps improve compatability with other themes and plugins (including Yoast WordPress SEO – Breadcrumbs module).

Changelog

Here’s a full list of fixes and changes, also found in the readme.txt file:

• fixed extra paragraphs being added to #_EVENTNOTES
• fixed location ‘no events’ message format not using header/footer formats
• updated Finnish, German and POT files
• added customizable event and location page templates
• improved em_options_select() now can create optgroup groups if an array value is supplied
• fixed clashes with JetPack Tiled Galleries
• fixed timthumb thumbnails issues with MultiSite and virtual links
• fixed multisite global problems when fetching and saving main blog events previously saved with NULL blog_id
• fixed bug with categories search attribute not working if any spaces exist such as “1, 2″
• improved offset calculations in ical for some servers
• improved ical generation to avoid memory limit problems with very large numbers of events
• fixed RSS feed pubdate format
• improved generation of RSS feed to avoid memory_limit errors on very large feeds
• changed em_rss_pubdate wp_option to em_last_modified which is now a timestamp
• improved em_get_wp_users() function to fix overload caused by http://core.trac.wordpress.org/ticket/23609
• changed default events aren’t created anymore
• changed public events admin table template to allow viewing of draft events (duplicates) and modified view linking formats
• changed duplicates so they now become drafts by default not published
• improved settings page tab/section loading UX
• added event archives scope
• improved MultiSite Global so unnecessary tables aren’t created for every blog
• fixed outdated group tip on event form (you can detach group events)
• added #_CONTACTURL
• fixed tags not being added to recurrences if no categories assigned too
• fixed datepicker problem on search pages when scope not defined and switching pages
• fixed wp_em_events post_content not being updated if description is removed
• added wp_title filter to widgets
• fixed incorrect number of events per day shown in full calendar according to settings
• fixed the_title usage to check the post id supplied in second parameter
• changed/fixed action where rules are rewritten on settings changes causing 404s for CPTs created in theme functions.php file
• fixed bug with W3TC repeating first no-user booking name for all others in admin table views
• fixed ‘email exists’ errors in no-user bookings mode
• added option for no-user registration with registered emails
• added #_CATEGORYNEXTEVENT, added formatting options for location/category next event placeholders
• improved event, location and category timthumb thumbnails so they accept 0 as a width/height to prevent cropping
• added ical scope option
• fixed category placeholders not being replaced in alphabetical order (so #_CATEGORYNEXTEVENT cannot overwrite #_CATEGORYNEXTEVENTS)
• added #_TAGNEXTEVENT and formatting options
• fixed problem with pagination not highlighting first page number when doing searches
• changed maps js to close other infowindows for locations map when marker is clicked
• added locations search attribute
• fixed autoembed and embed shortcode support for event/category/location placeholders for descriptions
• fixed duplicates triggering ‘published’ actions on duplications such as tweeting via WP to Twitter
• fixed author not being changed on quick edit
• fixed conflicts with various plugins which add custom registration validation (e.g. SI Captcha, Theme My Login, etc.)
• fixed bug where #_LATT fields not appearing in public location editor if event attributes aren’t enabled
• added booking links to edit event booking stats meta box even if no bookings made
• added em_bookings_filtered and em_locations_autocomplete_selected jQuery events
• fixed links pointing to admin on public booking admin tables after pagination clicks or multiple ajax calls
• updated German translation
• added em_calendar_get_args filter
• improved EM_Category::has() – now also checks category name too
• removed redundant functions in EM_Category
• improved default ordering of events in categories page applied to EM_Category::get_default_search() rather than just category pages,
• improved category taxonomy when overriding with formats when using an assigned categories page (particularly breadcrumbs)
• added specific tweaks for Yoast WP SEO plugin for breadcrumbs when using an assigned categories page
• added a tags page and template
• created EM_Tags class – very similar to EM_Categories
• fixed lack of pagination on tag placeholders showing related events
• fixed private locations turned public not appearing in public listings
• fixed today/tomorrow scope not working properly in wp-admin
• fixed pagination variables overriding shortcodes with fixed page attribute
• improved – minor adjustment to location autocomplete ui tip text behaviour
• added em_map_loaded js trigger for location admin map
• updated German

If you’re interested, please read the job description and apply!

The main reason for this focus is because we’ve been working on a pretty exciting Pro feature – Multiple Bookings – which is now in the form of a working alpha (meaning not ‘officially’ a pro feature yet) and is available for use in the latest Pro update (you need to update to EM 5.3.6 as well). You can see some preliminary documentation to help you activate this new feature as well as a working demo to see it in action.

We’re already starting work on the next update, which will be dedicated to polishing off this new feature, tying up some more loose ends as well as taking some time to improve some aspects of integration with MultiSite (mostly revolving around allowing/restricting certain settings available to blog admins).

We look forward to the coming weeks and the exciting things they have in store whilst we move onto the next update!

Events Manager 5.3.6 Changelog

• added is_free, is_free_now, not_free and not_free_now conditional placeholders
• modified EM_Event::is_free() so it can also check if event is free at that moment,
• added do_shortcode filter to dbem_notes so shortcode is parsed outside single event pages
• fixed category filtering when using negative/positive combinations
• fixed category filtering in MS Global mode
• fixed missing menus items for normal blog admins in MS without plugin caps
• updated italian and swedish
• added finish countries translations
• added sorting for countries lists (previously sorted by country code)
• updated POT file
• updated French, updated German (unfuzzied loads of strings, may need some corrections)
• booking meta now uses maybe_unserialize on instantiation
• separated booking validation from save function
• moved user registration logic during bookings into a reusable function
• cleaned up the email admin setting panels for submissions and booking templates
• booking email messages array now generated in separate function
• added em_get_location and em_get_event filters for event/location object retrieval functions
• added em_get_booking getter function with corresponding filter and changed all used of new EM_Booking()
• added em_bookings_admin_page action at start of booking admin pages
• added taxes functions to booking and object classes
• added get_admin_url function for booking object
• added get_price_taxes function to booking object
• added bookings filter condition to exclude bookings with event_id of 0 by default (for Pro Multi-Bookings)
• added data response as second argument to jQuery em_maps_locations_hook event
• fixed bookings form showing on password-protected events
• fixed MS Global blog switching issues when saving
• fixed $EM_Booking->get_tickets() returning all tickets rather than tickets in specific booking
• fixed hidden BP groups not showing to admins
• fixed some German translation file inconsistencies
• fixed blank datepickers if date format is left blank in settings
• fixed tags filter searching multiple tags returning no events
• fixed some MultiSite PHP warnings when adding/deleting sites
• fixed booking button not showing cancel if event is fully booked
• changed booking button so only one booking can be made
• fixed attributes not showing on event submission forms if categories are disabled (option name typo)
• added editable form, so no-user bookings user data can also be edited
• changed booking form JS enqueueing by moving it into EM_Bookings object as a function
• changed booking JS to use on() event delegation for more AJAX compatibility
• fixed some booking form CSS field styling inconsistencies
• fixed issues with locations on sub-blogs when in MultiSite Global mode with locations restricted to main blog
• fixed duplicate confirmations/warnings on MultiSite location admin pages
• changed (improved) EM_Object::can_manage method to avoid extra calls and potential warnings
• changed csv export of single event so the file name = the event name

Events Manager 2.3 Changelog

• fixed newly created user during booking not being deleted on bad card info via authorize.net
• updated Swedish translation
• fixed php warning
• fixed permission problems in MS preventing form editor and other admin screens from showing to admins without plugin rights
• updated Swedish
• fixed newly created users not being deleted in MultiSite if bad A.net card info is supplied
• added Multiple Bookings feature
• fixed MultiSite PHP warning on blog creation when visiting blog first time round
• added hooks to edit no-user booking personal information and custom user fields (requires EM 5.3.5.3 or higher)
• better template/class renaming, adjusted AJAX loading methods to account for caching plugins
• moved email reminders out of beta
• fixed checkboxes, radios and multiselect custom fields in booking form not being editable by admin
• fixed checkboxes, radios and multiselect attendee fields not being correctly editable by admin
• fixed some attendee form display and CSS issues
• fixed tips not appearing for core user fields

Medium-risk XSS vulnerability fixed

We would like to thank High-Tech Bridge Security for spotting and taking the time to notify us about this potential vunlerability in the plugin, which was immediately fixed within 24 hours once we found out. We will not go into details about the fix for security reasons, but this information will be made public on their site in early March, which we hope is enough warning for everyone to update their plugin to close this vulnerability.

A drawback of Open Source software is that it is easier for vulnerabilities to be uncovered since it is out in the public domain and can be scrutinized by anyone who wishes to do so. However, rest assured that when we come across any vulnerabilities they will be fixed immediately.

Pro users should update to 2.2.9 or…

In the event that you don’t want to update yet and/or don’t have access to updates we have produced a small plugin/script which you can download here. This script will fix the security vulnerability and you can safely continue using a previous version. You can install this by unzipping the file (there is one php file included) and either:

• upload this file to your wp-content/mu-plugins folder (create it if it doesn’t exist)
• add the contents to the bottom of your events-manager-pro.php file
• add the contents to the bottom of your theme’s functions.php file

EM 5.3.5 Changelog

Since we quickly released version 5.3.5 which patched a bug in 5.3.4 we’ll include a change summary of the two (first item in the list applies to 5.3.5)

• fixed bug in placeholder formatting
• fixed Multilingual settings not saving default language setting if other than english
• fixed typo in performance optimization settings
• fixed warning of undefined ID on archive pages when enqueuing scripts
• fixed special characters being converted to entities in non-html emails
• fixed typo in options for category/location event list placeholders
• corrected Slovak translation, thanks to Julius Pastierik
• added British translation, thanks to Jeff Cole
• added some code to booking form js to prevent JS conflicts with JetPack’s reCaptcha
• added base64 encoding/decoding to em_notice cookies for improved compatibility
• fixed potential php warning in EM_Tickets class
• event spaces show as blank rather than 0 on input form (aesthetic change in line with the field help text)
• added alphabetical ordering to category and countries ddms in search form and admin event categories ddm
• fixed XSS vulnerabilities
• fixed em_is_category_page() and added check for specific categories (like is_tax() second parameter), added em_is_tag_page() with checks for specific tags
• added #_EVENTPRICERANGEALL and fixed #_EVENTPRICERANGE showing if booking closed but unavailable tickets set to true (docs need revising)
• improved speed of event shortcode by adding global event object
• added ordering of locations by name and other location table fields in event queries such as events_list shortcode
• added some missing classes to event form ‘when’ section

Pro 2.2.9 Changelog

• security update for some XSS vunlerabilities
• fixed blank date and time custom fields breaking datepickers for editing user/booking information
• fixed coupon placeholders remaining if booking doesn’t have a coupon associated with it

If you have version 2.2.7 and are using tickets containing names that contains characters other than letters and numbers, please update to 2.2.8 immediately.

If you have experienced failed IPN messages, please see our previous post for instructions on resending those failed messages, and your bookings should readjust themselves automatically.

We have already released an update 2.2.7 which solves this problem and anyone using 2.2.6 and PayPal should update to this immediately.

If you have some pending bookings which haven’t been processed, fortunately there are some simple steps to set everything back to normal.

1. Visit your PayPal account and go to History > IPN History
2. Search for IPN messages within the last 5 days (or since you installed 2.2.6, which was released earlier this Wednesday)
3. You will see a table of IPN messages which will have the status ‘Failed’ or ‘Retrying’
4. For those that have failed, select them, and click the ‘Resend Selected’ button at the top of the table.
5. You should shortly see these bookings automatically confirmed within your site bookings admin area, the ones retrying should also get updated within 24 hours.

We apologize for any inconvenience caused.

Notable Events Manager Updates

There are two pretty important updates in Events Manager 5.3.3 which are worth mentioning:

Multilingual Support

We’ve added a new class and other tidbits to interface with MultiLingual plugins, and we’ve started off by writing and releasing a separate add-on to make Events Manager compatible with WPML, which is freely available on WordPress.org. See the linked article for more information on this.

Advanced Performance Optimization Options

This is somewhat long overdue, but we’ve now added some options in the settings page to allow more control over what CSS and JavaScript files get loaded where by Events Manager. We’ve also written some comprehensive documentation on how to make the best of these new optimization options, as well as some overall optimization recommendations.

Moreover, we’ve also introduced support for WP Thumbnails, meaning that you can now opt to access static files and circumvent the usage of timthumb.php. See the optimization recommendation links above for more information on this too. There is one important detail opting for this new feature - If you use category image thumbnails, you’ll need to reselect them using the uploader, even if you’re reselecting the same image from the library then save the category again, because we now need to save the attachment ID along with just the direct URL to the thumbnail.

What’s next?

Well, lots of things! Last month we launched our new website along with a new Pro customer site, which frees up resources, which we’ll now be dedicating to adding various new features to Pro, doing some tidying up in the main plugin, and expanding on documentations/tutorials/snippets to help users and developers make the best of Events Manager.

Changelog for Events Manager 5.3.3

• changed taxonomy pages to use is_tax() to check whether page is a taxonomy page, rather than checking the $wp_query object
• fixed booked spaces being off if approvals are disabled and booking has status 0 from when approvals were enabled
• added #_CATEGORYSLUG
• fixed bad usage of wpdb::prepare in classes/em-object.php
• added em_actions_locations_search_cond for autocompleter
• added Bermuda and Jersey to countries list
• fixed title rewriting warning when $sep is blank
• fixed BP ‘add event’ link appearing to all users on event profile pages
• fixed loading of unused post meta overwriting post fields/properties
• added multilingual capability
• added WPML add-on warning
• simplified enqueue of styles and scripts, now uses wp_enqueue_scripts action
• added performance optimization options for CSS and JS files
• removed usage of PHP sessions in exchange for temporary cookies
• added possibility to use wp thumbnails rather than timthumb (category images need resaving via uploader)
• added #_LOCATIONLONGITUDE and #_LOCATIONLATITUDE placeholders
• added em-pagination span wrapper and em-tablenav-pagination classnames to normal and table pagination sections
• fixed location searches not returning results admin-side in MS global tables with locations on main blog
• updated JS for location map to update when location name changed
• added pagination and limits to location and category event list placeholders.
• updated finnish language
• fixed minor php warning when deleting a user with no events in MultiSite
• fixed php warnings on category pages using formats, major change to how formats are overridden, now rewrites WP_Query completely
• added em_options_page_panel_admin_tools action to admin tools section of options page
• fixed #_BOOKINGPRICE and other booking price placeholders not using currency formatting option
• fixed permissions issue with groups plugin (thx itthinx)
• added Slovak translation, thanks to Branco
• added em_bookings_table_row_booking_price_ticket filter (needed for Pro ticket exports w/coupons)
• added default rows/cols attributes to booking form textarea field for valid html
• fixed conflict with caching plugins and booking forms due to cached wpnonces
• added #_CATEGORYDESCRIPTION to default EM filters of content placeholders
• updated timthumb.php to version 2.8.11

Changelog for Events Manager Pro 2.2.6

• fixed events with one non-required ticket not showing 1 attendee form (when shown in ticket table format)
• fixed some non-translated strings, updated pot file
• added Russian translation
• fixed registered user info not showing up on booking details/exports if no-user mode and manual booking is made
• fixed dates and other fields not being formatted when displayed using placeholders e.g. in emails
• updated French translation
• adding ‘define(‘EMP_SHARED_CUSTOM_FIELDS’,true);’ to your wp-config.php file allows user field ids to not be prefixed with dbem_ (for sharing user meta with other plugins)
• added compatibility with new script loading system
• fixed PayPal IPN verification mechanism, including fallback for curl on servers with outdated SSL certificates
• limited admin JS loading
• added fix for badly saved/displaying user meta date/time fields, added installation script to fix previously bad date/time user meta values
• added fix for normal field country output formatting
• added coupon calculation to CSV ticket total calculation
• added removal of header in CSV if EM_CSV_DISABLE_HEADERS is defined
• added coupon code placeholders #_BOOKINGCOUPON, #_BOOKINGCOUPONCODE, #_BOOKINGCOUPONDISCOUNT, #_BOOKINGCOUPONNAME, #_BOOKINGCOUPONDESCRIPTION
• added coupon code column to booking tables and csv export
• fixed IE8/safari form editor display issues
• fixed manual bookings allowing double bookings depending on EM settings
• fixed updates not accessing update information e.g. changelogs from our servers
• changed em_booking_add apply_filter to add_action (since it’s an action)