Edit: 5.8.1.3 was released fixing a minor display bug that arose from the latest update, but has no relation to this security fix.
Our latest 5.8.1.2 release is a security update (along with some minor bugfixes) due to a potential Stored XSS vulnerability which was discovered over the course of this weekend. This can considered a medium to high severity under certain circumstances, although there are no known cases of this exploit being used.
Any sites that allow guests or non-trusted users to submit events and locations should consider upgrading as soon as possible. Those that do not accept user event and location submissions should not be affected.
The latest update does not include any of the planned timezone features we have posted about recently, as this is still undergoing testing and debugging and is not yet ready for stable release. Those who may be running our latest dev version with timezones should upgrade to dev version 5.8.1.22 as well, which has also been patched.
We would like to thank Luigi Gubello for responsibly disclosing the vulnerability, who will follow-up with an official disclosure in four weeks.
Whilst this isn’t an exploitable vulnerability in WordPress itself, there are potential scenarios where this same vulnerability could be used (we aren’t aware of any, this is hypothetical). We are also liasing with the WordPress Security team to understand whether there are other potential implications for other plugins and/or theme and will also follow-up accordingly if necessary.
For security reasons, we’re not disclosing further information at this time, so that we can give time for the WordPress Security team to investigate the underlying causes as well as to minimize the potential exploitation of this vulnerability, giving time for everyone to update as soon as possible.
We apologize for any inconvenience caused, we take security and every security report very seriously. We will give any discovered vulnerability our full attention and priority all else with prompt updates to ensure your safety.