Events Manager 7.3.5

We have released two successive updates over the last week, addressing some known bugs, improving the API/MCP infrastructure and fixing some reported security vulnerabilities.

These include notable improvements to the block editor and to how reliably AI interacts with MCP across repeated requests.

We’ve got a bunch of updates out and on the way, including a follow-up update to EM in the works. We’ll touch on the add-on updates in separate posts. Lots happening, stay tuned!

= 7.3.5 =

  • Security: Private events and locations could be exposed to non-privileged visitors when the private query argument was supplied — the fix ensures only users with the read_private_events / read_private_locations capability can request private content. CVE-2025-14945, responsibly disclosed by shark3y via Wordfence. We recommend updating.
  • Fixed: A custom Grid format header/footer set in Formatting settings was never shown on grid event lists — the view was reading the wrong option name, so the header/footer text was silently dropped on both initial load and AJAX search.
  • Fixed: Custom Google Maps JSON styling (Styling Wizard / Snazzy Maps) stopped applying after the Advanced Markers upgrade — Google ignores legacy map styles when a Map ID is present. Front-end maps with custom styling now render correctly again, without the “styles property cannot be set when a mapId is present” console warning.
  • Fixed: Block editor — recurring events no longer trigger a false “recurrence times are required” error on second save (disabled recurrence fields are now included in form serialisation); the Event When block’s edits are no longer silently dropped in Gutenberg 6.6+ where the canvas renders inside an iframe.
  • Tweaked: The default event editor has been switched back to Classic while block editor support is further refined — existing installs are unaffected and the setting can be changed under Events Manager → Settings.
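
The pattern behind the 7.3.5 security fix, as an added illustration and not Events Manager's own code: a request-supplied private flag is honoured only when the current user holds the matching capability, and is forced off otherwise. The function name demo_gate_private_args, the type keys and the current_user_can stub are assumptions made so the file runs outside WordPress; only the private argument and the two capability names come from the changelog.

```php
<?php
// Added illustration, not Events Manager source code.
// Hypothetical names: demo_gate_private_args, $demo_caps, the 'event' and
// 'location' type keys. The capability names are the ones in the changelog.

// Stub so this file runs outside WordPress. Inside WordPress the real
// current_user_can() already exists and this definition is skipped.
if (!function_exists('current_user_can')) {
    function current_user_can(string $cap): bool {
        return in_array($cap, $GLOBALS['demo_caps'] ?? [], true);
    }
}

/**
 * Normalise search arguments that came from the request.
 * The "private" flag survives only if the user has the capability for the
 * requested object type; unknown types and missing capabilities fail closed.
 */
function demo_gate_private_args(array $args, string $type): array {
    $caps = [
        'event'    => 'read_private_events',
        'location' => 'read_private_locations',
    ];
    $wants_private = !empty($args['private']);
    $allowed       = isset($caps[$type]) && current_user_can($caps[$type]);

    // Never pass the raw request value through to the query layer.
    $args['private'] = ($wants_private && $allowed) ? 1 : 0;
    return $args;
}

// Constructed sample requests, each supplying private=1.
$request = ['private' => '1', 'scope' => 'future'];

$GLOBALS['demo_caps'] = [];                        // anonymous visitor
var_dump(demo_gate_private_args($request, 'event'));

$GLOBALS['demo_caps'] = ['read_private_events'];   // user with one capability
var_dump(demo_gate_private_args($request, 'event'));
var_dump(demo_gate_private_args($request, 'location'));
```

The same gate has to sit on every entry point that builds a query from request data, including AJAX search and REST/MCP handlers, since the flag is attacker-controlled on each of them.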

= 7.3.4 =

  • Security: Free-text event and location fields submitted by non-privileged users (e.g. front-end event submitters) are now sanitised, closing a stored-XSS vector. We recommend everyone update.
  • Added: New “Event When” block for the block editor — edit an event’s date, time and recurrence inline from the canvas.
  • Added: New display options for timeslot booking cards, giving you more control over how timeslot selection appears on the booking form.
  • Fixed: Timeslot and recurring booking pickers are now a single shared template, resolving several layout and timezone-picker glitches, multiday date display, and a card-gap regression.
  • Fixed: Recurring events now regenerate their timeslots when the event duration changes, and event listings sort and scope correctly by timeslot date/time across a series.
  • Fixed: Block editor — recurring events no longer fail validation on a second save, and the date picker now initialises correctly inside the editor’s iframe.
  • Fixed: Several REST/MCP API issues found in live testing — bookings made through the API were all being attributed to the authenticated admin rather than the intended account; partial event updates could wipe categories and tags; and media upload, booking-status and consent handling have been tightened. Booking on behalf of another person is now correctly a Pro-only capability.
  • Fixed: MCP installer buttons on the settings page not triggering the install.
  • Fixed: CSS glitches in the selectize search dropdown when resizing or typing.
  • Tweaked: The selected day is now shown in bold across every calendar event style.
