EM 7.4 and Pro 3.9 are out. Version number bumps like these indicate a significant change, and they do: this latest update of Events Manager and Events Manager Pro comes with a story!
At Events Manager, security is part of how we build, not a step we bolt on afterwards. This release is the clearest example of that we have shipped, and we want to be open about the work behind it.
The Fable in this story…
A few weeks ago, when Claude Fable first became available, we jumped on it. We had been following the Mythos project ever since chatter surfaced about it; Claude Fable is the version of that model eventually released for public use.
In case you were unaware: Mythos is the latest and greatest model from Anthropic (the makers of Claude). This model is apparently so capable in cybersecurity that Anthropic has not released it publicly, instead making it available in preview to a limited group of critical-industry partners and open source projects under Project Glasswing (lots of ‘cool’ naming here). The results so far speak for themselves: over 10,000 high or critical severity vulnerabilities found across some of the world’s most important software, including 271 patched in Firefox alone!
Fable is the ‘safer’ version of Mythos, but still a powerful new AI model that can run the kind of deep, adversarial code review that used to take a specialist team days. The day it came out, we put it straight to work on our own code. We did not hold back on the token usage cost, which was not small!
Reviewing the results
That first review was as thorough as anything we have ever run against Events Manager. Access to Fable at that depth was then restricted, so we could not simply repeat it on demand. However, we had fortunately jumped on it just in time, and the eventual tally was not surprising (given what the major tech companies encountered) but daunting regardless: 32 security vulnerabilities!
To put that into context, we have not received that many security reports… ever… for all our plugins we’ve ever published! That says less about our code than about how far this tooling has come, and it is exactly why we moved on it early.
Sidenote: Historical Security Vulnerability Reporting
Open source software naturally invites more scrutiny, simply because the code is out there for anyone to read: cybersecurity analysts and attackers alike. Inevitably, we receive security reports when issues are found, either by direct contact or via responsible disclosure channels such as Patchstack, Dell Secureworks, Wordfence or the WordPress.org plugins team themselves. This may all sound scary, but whilst malicious users can scan open source software for exploits, so too can defenders and white-hat analysts.
Over the past 15 years, we may on average have received 1 report per year, for all our plugins combined! These reports were more concentrated in the latter years as WordPress (and our plugins) grew in popularity, inviting more scrutiny over their security.
Ultimately, the upside is we now had a unique opportunity to make Events Manager safer than ever.
What we found
For transparency, and without publishing anything that would help an attacker, here is the shape of what we found and fixed across the Events Manager family.
By severity
| Severity | Issues |
|---|---|
| Critical | 1 |
| High | 13 |
| Medium | 8 |
| Low | 9 |
| Informational | 1 |
| Total | 32 |
By category
| Category | Issues |
|---|---|
| Broken access control / IDOR | 11 |
| Server-side request forgery (SSRF) | 4 |
| Cross-site scripting (XSS) | 4 |
| SQL injection | 4 |
| Payment and booking integrity | 3 |
| Cross-site request forgery (CSRF) | 2 |
| Information disclosure | 1 |
| PHP object injection | 1 |
| Local file inclusion | 1 |
| Business logic / input validation | 1 |
| Total | 32 |
On exploitability
Regarding the actual exploitability of this list: the single critical issue and most of the high-severity items required particular conditions or a degree of existing access, and several were defence-in-depth hardening rather than open doors. We are deliberately not publishing specifics, endpoints, or reproduction steps. Responsible disclosure means fixing quietly and shipping first, not handing anyone a map.
From findings to fixes
We took every finding, re-reviewed it by hand against the source, reproduced what could be reproduced in a controlled test environment, patched it, and tested the patch. This release is the result.
We also coordinated with the WordPress.org plugins team to release this in a responsible fashion and timeline, without disclosing the vulnerabilities in the changelogs immediately. This allowed time for the release to propagate via regular and automatic updates held back by the 24 hour Protect The Shire (PTS) delay, which we covered in our recent post on plugin updating recommendations.
Still looking
We run follow-up reviews continually. During this release, we did our due diligence and deliberately used more than one model, vendor and tool to double-check our work. We will keep doing this as the tooling improves.
For Pro customers on older versions
If you are not able to move to the latest Events Manager Pro 3.9 release, we have prepared patched builds of the earlier versions, which you can download from your account area. We strongly recommend applying one of these as soon as possible; we are contacting our customers individually as well to make sure they’re aware and staying safe.
Update today
If you run Events Manager or Events Manager Pro, the most useful thing you can do today is update to the latest version. Thank you for trusting us with your events, your attendees, and their data.
With thanks to Wordfence and the researcher molten bit, who separately reported two of the issues resolved in this release. The remainder were found through our own review.