5.3.5 and Pro 2.2.9 released, including a security update

Posted on January 22, 2013

At the end of last week we released 5.3.4 shortly followed by 5.3.5. We have just released Pro 2.2.9 today. Among various bugfixes and minor improvements, these updates include a security vulnerability fix, meaning everyone should upgrade immediately from any previous versions.

Medium-risk XSS vulnerability fixed

We would like to thank High-Tech Bridge Security for spotting and taking the time to notify us about this potential vunlerability in the plugin, which was immediately fixed within 24 hours once we found out. We will not go into details about the fix for security reasons, but this information will be made public on their site in early March, which we hope is enough warning for everyone to update their plugin to close this vulnerability.

A drawback of Open Source software is that it is easier for vulnerabilities to be uncovered since it is out in the public domain and can be scrutinized by anyone who wishes to do so. However, rest assured that when we come across any vulnerabilities they will be fixed immediately.

Pro users should update to 2.2.9 or…

In the event that you don’t want to update yet and/or don’t have access to updates we have produced a small plugin/script which you can download here. This script will fix the security vulnerability and you can safely continue using a previous version. You can install this by unzipping the file (there is one php file included) and either:

  • upload this file to your wp-content/mu-plugins folder (create it if it doesn’t exist)
  • add the contents to the bottom of your events-manager-pro.php file
  • add the contents to the bottom of your theme’s functions.php file

EM 5.3.5 Changelog

Since we quickly released version 5.3.5 which patched a bug in 5.3.4 we’ll include a change summary of the two (first item in the list applies to 5.3.5)

  • fixed bug in placeholder formatting
  • fixed Multilingual settings not saving default language setting if other than english
  • fixed typo in performance optimization settings
  • fixed warning of undefined ID on archive pages when enqueuing scripts
  • fixed special characters being converted to entities in non-html emails
  • fixed typo in options for category/location event list placeholders
  • corrected Slovak translation, thanks to Julius Pastierik
  • added British translation, thanks to Jeff Cole
  • added some code to booking form js to prevent JS conflicts with JetPack’s reCaptcha
  • added base64 encoding/decoding to em_notice cookies for improved compatibility
  • fixed potential php warning in EM_Tickets class
  • event spaces show as blank rather than 0 on input form (aesthetic change in line with the field help text)
  • added alphabetical ordering to category and countries ddms in search form and admin event categories ddm
  • fixed XSS vulnerabilities
  • fixed em_is_category_page() and added check for specific categories (like is_tax() second parameter), added em_is_tag_page() with checks for specific tags
  • added #_EVENTPRICERANGEALL and fixed #_EVENTPRICERANGE showing if booking closed but unavailable tickets set to true (docs need revising)
  • improved speed of event shortcode by adding global event object
  • added ordering of locations by name and other location table fields in event queries such as events_list shortcode
  • added some missing classes to event form ‘when’ section

Pro 2.2.9 Changelog

  • security update for some XSS vunlerabilities
  • fixed blank date and time custom fields breaking datepickers for editing user/booking information
  • fixed coupon placeholders remaining if booking doesn’t have a coupon associated with it

Comments are closed.



Interested in Events Manager?

Sign up to our newsletter, receive a free add-on and an additional 10% discount for Pro!

You will receive a confirmation email which you must click on, you will then be sent another welcome email with links to your discount and free add-on.