Events Manager 5.9.7.2 & Pro 2.6.7.2

Posted on February 5, 2020

Earlier today we received a vulnerability report regarding a potential CSV injection. After verifying, testing and promptly fixing the bug within hours, we’ve decided to push out an update along with various other additions which were already in the pipeline to be released, notably the ability to add email attachments and subsequently the option to attach ical files to booking confirmation emails!

Sites Affected

The CSV injection vulnerability does not affect your website itself and does not allow hackers to directly gain access to your WordPress website. Instead, it is possible when making a booking on your site to submit text via the input forms which can then become malicious if exported to CSV and opened in some spreadsheet applications such as Excel or Google Sheets.

Thankfully, whilst this is mainly considered a vulnerability in Spreadsheet software, this is somewhat mitigated by the fact that most recent modern versions of Spreadsheet software will give you a stern warning about potential security risks when opening these CSV files containing malicious text and before executing them. We tested on versions of Excel as early as from 2013 which exhibited this behaviour.

Classifying the severity of this vulnerability is debatable, as this would only affect a subset of users with specific setups that perform very specific tasks with EM, however, we have erred on the side of caution and released updates immediately.

Whilst we recommend everyone to upgrade, we particularly urge you to do so if you make use of our CSV export functionality, accept bookings from the general public and/or allow for free bookings.

Many thanks to Vishnupriya from Fortinet’s FortiGuard Labs for discovering and privately disclosing this bug.

Pro Security Patch

Since this can also affect Pro elements of the booking form, particularly attendee forms, we have provided a patch for all customers with expired licenses that do not have access to automatic updates.

Please log in and visit the patch instructions page. If you’re stuck or have further questions about this patch, we’ll also provide contact details so you can get in touch and we’ll be happy to provide further assistance.

Custom Code Implications

If you or a developer has created custom code which adds additional columns of data to booking fields, these will be sanitized, provided you are using our standard hooks such as em_bookings_table_rows_col_{colname} or em_bookings_table_rows_col.

Additional Improvements

Whilst we have other features in the pipeline, we already had a few minor improvements that were ready to release and therefore were included in the latest update.

Email Attachments

We’ve added the ability to programmatically add attachments to emails sent via Events Manager.

The idea here is to pave the way for further functionality, such as custom event attachments and printable tickets with scannable QR codes. The first step we’ve taken is to release the option to attach ical files to booking confirmation emails, similar to the functionality in email reminders.

This option is now available under Events > Settings > Emails > Booking Email Templates, your emails will include an ical attachment and will also start looking like this in clients such as gmail:

Ticket Ordering

We have added drag/drop ordering for tickets in the event editor! There are many instances where you may want to order tickets in a non-sensical way that are not alphabetical or price-related. Now, you can order your tickets by dragging and dropping them in the order you desire!

Previous events which were saved before this feature was introduced will maintain your previously chosen settings.

Detailed Changelogs

As per usual, here are the comprehensive list of changes you’ll find in both plugin readme.txt files:

Events Manager 5.9.7.2 Changelog

  • fixed CSV injection vulnerability which can allow malicious text to be exported to CSV files and parsed by Spreadsheet
  • fixed #_BOOKINGCUTOFF text date formats not getting translated correctly
  • added ability to programatically add attachments to booking emails for future features
  • fixed/updated casing of functions in phpMailer function calls (prefiously backward compatible),
  • added reply-to headers for wp_mail emails circumventing some plugins forcing from email address fields,
  • fixed email testing function ignoring sender name, encryption and autotls options
  • fixed ical apple structure breaking parsing in google (and possible others)
  • updated events-manager.js to replace deprecated use of delegate/bind with on/off equivalents
  • added ticket ordering
  • fixed editing booking tickets in admin causing validation errors on 0 values
  • fixed PHP Warning generated when adding Booking Notes which prevent a redirect with WP_DEBUG enabled
  • fixed Events tab on profile pages stripping last character with the BuddyPress Nouveau theme
  • changed blank value to ‘no location’ when viewing the event bookings admin page for locationless events
  • changed EM_Notices by making them JsonSerializable
  • fixed (hopefully!) the elusive and hard to reproduce "variable mismatch" error when submitting new form in some rare circumstances

Events Manager Pro 2.6.7.2 Changelog

  • fixed CSV injection potential vulnerability for tainted data when exporting bookings to CSV
  • added ical attachments to emails (requires at least EM version 5.9.7.2)
  • fixed WPML issues with custom email templates
  • changed the use of jQuery deprecated .delegate() to .on() function

One Comment

Leave a Reply

This comment area is for discussion, not obtaining support. If you are having issues installing or using Events Manager, please visit either our Free or Pro support forums and we'll be happy to help you there.