Events Manager 5.9.8
Posted on July 6, 2020
We’re happy to announce Events Manager 5.9.8, which introduces a new concept feature – Event Location Types!
Additionally, along with a few bug-fixes, we have also fixed two reported vulnerabilities and therefore strongly urge everyone to update their plugin.
Location Types and Online Events
Event Location Types allows for different ‘types’ of events, other than a physical one. This is mainly geared towards accommodating online events but could also potentially accommodate for other custom location types which to suit any need.
Online events was the focus of this update, which we’ve been working on for a few months now, shifting focus away from other features due to the pandemic the whole world has come to experience. This update is the foundation for what’s to follow; webinar integrations!
With that, we’re proud to (re)announce a new, freely available, Zoom Integration add-on, already available on wordpress.org. This is our first Webinar platform integration, due to its surge in popularity, ease of use, and comprehensive API.
This provides direct integration with Zoom Meetings and Webinars, along with some initial support for Zoom Rooms, including automatic creation and syncing of meetings/webinars and also managing registrations via Events Manager.
During the past few weeks of development, we were alerted to two separate vulnerabilities in Events Manager and have proceeded to patch these in the latest update.
The XSS vulnerability, discovered by Jakob Wierzba will affect all installations of Events Manager, so we strongly recommend updating to the latest version. This vulnerability potentially allows an attacker to formulate a URL on your site, that if visited by an administrator could potentially allow the attacker to access their account.
The SQL vulnerability, reported by Antony Garand from Godaddy will affect a far smaller subset of users. If you use Multisite with Global Tables mode enabled, along with allowing subsite events or locations to be shown on the main site, then you should certainly upgrade to the latest version.
Whilst it’s always unfortunate to discover security vulnerabilities, it is also fortunate that we were made aware of these and can now rest assured that these cannot be exploited. We’d like to thank both Jakob and Antony for their great work and also for responsibly reporting these directly to us.
Here’s the list of changes in the latest version, as stated in our readme.txt file:
- added Location Types including URL and (via external free add-on) Zoom support!
- added native OAuth support for third party integrations (e.g. Zoom)
- added $EM_Event object to booking form template actions
- changed $EM_Booking->booking_status to protected so that status returns 1 even if approvals are disabled
- fixed XSS vulnerability (kudos to Jakob Wierzba)
- fixed potential SQL injection vulnerability (kudos to Antony Garand from Godaddy)
- fixed fatal errors in BuddyPress if notifications are disabled
- fixed minor PHP warning
- fixed Yoast SEO 14.0 conflict