We’ve released two maintenance updates, including a security fix for a vulnerability found in Events Manager 5.12. We advise that you upgrade as soon as possible to mitigate an XSS vulnerability.
We’d like to thank the WordPress Plugin team for doing a fabulous job of keeping the plugin repository safe and secure, and in this case for liaising with us to identify the vulnerability and get it fixed in a timely manner. We’ll be following up with another post in a few weeks with some extra precautionary advice; however, rest assured that Events Manager 5.12 has been updated to mitigate the reported vulnerability.
Events Manager 5.12 Changelog
- changed EM_Booking::$disable_restricions so that all ticket restrictions can be ignored for admin manual bookings (pro feature), including spaces, roles and dates
- added taxonomy filters for Meta Tag Manager compatibility on overridden taxonomy pages
- added filters to Event_Locations\Event_Location and Event_Locations\URL
- added filters to EM_Events::output_grouped()
- fixed #_EVENTDATES_LOCAL and #_24HHTIMES_LOCAL showing time/date range even if time/dates are the same
- fixed XSS security vulnerability reported by/via WP Plugins team
Events Manager Pro 2.7 Changelog
- fixed issue where manual bookings without any active gateways still marked bookings as pending payment
- added option to auto-confirm manual bookings if offline gateway is inactive
- fixed ‘no longer available’ error for manual booking tickets
- fixed transaction log dates showing UTC time instead of local blog time
- fixed forms editor minor meta box styling issues
- added emp_form_get_formatted_value filter
- added em_logs_log_directory and em_logs_log_name filters to EMP_Logs to allow overriding of locations
- fixed username fields not showing in manual booking form
- fixed transactions table showing UTC date/time instead of local timezone
- fixed issue with ML cross-language bookings not being removable in multiple bookings mode
- fixed tooltips not accepting HTML
- fixed wrong attendee form data output on checkout if multiple events in cart have different attendee forms
- added checkbox to disable ticket restrictions in manual bookings, allowing for overbooking ticket spaces and overriding role/date limitations
- fixed manual booking form omitting certain registration fields according to settings page options meant for regular users
- fixed paypal pending payments getting auto-deleted on all blogs in MS Global according to the shortest timeout setting on any of the network blogs
- fixed logging issues in multisite installations (requires re-saving network EM settings if logging is enabled)