Events Manager 5.12 & Pro 2.7

We’ve released two maintenance updates, including a security fix for a vulnerability found in Events Manager 5.12. We advise that you upgrade as soon as possible to mitigate an XSS vulnerability.

We’d like to thank the WordPress Plugin team for doing a fabulous job of keeping the plugin repository safe and secure, and in this case for liaising with us to identify the vulnerability and get it fixed in a timely manner. We’ll be following up with another post in a few weeks with some extra precautionary advice. In the meantime, rest assured that Events Manager 5.12 has been updated to mitigate the reported vulnerability.

Events Manager 5.12 Changelog

  • changed EM_Booking::$disable_restricions so that all ticket restrictions can be ignored for admin manual bookings (pro feature) including spaces, roles and dates
  • added taxonomy filters for Meta Tag Manager compatibility on overridden taxonomy pages
  • added filters to Event_Locations\Event_Location and Event_Locations\URL
  • added filters to EM_Events::output_grouped()
  • fixed #_EVENTDATES_LOCAL and #_24HHTIMES_LOCAL showing time/date range even if time/dates are the same
  • fixed XSS security vulnerability reported by/via WP Plugins team

Events Manager Pro 2.7 Changelog

  • fixed issue where manual bookings without any active gateways still mark bookings as pending payment
  • added option to auto-confirm manual bookings if offline gateway is inactive
  • fixed ‘non longer available’ error for manual booking tickets
  • fixed transaction log dates showing UTC time instead of local blog time
  • fixed forms editor minor meta box styling issues
  • added emp_form_get_formatted_value filter
  • added em_logs_log_directory and em_logs_log_name filters to EMP_Logs to allow overriding of locations
  • fixed username fields not showing in manual booking form
  • fixed transactions table showing UTC date/time instead of local timezone
  • fixed issue with ML cross-language bookings not being removable in multiple bookings mode
  • fixed tooltips not accepting HTML
  • fixed wrong attendee form data output on checkout if multiple events in cart have different attendee forms
  • added checkbox to disable ticket restrictions in manual bookings, allowing for overbooking ticket spaces and overriding role/date limitations
  • fixed manual booking form omitting certain registration fields as per settings page options meant for regular users
  • fixed PayPal pending payments getting auto-deleted on all blogs in MS Global according to the shortest timeout setting on any of the network blogs
  • fixed logging issues in multisite installations (requires re-saving network EM settings if logging is enabled)