Events Manager 5.12: Security Fix Follow-Up

Posted on November 5, 2021

Events Manager 5.12 fixed a reported XSS vulnerability. Whilst the update mitigates the known vulnerability, and we aren’t aware of (nor do we think there is) a way to further exploit it, we updated a few template files with some extra security precautions.

This measure is taken out of an abundance of caution, meaning you don’t need to worry if these changes aren’t implemented on your site immediately, or possibly at all.

We didn’t release any further information about the matter, in order to give users time to update the plugin before we disclose extra information about the vulnerability. We won’t disclose details about it here either, but we advise anyone who has overridden our template files to consider copying over the changes to these files:

events-manager/templates/search/geo-units.php
events-manager/templates/events-search.php

Again, version 5.12 will prevent older versions of these templates located in your themes from being vulnerable, but we advise you to update these files to keep up with best security practices even when there is no threat.

Providing an awesome and secure plugin is our top priority. Rest assured that any known vulnerabilities are handled with the utmost urgency and consideration for our users.
