EM 7.0.4 – Security Vulnerability Fix

We released Events Manager 7.0.4 just under 24 hours ago, after receiving several security disclosures via the WordFence Security team during the preceding 24 hours. We take security very seriously and acted quickly to patch these vulnerabilities.

We were notified just over 24 hours ago; the issues were reported to WordFence by security researchers on the 24th and 25th of June. They will be responsibly disclosed to the public in 30 days, as per the WordFence disclosure policy, giving everyone time to update.

Updating is Strongly Recommended

These issues comprise 3 separate reports / vulnerabilities, graded 6.1, 6.4 and 7.4 in severity. Whilst these vulnerabilities should not directly enable unauthorized access to your website if exploited on a correctly configured website, they are certainly vulnerabilities we strongly recommend patching via the latest update.

We recommend everyone upgrade to the latest version of Events Manager 7, or to 6.6.5 (see below).

Given that we have just released a major update and a significant number of users are still transitioning, we have also released version 6.6.5, allowing users to receive the fix without jumping to version 7.

Updating older versions to Version 6.6.5

To update to version 6.6.5 from version 6.6.4.4 or earlier, you have quite a few options.

One easy way is by using the WP Rollback plugin. Install that, visit the plugins page and you’ll see a ‘Rollback’ link on the Events Manager plugin. You can then click on that and select 6.6.5 to roll back to.

To update manually, you can download version 6.6.5 directly and install it on your site via FTP or by uploading the ZIP file directly as covered in our installation instructions.

Changelogs

Changelog 7.0.4

  • Fixed pagination errors introduced in 7.0.3.
  • Fixed potential collation issues with DB tables and added more meaningful errors when saving index tables so admins see clearer error messages.
  • Tweaked installation and update process to schedule DB updates via wp_cron for WP-CLI and auto-updates, rather than relying on a dashboard page load.
  • Fixed uninstall fatal error caused by the new recurrences table introduced in v7.
  • Fixed 3 security vulnerabilities reported by Muhammad Yudha and @mikemyers via WordFence.

Changelog 6.6.5

  • Fixed 3 security vulnerabilities reported by Muhammad Yudha and @mikemyers via WordFence.
