Here at The Events Calendar we take security very seriously. We’re always on the lookout for potential threats and take swift action to resolve any issues we find or that are brought to our attention.
On Tuesday, August 20 we received a report notifying us of a potentially serious vulnerability in The Events Calendar Pro. Since then our team has been hard at work resolving the issue.
If you’re using The Events Calendar Pro plugin it is important that you follow the instructions in this post as soon as possible.
The vulnerability
The vulnerability lies in how the plugin handles PHP Object Serialization for widgets. If left unpatched, attackers could leverage this as a vector for Remote Code Execution (RCE). This means that even users with limited permissions, such as those assigned the “Contributor” role, could exploit this vulnerability depending on the combination of third-party plugins in use on your site. However, it’s important to note that this exploit can only be carried out if attackers can create new widgets.
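The following is an added illustration of the vulnerability class named above and is not code from The Events Calendar Pro plugin. It assumes, for the sake of the example, that widget instance settings are stored as a PHP serialized string and later passed to `unserialize()`; the function names, the sample inputs and the JSON alternative are all constructed here, not taken from the plugin.

```php
<?php
// Added example (not the plugin's own code): why unserialize() on widget
// settings is an object-injection risk, and how a defender closes it.
// Assumption: widget settings are persisted as a PHP serialized string.

/**
 * Unsafe pattern. With default options unserialize() instantiates any
 * class named in the payload, so whoever can save widget settings can have
 * that class's __wakeup()/__destruct() run during the round-trip. Whether
 * that becomes RCE depends on which classes the installed plugins provide,
 * which is why the advisory says exposure varies with third-party plugins.
 */
function load_widget_settings_unsafe(string $stored): array {
    $data = unserialize($stored);
    return is_array($data) ? $data : [];
}

/**
 * Hardened version. allowed_classes => false (PHP >= 7.0) turns every object
 * in the payload into __PHP_Incomplete_Class, which has no magic methods,
 * so nothing executes. We also fail closed on anything that is not a plain
 * array of scalars, and pre-reject payloads carrying object tokens at all
 * (conservative: a legitimate settings array never needs one).
 */
function load_widget_settings_safe(string $stored): array {
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $stored)) {
        return [];
    }
    $data = @unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($data) || !contains_only_scalars($data)) {
        return [];
    }
    return $data;
}

function contains_only_scalars(array $data): bool {
    foreach ($data as $value) {
        if (is_array($value)) {
            if (!contains_only_scalars($value)) {
                return false;
            }
        } elseif (!is_scalar($value) && $value !== null) {
            return false;
        }
    }
    return true;
}

/**
 * Better still: store settings as JSON, a format with no object type, so
 * there is nothing for a deserializer to instantiate in the first place.
 */
function save_widget_settings(array $settings): string {
    return json_encode($settings, JSON_THROW_ON_ERROR);
}

function load_widget_settings_json(string $stored): array {
    $data = json_decode($stored, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed sample inputs. A serialized stdClass stands in for an injected
// object; no real gadget class is involved.
$legit    = serialize(['title' => 'Upcoming events', 'limit' => 5]);
$injected = serialize((object) ['title' => 'x']);

var_dump(load_widget_settings_safe($legit));     // array(title, limit)
var_dump(load_widget_settings_safe($injected));  // array(0) {}  (rejected)
var_dump(load_widget_settings_json(save_widget_settings(['limit' => 5])));
```

The pre-check regex is deliberately strict and may reject a legitimate string value that happens to contain an object token; that is the safe direction to fail in for widget settings. The JSON round-trip is the approach to prefer in new code, since it removes the deserializer's ability to create objects rather than merely restricting it.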
Who’s affected?
Everyone running The Events Calendar Pro is affected by this vulnerability. We have created a patch for the latest version plus the four previous feature versions that some of you may still be using.
- 7.0.2 – current version
- 6.5.1 – legacy version
- 6.4.0.1 – legacy version
- 6.3.3 – legacy version
- 6.2.4 – legacy version
If you are running an even older version than those listed above and need to update, please reach out to support with the exact version you have installed.
The solution
There are two solutions for resolving this issue. The first and easiest is to simply make sure you are running the latest version of The Events Calendar Pro plugin. Go to WP Admin > Updates and update to version 7.0.2.1. The second solution is for anyone who needs to remain on a legacy version of The Events Calendar Pro for compatibility reasons. To address that need we have released patches for each of the legacy versions listed above.
The Events Calendar Pro Patches:
- Update from 7.0.2 to 7.0.2.1 – can be done from WP Admin > Updates
- Update from 6.5.1 to 6.5.1.1
- Update from 6.4.0.1 to 6.4.0.2
- Update from 6.3.3 to 6.3.3.1
- Update from 6.2.4 to 6.2.4.1
To implement the patched copy of The Events Calendar Pro plugin for your specific legacy version, please do the following as soon as possible:
- Sign into your account here at theeventscalendar.com
- Navigate to My Account > Downloads
- Download the patched plugin files for the legacy version of The Events Calendar Pro you’re running (as listed above)
- On your website navigate to WP Admin > Plugins > Add New Plugin
- Click the “Upload Plugin” button at the top of the page
- Click “Choose File” and select the zipped folder you downloaded from The Events Calendar
- Click “Install Now”
- Click “Replace current with uploaded”
Patch installed!
Thank you to WordFence
We’d like to thank WordFence for bringing this vulnerability to our attention. It’s through the combined effort of plugin creators, WordPress security companies, independent researchers, and security minded users that we’re all made safer online. Thank you!
Stay safe out there
We also want to thank you, our customers, for the trust you extend to us. You can depend on us to always prioritize security in our products and notify you of any action needed to keep your website and data safe. If you have any questions or concerns (or something to report) you can always reach out to us here.
On a more general note, instances like this are a good reminder to review and implement WordPress security best practices across the board. If that’s something you haven’t done lately, we recommend this guide.