Channel: Blog Archives | The Events Calendar

Two Security Vulnerabilities Addressed in The Events Calendar and Event Tickets


At The Events Calendar, security is one of our top priorities. We actively monitor for potential risks and act promptly to address any issues we discover or that are reported to us.

On Friday, September 13th, we received two reports from WordFence notifying us of security vulnerabilities in The Events Calendar and Event Tickets plugins. Our team immediately sprang into action to make sure we’d have a Monday morning update for you.

If you’re using The Events Calendar or Event Tickets plugins, it’s important that you follow the instructions in this post as soon as possible to make sure your WordPress website is secure.

The vulnerabilities

  1. Unauthenticated Stored Cross-Site Scripting – This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  2. Unauthenticated SQL Injection – This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Who’s affected?

  1. Unauthenticated Stored Cross-Site Scripting – All versions up to, and including, 5.13.3 of Event Tickets.
  2. Unauthenticated SQL Injection (unused code) – All versions up to, and including, 6.6.4 of The Events Calendar. However, only sites that have manually added tribe_has_next_event() will be vulnerable.

The solution

To remove these vulnerabilities, the easiest and most straightforward approach is to simply update to the latest versions of both The Events Calendar and Event Tickets. To do that, log into your WordPress Admin and navigate to Dashboard > Updates. Make sure The Events Calendar is updated to version 6.6.4.1 and Event Tickets to version 5.13.3.1.

Addressing legacy versions of Event Tickets

If you need to remain on a legacy version of Event Tickets for compatibility reasons, we have released patches for each of the legacy versions listed below.

Event Tickets legacy version patches:

  • Update from 5.12.0 to 5.12.0.1
  • Update from 5.11.0.5 to 5.11.0.6
  • Update from 5.10.0 to 5.10.0.1
  • Update from 5.9.2 to 5.9.2.1

To implement the patched copy of the Event Tickets plugin for your specific legacy version, please do the following as soon as possible:

  1. Sign into your account here at theeventscalendar.com
  2. Navigate to My Account > Downloads
  3. Download the patched plugin files for the legacy version of Event Tickets you’re running (as listed above)
  4. On your website navigate to WP Admin > Plugins > Add New Plugin
  5. Click the “Upload Plugin” button at the top of the page
  6. Click “Choose File” and select the zipped folder you downloaded
  7. Click “Install Now”
  8. Click “Replace current with uploaded”

Patch installed!
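To confirm a site is actually outside the affected ranges above, the following added example (not code from The Events Calendar) checks the installed plugin versions against the fixed and legacy-patch versions quoted in this post, and scans a theme directory for custom code calling tribe_has_next_event(), since that call is what makes the SQL injection reachable. The version strings are constructed samples; the theme path is an assumption.

```python
# Added example: version check against the fixed/legacy-patch versions in this
# post, plus a scan for the tribe_has_next_event() call that exposes the SQLi.
from pathlib import Path
import re

TEC_FIXED = "6.6.4.1"            # The Events Calendar fixed release
ET_FIXED = "5.13.3.1"            # Event Tickets fixed release
ET_LEGACY_PATCHES = {"5.12.0.1", "5.11.0.6", "5.10.0.1", "5.9.2.1"}

def vtuple(version):
    """Turn '5.13.3.1' into (5, 13, 3, 1); '5.13.3' becomes (5, 13, 3), which
    compares as lower than (5, 13, 3, 1), matching 'up to and including 5.13.3'."""
    return tuple(int(p) for p in version.split("."))

def event_tickets_vulnerable(installed):
    """True if this Event Tickets version still carries the stored XSS."""
    if installed in ET_LEGACY_PATCHES:
        return False                       # one of the legacy patch releases
    return vtuple(installed) < vtuple(ET_FIXED)

def events_calendar_vulnerable(installed, custom_code_calls_helper):
    """True only for pre-6.6.4.1 sites whose own code calls tribe_has_next_event()."""
    if vtuple(installed) >= vtuple(TEC_FIXED):
        return False
    return custom_code_calls_helper

CALL_RE = re.compile(r"\btribe_has_next_event\s*\(")

def calls_helper(php_source):
    """True if a PHP source string contains a call to tribe_has_next_event()."""
    return CALL_RE.search(php_source) is not None

def files_calling_helper(root):
    """Sorted list of .php files under root that call the helper (assumed theme dir)."""
    hits = [str(p) for p in Path(root).rglob("*.php")
            if calls_helper(p.read_text(errors="ignore"))]
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample values; on a live site read them from WP Admin > Plugins.
    print("Event Tickets 5.12.0   vulnerable:", event_tickets_vulnerable("5.12.0"))
    print("Event Tickets 5.12.0.1 vulnerable:", event_tickets_vulnerable("5.12.0.1"))
    hits = files_calling_helper("wp-content/themes")   # assumed theme directory
    print("TEC 6.6.4 vulnerable:", events_calendar_vulnerable("6.6.4", bool(hits)))
```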

Thank you to WordFence

We want to express our gratitude to WordFence for alerting us to these vulnerabilities. The collective work of plugin developers, WordPress security firms, independent researchers, and users focused on security helps ensure we all stay safe online. Thank you!

Stay safe out there!

We’d also like to take a moment to thank you, our valued customers, for placing your trust in us. Rest assured, we are committed to prioritizing security in all our products and will keep you informed of any necessary steps to safeguard your website and data. Should you have any questions, concerns, or issues to report, don’t hesitate to contact us here.
Additionally, situations like this serve as a helpful reminder to review and apply WordPress security best practices. If it’s been a while since you’ve done so, we suggest checking out this guide.

The post Two Security Vulnerabilities Addressed in The Events Calendar and Event Tickets appeared first on The Events Calendar.
