Events Made Easy Forums Generic IMPORTANT: Security release and switch to github

#64829
Franky (Keymaster)

    There is a vulnerability in EME: an SQL query was not properly escaped, so an authenticated user could use a specially crafted URL/tool to see info he was not supposed to see, even if not authorized to do so. See also: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/events-made-easy/events-made-easy-2316-missing-authorization
    It has already been fixed days ago (see the date of this post), but WordPress requires me to refactor the whole code since they have new coding standards. I tried for 5 full days to comply, but some of their (new) requirements are very hard to meet (“late escaping” for example, where you need to call an escape function inside the echo call, not before it …). Due to this fact, the plugin is currently closed on WordPress. This is a very weird WordPress decision: not allowing a security release because of new coding standards …

    So, if you want to install and receive updates again, go to https://github.com/liedekef/events-made-easy and follow the install instructions (mentioned in the readme):

    For existing WordPress users that have version 2.3.18 or older:

    – Take a database backup to be sure
    – Download the zip “events-made-easy.zip” from the latest release on github ( https://github.com/liedekef/events-made-easy/releases )
    – Go to the WordPress ‘Plugins’ menu, and click on “Add new”
    – Select the zip you downloaded; this will upload the zip and replace the existing installation without losing data
      If the file is too big for uploading, try again with “events-made-easy-minimal.zip” (which is a minimal version of the previous release, after which a regular update will present itself).
      If it is still too big, or you need to use FTP/SSH: use your favorite upload tool to upload the contents of the zip file to the /wp-content/plugins/events-made-easy directory (remove the old files first)
    – After that, updating the plugin will be as usual in the backend

    I advise doing this in a test environment first, although it should work just fine (but I did change a huge number of lines of code, so a bug is not impossible).

    If you feel uncomfortable doing this and want to switch to another plugin, I can totally understand.

    Franky
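The two WordPress-specific points in the post above (a query built without escaping behind a missing authorization check, and the “late escaping” rule the plugin review team now enforces) are illustrated below. This is an added example and not code from the Events Made Easy plugin; the function names, the table name and the `edit_posts` capability are hypothetical, chosen only to show the pattern.

```php
<?php
// Added illustration; not Events Made Easy code. Function names, the table
// name and the capability used are hypothetical.

// BEFORE: the pattern the post describes. No capability check, and the
// request value is concatenated straight into the SQL, so any logged-in
// user can read rows they were never authorized to see.
function eme_example_get_booking_vulnerable( $request ) {
    global $wpdb;
    $id  = $request['booking_id'];
    $sql = "SELECT * FROM {$wpdb->prefix}eme_example_bookings WHERE booking_id = " . $id;
    return $wpdb->get_row( $sql );
}

// AFTER: authorize first, then let $wpdb->prepare() bind the value.
function eme_example_get_booking_hardened( $request ) {
    global $wpdb;
    // Missing-authorization fix: being authenticated is not enough,
    // require a specific capability (hypothetical choice here).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'Not allowed', 'events-made-easy' ), '', array( 'response' => 403 ) );
    }
    // Coerce to a non-negative integer and bind with %d; prepare() escapes it.
    $id  = absint( $request['booking_id'] );
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}eme_example_bookings WHERE booking_id = %d",
        $id
    );
    return $wpdb->get_row( $sql );
}

// "Late escaping" as the post describes it: the escape function is called
// inside the echo statement, not earlier when the value is stored.
function eme_example_render_name( $booking ) {
    // Early escaping (what the new standards reject):
    //   $name = esc_html( $booking->name );
    //   echo $name;
    //
    // Late escaping (what they require), using the escape function that
    // matches the output context (text node vs. HTML attribute):
    echo '<p>' . esc_html( $booking->name ) . '</p>';
    echo '<input type="text" name="eme_example_name" value="' . esc_attr( $booking->name ) . '">';
}
```

The hardened query fixes both halves of the reported issue: the capability check closes the missing-authorization gap, and `$wpdb->prepare()` with `%d` removes the unescaped SQL. The last function shows why “late escaping” is a review requirement rather than a security change: the output is identical, but a reviewer can verify every `echo` at a glance without tracing where each variable was assigned.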
