Following a security audit of Event Organiser and its extensions, the plug-ins listed below have been found to contain an XSS vulnerability. A patch for each extension has been released. You are strongly encouraged to update. If you are unable to update the plug-in from within the admin dashboard, you can also download it manually by logging into https://wp-event-organiser.com/my-account.
- Event Organiser (update to 2.12.5)
- Event Organiser Pro (update to 1.9.7)
- Event Organiser Discount Codes (update to 1.2.1)
Details of the security vulnerability will be released shortly.
The severity of these vulnerabilities is relatively low: exploitation would require a logged-in user with access to the events / bookings / discounts admin pages to click a malicious URL (pointing to that admin page). Nevertheless, you are urged to update as soon as possible.