Event Organiser Pro 1.11.10 releases & Event Organiser FES 1.3.9 release

There have been recent bug-fix releases for Pro and FES extensions. Both of these fixes an issue with the select, radio and checkbox fields in the booking / event submission forms.

Specifically users can modify the HTML of those fields in the browser to submit whatever value they like. While there is no security implications for the plug-in in themselves it’s important to be aware that this means you cannot trust the user supplied option to be one of the values you have listed.

The implications of this range from collecting ‘invalid’ data from users exploiting this bug, to a potential security vulnerability. This depends on how you are using and storing the data, and whether you’ve taken necessary precautions. For the plugins themselves there are no security implications: collected data is treated as untrustworthy and escaped appropriately. Additionally CSV exports and excel spreadsheets will be fine. If you are using the data in a script then you should make sure you are escaping it, but you should be doing this anyway.

In short, this not a security vulnerability for those plug-ins, but be aware that a user could submit a value that is not part of your pre-defined choices.

Additional Pro bugfixes

  • A bug with venue meta queries affecting WP 4.6+ was fixed.
  • A bug with the booking form’s submit button not always being disabled after pressed (to prevent duplicate submissions) was fixed.
  • Translations were updated