XSS Vulnerability in Event Organiser and two extensions

Following a security audit of Event Organiser and its extensions, the plug-ins listed below have been found to contain an XSS vulnerability. A patch for each plug-in has been released, and you are strongly encouraged to update. If you are unable to update a plug-in from within the admin dashboard, you can download it manually by logging into https://wp-event-organiser.com/my-account.

  • Event Organiser (update to 2.12.5)
  • Event Organiser Pro (update to 1.9.7)
  • Event Organiser Discount Codes (update to 1.2.1)

Details of the security vulnerability will be released shortly.

The severity of these vulnerabilities is relatively low. Exploitation would require a logged-in user with access to the events / bookings / discounts admin pages to click a malicious URL (pointing to that admin page). Nevertheless, you are urged to update as soon as possible.