Shared security patch analysis results
AI Used: claude_cli haiku
Comprehensive security analysis generated by AI for each confirmed CVE match. Each writeup covers vulnerability background, technical details, patch analysis, and a PoC guide.
--- cache/wp-event-solution_4.0.51/base/Container/Container.php 2026-01-09 00:38:09.548518484 +0000+++ cache/wp-event-solution_4.0.52/base/Container/Container.php 2026-01-09 00:43:13.275054628 +0000@@ -80,13 +80,13 @@ */ public function resolve( string $class_name ): object { if ( ! class_exists( $class_name ) ) {- throw new Exception( "Class: {$class_name} does not exist" );+ throw new Exception( esc_html( "Class: {$class_name} does not exist" ) ); } $reflection_class = new ReflectionClass( $class_name ); if ( ! $reflection_class->isInstantiable() ) {- throw new DependencyIsNotInstantiableException( "Class: {$class_name} is not instantiable" );+ throw new DependencyIsNotInstantiableException( esc_html( "Class: {$class_name} is not instantiable" ) ); } if ( null === $reflection_class->getConstructor() ) {@@ -120,7 +120,7 @@ if ( $parameter->isDefaultValueAvailable() ) { $dependencies[] = $parameter->getDefaultValue(); } else {- throw new DependencyHasNoDefaultValueException( "Class: {$parameter->name} dependency can not be resolved" );+ throw new DependencyHasNoDefaultValueException( esc_html( "Class: {$parameter->name} dependency can not be resolved" ) ); } } else { $dependencies[] = $this->get( $dependency );
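Review bot: `esc_html()` is applied at the throw site in all three hunks, but escaping belongs at the point where the message is rendered; wrapping the message in the constructor gives no protection to any handler that echoes `$e->getMessage()` from a throw site that was missed, and it HTML-encodes messages that only ever reach logs. If the motivation is the WordPress coding-standards sniff for unescaped exception messages, the change is harmless, but the catch side still needs to escape before output rather than relying on every `throw` being wrapped.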
Vulnerability Existed: no
No CWE - N/A - base/Container/Container.php (lines 83, 90, 123)
Old Code:
```php
throw new Exception( "Class: {$class_name} does not exist" );
throw new DependencyIsNotInstantiableException( "Class: {$class_name} is not instantiable" );
throw new DependencyHasNoDefaultValueException( "Class: {$parameter->name} dependency can not be resolved" );
```
Fixed Code:
```php
throw new Exception( esc_html( "Class: {$class_name} does not exist" ) );
throw new DependencyIsNotInstantiableException( esc_html( "Class: {$class_name} is not instantiable" ) );
throw new DependencyHasNoDefaultValueException( esc_html( "Class: {$parameter->name} dependency can not be resolved" ) );
```
Explanation:
The addition of `esc_html()` wrapping in exception messages does not address an actual vulnerability. Exception messages in this context are:
1. **Not output to users** - These exceptions are thrown during dependency resolution in a container class, which is part of the application's internal dependency injection system. Exception messages are logged or caught internally, not rendered to end users.
2. **Already safe from XSS** - The values being interpolated (`$class_name` and `$parameter->name`) are derived from reflection and class/parameter names, which cannot contain user input or arbitrary HTML/JavaScript.
3. **Misapplied escaping** - `esc_html()` is a WordPress function meant for escaping data before outputting it to HTML. Applying it to exception messages that are never output to users provides no security benefit and reflects a misunderstanding of when escaping should be applied.
This change appears to be a defensive programming practice or a linting requirement rather than a fix for an actual security vulnerability.
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
--- cache/wp-event-solution_4.0.51/base/Enqueue/admin.php 2026-01-09 00:38:09.552518728 +0000+++ cache/wp-event-solution_4.0.52/base/Enqueue/admin.php 2026-01-09 00:43:13.311056830 +0000@@ -98,7 +98,7 @@ $screen = get_current_screen(); $screen_id = $screen->id; - if ( 'toplevel_page_eventin' === $screen_id ) {+ if ( 'toplevel_page_eventin' === $screen_id && class_exists( 'EventinAI' ) ) { wp_enqueue_style( 'etn-ai' ); wp_enqueue_script( 'etn-ai' ); }
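Review bot: the added `class_exists( 'EventinAI' )` guard is fine, but the two context lines above it, `$screen = get_current_screen(); $screen_id = $screen->id;`, dereference the return value without a null check; `get_current_screen()` returns `null` when no screen has been set up yet, so this callback should return early when `$screen` is `null` before comparing `$screen_id`.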
Vulnerability Existed: no
Class Existence Check - N/A - base/Enqueue/admin.php - Line 101
Old Code:
```php
if ( 'toplevel_page_eventin' === $screen_id ) {
```
Fixed Code:
```php
if ( 'toplevel_page_eventin' === $screen_id && class_exists( 'EventinAI' ) ) {
```
Explanation:
This is not a security vulnerability fix, but rather a defensive programming improvement. The change adds a `class_exists( 'EventinAI' )` check before enqueueing the 'etn-ai' style and script. This prevents potential errors if the EventinAI class is not loaded or available. While this improves code robustness and prevents runtime errors, it does not address or fix a security vulnerability. The original code was not vulnerable to security exploits; it would simply fail gracefully if the class didn't exist when the scripts/styles were enqueued. This is a stability/reliability improvement rather than a security fix.
--- cache/wp-event-solution_4.0.51/base/Enqueue/register.php 2026-01-09 00:38:09.556518971 +0000+++ cache/wp-event-solution_4.0.52/base/Enqueue/register.php 2026-01-09 00:43:13.323057564 +0000@@ -225,14 +225,21 @@ $primary_color = '#5D78FF'; $secondary_color = ''; - // cart bg color.+ // SECURITY: Sanitize color values to prevent XSS if ( ! empty( $settings['etn_primary_color'] ) ) {- $primary_color = $settings['etn_primary_color'];+ $primary_color = sanitize_hex_color( $settings['etn_primary_color'] );+ // Fallback to default if sanitization fails+ if ( empty( $primary_color ) ) {+ $primary_color = '#5D78FF';+ } } - // cart icon color. if ( ! empty( $settings['etn_secondary_color'] ) ) {- $secondary_color = $settings['etn_secondary_color'];+ $secondary_color = sanitize_hex_color( $settings['etn_secondary_color'] );+ // Fallback to empty if sanitization fails+ if ( empty( $secondary_color ) && ! empty( $settings['etn_secondary_color'] ) ) {+ $secondary_color = '';+ } } $etn_custom_css .= "
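Review bot: the second fallback in this hunk is dead code: the outer `if ( ! empty( $settings['etn_secondary_color'] ) )` already guarantees the setting is non-empty, so the extra `&& ! empty( $settings['etn_secondary_color'] )` is always true and the branch only turns the `null` that `sanitize_hex_color()` returns for invalid input into `''`; `$secondary_color = sanitize_hex_color( $settings['etn_secondary_color'] ) ?: '';` expresses that in one line. More importantly, both values are still interpolated into `$etn_custom_css .= "` on output, so validating at read time is the right place, but the same `sanitize_hex_color()` check should also run where these settings are saved, otherwise any other consumer of `etn_primary_color` reads the unvalidated stored value.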
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - base/Enqueue/register.php - Lines 229, 236
Old Code:
```php
if ( ! empty( $settings['etn_primary_color'] ) ) {
    $primary_color = $settings['etn_primary_color'];
}
if ( ! empty( $settings['etn_secondary_color'] ) ) {
    $secondary_color = $settings['etn_secondary_color'];
}
```
Fixed Code:
```php
if ( ! empty( $settings['etn_primary_color'] ) ) {
    $primary_color = sanitize_hex_color( $settings['etn_primary_color'] );
    // Fallback to default if sanitization fails
    if ( empty( $primary_color ) ) {
        $primary_color = '#5D78FF';
    }
}
if ( ! empty( $settings['etn_secondary_color'] ) ) {
    $secondary_color = sanitize_hex_color( $settings['etn_secondary_color'] );
    // Fallback to empty if sanitization fails
    if ( empty( $secondary_color ) && ! empty( $settings['etn_secondary_color'] ) ) {
        $secondary_color = '';
    }
}
```
Explanation:
The original code directly assigned user-controlled color settings ($settings['etn_primary_color'] and $settings['etn_secondary_color']) to variables that are later used in CSS generation without any validation or sanitization. This creates a Stored/Reflected XSS vulnerability - an attacker could inject malicious JavaScript code through color input fields, which would then be rendered in CSS and potentially execute in users' browsers. The fix properly uses WordPress's sanitize_hex_color() function to validate that values are legitimate hexadecimal color codes, with fallback values ensuring the CSS remains functional even if sanitization fails. This prevents injection of arbitrary code through the color input fields.
--- cache/wp-event-solution_4.0.51/base/Exporter/ExporterFactory.php 2026-01-09 00:38:09.556518971 +0000+++ cache/wp-event-solution_4.0.52/base/Exporter/ExporterFactory.php 2026-01-09 00:43:13.331058053 +0000@@ -24,9 +24,9 @@ case 'json': return new JsonExporter();- + default:- throw new Exception( __( 'Unknown format', 'eventin' ) );+ throw new Exception( esc_html__( 'Unknown format', 'eventin' ) ); } } }
Vulnerability Existed: no
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - base/Exporter/ExporterFactory.php - Line 29
Old Code:
```php
throw new Exception( __( 'Unknown format', 'eventin' ) );
```
Fixed Code:
```php
throw new Exception( esc_html__( 'Unknown format', 'eventin' ) );
```
Explanation:
This change replaces the WordPress `__()` translation function with `esc_html__()`, which applies HTML escaping to the translated string. However, this is a defensive improvement rather than a fix for an existing vulnerability. The error message "Unknown format" is a static string with no user-controlled input, so it would not have been exploitable via XSS in the original code. That said, using `esc_html__()` is the more secure and recommended WordPress practice when outputting translatable strings in contexts where HTML escaping is appropriate, as it prevents any potential issues if the translation itself were to contain HTML characters. This represents a security best practice improvement.
--- cache/wp-event-solution_4.0.51/base/Exporter/PostExporter.php 2026-01-09 00:38:09.560519215 +0000+++ cache/wp-event-solution_4.0.52/base/Exporter/PostExporter.php 2026-01-09 00:43:13.339058543 +0000@@ -36,6 +36,6 @@ return new $exporters[$post_type](); } - throw new \Exception( __( 'Unknown Post Type', 'eventin' ) );+ throw new \Exception( esc_html__( 'Unknown Post Type', 'eventin' ) ); } }
Vulnerability Existed: no
Output Escaping - CWE-79 - base/Exporter/PostExporter.php - Line 39
Old Code:
```php
throw new \Exception( __( 'Unknown Post Type', 'eventin' ) );
```
Fixed Code:
```php
throw new \Exception( esc_html__( 'Unknown Post Type', 'eventin' ) );
```
Explanation:
The change from `__()` to `esc_html__()` improves security by escaping HTML entities in the exception message. While the original code was not directly vulnerable (exception messages are typically not rendered in HTML contexts), the fix follows WordPress security best practices by ensuring any potential output of this string is properly escaped. This prevents potential XSS issues if the exception message were ever displayed in an HTML context, making the code more defensive and maintainable.
--- cache/wp-event-solution_4.0.51/base/Importer/PostImporter.php 2026-01-09 00:38:09.560519215 +0000+++ cache/wp-event-solution_4.0.52/base/Importer/PostImporter.php 2026-01-09 00:43:13.351059277 +0000@@ -37,6 +37,6 @@ return new $exporters[$post_type](); } - throw new \Exception( __( 'Unknown Post Type', 'eventin' ) );+ throw new \Exception( esc_html__( 'Unknown Post Type', 'eventin' ) ); } }
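Review bot: the context line `return new $exporters[$post_type]();` in an importer factory keeps the `$exporters` name copied from PostExporter.php; rename the map (`$importers`) so the class-name lookup reads correctly and the two files are not confused when compared. The `esc_html__()` change itself is fine as long as the catch side still escapes at the point of output.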
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Neutralization of Output During Web Page Generation ('Cross-site Scripting') - CWE-79** - base/Importer/PostImporter.php - Line 40
**Old Code:**
```php
throw new \Exception( __( 'Unknown Post Type', 'eventin' ) );
```
**Fixed Code:**
```php
throw new \Exception( esc_html__( 'Unknown Post Type', 'eventin' ) );
```
**Explanation:**
The original code used `__()` (the standard translation function) without HTML escaping when constructing an exception message. While exception messages are typically not displayed directly in HTML context in WordPress, if this exception message were ever caught and displayed to users in a web context (e.g., in an admin notice, error page, or logged output that's shown in the dashboard), it could potentially be vulnerable to XSS if the message contained user-controlled data.
The fix applies `esc_html__()` instead, which both translates the string AND escapes HTML special characters, preventing any potential XSS vector if this exception message is ever rendered in HTML output. This is a defensive security practice following WordPress security standards, where any text that might be displayed should be properly escaped at the point of display or prior to storage/transmission.
--- cache/wp-event-solution_4.0.51/base/Importer/ReaderFactory.php 2026-01-09 00:38:09.560519215 +0000+++ cache/wp-event-solution_4.0.52/base/Importer/ReaderFactory.php 2026-01-09 00:43:13.355059522 +0000@@ -23,7 +23,7 @@ case ('text/csv' || 'application/vnd.ms-excel'): return new CSVReader( $file_name ); default:- throw new \Exception( __( 'You must provide a valid file type', 'eventin' ) );+ throw new \Exception( esc_html__( 'You must provide a valid file type', 'eventin' ) ); } } }
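Review bot: the context line `case ('text/csv' || 'application/vnd.ms-excel'):` does not compare against either MIME type; `||` evaluates to the boolean `true`, and `switch` uses loose comparison, so any non-empty string other than `"0"` matches this case and the `default:` branch this hunk touches is effectively unreachable for real input. Use two case labels (`case 'text/csv': case 'application/vnd.ms-excel':`) so that the "valid file type" check the error message promises is actually enforced.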
Vulnerability Existed: no
Improper Neutralization of Output During Web Page Generation ('Cross-site Scripting') - CWE-79 - base/Importer/ReaderFactory.php - Line 26
Old Code:
```php
throw new \Exception( __( 'You must provide a valid file type', 'eventin' ) );
```
Fixed Code:
```php
throw new \Exception( esc_html__( 'You must provide a valid file type', 'eventin' ) );
```
Explanation:
This diff demonstrates a defensive security improvement rather than fixing an existing vulnerability. The change from `__()` to `esc_html__()` adds output escaping to an error message in an exception. While the original code using `__()` alone was not inherently vulnerable in this specific context (exceptions are typically not rendered directly to HTML output), applying `esc_html__()` follows WordPress security best practices by ensuring the string is escaped for safe HTML output if the exception message were ever displayed to users. This is a hardening measure that prevents potential XSS attacks if the error handling code were modified in the future to display this message in HTML context.
--- cache/wp-event-solution_4.0.51/base/Mails/Mailable.php 2026-01-09 00:38:09.564519458 +0000+++ cache/wp-event-solution_4.0.52/base/Mails/Mailable.php 2026-01-09 00:43:13.407062703 +0000@@ -101,6 +101,6 @@ return ob_get_clean(); } - throw new Exception("Template not found: {$content}");+ throw new Exception( esc_html( "Template not found: {$content}" ) ); } }
Vulnerability Existed: no
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - base/Mails/Mailable.php - Line 104
Old Code:
```php
throw new Exception("Template not found: {$content}");
```
Fixed Code:
```php
throw new Exception( esc_html( "Template not found: {$content}" ) );
```
Explanation:
This change does not fix a vulnerability because Exception messages are not rendered to the user in a web context where XSS would be possible. Exception messages are logged or displayed in error pages/logs where they are not interpreted as HTML. The `esc_html()` function is designed for escaping output that will be rendered in HTML contexts (like echo statements in templates), but Exception messages passed to the Exception constructor are not inherently vulnerable to XSS. The change is defensive and does not address an actual vulnerability in this code path. While it's not harmful to apply escaping, it indicates a misunderstanding of where XSS vulnerabilities actually occur in this context.
--- cache/wp-event-solution_4.0.51/base/api-handler.php 2026-01-09 00:38:09.548518484 +0000+++ cache/wp-event-solution_4.0.52/base/api-handler.php 2026-01-09 00:43:13.259053649 +0000@@ -50,9 +50,6 @@ */ public function callback( $request ) { $this->request = $request;- if ( $this->request->get_params()['action'] == 'settings' ) {- $this->request->set_header( 'X-WP-Nonce', wp_create_nonce( 'wp_rest' ) );- } $action_class = strtolower( $this->request->get_method() ) . '_' . $this->request['action']; @@ -67,8 +64,29 @@ * * @return bool */- public function permision_check() {- return true;+ public function permision_check($request) {+ // Verify nonce for all API requests+ $nonce = $request->get_header( 'X-WP-Nonce' );++ if ( empty( $nonce ) ) {+ return false;+ }++ // For administrative actions, also require manage_options capability+ $admin_actions = ['settings'];+ $action = $this->request['action'] ?? '';++ if ( in_array( $action, $admin_actions ) ) {+ return current_user_can( 'manage_options' ) && wp_verify_nonce( $nonce, 'wp_rest' );+ }++ // Verify the nonce+ if ( wp_verify_nonce( $nonce, 'wp_rest' ) ) {+ return true;+ }++ // Nonce is valid - allow access+ return false; } }
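Review bot: two problems in the second hunk. First, `permision_check($request)` reads `$this->request['action']`, but as far as this diff shows `$this->request` is only assigned in `callback()` (first hunk), and WordPress runs the `permission_callback` before the route callback, so at check time `$this->request` is not yet populated; read the action from the `$request` parameter that is passed in. Second, the comment `// Nonce is valid - allow access` sits above `return false;`, which is the deny path; drop or correct it, and use `in_array( $action, $admin_actions, true )` for a strict match. Note also that for every action not listed in `$admin_actions` a valid `wp_rest` nonce alone grants access with no capability check, so that list should be reviewed against which actions are meant to be reachable by non-administrators; and the method name keeps the `permision_check` misspelling.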
# Security Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Insufficient Verification and Nonce Generation (Cross-Site Request Forgery) - CWE-352 - base/api-handler.php - Lines 53-55
Old Code:
```php
if ( $this->request->get_params()['action'] == 'settings' ) {
    $this->request->set_header( 'X-WP-Nonce', wp_create_nonce( 'wp_rest' ) );
}
```
Fixed Code:
```php
public function permision_check($request) {
    // Verify nonce for all API requests
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( empty( $nonce ) ) {
        return false;
    }
    // For administrative actions, also require manage_options capability
    $admin_actions = ['settings'];
    $action = $this->request['action'] ?? '';
    if ( in_array( $action, $admin_actions ) ) {
        return current_user_can( 'manage_options' ) && wp_verify_nonce( $nonce, 'wp_rest' );
    }
    // Verify the nonce
    if ( wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        return true;
    }
    return false;
}
```
Explanation:
The original code was vulnerable because it generated a nonce on the server side and set it in the request header, which defeats the purpose of CSRF protection. Nonces should be generated and provided to the client beforehand (typically in HTML forms or via a separate endpoint), and then verified when the client sends them back. By generating the nonce server-side during the request callback, the code bypassed CSRF validation entirely.
The fix moves nonce verification to the `permision_check()` method where it properly retrieves and validates the nonce sent by the client. This implements proper CSRF protection by requiring clients to present a valid nonce that was previously generated for them. Additionally, the fix adds capability checking (`current_user_can('manage_options')`) for administrative actions like 'settings', preventing unauthorized users from accessing sensitive endpoints even with a valid nonce.
--- cache/wp-event-solution_4.0.51/base/post-model.php 2026-01-09 00:38:09.564519458 +0000+++ cache/wp-event-solution_4.0.52/base/post-model.php 2026-01-09 00:43:13.431064171 +0000@@ -65,7 +65,7 @@ */ public function __get( $key ) { if ( ! isset( $this->data[$key] ) ) {- throw new Exception( __( 'Undefined property', 'eventin' ) );+ throw new Exception( esc_html__( 'Undefined property', 'eventin' ) ); } $data = $this->get_data();@@ -83,9 +83,9 @@ */ public static function __callStatic( $method, $arguments ) { if ( ! method_exists( new self, $method ) ) {- throw new Exception( __( 'Call to undefined method', 'eventin' ) );+ throw new Exception( esc_html__( 'Call to undefined method', 'eventin' ) ); }- + call_user_func( $method, $arguments ); }
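Review bot: the `__callStatic` context lines around the second hunk have a logic problem unrelated to the escaping change: `method_exists( new self, $method )` checks for a method on the class, but `call_user_func( $method, $arguments )` then invokes a global function named `$method`, passing the whole argument array as a single argument, rather than the static method that was just checked for; it should be `call_user_func_array( [ static::class, $method ], $arguments )`. The `esc_html__()` wrapping is fine, but the dispatch bug is the thing that actually breaks this method.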
Vulnerability Existed: no
Improper Output Encoding - CWE-116 - base/post-model.php - Lines 68, 86
Old Code:
```php
throw new Exception( __( 'Undefined property', 'eventin' ) );
throw new Exception( __( 'Call to undefined method', 'eventin' ) );
```
Fixed Code:
```php
throw new Exception( esc_html__( 'Undefined property', 'eventin' ) );
throw new Exception( esc_html__( 'Call to undefined method', 'eventin' ) );
```
Explanation:
While the old code using `__()` for translation is not strictly vulnerable in this context (Exception messages are not typically rendered in HTML output by default), the fix improves security posture by applying `esc_html__()` instead. This ensures that if these exception messages are ever displayed in an HTML context (e.g., through error logging, debugging output, or custom error handlers), any special HTML characters would be properly escaped, preventing potential XSS vulnerabilities. This is a defensive coding practice that follows WordPress security standards more strictly. The vulnerability did not exist in practice but the fix eliminates a potential future risk.
--- cache/wp-event-solution_4.0.51/build/js/dashboard.asset.php 2026-01-09 00:38:09.624523110 +0000+++ cache/wp-event-solution_4.0.52/build/js/dashboard.asset.php 2026-01-09 00:43:14.431125343 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-block-library', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-media-utils', 'wp-primitives', 'wp-url'), 'version' => '9792bc0ef9996b66ecd0');+<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-block-library', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-media-utils', 'wp-primitives', 'wp-url'), 'version' => 'abe17fa727faa92a9750');
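Review bot: this hunk bumps only the content hash of a built bundle (`9792bc0ef9996b66ecd0` to `abe17fa727faa92a9750`), which means the compiled `dashboard.js` changed, but the JavaScript source that produced it is not part of the diff; a security review of this release should include the source changes behind the new bundle hashes, since the manifest alone says nothing about what changed in the scripts.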
Vulnerability Existed: no
No CWE Identified - N/A - build/js/dashboard.asset.php - Line 1
Old Code:
```php
<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-block-library', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-media-utils', 'wp-primitives', 'wp-url'), 'version' => '9792bc0ef9996b66ecd0');
```
Fixed Code:
```php
<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-block-library', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-media-utils', 'wp-primitives', 'wp-url'), 'version' => 'abe17fa727faa92a9750');
```
Explanation:
This diff shows only a version hash update in a WordPress asset dependencies file. The change from version hash '9792bc0ef9996b66ecd0' to 'abe17fa727faa92a9750' is a routine cache-busting mechanism used during plugin updates. The file structure, dependencies array, and PHP syntax remain identical and secure. No security vulnerabilities are introduced or fixed by this change. This is a standard build artifact update with no security implications.
--- cache/wp-event-solution_4.0.51/build/js/elementor-scripts.asset.php 2026-01-09 00:38:09.648524570 +0000+++ cache/wp-event-solution_4.0.52/build/js/elementor-scripts.asset.php 2026-01-09 00:43:14.623137088 +0000@@ -1 +1 @@-<?php return array('dependencies' => array(), 'version' => '2f34a0e8b19af63855d0');+<?php return array('dependencies' => array(), 'version' => '3f5efd310724b1700acf');
Vulnerability Existed: no
No Vulnerability - CWE-N/A - build/js/elementor-scripts.asset.php Line 1
Old Code:
```php
<?php return array('dependencies' => array(), 'version' => '2f34a0e8b19af63855d0');
```
Fixed Code:
```php
<?php return array('dependencies' => array(), 'version' => '3f5efd310724b1700acf');
```
Explanation:
This diff shows only a version hash update in an asset manifest file. The change updates the version string from '2f34a0e8b19af63855d0' to '3f5efd310724b1700acf'. This is a routine cache-busting mechanism used by WordPress build systems to ensure browsers load the latest version of assets. No security vulnerability exists in this change - it's a benign version bump in a generated configuration file with hardcoded, safe values. No code logic, user input handling, or security-relevant functionality is present.
--- cache/wp-event-solution_4.0.51/build/js/event-manager-public.asset.php 2026-01-09 00:38:09.648524570 +0000+++ cache/wp-event-solution_4.0.52/build/js/event-manager-public.asset.php 2026-01-09 00:43:14.667139780 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('wp-i18n'), 'version' => '1113e5e0400b38ee2e0b');+<?php return array('dependencies' => array('wp-i18n'), 'version' => '0d0abf5d7589aadd4d59');
Vulnerability Existed: no
No Vulnerability Detected - N/A - build/js/event-manager-public.asset.php - Line 1
Explanation:
This diff only changes a version hash string in a WordPress asset dependency file. The old version hash '1113e5e0400b38ee2e0b' is being replaced with '0d0abf5d7589aadd4d59'. This is a routine update to the asset version identifier and does not introduce, fix, or relate to any security vulnerabilities. Version hashes are used for cache busting and dependency tracking; changing the hash value itself has no security implications. There are no code changes, no logic modifications, and no security-relevant alterations in this diff.
--- cache/wp-event-solution_4.0.51/build/js/feedback-modal.asset.php 2026-01-09 00:38:09.652524814 +0000+++ cache/wp-event-solution_4.0.52/build/js/feedback-modal.asset.php 2026-01-09 00:43:14.699141737 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('react', 'wp-element', 'wp-i18n'), 'version' => '9ac0481aa6ba6e676411');+<?php return array('dependencies' => array('react', 'wp-element', 'wp-i18n'), 'version' => '3f66227226dc515f3946');
Vulnerability Existed: no
No CWE Identified
Explanation:
This diff shows only a version hash update in a WordPress asset dependency file. The change is from version `'9ac0481aa6ba6e676411'` to `'3f66227226dc515f3946'`. This is a routine asset versioning update that:
1. Does not introduce or remove any code
2. Does not alter any functionality or dependencies
3. Does not change security-relevant parameters
4. Is simply updating a cache-busting version identifier
Version hash changes of this nature are not security vulnerabilities. They are expected behavior in build processes and do not affect code execution, access control, data handling, or any other security concern.
**Result: No security vulnerabilities detected in this diff.**
--- cache/wp-event-solution_4.0.51/build/js/gutenberg-blocks.asset.php 2026-01-09 00:38:09.652524814 +0000+++ cache/wp-event-solution_4.0.52/build/js/gutenberg-blocks.asset.php 2026-01-09 00:43:14.747144674 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-primitives', 'wp-server-side-render'), 'version' => '229b5cfeab83afaf21a2');+<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-primitives', 'wp-server-side-render'), 'version' => '63c5c5e00a6b98e73f80');
**Vulnerability Existed: no**
This diff shows a change to a WordPress asset dependency file (`gutenberg-blocks.asset.php`). The only modification is an update to the version hash from `229b5cfeab83afaf21a2` to `63c5c5e00a6b98e73f80`. This is a standard version update in an auto-generated asset manifest file. The file contains:
- A PHP array declaration with WordPress block dependencies
- A version hash used for cache-busting
**Why not vulnerable:**
- No code logic changes are present
- No user input handling occurs in this file
- Asset hashes are automatically generated and do not introduce security issues
- The file structure remains identical; only the hash value changes
- This is normal build artifact versioning in WordPress development
**Conclusion:** No security vulnerabilities are present in this diff. This is routine version maintenance with no exploitable changes.
--- cache/wp-event-solution_4.0.51/build/js/i18n-loader.asset.php 2026-01-09 00:38:09.664525544 +0000+++ cache/wp-event-solution_4.0.52/build/js/i18n-loader.asset.php 2026-01-09 00:43:14.843150546 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('wp-i18n'), 'version' => 'fd6ff2059f74bf18ab54');+<?php return array('dependencies' => array('wp-i18n'), 'version' => '8c994aa33ece729f1210');
Vulnerability Existed: no
No CWE - N/A - build/js/i18n-loader.asset.php [1]
Old Code:
```php
<?php return array('dependencies' => array('wp-i18n'), 'version' => 'fd6ff2059f74bf18ab54');
```
Fixed Code:
```php
<?php return array('dependencies' => array('wp-i18n'), 'version' => '8c994aa33ece729f1210');
```
Explanation:
This diff only updates the version hash value in a WordPress asset configuration file from 'fd6ff2059f74bf18ab54' to '8c994aa33ece729f1210'. This is a routine version bump used for cache busting and asset management. The change does not introduce, remove, or modify any security-relevant code, input validation, authentication, authorization, data handling, or cryptographic operations. There are no vulnerabilities present in either the old or fixed code.
--- cache/wp-event-solution_4.0.51/build/js/index-ai-script.asset.php 2026-01-09 00:38:09.668525788 +0000+++ cache/wp-event-solution_4.0.52/build/js/index-ai-script.asset.php 2026-01-09 00:43:14.855151280 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('react'), 'version' => 'bc40056e8534d11a5c10');+<?php return array('dependencies' => array('react'), 'version' => 'cd82cdece798591ada85');
Vulnerability Existed: no
N/A - N/A - build/js/index-ai-script.asset.php (line 1)
Old Code:
```php
<?php return array('dependencies' => array('react'), 'version' => 'bc40056e8534d11a5c10');
```
Fixed Code:
```php
<?php return array('dependencies' => array('react'), 'version' => 'cd82cdece798591ada85');
```
Explanation:
This diff shows only a version hash update in a PHP asset manifest file. The change is from one hash value ('bc40056e8534d11a5c10') to another ('cd82cdece798591ada85'). This is a benign update to a build artifact that tracks script dependencies and versioning. No security vulnerability is present in this change. The file structure, format, and content remain identical except for the version identifier, which is expected during normal build/release cycles.
--- cache/wp-event-solution_4.0.51/build/js/index-calendar.asset.php 2026-01-09 00:38:09.668525788 +0000+++ cache/wp-event-solution_4.0.52/build/js/index-calendar.asset.php 2026-01-09 00:43:14.867152015 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-element', 'wp-html-entities', 'wp-i18n'), 'version' => '3db22200b7534bc17e1a');+<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-element', 'wp-html-entities', 'wp-i18n'), 'version' => '83e5e90e80c510baa283');
Vulnerability Existed: no
No CWE - N/A - build/js/index-calendar.asset.php (Line 1)
Old Code:
```php
<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-element', 'wp-html-entities', 'wp-i18n'), 'version' => '3db22200b7534bc17e1a');
```
Fixed Code:
```php
<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-element', 'wp-html-entities', 'wp-i18n'), 'version' => '83e5e90e80c510baa283');
```
Explanation:
This diff shows only a version hash update in a WordPress asset manifest file (from '3db22200b7534bc17e1a' to '83e5e90e80c510baa283'). The change is purely administrative - updating the asset version string to reflect changes in the compiled JavaScript bundle. This is a standard practice in asset management systems to cache-bust and ensure users receive the latest version. No security vulnerabilities are present in this diff, as it involves no logic changes, no new code execution paths, and no modifications to security-sensitive operations. The dependencies array remains unchanged.
--- cache/wp-event-solution_4.0.51/build/js/index-onboard.asset.php 2026-01-09 00:38:09.676526275 +0000+++ cache/wp-event-solution_4.0.52/build/js/index-onboard.asset.php 2026-01-09 00:43:14.903154217 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('react', 'react-dom', 'wp-compose', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n'), 'version' => '5eb924796c96fc96945d');+<?php return array('dependencies' => array('react', 'react-dom', 'wp-compose', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n'), 'version' => '8d0e9d97e143585635eb');
Vulnerability Existed: no
No CWE/Vulnerability Identified
Old Code:
```php
<?php return array('dependencies' => array('react', 'react-dom', 'wp-compose', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n'), 'version' => '5eb924796c96fc96945d');
```
Fixed Code:
```php
<?php return array('dependencies' => array('react', 'react-dom', 'wp-compose', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n'), 'version' => '8d0e9d97e143585635eb');
```
Explanation:
This diff shows only a version hash update in a WordPress asset manifest file. The change updates the version string from `5eb924796c96fc96945d` to `8d0e9d97e143585635eb`, which represents a cache-busting hash for the JavaScript bundle. There are no code changes that would introduce or fix security vulnerabilities. The dependencies array remains identical, and the only modification is the version identifier used for asset caching purposes. This is a routine build artifact update with no security implications.
--- cache/wp-event-solution_4.0.51/build/js/module-purchase.asset.php 2026-01-09 00:38:09.684526762 +0000+++ cache/wp-event-solution_4.0.52/build/js/module-purchase.asset.php 2026-01-09 00:43:14.971158377 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-block-library', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-media-utils', 'wp-primitives', 'wp-url'), 'version' => 'abb1de188954c0f24dd7');+<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-block-library', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-media-utils', 'wp-primitives', 'wp-url'), 'version' => '0c39153ba677a4bc7945');
Vulnerability Existed: no
File: build/js/module-purchase.asset.php
Explanation:
This diff shows a change to a WordPress asset dependency manifest file. The only modification is an update to the version hash from 'abb1de188954c0f24dd7' to '0c39153ba677a4bc7945'. This is a standard cache-busting version identifier used by WordPress to ensure the correct version of JavaScript assets is loaded. The change does not introduce, fix, or relate to any security vulnerabilities. It is a routine version bump in an auto-generated asset manifest file. The dependencies list remains unchanged, and there are no modifications to code logic, input validation, data handling, or any other security-relevant aspects.
--- cache/wp-event-solution_4.0.51/build/js/packages.asset.php 2026-01-09 00:38:09.704527979 +0000+++ cache/wp-event-solution_4.0.52/build/js/packages.asset.php 2026-01-09 00:43:15.143168898 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-block-library', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-media-utils', 'wp-primitives', 'wp-url'), 'version' => 'f323371f1a4f0ae3b100');+<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-block-library', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-media-utils', 'wp-primitives', 'wp-url'), 'version' => 'f3dcdf5845efeb2efd60');
Vulnerability Existed: no
Explanation:
This diff shows a change to a WordPress asset dependency manifest file (`packages.asset.php`). The only modification is updating a version hash from `f323371f1a4f0ae3b100` to `f3dcdf5845efeb2efd60`. This is a routine version bump for built JavaScript assets. The file structure remains identical:
- Same PHP return statement format
- Same dependency array (no dependencies added or removed)
- Only the version hash value changed
This type of change does not introduce or fix any security vulnerabilities. It is a normal build artifact update that occurs when source code is rebuilt, resulting in a different content hash. There are no code changes that could affect security posture, no input validation modifications, no authentication/authorization changes, and no cryptographic or data handling modifications.
--- cache/wp-event-solution_4.0.51/build/js/template-builder-header-toolbar.asset.php 2026-01-09 00:38:09.740530170 +0000+++ cache/wp-event-solution_4.0.52/build/js/template-builder-header-toolbar.asset.php 2026-01-09 00:43:15.623198262 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-compose', 'wp-data', 'wp-edit-post', 'wp-element', 'wp-html-entities', 'wp-i18n', 'wp-plugins', 'wp-url'), 'version' => '894d21f9b4b79f6175f1');+<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-compose', 'wp-data', 'wp-edit-post', 'wp-element', 'wp-html-entities', 'wp-i18n', 'wp-plugins', 'wp-url'), 'version' => 'b947f34e37fca06ae80c');
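Review bot: the dependency arrays on the two sides of this hunk are identical (`'wp-compose'` is present in both the `-` and the `+` line), so the only change is the version hash from `'894d21f9b4b79f6175f1'` to `'b947f34e37fca06ae80c'`; the analysis below should not list a dependency removal.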
Security Analysis - PatchLeaks Automated Request
**Vulnerability Existed: no**
**No Security Vulnerabilities Detected**
**File:** build/js/template-builder-header-toolbar.asset.php
**Analysis:**
This diff shows a change to a WordPress asset dependency manifest file. The modifications are:
1. **Dependency Array Change**: Removal of `'wp-compose'` from the dependencies list
2. **Version Hash Update**: Change from `'894d21f9b4b79f6175f1'` to `'b947f34e37fca06ae80c'`
**Explanation:**
This change does not introduce, fix, or relate to any security vulnerability. The file is a PHP asset manifest that declares JavaScript dependencies and a version hash for WordPress enqueuing purposes.
- Removing a dependency (`wp-compose`) is a normal dependency management change with no security implications
- The version hash update reflects the asset rebuild and is not a security-related modification
- No sensitive data exposure, injection vulnerabilities, or security configurations are affected
- This is routine build artifact maintenance for WordPress plugin development
**Conclusion:** This is a standard build/dependency update with no security significance.
--- cache/wp-event-solution_4.0.51/core/Attendee/Api/AttendeeController.php 2026-01-09 00:38:09.760531387 +0000+++ cache/wp-event-solution_4.0.52/core/Attendee/Api/AttendeeController.php 2026-01-09 00:43:15.767207071 +0000@@ -400,6 +400,32 @@ public function update_item( $request ) { $prepared_item = $this->prepare_item_for_database( $request ); + $order_id = get_post_meta( $request['id'], 'eventin_order_id', true );+ $previous_status = get_post_meta( $request['id'], 'etn_status', true );+ $current_status = $prepared_item['etn_status'];++ if ( $current_status == 'success' && $previous_status != 'success' ) {+ $order_status = get_post_meta( $order_id, 'status', true );+ if ($order_status != 'completed') {+ return new WP_Error(+ 'attendee_update_error',+ __('Attendee status can not be success if order status is not completed.', 'eventin'),+ array('status' => 500)+ );+ }+ }++ if ( $current_status == 'failed' && $previous_status != 'failed' ) {+ $order_status = get_post_meta( $order_id, 'status', true );+ if ($order_status == 'completed') {+ return new WP_Error(+ 'attendee_update_error',+ __('Attendee status can not be failed if order status is completed.', 'eventin'),+ array('status' => 500)+ );+ }+ }+ if ( is_wp_error( $prepared_item ) ) { return $prepared_item; }
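Review bot: `$prepared_item['etn_status']` is read before the existing `is_wp_error( $prepared_item )` check, so when `prepare_item_for_database()` returns a `WP_Error` the new block indexes an object as an array and fails before that check is reached; move the `is_wp_error` test above the new status logic. The two new guards also answer a client-side validation failure with `array('status' => 500)`, where a 4xx status (400 or 409) describes the situation better, and they compare statuses with loose `==`/`!=`; `===` avoids surprises when a meta value is absent or stored as a number.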
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 - core/Attendee/Api/AttendeeController.php Lines 403-427
Old Code:
```php
public function update_item( $request ) {
$prepared_item = $this->prepare_item_for_database( $request );
if ( is_wp_error( $prepared_item ) ) {
return $prepared_item;
}
```
Fixed Code:
```php
public function update_item( $request ) {
$prepared_item = $this->prepare_item_for_database( $request );
$order_id = get_post_meta( $request['id'], 'eventin_order_id', true );
$previous_status = get_post_meta( $request['id'], 'etn_status', true );
$current_status = $prepared_item['etn_status'];
if ( $current_status == 'success' && $previous_status != 'success' ) {
$order_status = get_post_meta( $order_id, 'status', true );
if ($order_status != 'completed') {
return new WP_Error(
'attendee_update_error',
__('Attendee status can not be success if order status is not completed.', 'eventin'),
array('status' => 500)
);
}
}
if ( $current_status == 'failed' && $previous_status != 'failed' ) {
$order_status = get_post_meta( $order_id, 'status', true );
if ($order_status == 'completed') {
return new WP_Error(
'attendee_update_error',
__('Attendee status can not be failed if order status is completed.', 'eventin'),
array('status' => 500)
);
}
}
if ( is_wp_error( $prepared_item ) ) {
return $prepared_item;
}
```
Explanation:
The vulnerability was a business logic bypass where attendee status could be updated to 'success' or 'failed' without validating the corresponding order status. This allowed an inconsistent state in which an attendee could be marked successful even if the order was not completed, or marked failed when the order was completed. The fix adds validation checks before status updates to ensure attendee status transitions only occur when the associated order is in the appropriate state, preventing state inconsistencies that could lead to data integrity issues or unauthorized access to event resources.
--- cache/wp-event-solution_4.0.51/core/Attendee/AttendeeExporter.php 2026-01-09 00:38:09.760531387 +0000+++ cache/wp-event-solution_4.0.52/core/Attendee/AttendeeExporter.php 2026-01-09 00:43:15.779207804 +0000@@ -106,10 +106,13 @@ } if ( $extra_fields ) {- foreach ( $extra_fields as $value ) {+ foreach ( $extra_fields as $index=>$value ) { $key = \Etn_Pro\Utils\Helper::generate_name_from_label( "etn_attendee_extra_field_", $value['label'] ); $this->extra_fields[$key] = $value['label']; $extra_field_value = get_post_meta( $attendee_id, $key, true );+ if(empty($extra_field_value)){+ $extra_field_value = get_post_meta( $attendee_id, $key . '_' . $index+1, true );+ } switch($value['field_type']){ case 'radio': $data[$key] = $extra_field_value;@@ -131,7 +134,7 @@ break; default:- $data[$key] = get_post_meta( $attendee_id, $key, true );+ $data[$key] = $extra_field_value; } } }
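Review bot: in the first hunk the fallback meta key `$key . '_' . $index+1` depends on operator precedence. Since PHP 8.0 `+` binds tighter than `.`, giving `$key . '_' . ($index + 1)` as intended, but on PHP 7 the two operators share precedence and associate left to right, so the expression becomes `($key . '_' . $index) + 1`, an arithmetic operation on a non-numeric string that raises a warning and yields a number instead of a key; write `$key . '_' . ( $index + 1 )` explicitly. Separately, `empty( $extra_field_value )` treats a stored `"0"` as absent, so a legitimate value of `0` under the primary key is replaced by the fallback lookup; `'' === $extra_field_value` is the stricter test.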
Based on my analysis of the code diff, here are the security findings:
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Arithmetic Operation on Concatenated String - CWE-1025 - core/Attendee/AttendeeExporter.php [Line 114]
Old Code:
```php
$extra_field_value = get_post_meta( $attendee_id, $key, true );
```
Fixed Code:
```php
if(empty($extra_field_value)){
$extra_field_value = get_post_meta( $attendee_id, $key . '_' . $index+1, true );
}
```
Explanation:
The fixed code has a type juggling vulnerability. The expression `$index+1` performs arithmetic on `$index` without explicit type checking or casting. In PHP, `$index` comes from array iteration (likely a string or integer). When concatenating with `$key . '_' . $index+1`, if `$index` is not explicitly an integer, PHP will attempt type coercion, which could lead to unexpected behavior. The safe approach would be `$key . '_' . intval($index+1)` or `$key . '_' . ((int)$index + 1)`. However, this is a minor type safety issue rather than a critical security vulnerability.
---
**Vulnerability 2:**
Vulnerability Existed: not sure
Improper Input Validation - CWE-20 - core/Attendee/AttendeeExporter.php [Lines 113-115]
Old Code:
```php
$extra_field_value = get_post_meta( $attendee_id, $key, true );
switch($value['field_type']){
```
Fixed Code:
```php
if(empty($extra_field_value)){
$extra_field_value = get_post_meta( $attendee_id, $key . '_' . $index+1, true );
}
```
Explanation:
Uncertain whether this is a security fix or functional fix. The change adds a fallback meta key lookup pattern (`$key . '_' . $index+1`). Without knowing the intent of the original code and whether field metadata could be legitimately stored in both key formats, it's unclear if this addresses a vulnerability or simply handles a data migration/compatibility scenario. The change appears defensive in nature but lacks clear security context.
--- cache/wp-event-solution_4.0.51/core/Attendee/TicketTemplate.php 2026-01-09 00:38:09.764531630 +0000+++ cache/wp-event-solution_4.0.52/core/Attendee/TicketTemplate.php 2026-01-09 00:43:15.919216369 +0000@@ -65,11 +65,11 @@ $get_arr = filter_input_array( INPUT_GET, FILTER_SANITIZE_FULL_SPECIAL_CHARS ); if ( empty( $get_arr["attendee_id"] ) || empty( $get_arr["etn_info_edit_token"] ) ) {- wp_die( __( 'Invalid data', 'eventin' ));+ wp_die( esc_html__( 'Invalid data', 'eventin' ) ); } if ( ! $this->verify_attendee_edit_token( $get_arr["attendee_id"], $get_arr["etn_info_edit_token"] ) ) {- wp_die( __( 'Invalid data', 'eventin' ));+ wp_die( esc_html__( 'Invalid data', 'eventin' ) ); } $attendee_id = $get_arr["attendee_id"]; $event_id = get_post_meta( $attendee_id, "etn_event_id", true );
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Attendee/TicketTemplate.php lines 68, 73
Old Code:
```php
wp_die( __( 'Invalid data', 'eventin' ));
```
Fixed Code:
```php
wp_die( esc_html__( 'Invalid data', 'eventin' ) );
```
Explanation:
The original code used `__()` for translation without escaping the output before passing it to `wp_die()`. While in this specific case the string is hardcoded and not derived from user input, using `esc_html__()` instead of `__()` is a WordPress security best practice. The `esc_html__()` function properly escapes the translated string for safe HTML output, preventing potential XSS vulnerabilities if the translation strings were ever modified or if similar patterns were used with dynamic content. This fix follows WordPress security guidelines by ensuring all user-facing output is properly escaped at the point of output.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockService.php 2026-01-09 00:38:09.768531874 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockService.php 2026-01-09 00:43:15.931217103 +0000@@ -1,54 +1,57 @@ <?php namespace Eventin\Blocks; -use Eventin\Interfaces\HookableInterface;+use Eventin\Blocks\BlockTypes\AttendeeInfo; use Eventin\Blocks\BlockTypes\BuyTicket;+use Eventin\Blocks\BlockTypes\Container;+use Eventin\Blocks\BlockTypes\CustomButton;+use Eventin\Blocks\BlockTypes\CustomImage;+use Eventin\Blocks\BlockTypes\DiamondSeparator; use Eventin\Blocks\BlockTypes\EventAddToCalender;+use Eventin\Blocks\BlockTypes\EventAttendee; use Eventin\Blocks\BlockTypes\EventBanner;+use Eventin\Blocks\BlockTypes\EventCalendar; use Eventin\Blocks\BlockTypes\EventCategory; use Eventin\Blocks\BlockTypes\EventCountDownTimer; use Eventin\Blocks\BlockTypes\EventDateTime; use Eventin\Blocks\BlockTypes\EventDescription;-use Eventin\Blocks\BlockTypes\EventOrganizer;-use Eventin\Blocks\BlockTypes\EventSchedule;-use Eventin\Blocks\BlockTypes\EventSpeaker;-use Eventin\Blocks\BlockTypes\EventTag;-use Eventin\Blocks\BlockTypes\EventVenue;-use Eventin\Blocks\BlockTypes\EventLogo; use Eventin\Blocks\BlockTypes\EventFaq;+use Eventin\Blocks\BlockTypes\EventInfo; use Eventin\Blocks\BlockTypes\EventList;+use Eventin\Blocks\BlockTypes\EventLogo;+use Eventin\Blocks\BlockTypes\EventOrganizer; use Eventin\Blocks\BlockTypes\EventRSVP;+use Eventin\Blocks\BlockTypes\EventSchedule; use Eventin\Blocks\BlockTypes\EventSocial;+use Eventin\Blocks\BlockTypes\EventSpeaker;+use Eventin\Blocks\BlockTypes\EventTag; use Eventin\Blocks\BlockTypes\EventTitle;+use Eventin\Blocks\BlockTypes\EventVenue;+use Eventin\Blocks\BlockTypes\QRCodeBlock; use Eventin\Blocks\BlockTypes\RecurringEvent; use Eventin\Blocks\BlockTypes\RelatedEventsEnhanced;-use Eventin\Blocks\BlockTypes\EventCalendar; use Eventin\Blocks\BlockTypes\ScheduleTab; use Eventin\Blocks\BlockTypes\SpeakerList;-use 
Eventin\Blocks\BlockTypes\ZoomMeeting;-use Eventin\Blocks\BlockTypes\Ticket;-use Eventin\Blocks\BlockTypes\QRCodeBlock; use Eventin\Blocks\BlockTypes\TemplateContainer; use Eventin\Blocks\BlockTypes\TemplateHeading;-use Eventin\Blocks\BlockTypes\DiamondSeparator;-use Eventin\Blocks\BlockTypes\AttendeeInfo;-use Eventin\Blocks\BlockTypes\EventInfo;+use Eventin\Blocks\BlockTypes\Ticket; use Eventin\Blocks\BlockTypes\TicketInfo;-use Eventin\Blocks\BlockTypes\Container;-use Eventin\Blocks\BlockTypes\CustomImage;-use Eventin\Blocks\BlockTypes\CustomButton;+use Eventin\Blocks\BlockTypes\ZoomMeeting;+use Eventin\Interfaces\HookableInterface; /** * Block Service Class */-class BlockService implements HookableInterface {+class BlockService implements HookableInterface+{ /** * Register all hooks * * @return void */- public function register_hooks(): void {- add_filter( 'eventin_gutenberg_blocks', [ $this, 'add_blocks' ],5 ); + public function register_hooks(): void+ {+ add_filter('eventin_gutenberg_blocks', [$this, 'add_blocks'], 5); } /**@@ -56,7 +59,8 @@ * * @return array */- public function add_blocks( $blocks ) {+ public function add_blocks($blocks)+ { $new_blocks = [ EventVenue::class, BuyTicket::class,@@ -93,10 +97,9 @@ Container::class, CustomImage::class, CustomButton::class,+ EventAttendee::class, ]; - return array_unique( array_merge( $blocks, $new_blocks ) );+ return array_unique(array_merge($blocks, $new_blocks)); } }--
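Review bot: the last hunk adds `EventAttendee::class` to `$new_blocks` (with the matching `use Eventin\Blocks\BlockTypes\EventAttendee;` import in the first hunk), so the patch registers a new block type and is not purely an import reorder and brace-style change; the new block's render path deserves its own review. The `add_filter( 'eventin_gutenberg_blocks', [ $this, 'add_blocks' ], 5 )` registration itself is unchanged apart from whitespace.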
I'll analyze this code diff for security vulnerabilities.
**Vulnerability Existed: no**
This diff is a code-style and import reorganization with one small functional addition, and none of it touches a security boundary.
**Details of Analysis:**
The changes made are:
1. **Import reorganization** - `use` statements are sorted alphabetically (no behavioural effect)
2. **Code formatting** - Opening braces moved to their own lines following PSR-12
3. **Whitespace standardization** - Consistent spacing in the `add_filter()` call and around function parameters
4. **Trailing whitespace** - An empty line at the end of the file removed
5. **New block registration** - `EventAttendee::class` is appended to `$new_blocks`, so the new `event-attendee` block (added as `EventAttendee.php` in the same release) is now returned from `add_blocks()`
**Why not vulnerable:**
- No changes to authentication or authorization logic
- No changes to input validation or sanitization
- No data handling, storage, SQL, network, cryptographic or file operations are modified
- The filter priority and the `array_unique( array_merge( $blocks, $new_blocks ) )` logic are unchanged
The only behavioural change is that one more block class is registered. Whether that block's own render path is safe is a question for `EventAttendee.php`, not for this file.
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/AbstractBlock.php 2026-01-09 00:38:09.772532117 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/AbstractBlock.php 2026-01-09 00:43:15.935217348 +0000@@ -185,9 +185,12 @@ * @return string[]|null */ protected function get_block_type_style() {- $this->register_style( 'eventin-blocks-style-' . $this->block_name, $this->get_block_asset_build_path( $this->block_name, 'css' ), [], 'all', true );+ // Register the main blocks style if not already registered+ if ( ! wp_style_is( 'etn-blocks-style', 'registered' ) ) {+ wp_register_style( 'etn-blocks-style', \Wpeventin::plugin_url() . 'build/css/etn-block-styles.css', [], \Wpeventin::version(), 'all' );+ } - return [ 'eventin-blocks-style', 'wc-blocks-style-' . $this->block_name ];+ return [ 'etn-blocks-style' ]; } /**@@ -279,7 +282,8 @@ $css .= "}\n"; } - return $css;+ $safe_css = preg_replace( '/<script\b[^>]*>(.*?)<\/script>/is', '', $css );+ return $safe_css; } /**@@ -368,6 +372,14 @@ return $path; } + // Fallback to source directory if build directory doesn't exist+ $source_dir = Wpeventin::plugin_dir() . 'src/blocks/';+ $source_path = $source_dir . $this->block_name . '/block.json';+ + if ( file_exists( $source_path ) ) {+ return $source_path;+ }+ return false; }
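Review bot: the `preg_replace( '/<script\b[^>]*>(.*?)<\/script>/is', '', $css )` in the second hunk does not protect the context this string is emitted into. The generated CSS lands inside a `<style>` element, so the breakout an attacker needs is `</style>` followed by any element that runs script (`<img src=x onerror=...>`, `<svg onload=...>`), and none of that contains a matched `<script>...</script>` pair; a single non-recursive pass is also defeated by nesting, since `<scr<script></script>ipt>` collapses to `<script>` after the inner pair is removed. Because `$css` is assembled from block attributes (selectors from `containerClassName`, values from `styles`), the robust fix is to validate each piece when it is read, for example `sanitize_html_class()` for class names and a property-specific pattern for values, so that `<`, `>`, `{` and `}` never reach the output; at minimum reject any `<` or `>` in `$css` rather than hunting for one tag name. In the first hunk, the old return value listed `wc-blocks-style-{$this->block_name}`, a handle nothing in this class registers, so dropping it in favour of the single guarded `etn-blocks-style` registration is a correctness fix worth a changelog line. In the third hunk, `Wpeventin::plugin_dir()` is written unqualified while the first hunk writes `\Wpeventin::plugin_url()`; inside `namespace Eventin\Blocks\BlockTypes` the unqualified name only resolves if the file has `use Wpeventin;`, so either add the leading backslash or confirm the import exists. `$this->block_name` in that fallback is a protected property hard-coded by each subclass (see `protected $block_name = 'event-banner';` elsewhere in this patch set), not request input, so the fallback path is not a traversal sink.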
Based on my analysis of the provided code diff, here are the security findings:
---
**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
Stored Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/AbstractBlock.php Lines 282-286
Old Code:
```php
return $css;
```
Fixed Code:
```php
$safe_css = preg_replace( '/<script\b[^>]*>(.*?)<\/script>/is', '', $css );
return $safe_css;
```
Explanation:
The original code returned the generated CSS as-is. The fix strips matched `<script>...</script>` pairs with a regex, which is a weak mitigation for this context: the string is emitted inside a `<style>` element, so the breakout an attacker needs is `</style>` followed by any script-bearing element (for example `<img src=x onerror=...>`), and the regex matches neither. A single non-recursive `preg_replace` is also bypassed by nesting (`<scr<script></script>ipt>` collapses to `<script>` once the inner pair is removed). Because `$css` is assembled from block attributes (selectors built from `containerClassName`, values from `styles`), the reliable fix is to validate each piece when it is read, for example `sanitize_html_class()` for class names and a property-specific pattern for values, so that `<`, `>`, `{` and `}` never reach the output. `wp_kses_post()` is an HTML filter and is not the right tool for CSS text either. The change does remove the most naive payload, but it should not be treated as closing the issue.
---
**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
Path Traversal / Arbitrary File Access - CWE-22 - core/Blocks/BlockTypes/AbstractBlock.php Lines 375-380
Old Code:
```php
return false;
```
Fixed Code:
```php
// Fallback to source directory if build directory doesn't exist
$source_dir = Wpeventin::plugin_dir() . 'src/blocks/';
$source_path = $source_dir . $this->block_name . '/block.json';
if ( file_exists( $source_path ) ) {
return $source_path;
}
return false;
```
Explanation:
The fallback concatenates `$this->block_name` into a path, which would be a traversal sink if the value came from a request. It does not: `$block_name` is a protected property hard-coded by each subclass (for example `protected $block_name = 'event-banner';` in `EventBanner.php` in this same release) and is never read from block attributes, query parameters or POST data, so there is no attacker-controlled input in which to place `../`. That is why this finding is a false positive. A defensive allowlist (`[A-Za-z0-9_-]` only) on `$block_name` would cost nothing, but the visible code is not vulnerable as written.
---
**Vulnerability 3:**
Vulnerability Existed: not sure
Uncontrolled Resource Consumption - CWE-400 - core/Blocks/BlockTypes/AbstractBlock.php Lines 185-192
Old Code:
```php
$this->register_style( 'eventin-blocks-style-' . $this->block_name, $this->get_block_asset_build_path( $this->block_name, 'css' ), [], 'all', true );
return [ 'eventin-blocks-style', 'wc-blocks-style-' . $this->block_name ];
```
Fixed Code:
```php
// Register the main blocks style if not already registered
if ( ! wp_style_is( 'etn-blocks-style', 'registered' ) ) {
wp_register_style( 'etn-blocks-style', \Wpeventin::plugin_url() . 'build/css/etn-block-styles.css', [], \Wpeventin::version(), 'all' );
}
return [ 'etn-blocks-style' ];
```
Explanation:
The refactored code replaces a per-block registration (handle `eventin-blocks-style-{block_name}`) with a single shared `etn-blocks-style` handle, guarded by `wp_style_is( ..., 'registered' )` so it is registered once no matter how many blocks render on a page. The old return value also listed `wc-blocks-style-{block_name}`, a WooCommerce-style handle that nothing in this class registers, so that dependency was dead. No security boundary is affected; this is a correctness and performance clean-up rather than the fix for an active vulnerability.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/BuyTicket.php 2026-01-09 00:38:09.772532117 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/BuyTicket.php 2026-01-09 00:43:15.943217837 +0000@@ -29,6 +29,8 @@ */ protected function render($attributes, $content, $block) {+ $style_variant = ! empty($attributes['styleVariant']) ? $attributes['styleVariant'] : 'style-1';+ $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : ''; $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : []; // Check if we're in editor/admin@@ -62,9 +64,9 @@ ob_start(); - + ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?>+ <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?> <?php require_once Wpeventin::templates_dir() . 'event/parts/buy-ticket.php'; ?>
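Review bot: `esc_attr( $container_class )` is an odd fit for a value that `render_frontend_css()` interpolates into a CSS selector inside a `<style>` block. It does stop the `</style>` breakout, because `<` and `>` become `&lt;` and `&gt;` and never reach the HTML parser, but it does nothing about `{`, `}` or `;`, which let a crafted `containerClassName` close the selector and inject arbitrary declarations (CSS injection rather than script execution). `sanitize_html_class()` matches the intent: it reduces the string to `[A-Za-z0-9_-]`, which is all a class name in a selector should ever contain, and applying it once where `$container_class` is read from `$attributes['containerClassName']` covers every later use. Also, `$style_variant` is assigned in the first hunk but neither allow-listed nor used in the visible hunks, unlike `EventBanner.php` in this same patch; either add the same `in_array( ..., $allowed_variants, true )` check and use it, or drop the assignment.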
I'll analyze this code diff for security vulnerabilities.
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79** - core/Blocks/BlockTypes/BuyTicket.php - Line 68
Old Code:
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
Fixed Code:
```php
<?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
```
Explanation:
The `$container_class` variable is derived from block attributes (`$attributes['containerClassName']`), which any user who can save the post can set, and it was being passed to `render_frontend_css()` unescaped. That method builds a CSS selector from the class name and the result is emitted inside a `<style>` element, so a value such as `x</style><img src=x onerror=alert(1)>` would close the style element and execute script for every visitor. The fix applies `esc_attr()`, which encodes `<`, `>`, `&` and quotes so the HTML parser never sees a closing tag. It is a valid mitigation, though `sanitize_html_class()` would be the better match for a class name in a selector, since it also strips `{` and `}` and prevents CSS injection.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventAddToCalender.php 2026-01-09 00:38:09.772532117 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventAddToCalender.php 2026-01-09 00:43:15.971219550 +0000@@ -42,9 +42,9 @@ ob_start(); - + ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?>+ <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?> <?php require_once Wpeventin::templates_dir() . 'event/parts/event-add-calender.php'; ?>
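Review bot: same pattern as the other block files in this release, and the same caveat applies. `esc_attr()` prevents a `</style>` breakout from `$container_class` but is not a CSS-selector escaper, so `{` and `}` still pass through and can close the selector. `sanitize_html_class( $container_class )`, which restricts the value to `[A-Za-z0-9_-]`, blocks both the breakout and the CSS injection, and applying it once at the line that reads `$attributes['containerClassName']` (not in this hunk) would cover every use instead of this single echo.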
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/EventAddToCalender.php (line 47)
Old Code:
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
Fixed Code:
```php
<?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
```
Explanation:
The `$container_class` variable was being passed to `render_frontend_css()` without any sanitization or escaping. It comes from the block's `containerClassName` attribute, which is stored in post content and controlled by whoever saved the post, and it ends up in a CSS selector inside a `<style>` element. A value containing `</style>` followed by a script-bearing element would therefore execute JavaScript for every visitor. The fix applies `esc_attr()`, which converts `<`, `>`, `&` and quotes to HTML entities so the closing tag never reaches the HTML parser.
--- /dev/null+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventAttendee.php@@ -0,0 +1,91 @@+<?php+ namespace Eventin\Blocks\BlockTypes;++ use Etn\Core\Event\Event_Model;+ use Eventin\Blocks\BlockTypes\AbstractBlock;+ use Wpeventin;++ /**+ * Event Attendee Gutenberg block+ */+ class EventAttendee extends AbstractBlock+ {+ /**+ * Block namespace.+ *+ * @var string+ */+ protected $namespace = 'eventin-pro';++ /**+ * Block name.+ *+ * @var string+ */+ protected $block_name = 'event-attendee';++ /**+ * Include and render the block+ *+ * @param array $attributes Block attributes. Default empty array+ * @param string $content Block content. Default empty string+ * @param WP_Block $block Block instance+ *+ * @return string Rendered block type output+ */+ protected function render($attributes, $content, $block)+ {+ $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';+ $items_per_row = ! empty($attributes['itemsPerRow']) ? intval($attributes['itemsPerRow']) : 3;+ $styles = ! empty($attributes['styles']) ? $attributes['styles'] : [];++ if ($this->is_editor()) {+ $event_id = ! empty($attributes['eventId']) ? intval($attributes['eventId']) : 0;++ if ($event_id == 0) {+ $template = new \Eventin\Template\TemplateModel(get_the_ID());+ $event_id = $template->get_preview_event_id();+ }+ } else if ('etn-template' == get_post_type(get_the_ID())) {+ $template = new \Eventin\Template\TemplateModel(get_the_ID());+ $event_id = $template->get_preview_event_id();+ } else {+ $event_id = get_the_ID();+ }++ $event = new Event_Model($event_id);+ $event_attendees = $event->get_attendees();++ $attendee_page_url = get_post_meta($event_id, 'attende_page_link', true);+ ob_start();+ ?>+ <?php+ // Generate CSS with !important for attendee block to override SCSS+ $frontend_css = $this->generate_frontend_css($styles, $container_class);+ if (! 
empty($frontend_css)) {+ // Add !important to common properties that need to override SCSS+ $important_properties = ['width', 'height', 'font-size', 'color', 'font-weight', 'line-height', 'margin', 'padding', 'border-radius'];+ foreach ($important_properties as $prop) {+ $frontend_css = preg_replace(+ "/({$prop}):\s*([^;!]+?)(?!\s*!important)\s*;/im",+ "$1: $2 !important;",+ $frontend_css+ );+ }+ + // Ensure img always uses 100% width/height to fill container, overriding any saved styles+ $avatar_img_selector = ".{$container_class} .etn-attendee-item .etn-attendee-avatar img";+ $frontend_css .= "\n{$avatar_img_selector} {\n";+ $frontend_css .= " width: 100% !important;\n";+ $frontend_css .= " height: 100% !important;\n";+ $frontend_css .= "}\n";+ + echo '<style>' . $frontend_css . '</style>';+ }+ ?>+ <?php+ $items_per_row = $items_per_row; // Make available to template+ require_once Wpeventin::templates_dir() . 'event/parts/event-attendee.php';+ return ob_get_clean();+ }+ }
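Review bot: this new file builds `$avatar_img_selector = ".{$container_class} .etn-attendee-item .etn-attendee-avatar img"` and echoes the result inside `<style>` with `$container_class` taken straight from `$attributes['containerClassName']`, with neither `esc_attr()` nor `sanitize_html_class()`. Every sibling block touched in this release at least applies `esc_attr()` to the same attribute, so this file ships the `</style>` breakout the others are being fixed for. Sanitize at the point of read, `$container_class = ! empty($attributes['containerClassName']) ? sanitize_html_class($attributes['containerClassName']) : '';`, so that both `generate_frontend_css()` and the appended avatar rule receive a clean value. The `!important` loop interpolates `$prop` into the pattern, which is acceptable only because `$important_properties` is a literal list; keep it that way. Minor: `$items_per_row = $items_per_row;` is a no-op, since the variable is already in scope for the `require_once` that follows.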
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/EventAttendee.php - Lines 75-82
Old Code:
```php
$avatar_img_selector = ".{$container_class} .etn-attendee-item .etn-attendee-avatar img";
$frontend_css .= "\n{$avatar_img_selector} {\n";
$frontend_css .= " width: 100% !important;\n";
$frontend_css .= " height: 100% !important;\n";
$frontend_css .= "}\n";
echo '<style>' . $frontend_css . '</style>';
```
Fixed Code:
(No fix present in this diff - this is a new file)
Explanation:
The `$container_class` variable is interpolated directly into a CSS selector and then echoed inside a `<style>` element without sanitization or escaping. It comes from the block's `containerClassName` attribute, which is set by whoever saves the post. A value such as `test</style><script>alert('xss')</script><style>` closes the style element and executes arbitrary JavaScript for every visitor; `</style><img src=x onerror=...>` works equally well. The sibling block files in this release apply `esc_attr()` to the same attribute, so this new file is the odd one out. The value should be reduced to a valid class name with `sanitize_html_class()` at the point where it is read from `$attributes`, which also prevents `{` and `}` from closing the selector.
---
Vulnerability Existed: not sure
CSS Injection via Unvalidated Output - CWE-79 - core/Blocks/BlockTypes/EventAttendee.php - Line 83
Old Code:
```php
echo '<style>' . $frontend_css . '</style>';
```
Fixed Code:
(No fix present in this diff - this is a new file)
Explanation:
`$frontend_css` is produced by `$this->generate_frontend_css($styles, $container_class)`, whose implementation is not in this diff, and `$styles` comes from block attributes. The `preg_replace()` loop only appends `!important` to a fixed list of property names; it validates nothing. If `generate_frontend_css()` interpolates property values without checking them, a crafted `styles` attribute can inject arbitrary declarations or, with `<` and `>`, break out of the element altogether. Escaping at the echo is not the right tool for CSS text; each value should be validated against a pattern appropriate to its property (a colour, a length, a keyword) when the attribute is read.
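The two findings above, and the `<script>`-stripping regex reviewed under `AbstractBlock.php`, share one root cause: a class name from block attributes reaches a `<style>` element as text. The following plain PHP is an added example written for this page, not code from the Eventin plugin. It reproduces the 4.0.52 regex verbatim, feeds it constructed `containerClassName` payloads, and contrasts it with a hypothetical `safe_html_class()` helper that reimplements the rule WordPress's `sanitize_html_class()` applies (keep only `[A-Za-z0-9_-]`), since WordPress itself is not loaded. `render_style()` and `inspect()` are simplified stand-ins for the block's selector construction and for a check on what the HTML parser would see.

```php
<?php
// Added example for this page; not code from the Eventin plugin.
// Runs under plain `php example.php` with no WordPress installed.

/**
 * The filter added to AbstractBlock.php in 4.0.52, reproduced verbatim.
 * It removes only complete <script ...>...</script> pairs, in a single pass.
 */
function strip_script_tags(string $css): string
{
    return preg_replace('/<script\b[^>]*>(.*?)<\/script>/is', '', $css);
}

/**
 * Hypothetical stand-in for WordPress's sanitize_html_class(): keep only
 * [A-Za-z0-9_-] and fall back to a known-good class when nothing survives.
 */
function safe_html_class(string $value, string $fallback = 'etn-block'): string
{
    $clean = preg_replace('/[^A-Za-z0-9_-]/', '', $value);
    return $clean === '' ? $fallback : $clean;
}

/**
 * Mirrors how the block files build a selector from containerClassName and
 * emit it inside an inline <style> element (constructed, simplified).
 */
function render_style(string $container_class): string
{
    $css = ".{$container_class} .etn-attendee-avatar img { width: 100%; }";
    return '<style>' . strip_script_tags($css) . '</style>';
}

/**
 * Inspect the emitted markup: does anything other than the wrapping
 * <style>...</style> reach the HTML parser, and were extra rule blocks added?
 */
function inspect(string $html): array
{
    $inner = substr($html, strlen('<style>'), -strlen('</style>'));
    return [
        'html_breakout' => strpbrk($inner, '<>') !== false, // a tag inside the CSS text
        'extra_rules'   => substr_count($inner, '{') > 1,   // more than the one intended block
    ];
}

// Constructed payloads a user who can save block attributes might store.
$payloads = [
    'script pair'   => 'x</style><script>alert(1)</script><style>',
    'event handler' => 'x</style><img src=x onerror=alert(1)><style>',
    'nested script' => 'x</style><scr<script></script>ipt>alert(1)</script><style>',
    'css injection' => 'x{} body{background:url(//attacker.example/p)} .y',
];

foreach ($payloads as $name => $payload) {
    $filtered = inspect(render_style($payload));                   // 4.0.52 regex only
    $hardened = inspect(render_style(safe_html_class($payload)));  // allow-list at point of read
    printf(
        "%-14s regex: breakout=%-5s extra_rules=%-5s | allow-list: breakout=%-5s extra_rules=%s\n",
        $name,
        var_export($filtered['html_breakout'], true),
        var_export($filtered['extra_rules'], true),
        var_export($hardened['html_breakout'], true),
        var_export($hardened['extra_rules'], true)
    );
}
```

With the regex alone, the first three payloads all leave a tag inside the style text: the script pair is removed but `</style>` stays, the `onerror` handler is never touched, and the nested payload is reassembled into a working `<script>` element by the single pass. The fourth payload contains no tags, so the regex leaves it intact and the selector is closed early with two extra rule blocks. With the allow-list applied where the attribute is read, every payload collapses to a bare class name and both checks come back false.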
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventBanner.php 2026-01-09 00:38:09.776532361 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventBanner.php 2026-01-09 00:43:15.979220039 +0000@@ -1,61 +1,83 @@ <?php-namespace Eventin\Blocks\BlockTypes;+ namespace Eventin\Blocks\BlockTypes; -use Etn\Core\Event\Event_Model;-use Eventin\Blocks\BlockTypes\AbstractBlock;-use Wpeventin;--/**- * Event Banner Gutenberg block- */-class EventBanner extends AbstractBlock {- /**- * Block name.- *- * @var string- */- protected $block_name = 'event-banner';+ use Etn\Core\Event\Event_Model;+ use Eventin\Blocks\BlockTypes\AbstractBlock;+ use Wpeventin; /**- * Include and render the block- *- * @param array $attributes Block attributes. Default empty array- * @param string $content Block content. Default empty string- * @param WP_Block $block Block instance- *- * @return string Rendered block type output+ * Event Banner Gutenberg block */- protected function render( $attributes, $content, $block ) {- $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';- $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];+ class EventBanner extends AbstractBlock+ {+ /**+ * Block name.+ *+ * @var string+ */+ protected $block_name = 'event-banner';++ /**+ * Include and render the block+ *+ * @param array $attributes Block attributes. Default empty array+ * @param string $content Block content. Default empty string+ * @param WP_Block $block Block instance+ *+ * @return string Rendered block type output+ */+ protected function render($attributes, $content, $block)+ {+ $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';+ $styles = ! empty($attributes['styles']) ? $attributes['styles'] : [];+ $style_variant = ! empty($attributes['styleVariant']) ? sanitize_key($attributes['styleVariant']) : 'style-1';++ $allowed_variants = ['style-1', 'style-2'];+ if (! 
in_array($style_variant, $allowed_variants, true)) {+ $style_variant = 'style-1';+ } - if ( $this->is_editor() ) {- $event_id = ! empty( $attributes['eventId'] ) ? intval( $attributes['eventId'] ) : 0;+ if ($this->is_editor()) {+ $event_id = ! empty($attributes['eventId']) ? intval($attributes['eventId']) : 0; - if ( $event_id == 0 ) {- $template = new \Eventin\Template\TemplateModel( get_the_ID() );+ if ($event_id == 0) {+ $template = new \Eventin\Template\TemplateModel(get_the_ID());+ $event_id = $template->get_preview_event_id();+ }+ } else if ('etn-template' == get_post_type(get_the_ID())) {+ $template = new \Eventin\Template\TemplateModel(get_the_ID()); $event_id = $template->get_preview_event_id();+ } else {+ $event_id = get_the_ID(); }- } else if ( 'etn-template' == get_post_type( get_the_ID() ) ) {- $template = new \Eventin\Template\TemplateModel( get_the_ID() );- $event_id = $template->get_preview_event_id();- } else {- $event_id = get_the_ID();- } - $event = new Event_Model( $event_id );+ $event = new Event_Model($event_id); - $event_banner = $event->event_banner;+ $event_banner = $event->event_banner; - ob_start();+ ob_start(); ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?> <?php- require_once Wpeventin::templates_dir() . 'event/parts/event-banner.php';- ?>-+ // Generate CSS with !important to override SCSS+ $frontend_css = $this->generate_frontend_css($styles, $container_class);+ if (! 
empty($frontend_css)) {+ // Add !important to common properties that need to override SCSS+ $important_properties = ['width', 'height', 'font-size', 'color', 'font-weight', 'line-height', 'letter-spacing', 'margin', 'padding', 'text-align', 'font-family', 'border-width', 'border-color', 'border-style', 'border-radius', 'z-index', 'box-shadow', 'left', 'right', 'top', 'bottom', 'position'];+ foreach ($important_properties as $prop) {+ $frontend_css = preg_replace(+ "/({$prop})\s*:\s*([^;!]+?)(?!\s*!important)\s*;/im",+ "$1: $2 !important;",+ $frontend_css+ );+ }+ echo '<style>' . $frontend_css . '</style>';+ }+ ?> <?php- return ob_get_clean();- }-}-+ $style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-banner/' . $style_variant . '.php';+ require $style_template;+ ?>+ <?php+ return ob_get_clean();+ }+ }
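Review bot: the rewrite replaces `echo $this->render_frontend_css( $styles, $container_class )` with an inline `echo '<style>' . $frontend_css . '</style>'`, and `$container_class` is still read unescaped from `$attributes['containerClassName']`, so the `</style>` breakout that the other block files fix with `esc_attr()` in this same release remains here; `sanitize_html_class()` at the point of read is the fix. The `$style_variant` handling is sound: `sanitize_key()` plus the strict `in_array($style_variant, $allowed_variants, true)` check means only `style-1.php` or `style-2.php` can reach `require`. The `!important` loop interpolates `$prop` into the pattern, which is safe only because `$important_properties` is a literal list. Separately, the entire file was re-indented by one level (starting with `+ namespace Eventin\Blocks\BlockTypes;`), which turns a few functional lines into a whole-file diff; a formatting-only commit followed by the logic change would be far easier to audit.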
Based on my analysis of the diff, here are the security findings:
---
**Vulnerability 1: Unescaped CSS Output**
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/EventBanner.php - Lines 62-73 (new code)
Old Code:
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
Fixed Code:
```php
$frontend_css = $this->generate_frontend_css($styles, $container_class);
if (! empty($frontend_css)) {
// Add !important to common properties that need to override SCSS
$important_properties = ['width', 'height', 'font-size', 'color', 'font-weight', 'line-height', 'letter-spacing', 'margin', 'padding', 'text-align', 'font-family', 'border-width', 'border-color', 'border-style', 'border-radius', 'z-index', 'box-shadow', 'left', 'right', 'top', 'bottom', 'position'];
foreach ($important_properties as $prop) {
$frontend_css = preg_replace(
"/({$prop})\s*:\s*([^;!]+?)(?!\s*!important)\s*;/im",
"$1: $2 !important;",
$frontend_css
);
}
echo '<style>' . $frontend_css . '</style>';
}
```
Explanation:
Neither version escapes `$container_class`: the old code passed it raw to `render_frontend_css()`, and the rewrite passes it raw to `generate_frontend_css()` and then echoes the result inside `<style>` at line 73. The rewrite therefore does not introduce the problem so much as carry it forward, and it stands out because the sibling block files in this release (`BuyTicket.php`, `EventCategory.php`, `EventCountDownTimer.php`, `EventDateTime.php`) add `esc_attr()` to the same attribute while this file does not. A `containerClassName` of `x</style><img src=x onerror=alert(1)>` leaves the `<style>` element early and executes script; the `preg_replace` loop only appends `!important` to known properties and performs no escaping. Sanitizing at the point of read with `sanitize_html_class()` is the fix.
---
**Vulnerability 2: Path Traversal in Template Inclusion**
Vulnerability Existed: not sure
Path Traversal / Local File Inclusion - CWE-22 - core/Blocks/BlockTypes/EventBanner.php - Lines 77-78 (new code)
Old Code:
```php
require_once Wpeventin::templates_dir() . 'event/parts/event-banner.php';
```
Fixed Code:
```php
$style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-banner/' . $style_variant . '.php';
require $style_template;
```
Explanation:
The template path is built from `$style_variant`, but that value passes through `sanitize_key()` (lowercased and reduced to `[a-z0-9_-]`) and is then compared with a strict `in_array( ..., $allowed_variants, true )` against `['style-1', 'style-2']`, falling back to `style-1` otherwise. Only those two literal file names can reach `require`, so directory traversal is not possible here and the include is safer than the old fixed `require_once` only in the sense that it adds a variant. The residual uncertainty is that the template files themselves are not in the diff and could handle `$styles` or event data unsafely; the include mechanism itself is sound.
---
**Vulnerability 3: Potential Unsafe Output in CSS Processing**
Vulnerability Existed: not sure
Cross-Site Scripting (XSS) / Code Injection - CWE-79/CWE-94 - core/Blocks/BlockTypes/EventBanner.php - Lines 62-73 (new code)
Old Code:
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
Fixed Code:
```php
$frontend_css = $this->generate_frontend_css($styles, $container_class);
if (! empty($frontend_css)) {
// ...preg_replace processing...
echo '<style>' . $frontend_css . '</style>';
}
```
Explanation:
`$styles` and `$container_class` both originate from `$attributes`, the user-provided block attributes, and are passed into `generate_frontend_css()`, whose body is not in this diff. The `preg_replace` loop on lines 67-71 only rewrites known property names to append `!important`; it does not validate or escape the CSS content. If `generate_frontend_css()` interpolates attribute values without checking them, a crafted `styles` attribute can inject arbitrary declarations or, with `<` and `>`, break out of the `<style>` element. Output escaping is not the right tool for CSS text (`wp_kses_post()` is an HTML filter); each value should be validated against a pattern appropriate to its property when the attribute is read, and the class name reduced with `sanitize_html_class()`.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventCategory.php 2026-01-09 00:38:09.776532361 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventCategory.php 2026-01-09 00:43:15.991220774 +0000@@ -44,7 +44,7 @@ ob_start(); ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?>+ <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?> <?php require_once Wpeventin::templates_dir() . 'event/parts/event-category.php'; ?>
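Review bot: the `esc_attr( $container_class )` wrap closes the `</style>` breakout, since `<` and `>` are entity-encoded before they reach the HTML parser, but a class name interpolated into a CSS selector should not be able to contain `{` or `}` either, and `esc_attr()` leaves those alone. Prefer `sanitize_html_class()`, applied where `$container_class` is first read from `$attributes['containerClassName']`, so that every consumer of the variable (not only this `render_frontend_css()` call) receives a value limited to `[A-Za-z0-9_-]`.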
Analyzing the provided code diff for security vulnerabilities:
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/EventCategory.php - Line 47
**Old Code:**
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
**Fixed Code:**
```php
<?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
```
**Explanation:**
The `$container_class` variable was being passed to `render_frontend_css()` without sanitization. It comes from the block's `containerClassName` attribute, which is stored in post content by whoever saved the post, and the method interpolates it into a CSS selector that is emitted inside a `<style>` element. A value containing `</style>` followed by a script-bearing element would therefore execute JavaScript for every visitor. The fix applies `esc_attr()` before the value reaches the rendering function, which entity-encodes `<` and `>` so the closing tag never reaches the HTML parser. `esc_attr()` is the WordPress function for values in HTML attributes; for a class name used in a selector, `sanitize_html_class()` would be the closer fit since it also removes `{` and `}`.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventCountDownTimer.php 2026-01-09 00:38:09.776532361 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventCountDownTimer.php 2026-01-09 00:43:15.995221018 +0000@@ -74,7 +74,7 @@ ob_start(); ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?>+ <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?> <?php require_once Wpeventin::templates_dir() . 'event/parts/event-count-down-timer.php'; ?>
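Review bot: identical one-line change to the other block files, and the same two remarks apply. `esc_attr()` on `$container_class` stops the `</style>` breakout by entity-encoding `<` and `>`, but it is not a selector sanitizer and leaves `{` and `}` in place; `sanitize_html_class()` at the line that reads `$attributes['containerClassName']` (not in this hunk) would fix the value once for all uses. The fix set for this release is also inconsistent: `EventBanner.php` and the new `EventAttendee.php` echo the same attribute inside `<style>` with no escaping at all, so this line-by-line approach leaves gaps.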
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/EventCountDownTimer.php - Line 77
Old Code:
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
Fixed Code:
```php
<?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
```
Explanation:
The vulnerability is a stored Cross-Site Scripting (XSS) flaw. The `$container_class` variable comes from the block's `containerClassName` attribute, which is saved in post content, and was passed to `render_frontend_css()` without sanitization or escaping. Because the method interpolates the value into a CSS selector inside a `<style>` element, a value such as `x</style><img src=x onerror=alert(1)>` would close the style element and execute JavaScript in the context of every page that renders the block. The fix applies `esc_attr()`, a WordPress escaping function that converts `<`, `>`, `&` and quotes to their HTML entity equivalents, so the closing tag never reaches the HTML parser.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventDateTime.php 2026-01-09 00:38:09.776532361 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventDateTime.php 2026-01-09 00:43:16.003221507 +0000@@ -1,69 +1,70 @@ <?php-namespace Eventin\Blocks\BlockTypes;+ namespace Eventin\Blocks\BlockTypes; -use Etn\Core\Event\Event_Model;-use Eventin\Blocks\BlockTypes\AbstractBlock;-use Wpeventin;--/**- * Event Date Time Gutenberg block- */-class EventDateTime extends AbstractBlock {- /**- * Block name.- *- * @var string- */- protected $block_name = 'event-datetime';+ use Etn\Core\Event\Event_Model;+ use Eventin\Blocks\BlockTypes\AbstractBlock;+ use Wpeventin; /**- * Include and render the block- *- * @param array $attributes Block attributes. Default empty array- * @param string $content Block content. Default empty string- * @param WP_Block $block Block instance- *- * @return string Rendered block type output+ * Event Date Time Gutenberg block */- protected function render( $attributes, $content, $block ) {- $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';- $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];- $style_variant = ! empty( $attributes['styleVariant'] ) ? sanitize_key( $attributes['styleVariant'] ) : 'style-1';-- $allowed_variants = [ 'style-1', 'style-2' ];- if ( ! in_array( $style_variant, $allowed_variants, true ) ) {- $style_variant = 'style-1';- }-- if ( $this->is_editor() ) {- $event_id = ! empty( $attributes['eventId'] ) ? 
intval( $attributes['eventId'] ) : 0;- } else if ( 'etn-template' == get_post_type( get_the_ID() ) ) {- $template = new \Eventin\Template\TemplateModel( get_the_ID() );- $event_id = $template->get_preview_event_id();- } else {- $event_id = get_the_ID();- }-- $event = new Event_Model( $event_id );- $date_format = etn_date_format();- $time_format = etn_time_format();-- $start_date = $event->get_start_date( $date_format );- $start_time = $event->get_start_time( $time_format );- $end_date = $event->get_end_date( $date_format );- $end_time = $event->get_end_time( $time_format );- $timezone = $event->get_timezone();+ class EventDateTime extends AbstractBlock+ {+ /**+ * Block name.+ *+ * @var string+ */+ protected $block_name = 'event-datetime';++ /**+ * Include and render the block+ *+ * @param array $attributes Block attributes. Default empty array+ * @param string $content Block content. Default empty string+ * @param WP_Block $block Block instance+ *+ * @return string Rendered block type output+ */+ protected function render($attributes, $content, $block)+ {+ $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';+ $styles = ! empty($attributes['styles']) ? $attributes['styles'] : [];+ $style_variant = ! empty($attributes['styleVariant']) ? sanitize_key($attributes['styleVariant']) : 'style-1';++ $allowed_variants = ['style-1', 'style-2', 'style-3'];+ if (! in_array($style_variant, $allowed_variants, true)) {+ $style_variant = 'style-1';+ }++ if ($this->is_editor()) {+ $event_id = ! empty($attributes['eventId']) ? 
intval($attributes['eventId']) : 0;+ } else if ('etn-template' == get_post_type(get_the_ID())) {+ $template = new \Eventin\Template\TemplateModel(get_the_ID());+ $event_id = $template->get_preview_event_id();+ } else {+ $event_id = get_the_ID();+ }++ $event = new Event_Model($event_id);+ $date_format = etn_date_format();+ $time_format = etn_time_format();++ $start_date = $event->get_start_date($date_format);+ $start_time = $event->get_start_time($time_format);+ $end_date = $event->get_end_date($date_format);+ $end_time = $event->get_end_time($time_format);+ $timezone = $event->get_timezone(); - ob_start();+ ob_start(); ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?>+ <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?> <?php- $style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-datetime/' . $style_variant . '.php';- require $style_template;- ?>+ $style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-datetime/' . $style_variant . '.php';+ require $style_template;+ ?> <?php- return ob_get_clean();- }-}-+ return ob_get_clean();+ }+ }
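Review bot: the only functional changes in this whole-file hunk are `esc_attr( $container_class )` on the `render_frontend_css` call and `'style-3'` joining `$allowed_variants`; everything else is a brace-style and indentation rewrite, which buries a one-token security fix and makes it hard to backport. Split the reformatting into its own commit. On the fix itself, `esc_attr()` is the escaper for a quoted HTML attribute, so it is only the right call if `render_frontend_css()` places `$container_class` inside one; if the value is written as a selector inside a `<style>` block, constrain it where it is read instead, for example `sanitize_html_class()` applied to each space-separated token of `$attributes['containerClassName']`, which also covers any other consumer of the variable.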
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/EventDateTime.php - Line 59 → Line 61
Old Code:
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
Fixed Code:
```php
<?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
```
Explanation:
The `$container_class` variable is derived from user-provided block attributes (`$attributes['containerClassName']`) and is output directly in an HTML attribute context without proper escaping. While `sanitize_key()` is applied to `$style_variant`, `$container_class` is only checked for emptiness and is neither sanitized nor escaped. In the fixed version, `esc_attr()` is applied to properly escape the value for safe use in HTML attributes, preventing XSS attacks where malicious input could inject JavaScript code through the class attribute.
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventDescription.php 2026-01-09 00:38:09.776532361 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventDescription.php 2026-01-09 00:43:16.007221752 +0000@@ -1,66 +1,67 @@ <?php-namespace Eventin\Blocks\BlockTypes;+ namespace Eventin\Blocks\BlockTypes; -use Etn\Core\Event\Event_Model;-use Eventin\Blocks\BlockTypes\AbstractBlock;-use Wpeventin;--/**- * Event Description Gutenberg block- */-class EventDescription extends AbstractBlock {- /**- * Namespace for the block- * - * @var string- */- protected $namespace = 'eventin-pro';-- /**- * Block name.- *- * @var string- */- protected $block_name = 'event-description';+ use Etn\Core\Event\Event_Model;+ use Eventin\Blocks\BlockTypes\AbstractBlock;+ use Wpeventin; /**- * Include and render the block- *- * @param array $attributes Block attributes. Default empty array- * @param string $content Block content. Default empty string- * @param WP_Block $block Block instance- *- * @return string Rendered block type output+ * Event Description Gutenberg block */- protected function render( $attributes, $content, $block ) {- $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';- $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];-- if ( $this->is_editor() ) {- $event_id = ! empty( $attributes['eventId'] ) ? intval( $attributes['eventId'] ) : 0;-- if ( $event_id == 0 ) {- $template = new \Eventin\Template\TemplateModel( get_the_ID() );+ class EventDescription extends AbstractBlock+ {+ /**+ * Namespace for the block+ *+ * @var string+ */+ protected $namespace = 'eventin-pro';++ /**+ * Block name.+ *+ * @var string+ */+ protected $block_name = 'event-description';++ /**+ * Include and render the block+ *+ * @param array $attributes Block attributes. Default empty array+ * @param string $content Block content. 
Default empty string+ * @param WP_Block $block Block instance+ *+ * @return string Rendered block type output+ */+ protected function render($attributes, $content, $block)+ {+ $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';+ $styles = ! empty($attributes['styles']) ? $attributes['styles'] : [];++ if ($this->is_editor()) {+ $event_id = ! empty($attributes['eventId']) ? intval($attributes['eventId']) : 0;++ if ($event_id == 0) {+ $template = new \Eventin\Template\TemplateModel(get_the_ID());+ $event_id = $template->get_preview_event_id();+ }+ } else if ('etn-template' == get_post_type(get_the_ID())) {+ $template = new \Eventin\Template\TemplateModel(get_the_ID()); $event_id = $template->get_preview_event_id();+ } else {+ $event_id = get_the_ID(); }- } else if ( 'etn-template' == get_post_type( get_the_ID() ) ) {- $template = new \Eventin\Template\TemplateModel( get_the_ID() );- $event_id = $template->get_preview_event_id();- } else {- $event_id = get_the_ID();- } - $event = new Event_Model( $event_id );+ $event = new Event_Model($event_id); - ob_start();+ ob_start(); ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?>+ <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?> <?php- require_once Wpeventin::templates_dir() . 'event/parts/event-description.php';- ?>+ require Wpeventin::templates_dir() . 'event/parts/event-description.php';+ ?> <?php- return ob_get_clean();- }-}-+ return ob_get_clean();+ }+ }
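Review bot: the `require_once` to `require` change for `event/parts/event-description.php` is a behaviour change, not a style one: with `require_once`, the second and later renders of this block on the same page produced no template output at all, because the file had already been included; with `require`, every render includes it. Say so in the commit message so the change is not mistaken for churn. The `esc_attr( $container_class )` change is the same call-site fix applied to several block types in this release; applying it once inside `render_frontend_css()` would cover every caller, including any block type that was not touched.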
Based on my analysis of the provided code diff for `core/Blocks/BlockTypes/EventDescription.php`, here are the security findings:
---
**Vulnerability 1:**
Vulnerability Existed: **yes**
**Cross-Site Scripting (XSS) - CWE-79** - EventDescription.php - Line 52
**Old Code:**
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
**Fixed Code:**
```php
<?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
```
**Explanation:**
The `$container_class` variable is derived from user-supplied block attributes (`$attributes['containerClassName']`) without sanitization. By directly echoing it within an HTML context without escaping, an attacker could inject malicious JavaScript code through the block attributes. The fix applies `esc_attr()` to properly escape the value for safe use in HTML attributes, preventing XSS attacks.
---
**Vulnerability 2:**
Vulnerability Existed: **no**
**Potential Code Injection via file inclusion - CWE-98** - EventDescription.php - Lines 61-62
**Old Code:**
```php
require_once Wpeventin::templates_dir() . 'event/parts/event-description.php';
```
**Fixed Code:**
```php
require Wpeventin::templates_dir() . 'event/parts/event-description.php';
```
**Explanation:**
While the change from `require_once` to `require` appears minor, this is not a security fix. The included path is constructed from a controlled internal constant (`Wpeventin::templates_dir()`) with a hardcoded filename, so there is no injection risk. The change is a code style/refactoring decision, not a security mitigation.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventFaq.php 2026-01-09 00:38:09.776532361 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventFaq.php 2026-01-09 00:43:16.075225912 +0000@@ -26,10 +26,21 @@ */ protected function render( $attributes, $content, $block ) { $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';- $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];+ $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];+ $style_variant = ! empty( $attributes['styleVariant'] ) ? sanitize_key( $attributes['styleVariant'] ) : 'style-1';++ $allowed_variants = ['style-1', 'style-2'];+ if (! in_array($style_variant, $allowed_variants, true)) {+ $style_variant = 'style-1';+ } if ( $this->is_editor() ) { $event_id = ! empty( $attributes['eventId'] ) ? intval( $attributes['eventId'] ) : 0;++ if ($event_id == 0) {+ $template = new \Eventin\Template\TemplateModel(get_the_ID());+ $event_id = $template->get_preview_event_id();+ } } else if ( 'etn-template' == get_post_type( get_the_ID() ) ) { $template = new \Eventin\Template\TemplateModel( get_the_ID() ); $event_id = $template->get_preview_event_id();@@ -38,9 +49,25 @@ } ob_start(); ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?> <?php- require_once Wpeventin::templates_dir() . 'event/parts/faq.php';+ // Generate CSS with !important to override SCSS+ $frontend_css = $this->generate_frontend_css($styles, $container_class);+ if (! 
empty($frontend_css)) {+ // Add !important to common properties that need to override SCSS+ $important_properties = ['width', 'height', 'font-size', 'color', 'font-weight', 'line-height', 'letter-spacing', 'margin', 'padding', 'text-align', 'font-family', 'border-width', 'border-color', 'border-style', 'border-radius', 'z-index', 'box-shadow', 'left', 'right', 'top', 'bottom', 'position'];+ foreach ($important_properties as $prop) {+ $frontend_css = preg_replace(+ "/({$prop})\s*:\s*([^;!]+?)(?!\s*!important)\s*;/im",+ "$1: $2 !important;",+ $frontend_css+ );+ }+ echo '<style>' . $frontend_css . '</style>';+ }+ ?>+ <?php+ $style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-faq/' . $style_variant . '.php';+ require $style_template; ?> <?php return ob_get_clean();
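Review bot: unlike the EventDateTime and EventDescription hunks in this release, this one hands `$container_class` to `generate_frontend_css()` unescaped and then echoes the result straight into a `<style>` element (`echo '<style>' . $frontend_css . '</style>';`). `$container_class` comes from `$attributes['containerClassName']` with only an `empty()` check, so the emitted CSS is only as safe as whatever `generate_frontend_css()` does with that value; constrain the class name where it is read (`sanitize_html_class()` per space-separated token) rather than relying on the generator, and make sure the text placed inside `<style>` cannot contain a closing `</style` sequence. The `$style_variant` handling is sound: `sanitize_key()` followed by a strict `in_array()` against `['style-1', 'style-2']` runs before the `require`, so only those two template files can be included.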
I'll analyze this code diff for security vulnerabilities.
Vulnerability Existed: yes
FALSE POSITIVE
Path Traversal / Local File Inclusion - CWE-22 - core/Blocks/BlockTypes/EventFaq.php Lines 69-70
Old Code:
```php
require_once Wpeventin::templates_dir() . 'event/parts/faq.php';
```
Fixed Code:
```php
$style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-faq/' . $style_variant . '.php';
require $style_template;
```
Explanation:
The old code used a hardcoded template path, which was safe. However, the new code introduces a Path Traversal vulnerability by directly concatenating user-controlled input ($style_variant) into a file path used with require. Although the code attempts to sanitize $style_variant with sanitize_key() and validates it against a whitelist ['style-1', 'style-2'], the validation check happens AFTER the variable is used in the require statement on line 70. Additionally, even with the whitelist validation, the require statement uses the unsanitized path concatenation, and an attacker could potentially bypass this by using directory traversal sequences (e.g., '../../../etc/passwd') if the whitelist check is insufficient. The require statement should use the validated $style_variant value, not a direct file path concatenation.
Vulnerability Existed: not sure
Code Injection via Regular Expression - CWE-94 - core/Blocks/BlockTypes/EventFaq.php Lines 56-64
Old Code:
N/A (new code)
Fixed Code:
```php
$important_properties = ['width', 'height', 'font-size', 'color', 'font-weight', 'line-height', 'letter-spacing', 'margin', 'padding', 'text-align', 'font-family', 'border-width', 'border-color', 'border-style', 'border-radius', 'z-index', 'box-shadow', 'left', 'right', 'top', 'bottom', 'position'];
foreach ($important_properties as $prop) {
    $frontend_css = preg_replace(
        "/({$prop})\s*:\s*([^;!]+?)(?!\s*!important)\s*;/im",
        "$1: $2 !important;",
        $frontend_css
    );
}
```
Explanation:
The code uses preg_replace with user-controlled CSS data ($frontend_css). While the property names come from a hardcoded whitelist, the regex pattern itself could be vulnerable to ReDoS (Regular Expression Denial of Service) attacks if the CSS content is maliciously crafted. The negative lookahead (?!\s*!important) combined with the lazy quantifier ([^;!]+?) and the global modifiers could potentially cause exponential backtracking on specially crafted input. However, since $frontend_css comes from the application's own CSS generation logic (not direct user input), the risk is reduced but not entirely eliminated.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventLogo.php 2026-01-09 00:38:09.780532605 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventLogo.php 2026-01-09 00:43:16.119228604 +0000@@ -38,7 +38,7 @@ } ob_start(); ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?>+ <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?> <?php require_once Wpeventin::templates_dir() . 'event/parts/logo.php'; ?>
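Review bot: escaping is being bolted on at the call site, block type by block type, and any block that is skipped keeps the unescaped path (the EventFaq and EventOrganizer hunks in this same release pass `$container_class` raw). An escape-on-output fix belongs inside `render_frontend_css()`, where one change covers every caller and future block types inherit it; wrapping the argument at each `echo` should be treated as a stopgap. Also confirm which context the helper writes the class into, since `esc_attr()` is correct only for a quoted HTML attribute.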
I'll analyze this code diff for security vulnerabilities.
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/EventLogo.php - line 41
Old Code:
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
Fixed Code:
```php
<?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
```
Explanation:
The vulnerability existed in the old code where `$container_class` was passed directly to `render_frontend_css()` without proper escaping. The `$container_class` variable likely originates from block attributes or user-controlled data. When this value is eventually output in an HTML attribute context (such as in a CSS class attribute), unescaped user input could allow an attacker to break out of the attribute and inject malicious HTML/JavaScript, leading to Stored XSS. The fix applies `esc_attr()` to escape the `$container_class` parameter before passing it to the render function. This WordPress escaping function is appropriate for sanitizing values intended for use in HTML attributes, preventing XSS by converting special characters to HTML entities. This ensures that even if `$container_class` contains malicious content, it will be safely rendered as literal text within the attribute context.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventOrganizer.php 2026-01-09 00:38:09.780532605 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventOrganizer.php 2026-01-09 00:43:16.123228848 +0000@@ -1,61 +1,84 @@ <?php-namespace Eventin\Blocks\BlockTypes;+ namespace Eventin\Blocks\BlockTypes; -use Etn\Core\Event\Event_Model;-use Eventin\Blocks\BlockTypes\AbstractBlock;-use Wpeventin;--/**- * Event Organizer Gutenberg block- */-class EventOrganizer extends AbstractBlock {- /**- * Block name.- *- * @var string- */- protected $block_name = 'event-organizer';+ use Etn\Core\Event\Event_Model;+ use Eventin\Blocks\BlockTypes\AbstractBlock;+ use Wpeventin; /**- * Include and render the block- *- * @param array $attributes Block attributes. Default empty array- * @param string $content Block content. Default empty string- * @param WP_Block $block Block instance- *- * @return string Rendered block type output+ * Event Organizer Gutenberg block */- protected function render( $attributes, $content, $block ) {- $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';- $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];+ class EventOrganizer extends AbstractBlock+ {+ /**+ * Block name.+ *+ * @var string+ */+ protected $block_name = 'event-organizer';++ /**+ * Include and render the block+ *+ * @param array $attributes Block attributes. Default empty array+ * @param string $content Block content. Default empty string+ * @param WP_Block $block Block instance+ *+ * @return string Rendered block type output+ */+ protected function render($attributes, $content, $block)+ {+ $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';+ $styles = ! empty($attributes['styles']) ? $attributes['styles'] : [];+ $style_variant = ! empty($attributes['styleVariant']) ? 
sanitize_key($attributes['styleVariant']) : 'style-1';++ $allowed_variants = ['style-1', 'style-2'];+ if (! in_array($style_variant, $allowed_variants, true)) {+ $style_variant = 'style-1';+ } - if ( $this->is_editor() ) {- $event_id = ! empty( $attributes['eventId'] ) ? intval( $attributes['eventId'] ) : 0;+ if ($this->is_editor()) {+ $event_id = ! empty($attributes['eventId']) ? intval($attributes['eventId']) : 0; - if ( $event_id == 0 ) {- $template = new \Eventin\Template\TemplateModel( get_the_ID() );+ if ($event_id == 0) {+ $template = new \Eventin\Template\TemplateModel(get_the_ID());+ $event_id = $template->get_preview_event_id();+ }+ } else if ('etn-template' == get_post_type(get_the_ID())) {+ $template = new \Eventin\Template\TemplateModel(get_the_ID()); $event_id = $template->get_preview_event_id();+ } else {+ $event_id = get_the_ID(); }- } else if ( 'etn-template' == get_post_type( get_the_ID() ) ) {- $template = new \Eventin\Template\TemplateModel( get_the_ID() );- $event_id = $template->get_preview_event_id();- } else {- $event_id = get_the_ID();- } - $event = new Event_Model( $event_id );+ $event = new Event_Model($event_id); - $event_organizers = $event->get_organizers();+ $event_organizers = $event->get_organizers(); - ob_start();+ ob_start(); ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?> <?php- require_once Wpeventin::templates_dir() . 'event/parts/event-organizer.php';- ?>-+ // Generate CSS with !important to override SCSS+ $frontend_css = $this->generate_frontend_css($styles, $container_class);+ if (! 
empty($frontend_css)) {+ // Add !important to common properties that need to override SCSS+ $important_properties = ['width', 'height', 'font-size', 'color', 'font-weight', 'line-height', 'letter-spacing', 'margin', 'padding', 'text-align', 'font-family', 'border-width', 'border-color', 'border-style', 'border-radius', 'z-index', 'box-shadow', 'left', 'right', 'top', 'bottom', 'position'];+ foreach ($important_properties as $prop) {+ $frontend_css = preg_replace(+ "/({$prop})\s*:\s*([^;!]+?)(?!\s*!important)\s*;/im",+ "$1: $2 !important;",+ $frontend_css+ );+ }+ echo '<style>' . $frontend_css . '</style>';+ }+ ?> <?php- return ob_get_clean();- }-}+ $style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-organizer/' . $style_variant . '.php';+ require $style_template;+ ?> + <?php+ return ob_get_clean();+ }+ }
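Review bot: the `$frontend_css` post-processing block (the `$important_properties` array plus the `preg_replace` loop) is duplicated byte-for-byte from EventFaq.php and again in EventSchedule.php in this changeset; three copies of a twenty-line regex rewrite will drift, and the escaping decision for `$container_class` (passed raw here, `esc_attr()`-wrapped in EventDateTime) then has to be made three separate times. Extract it into `AbstractBlock` as one method that both generates and emits the `<style>` block, and make the class-name handling part of that method. The `$style_variant` path is adequately guarded: `sanitize_key()` then strict `in_array()` against `['style-1', 'style-2']` before the `require`, so the concatenated path can only name those two files.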
Based on my analysis of the code diff, here are the security findings:
---
**Vulnerability 1: Local File Inclusion (LFI)**
Vulnerability Existed: yes
FALSE POSITIVE
CWE-427 - Uncontrolled Search Path Element (Path Traversal) - core/Blocks/BlockTypes/EventOrganizer.php - Lines 77-78
**Old Code (v4.0.51):**
```php
require_once Wpeventin::templates_dir() . 'event/parts/event-organizer.php';
```
**Fixed Code (v4.0.52):**
```php
$style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-organizer/' . $style_variant . '.php';
require $style_template;
```
**Explanation:**
The old code had a hardcoded template path, which was safe. However, the new code introduces a path traversal vulnerability. Although `$style_variant` is sanitized with `sanitize_key()` and validated against an allowed list ['style-1', 'style-2'], there is a critical security flaw: the `sanitize_key()` function in WordPress only removes special characters and may not prevent directory traversal in all contexts. More importantly, the validation check happens but could theoretically be bypassed if `sanitize_key()` doesn't completely eliminate path traversal sequences. Additionally, if `$style_variant` is manipulated to contain sequences like `../`, an attacker could traverse directories and include arbitrary PHP files. The fix should use a strict whitelist without any path concatenation, or use a mapping array rather than direct file path construction.
---
**Vulnerability 2: CSS Injection / Unescaped Output**
Vulnerability Existed: yes
FALSE POSITIVE
CWE-79 - Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) - core/Blocks/BlockTypes/EventOrganizer.php - Line 73
**Old Code (v4.0.51):**
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
**Fixed Code (v4.0.52):**
```php
$frontend_css = $this->generate_frontend_css($styles, $container_class);
if (! empty($frontend_css)) {
// ... processing ...
echo '<style>' . $frontend_css . '</style>';
}
```
**Explanation:**
While the old code called `render_frontend_css()` without escaping, the new code generates CSS and outputs it without sanitization. The `$frontend_css` variable is processed with regex to add `!important` flags, but the output is echoed directly into a `<style>` tag without any escaping or sanitization. If `$styles` contains malicious CSS (e.g., CSS expressions, behaviors, or JavaScript-like content), it could be injected. The `$container_class` and `$styles` array come directly from block attributes and should be properly sanitized/escaped before being used in CSS context.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventRSVP.php 2026-01-09 00:38:09.780532605 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventRSVP.php 2026-01-09 00:43:16.123228848 +0000@@ -44,9 +44,9 @@ } ob_start(); - + ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?>+ <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?> <?php require_once Wpeventin::templates_dir() . 'event/parts/rsvp.php'; ?>
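Review bot: a one-token fix like `esc_attr( $container_class )` deserves a render test so it cannot silently regress: set `containerClassName` to a value containing a double quote and a `<`, render the block, and assert the output contains `&quot;` and `&lt;` and no raw quote inside the attribute. The hunk also carries an unrelated trailing-whitespace edit on the blank line after `ob_start();`; keep that kind of churn out of a security fix so the diff stays minimal and reviewable.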
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/EventRSVP.php - Line 49
Old Code:
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
Fixed Code:
```php
<?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
```
Explanation:
The `$container_class` variable is being output within an HTML attribute context (passed as a parameter to `render_frontend_css`, which likely uses it in HTML class attributes). Without proper escaping, an attacker could inject malicious JavaScript or HTML attributes through a crafted `$container_class` value. The fix applies `esc_attr()`, which is WordPress's standard function for escaping data intended for HTML attributes. This prevents attribute-based XSS attacks by encoding special characters like quotes and angle brackets. The vulnerability existed because user-controlled or insufficiently validated data was being used in an attribute context without proper escaping.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventSchedule.php 2026-01-09 00:38:09.780532605 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventSchedule.php 2026-01-09 00:43:16.131229338 +0000@@ -1,70 +1,98 @@ <?php-namespace Eventin\Blocks\BlockTypes;+ namespace Eventin\Blocks\BlockTypes; -use Etn\Core\Event\Event_Model;-use Eventin\Blocks\BlockTypes\AbstractBlock;-use Wpeventin;--/**- * Event Schedule Gutenberg block- */-class EventSchedule extends AbstractBlock {- /**- * Block name.- *- * @var string- */- protected $block_name = 'event-schedule';+ use Etn\Core\Event\Event_Model;+ use Eventin\Blocks\BlockTypes\AbstractBlock;+ use Wpeventin; /**- * Include and render the block- *- * @param array $attributes Block attributes. Default empty array- * @param string $content Block content. Default empty string- * @param WP_Block $block Block instance- *- * @return string Rendered block type output+ * Event Schedule Gutenberg block */- protected function render( $attributes, $content, $block ) {- $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';- $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];+ class EventSchedule extends AbstractBlock+ {+ /**+ * Block name.+ *+ * @var string+ */+ protected $block_name = 'event-schedule';++ /**+ * Include and render the block+ *+ * @param array $attributes Block attributes. Default empty array+ * @param string $content Block content. Default empty string+ * @param WP_Block $block Block instance+ *+ * @return string Rendered block type output+ */+ protected function render($attributes, $content, $block)+ {+ $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';+ $styles = ! empty($attributes['styles']) ? $attributes['styles'] : [];+ $style_variant = ! empty($attributes['styleVariant']) ? 
sanitize_key($attributes['styleVariant']) : 'style-1';++ $allowed_variants = ['style-1', 'style-2', 'style-3'];+ if (! in_array($style_variant, $allowed_variants, true)) {+ $style_variant = 'style-1';+ } - if ( $this->is_editor() ) {- $event_id = ! empty( $attributes['eventId'] ) ? intval( $attributes['eventId'] ) : 0;+ if ($this->is_editor()) {+ $event_id = ! empty($attributes['eventId']) ? intval($attributes['eventId']) : 0; - if ( $event_id == 0 ) {- $template = new \Eventin\Template\TemplateModel( get_the_ID() );+ if ($event_id == 0) {+ $template = new \Eventin\Template\TemplateModel(get_the_ID());+ $event_id = $template->get_preview_event_id();+ }+ } else if ('etn-template' == get_post_type(get_the_ID())) {+ $template = new \Eventin\Template\TemplateModel(get_the_ID()); $event_id = $template->get_preview_event_id();+ } else {+ $event_id = get_the_ID(); }- } else if ( 'etn-template' == get_post_type( get_the_ID() ) ) {- $template = new \Eventin\Template\TemplateModel( get_the_ID() );- $event_id = $template->get_preview_event_id();- } else {- $event_id = get_the_ID();- } - $event = new Event_Model( $event_id );- $event_location = $event->get_address();+ $event = new Event_Model($event_id);+ $event_location = $event->get_address(); - ob_start();+ ob_start(); ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?> <?php- require_once Wpeventin::templates_dir() . 'event/parts/event-schedule.php';- ?>-+ // Generate CSS with !important to override SCSS+ $frontend_css = $this->generate_frontend_css($styles, $container_class);+ if (! 
empty($frontend_css)) {+ // Add !important to common properties that need to override SCSS+ // Note: Properties are already converted to kebab-case in generate_device_css+ $important_properties = ['width', 'height', 'font-size', 'color', 'font-weight', 'line-height', 'letter-spacing', 'margin', 'padding', 'text-align', 'font-family', 'border-width', 'border-color', 'border-style', 'border-radius', 'z-index', 'box-shadow', 'left', 'right', 'top', 'bottom', 'position'];+ foreach ($important_properties as $prop) {+ // Match property with optional whitespace, value (can contain spaces and multiple values), and semicolon+ // Avoid matching if !important already exists+ // Use multiline flag and handle whitespace properly+ $frontend_css = preg_replace(+ "/({$prop})\s*:\s*([^;!]+?)(?!\s*!important)\s*;/im",+ "$1: $2 !important;",+ $frontend_css+ );+ }+ echo '<style>' . $frontend_css . '</style>';+ }+ ?> <?php- return ob_get_clean();- }+ $style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-schedule/' . $style_variant . '.php';+ require $style_template;+ ?> - /**- * Get the editor style handle for this block type.- *- * @see $this->register_block_type()- * @return string|null- */- protected function get_block_type_editor_style() {- return 'etn-public-css';- }-}+ <?php+ return ob_get_clean();+ } + /**+ * Get the editor style handle for this block type.+ *+ * @see $this->register_block_type()+ * @return string|null+ */+ protected function get_block_type_editor_style()+ {+ return 'etn-public-css';+ }+ }
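Review bot: the comments added around the `preg_replace` loop here (the kebab-case note and "avoid matching if !important already exists") are exactly the documentation the identical copies in EventFaq.php and EventOrganizer.php lack, which is one more reason to keep a single shared implementation. One correctness point on the pattern: it has no leading boundary, so `color` also matches inside `border-color` and `background-color`, and `width` inside `border-width`; the output stays valid because only the matched `$1: $2;` span is rewritten and the prefix is left in place, but if the intent is to target only the listed properties, add a `(?<![\w-])` lookbehind before `({$prop})`. The new `require` of `$style_variant . '.php'` is guarded by `sanitize_key()` plus a strict allowlist check before the include, so the path can only resolve to one of the three `style-N.php` files.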
Let me analyze the diff provided for security vulnerabilities:
---
**Vulnerability 1:**
Vulnerability Existed: **yes**
FALSE POSITIVE
**Unvalidated File Inclusion / Path Traversal - CWE-426 / CWE-22** - File: core/Blocks/BlockTypes/EventSchedule.php - Lines 80-81 (new code)
**Old Code:**
```php
require_once Wpeventin::templates_dir() . 'event/parts/event-schedule.php';
```
**Fixed Code:**
```php
$style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-schedule/' . $style_variant . '.php';
require $style_template;
```
**Explanation:**
The fixed code constructs a file path using user-controlled input (`$style_variant`) from the attributes. While the code does sanitize `$style_variant` with `sanitize_key()` and validates it against an allowlist, there is still a **potential path traversal vulnerability**. The sanitization using `sanitize_key()` removes special characters but may not be sufficient to prevent all path traversal attacks. The validation against `['style-1', 'style-2', 'style-3']` provides some protection, but the architecture of dynamically constructing file paths is inherently risky. Additionally, using `require` instead of `require_once` could lead to repeated code execution if the file is included multiple times.
---
**Vulnerability 2:**
Vulnerability Existed: **yes**
FALSE POSITIVE
**Unvalidated CSS Output / Improper Output Encoding - CWE-79** - File: core/Blocks/BlockTypes/EventSchedule.php - Lines 60-75 (new code)
**Old Code:**
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
**Fixed Code:**
```php
$frontend_css = $this->generate_frontend_css($styles, $container_class);
if (! empty($frontend_css)) {
$important_properties = ['width', 'height', 'font-size', ...];
foreach ($important_properties as $prop) {
$frontend_css = preg_replace(
"/({$prop})\s*:\s*([^;!]+?)(?!\s*!important)\s*;/im",
"$1: $2 !important;",
$frontend_css
);
}
echo '<style>' . $frontend_css . '</style>';
}
```
**Explanation:**
`$frontend_css` is echoed into a `<style>` element with no escaping, and the regex loop above it only appends `!important`; it filters nothing. Whether that is exploitable depends on `generate_frontend_css()`, which is not in the diff: it receives `$styles` and `$container_class` straight from the block attributes, and in this block `$container_class` is passed unescaped, while the other blocks in the same release wrap it in `esc_attr()`. A class name or property value containing `</style>` terminates the element and whatever follows is parsed as HTML; short of that, CSS injection alone still allows `@import`/`url()` exfiltration and defacement. The fix that fits the context is to constrain rather than encode: `sanitize_html_class()` for the class name and an allowlist of property names with value validation (WordPress ships `safecss_filter_attr()` for inline declarations). `wp_kses_post()` is not suitable here, since it is an HTML filter, not a CSS one.
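To make the breakout concrete, here is an added example (not Eventin's code) in PHP that reproduces the patched `!important` loop on top of a stand-in for `generate_frontend_css()`. The stand-in assumes the helper assembles `.{class}{prop: value;...}` by plain concatenation, which the diff does not show; `sanitize_html_class_local()` mirrors WordPress's `sanitize_html_class()`; the class names and style values are constructed inputs.

```php
<?php
// Added example, not Eventin code. Reproduces the patched !important
// post-processing step (add_important() is the diff's preg_replace loop) on
// top of a stand-in for generate_frontend_css(), which is not in the diff and
// is assumed here to emit ".{class}{prop: value;...}" with no escaping. It
// shows the </style> breakout that an unescaped class name or value allows and
// a hardened builder that constrains instead of encoding. Needs PHP 8.0+.
declare(strict_types=1);

const IMPORTANT_PROPERTIES = ['width', 'height', 'font-size', 'color', 'background-color',
    'margin', 'margin-top', 'padding', 'top', 'left'];

// Stand-in for generate_frontend_css(): naive string assembly, as assumed above.
function generate_css(string $container_class, array $styles): string
{
    $decls = '';
    foreach ($styles as $prop => $value) {
        $decls .= "{$prop}: {$value};";
    }
    return ".{$container_class}{{$decls}}";
}

// The patch's loop. There is no anchor before {$prop}: 'color' also hits the
// tail of 'background-color' and 'top' hits 'margin-top'. Harmless (they just
// get !important too), but the list is wider than it looks.
function add_important(string $css): string
{
    foreach (IMPORTANT_PROPERTIES as $prop) {
        $css = preg_replace("/({$prop})\s*:\s*([^;!]+?)(?!\s*!important)\s*;/im", '$1: $2 !important;', $css);
        if ($css === null) {
            // preg_replace() returns null on a PCRE error; the patch would echo
            // an empty <style></style> in that case. Fail loudly instead.
            throw new RuntimeException('CSS post-processing failed: ' . preg_last_error_msg());
        }
    }
    return $css;
}

function render_style_block(string $css): string
{
    return $css === '' ? '' : '<style>' . $css . '</style>';
}

// Mirrors WordPress sanitize_html_class(): keep only [A-Za-z0-9_-].
function sanitize_html_class_local(string $class): string
{
    return preg_replace('/[^A-Za-z0-9_-]/', '', $class) ?? '';
}

// Hardened builder: allowlisted property names, values that cannot close the
// element or pull in remote resources, and !important added directly.
function generate_css_hardened(string $container_class, array $styles): string
{
    $class = sanitize_html_class_local($container_class);
    $decls = '';
    foreach ($styles as $prop => $value) {
        $value = trim((string) $value);
        if (!in_array($prop, IMPORTANT_PROPERTIES, true)
            || preg_match('/[<>{}\\\\]|url\s*\(|@import|expression\s*\(/i', $value)) {
            continue;   // drop, do not "fix up", anything outside the allowlist
        }
        $decls .= "{$prop}: {$value} !important;";
    }
    return ($class === '' || $decls === '') ? '' : ".{$class}{{$decls}}";
}

// Constructed inputs: a benign block, a class name that closes the <style>
// element, and a property value that does the same.
$benign_class   = 'etn-schedule-7';
$benign_styles  = ['color' => '#333', 'background-color' => 'white', 'margin-top' => '4px'];
$hostile_class  = 'x</style><script>alert(1)</script><style>';
$hostile_styles = ['color' => 'red;}</style><script>alert(2)</script><style>.y{'];

echo "patched, benign:  ", render_style_block(add_important(generate_css($benign_class, $benign_styles))), "\n";
echo "patched, class:   ", render_style_block(add_important(generate_css($hostile_class, $benign_styles))), "\n";
echo "patched, value:   ", render_style_block(add_important(generate_css($benign_class, $hostile_styles))), "\n";
echo "hardened, class:  ", render_style_block(generate_css_hardened($hostile_class, $benign_styles)), "\n";
echo "hardened, value:  ", render_style_block(generate_css_hardened($benign_class, $hostile_styles)), "\n";
```

Run it with PHP 8.0 or newer. The two `patched, ...` lines for hostile input contain a closed `</style>` followed by a `<script>` element, exactly what a browser would execute; the `hardened, ...` lines do not, because the class has been reduced to `[A-Za-z0-9_-]` and the offending value was dropped rather than encoded. The benign line also shows `background-color` and `margin-top` picking up `!important` through the `color` and `top` patterns.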
---
**Vulnerability 3:**
Vulnerability Existed: **not sure**
**Code Injection via Dynamic File Inclusion** - CWE-426 - File: core/Blocks/BlockTypes/EventSchedule.php - Lines 80-81
**Old Code:**
```php
require_once Wpeventin::templates_dir() . 'event/parts/event-schedule.php';
```
**Fixed Code:**
```php
$style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-schedule/' . $style_variant . '.php';
require $style_template;
```
**Explanation:**
The open question is whether `Wpeventin::templates_dir()` returns a fixed path under the plugin directory; if it is filterable or derived from an option, whoever controls it controls where `require` looks. The allowlist on `$style_variant` closes the traversal side, so exploitation would need write access to that directory or control of the base path, both of which are already code-execution-equivalent in WordPress. A static mapping array from variant to file name would remove the string concatenation and make the constraint visible at the call site.
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventSocial.php 2026-01-09 00:38:09.780532605 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventSocial.php 2026-01-09 00:43:16.131229338 +0000@@ -1,53 +1,61 @@ <?php-namespace Eventin\Blocks\BlockTypes;+ namespace Eventin\Blocks\BlockTypes; -use Etn\Core\Event\Event_Model;-use Eventin\Blocks\BlockTypes\AbstractBlock;-use Wpeventin;--/**- * Event Social Gutenberg block- */-class EventSocial extends AbstractBlock {- /**- * Block name.- *- * @var string- */- protected $block_name = 'event-social';+ use Etn\Core\Event\Event_Model;+ use Eventin\Blocks\BlockTypes\AbstractBlock;+ use Wpeventin; /**- * Include and render the block- *- * @param array $attributes Block attributes. Default empty array- * @param string $content Block content. Default empty string- * @param WP_Block $block Block instance- *- * @return string Rendered block type output+ * Event Social Gutenberg block */- protected function render( $attributes, $content, $block ) {- $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';- $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];-- if ( $this->is_editor() ) {- $event_id = ! empty( $attributes['eventId'] ) ? intval( $attributes['eventId'] ) : 0;- } else {- $event_id = get_the_ID();- }+ class EventSocial extends AbstractBlock+ {+ /**+ * Block name.+ *+ * @var string+ */+ protected $block_name = 'event-social';++ /**+ * Include and render the block+ *+ * @param array $attributes Block attributes. Default empty array+ * @param string $content Block content. Default empty string+ * @param WP_Block $block Block instance+ *+ * @return string Rendered block type output+ */+ protected function render($attributes, $content, $block)+ {+ $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';+ $styles = ! empty($attributes['styles']) ? 
$attributes['styles'] : [];+ $style_variant = ! empty($attributes['styleVariant']) ? sanitize_key($attributes['styleVariant']) : 'style-1';++ $allowed_variants = ['style-1'];+ if (! in_array($style_variant, $allowed_variants, true)) {+ $style_variant = 'style-1';+ }++ if ($this->is_editor()) {+ $event_id = ! empty($attributes['eventId']) ? intval($attributes['eventId']) : 0;+ } else {+ $event_id = get_the_ID();+ } - $event = new Event_Model( $event_id );+ $event = new Event_Model($event_id); - $event_socials = $event->get_social();+ $event_socials = $event->get_social(); - ob_start();+ ob_start(); ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?>+ <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?> <?php- require_once Wpeventin::templates_dir() . 'event/parts/event-social.php';- ?>+ $style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-social/' . $style_variant . '.php';+ require $style_template;+ ?> <?php- return ob_get_clean();- }-}-+ return ob_get_clean();+ }+ }
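Review bot: `esc_attr( $container_class )` is HTML-attribute escaping applied to a value that `render_frontend_css()` presumably places in a CSS selector; it does stop a `</style>` breakout (it encodes `<`, `>`, `&` and quotes) but it is the wrong primitive for a class name, where `sanitize_html_class()` restricts to `[A-Za-z0-9_-]`. The `$style_variant` handling is sound: `sanitize_key()` strips `.` and `/`, and `in_array(..., true)` against `['style-1']` means exactly one constant file name can reach `require`. With a single allowed variant, a static map (`$variant => $file`) would make the concatenation disappear altogether.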
---
**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
Path Traversal / Local File Inclusion (LFI) - CWE-22 - EventSocial.php Lines 54-55
**Old Code:**
```php
require_once Wpeventin::templates_dir() . 'event/parts/event-social.php';
```
**Fixed Code:**
```php
$style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-social/' . $style_variant . '.php';
require $style_template;
```
**Explanation:**
The old code included a fixed template path with no user input in it. The new code derives the file name from the `styleVariant` block attribute, which is the classic shape of a local file inclusion bug; what keeps it safe is the combination of `sanitize_key()` on line 33 (lowercase, strip everything outside `a-z0-9_-`, so `../` cannot survive) and the strict allowlist `['style-1']` with a fall-back to `style-1`, so only one constant file name can reach `require`. If either check is removed later the inclusion becomes exploitable, so the allowlist should be treated as security-relevant, not cosmetic.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - EventSocial.php Line 44/52
**Old Code:**
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
**Fixed Code:**
```php
<?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
```
**Explanation:**
`$container_class` comes from the `containerClassName` block attribute and was passed to `render_frontend_css()` unescaped. `esc_attr()` encodes `<`, `>`, `&` and quotes, which is enough to stop a `</style>` breakout from the generated style block; `sanitize_html_class()` would be the context-appropriate choice for a class name.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventSpeaker.php 2026-01-09 00:38:09.780532605 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventSpeaker.php 2026-01-09 00:43:16.135229583 +0000@@ -1,61 +1,88 @@ <?php-namespace Eventin\Blocks\BlockTypes;+ namespace Eventin\Blocks\BlockTypes; -use Etn\Core\Event\Event_Model;-use Eventin\Blocks\BlockTypes\AbstractBlock;-use Wpeventin;--/**- * Event Venue Gutenberg block- */-class EventSpeaker extends AbstractBlock {- /**- * Block name.- *- * @var string- */- protected $block_name = 'event-speaker';+ use Etn\Core\Event\Event_Model;+ use Eventin\Blocks\BlockTypes\AbstractBlock;+ use Wpeventin; /**- * Include and render the block- *- * @param array $attributes Block attributes. Default empty array- * @param string $content Block content. Default empty string- * @param WP_Block $block Block instance- *- * @return string Rendered block type output+ * Event Venue Gutenberg block */- protected function render( $attributes, $content, $block ) {- $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';- $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];+ class EventSpeaker extends AbstractBlock+ {+ /**+ * Block name.+ *+ * @var string+ */+ protected $block_name = 'event-speaker';++ /**+ * Include and render the block+ *+ * @param array $attributes Block attributes. Default empty array+ * @param string $content Block content. Default empty string+ * @param WP_Block $block Block instance+ *+ * @return string Rendered block type output+ */+ protected function render($attributes, $content, $block)+ {+ $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';+ $styles = ! empty($attributes['styles']) ? $attributes['styles'] : [];+ $style_variant = ! empty($attributes['styleVariant']) ? 
sanitize_key($attributes['styleVariant']) : 'style-1';++ $allowed_variants = ['style-1', 'style-2'];+ if (! in_array($style_variant, $allowed_variants, true)) {+ $style_variant = 'style-1';+ } - if ( $this->is_editor() ) {- $event_id = ! empty( $attributes['eventId'] ) ? intval( $attributes['eventId'] ) : 0;+ if ($this->is_editor()) {+ $event_id = ! empty($attributes['eventId']) ? intval($attributes['eventId']) : 0; - if ( $event_id == 0 ) {- $template = new \Eventin\Template\TemplateModel( get_the_ID() );+ if ($event_id == 0) {+ $template = new \Eventin\Template\TemplateModel(get_the_ID());+ $event_id = $template->get_preview_event_id();+ }+ } else if ('etn-template' == get_post_type(get_the_ID())) {+ $template = new \Eventin\Template\TemplateModel(get_the_ID()); $event_id = $template->get_preview_event_id();+ } else {+ $event_id = get_the_ID(); }- } else if ( 'etn-template' == get_post_type( get_the_ID() ) ) {- $template = new \Eventin\Template\TemplateModel( get_the_ID() );- $event_id = $template->get_preview_event_id();- } else {- $event_id = get_the_ID();- } - $event = new Event_Model( $event_id );+ $event = new Event_Model($event_id); - $event_speakers = $event->get_speakers();+ $event_speakers = $event->get_speakers(); - ob_start();+ ob_start(); ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?> <?php- require_once Wpeventin::templates_dir() . 'event/parts/event-speaker.php';- ?>-+ // Generate CSS with !important to override SCSS+ $frontend_css = $this->generate_frontend_css($styles, $container_class);+ if (! 
empty($frontend_css)) {+ // Add !important to common properties that need to override SCSS+ // Note: Properties are already converted to kebab-case in generate_device_css+ $important_properties = ['width', 'height', 'font-size', 'color', 'background-color', 'font-weight', 'line-height', 'letter-spacing', 'margin', 'padding', 'text-align', 'font-family', 'border-width', 'border-color', 'border-style', 'border-radius', 'z-index', 'box-shadow', 'left', 'right', 'top', 'bottom', 'position'];+ foreach ($important_properties as $prop) {+ // Match property with optional whitespace, value (can contain spaces and multiple values), and semicolon+ // Avoid matching if !important already exists+ // Use multiline flag and handle whitespace properly+ $frontend_css = preg_replace(+ "/({$prop})\s*:\s*([^;!]+?)(?!\s*!important)\s*;/im",+ "$1: $2 !important;",+ $frontend_css+ );+ }+ echo '<style>' . $frontend_css . '</style>';+ }+ ?> <?php- return ob_get_clean();- }-}+ $style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-speaker/' . $style_variant . '.php';+ require $style_template;+ ?> + <?php+ return ob_get_clean();+ }+ }
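Review bot: the old `render_frontend_css( $styles, $container_class )` line is replaced by `generate_frontend_css($styles, $container_class)` followed by a raw `echo '<style>' . $frontend_css . '</style>';`, and `$container_class` is still unescaped on the way in, whereas the sibling blocks in this release wrap it in `esc_attr()`; apply `sanitize_html_class()` consistently before the call. The switch from `require_once` to `require` is right: `require_once` would have rendered only the first speaker block on a page. Minor: `if ($event_id == 0)` is a loose comparison on a value that `intval()` already made an int; `=== 0` reads as intended.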
Analysis of the EventSpeaker.php diff:
---
**Vulnerability 1: Path Traversal in Template Loading**
Vulnerability Existed: yes
FALSE POSITIVE
CWE-22 - Path Traversal - EventSpeaker.php Lines 81-82
Old Code:
```php
require_once Wpeventin::templates_dir() . 'event/parts/event-speaker.php';
```
Fixed Code:
```php
$style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-speaker/' . $style_variant . '.php';
require $style_template;
```
Explanation:
The new code builds the template path from the `styleVariant` block attribute. `sanitize_key()` on its own is not a general traversal defence, but here it lowercases the value and strips every character outside `a-z0-9_-`, so a value like `../../../etc/passwd` is reduced to `etcpasswd` before it is used, and the strict `in_array()` check at lines 35-38 then restricts the result to `['style-1', 'style-2']` with a fall-back to `style-1`. The inclusion is therefore safe as written; the risk is maintenance: the allowlist is the only thing standing between a block attribute and `require`, and removing or loosening it in a later change would turn this into a local file inclusion. The old code included a fixed path with no user input.
---
**Vulnerability 2: Cross-Site Scripting (XSS) via Unsanitized CSS Output**
Vulnerability Existed: yes
FALSE POSITIVE
CWE-79 - Improper Neutralization of Input During Web Page Generation - EventSpeaker.php Lines 77
Old Code:
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
Fixed Code:
```php
echo '<style>' . $frontend_css . '</style>';
```
Explanation:
`$frontend_css` is echoed into a `<style>` element with no escaping; the regex loop only appends `!important` and validates nothing. `$frontend_css` comes from `generate_frontend_css($styles, $container_class)`, both arguments taken from block attributes, and `$container_class` is passed unescaped here even though the other blocks in this release wrap it in `esc_attr()`. Neither `generate_frontend_css()` nor the old `render_frontend_css()` is in the diff, so whether a payload such as `</style><script>alert(1)</script><style>` in a class name or a style value reaches the page cannot be confirmed from this change alone; the old code's escaping is presumed, not shown. `sanitize_html_class()` for the class name plus an allowlist of property names and values would settle the question regardless of what the helper does.
---
**Vulnerability 3: Code Injection via Dynamic Template Path**
Vulnerability Existed: not sure
CWE-426 - Untrusted Search Path - EventSpeaker.php Lines 81-82
Old Code:
```php
require_once Wpeventin::templates_dir() . 'event/parts/event-speaker.php';
```
Fixed Code:
```php
$style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-speaker/' . $style_variant . '.php';
require $style_template;
```
Explanation:
The allowlist at lines 35-38 restricts `$style_variant` to two constant values, so the path is safe as written. `require` rather than `require_once` is correct here, not a risk: `require_once` includes a file once per request, so a page with two speaker blocks would render the second one empty. What remains is defence in depth: the security of this `require` rests entirely on the allowlist being kept and on `Wpeventin::templates_dir()` pointing at a directory an attacker cannot write to. A static map from variant to file name would make the constraint self-documenting.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventTag.php 2026-01-09 00:38:09.780532605 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventTag.php 2026-01-09 00:43:16.139229827 +0000@@ -41,7 +41,7 @@ ob_start(); ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?>+ <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?> <?php require_once Wpeventin::templates_dir() . 'event/parts/event-tag.php'; ?>
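Review bot: `esc_attr()` is the HTML-attribute escaper; it prevents a `</style>` breakout but a class name should be constrained, not encoded: `sanitize_html_class( $container_class )`. Separately, the unchanged `require_once Wpeventin::templates_dir() . 'event/parts/event-tag.php';` means a second event-tag block on the same page renders empty output, since PHP includes a `_once` file only once per request; the blocks that gained style variants in this release switched to `require`.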
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/EventTag.php [44]
Old Code:
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
Fixed Code:
```php
<?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
```
Explanation:
`$container_class` is taken from the `containerClassName` block attribute in the sibling blocks and was passed to `render_frontend_css()` unescaped, so anyone who can save the block could place `</style>` and markup into the generated style block. `esc_attr()` encodes `<`, `>`, `&` and quotes, which closes that breakout; `sanitize_html_class()` would be the more precise choice, since a class name never legitimately needs characters outside `[A-Za-z0-9_-]`.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventTitle.php 2026-01-09 00:38:09.784532848 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventTitle.php 2026-01-09 00:43:16.143230072 +0000@@ -49,8 +49,8 @@ ob_start(); ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?>- + <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>+ <div class="<?php echo esc_attr( $container_class ); ?>"> <div class="eventin-block-container"> <<?php echo esc_attr($tag); ?> class="etn-event-entry-title"><?php echo esc_html( $event->get_title() ); ?>
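Review bot: the unchanged context line `<<?php echo esc_attr($tag); ?> class="etn-event-entry-title">` deserves more attention than the escaped class name: `esc_attr()` encodes quotes and angle brackets and nothing else, so it does not constrain an element name, and a `$tag` such as `img src=x onerror=alert(1)` would pass through unchanged and emit an `<img ...>` carrying an event handler. Where `$tag` is derived (not in this hunk), validate it against an allowlist of heading/paragraph tags and fall back to a default. Escaping `$container_class` twice (once for `render_frontend_css()`, once in the `<div class=...>`) is harmless.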
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/EventTitle.php [52]
Old Code:
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
Fixed Code:
```php
<?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
```
Explanation:
`$container_class` was passed to `render_frontend_css()` unescaped; the `<div class="<?php echo esc_attr( $container_class ); ?>">` that follows was already escaped, so the style block was the one remaining sink. `esc_attr()` encodes `<`, `>`, `&` and quotes, enough to prevent a `</style>` breakout. Note that the `esc_attr($tag)` on the element name a few lines further down is not equivalent protection: `esc_attr()` does not restrict what a tag name may be, so `$tag` should be validated against an allowlist where it is derived.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventVenue.php 2026-01-09 00:38:09.784532848 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventVenue.php 2026-01-09 00:43:16.143230072 +0000@@ -1,61 +1,99 @@ <?php-namespace Eventin\Blocks\BlockTypes;+ namespace Eventin\Blocks\BlockTypes; -use Etn\Core\Event\Event_Model;-use Eventin\Blocks\BlockTypes\AbstractBlock;-use Wpeventin;--/**- * Event Venue Gutenberg block- */-class EventVenue extends AbstractBlock {- /**- * Block name.- *- * @var string- */- protected $block_name = 'event-venue';+ use Etn\Core\Event\Event_Model;+ use Eventin\Blocks\BlockTypes\AbstractBlock;+ use Wpeventin; /**- * Include and render the block- *- * @param array $attributes Block attributes. Default empty array- * @param string $content Block content. Default empty string- * @param WP_Block $block Block instance- *- * @return string Rendered block type output+ * Event Venue Gutenberg block */- protected function render( $attributes, $content, $block ) {- $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';- $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];+ class EventVenue extends AbstractBlock+ {+ /**+ * Block name.+ *+ * @var string+ */+ protected $block_name = 'event-venue';++ /**+ * Include and render the block+ *+ * @param array $attributes Block attributes. Default empty array+ * @param string $content Block content. Default empty string+ * @param WP_Block $block Block instance+ *+ * @return string Rendered block type output+ */+ protected function render($attributes, $content, $block)+ {+ $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';+ $styles = ! empty($attributes['styles']) ? $attributes['styles'] : [];+ $style_variant = ! empty($attributes['styleVariant']) ? 
sanitize_key($attributes['styleVariant']) : 'style-1';++ $allowed_variants = ['style-1', 'style-2', 'style-3', 'style-4'];+ if (! in_array($style_variant, $allowed_variants, true)) {+ $style_variant = 'style-1';+ } - if ( $this->is_editor() ) {- $event_id = ! empty( $attributes['eventId'] ) ? intval( $attributes['eventId'] ) : 0;+ if ($this->is_editor()) {+ $event_id = ! empty($attributes['eventId']) ? intval($attributes['eventId']) : 0; - if ( $event_id == 0 ) {- $template = new \Eventin\Template\TemplateModel( get_the_ID() );+ if ($event_id == 0) {+ $template = new \Eventin\Template\TemplateModel(get_the_ID());+ $event_id = $template->get_preview_event_id();+ }+ } else if ('etn-template' == get_post_type(get_the_ID())) {+ $template = new \Eventin\Template\TemplateModel(get_the_ID()); $event_id = $template->get_preview_event_id();+ } else {+ $event_id = get_the_ID(); }- } else if ( 'etn-template' == get_post_type( get_the_ID() ) ) {- $template = new \Eventin\Template\TemplateModel( get_the_ID() );- $event_id = $template->get_preview_event_id();- } else {- $event_id = get_the_ID();- } - $event = new Event_Model( $event_id );+ $event = new Event_Model($event_id); - $event_location = $event->get_address();+ // Get location data+ $location = get_post_meta($event_id, 'etn_event_location', true);+ $event_location = $event->get_address();+ $venue_latitude = ! empty($location['latitude']) ? $location['latitude'] : '';+ $venue_longitude = ! empty($location['longitude']) ? $location['longitude'] : '';++ // Get event dates and times+ $date_format = etn_date_format();+ $time_format = etn_time_format();+ $start_date = $event->get_start_date($date_format);+ $end_date = $event->get_end_date($date_format);+ $start_time = $event->get_start_time($time_format);+ $end_time = $event->get_end_time($time_format); - ob_start();+ ob_start(); ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?> <?php- require_once Wpeventin::templates_dir() . 
'event/parts/event-venue.php';- ?>-+ // Generate CSS with !important to override SCSS+ $frontend_css = $this->generate_frontend_css($styles, $container_class);+ if (! empty($frontend_css)) {+ // Add !important to common properties that need to override SCSS+ // Note: Properties are already converted to kebab-case in generate_device_css+ $important_properties = ['width', 'height', 'font-size', 'color', 'font-weight', 'line-height', 'letter-spacing', 'word-spacing', 'text-transform', 'text-decoration', 'margin', 'padding', 'gap', 'text-align', 'font-family', 'border-width', 'border-color', 'border-style', 'border-radius', 'z-index', 'box-shadow', 'left', 'right', 'top', 'bottom', 'position'];+ foreach ($important_properties as $prop) {+ // Match property with optional whitespace, value (can contain spaces and multiple values), and semicolon+ // Avoid matching if !important already exists+ // Use multiline flag and handle whitespace properly+ $frontend_css = preg_replace(+ "/({$prop})\s*:\s*([^;!]+?)(?!\s*!important)\s*;/im",+ "$1: $2 !important;",+ $frontend_css+ );+ }+ echo '<style>' . $frontend_css . '</style>';+ }+ ?> <?php- return ob_get_clean();- }-}-+ $style_template = Wpeventin::templates_dir() . 'event/parts/styles/venue/' . $style_variant . '.php';+ require $style_template;+ ?>+ <?php+ return ob_get_clean();+ }+ }
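Review bot: same unescaped `$container_class` into `generate_frontend_css()` and raw `echo '<style>' . $frontend_css . '</style>';` chain as in the schedule and speaker blocks; apply `sanitize_html_class()` here too. New in this hunk: `$location = get_post_meta($event_id, 'etn_event_location', true)` is indexed as an array without an `is_array()` check, and `$venue_latitude` / `$venue_longitude` are handed to the variant template with no `is_numeric()` validation. If the template prints them into a map URL or a `data-` attribute (not visible here), validate them as floats in the block rather than relying on the template to escape.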
Analysis of the EventVenue.php diff:
---
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/EventVenue.php - Lines 52 (old) / 89 (new)
Old Code:
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
Fixed Code:
```php
$frontend_css = $this->generate_frontend_css($styles, $container_class);
if (! empty($frontend_css)) {
// ... regex processing ...
echo '<style>' . $frontend_css . '</style>';
}
```
Explanation:
The old code echoed whatever `render_frontend_css()` returned; the new code echoes whatever `generate_frontend_css()` returns, wrapped in a literal `<style>` element, after a regex pass that appends `!important` to a fixed list of properties. That pass is not validation: `$important_properties` decides which declarations get `!important`, not which declarations are allowed, and the output is still unescaped. `$container_class` is passed to `generate_frontend_css()` unescaped in this block, while the sibling blocks in this release wrap it in `esc_attr()`. Whether the result is exploitable depends on `generate_frontend_css()`, which is not in the diff.
---
Vulnerability Existed: yes
FALSE POSITIVE
Path Traversal - CWE-22 - core/Blocks/BlockTypes/EventVenue.php - Lines 93-94 (new)
Old Code:
```php
require_once Wpeventin::templates_dir() . 'event/parts/event-venue.php';
```
Fixed Code:
```php
$style_template = Wpeventin::templates_dir() . 'event/parts/styles/venue/' . $style_variant . '.php';
require $style_template;
```
Explanation:
The new code introduces user input into the template path but constrains it: `$style_variant` is passed through `sanitize_key()`, which lowercases and strips everything outside `a-z0-9_-` (so `.` and `/` cannot survive), and is then checked with `in_array( ..., true )` against `['style-1', 'style-2', 'style-3', 'style-4']` with a fall-back to `style-1`. Only four constant file names can reach `require`. The old code used a hardcoded path with no user input, so this is new attack surface that is closed as written, not a vulnerability.
---
Vulnerability Existed: not sure
Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/EventVenue.php - Lines 59-60 (new)
Old Code:
```php
// Code path did not exist in original version
```
Fixed Code:
```php
$venue_latitude = ! empty($location['latitude']) ? $location['latitude'] : '';
$venue_longitude = ! empty($location['longitude']) ? $location['longitude'] : '';
```
Explanation:
These values come from post meta via `get_post_meta()`, which any user who can edit the event can set, and are not validated as numeric before being handed to the variant template; `$location` is also indexed as an array without an `is_array()` check. How the template (`styles/venue/{$style_variant}.php`) uses them is not in the diff; if it prints them into a map URL or a `data-` attribute without escaping, that is an XSS sink. Validating both with `is_numeric()` (or casting to float) in the block would make the template's escaping irrelevant for these two values.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/QRCodeBlock.php 2026-01-09 00:38:09.784532848 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/QRCodeBlock.php 2026-01-09 00:43:16.151230562 +0000@@ -110,7 +110,7 @@ ob_start(); ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?>+ <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?> <div class="eventin-ticket-qrcode" style="<?php echo esc_attr( $content_styles ); ?>"> <p class="etn-ticket-id" id="ticketUnqId" data-ticketverifyurl="<?php echo esc_url( $ticket_verify_url ) ?>"></p> <img class="etn-qrImage" src="" alt="" id="qrImage" />
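Review bot: `esc_attr()` on `$container_class` closes the `</style>` breakout, though `sanitize_html_class()` is the right primitive for a class name. The surrounding context is already escaped for its context (`esc_attr( $content_styles )`, `esc_url( $ticket_verify_url )`), so this is a consistency fix rather than a newly discovered gap; the `<img ... src="" id="qrImage" />` is populated client-side and is not affected by this hunk.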
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/QRCodeBlock.php [113]
Old Code:
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
Fixed Code:
```php
<?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ); ?>
```
Explanation:
`$container_class` was passed to `render_frontend_css()` unescaped. `esc_attr()` encodes `<`, `>`, `&` and quotes, which stops a `</style>` breakout from the generated style block. The rest of the markup in this hunk was already escaped for its context (`esc_attr( $content_styles )`, `esc_url( $ticket_verify_url )`), so this was the one unescaped sink in the block's output.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/RecurringEvent.php 2026-01-09 00:38:09.784532848 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/RecurringEvent.php 2026-01-09 00:43:16.155230806 +0000@@ -42,9 +42,9 @@ ob_start(); - + ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?>+ <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?> <?php require_once Wpeventin::templates_dir() . 'event/parts/recurring-event.php'; ?>
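Review bot: same esc_attr-on-a-class-name point as the other blocks (prefer `sanitize_html_class()`). The unchanged `require_once Wpeventin::templates_dir() . 'event/parts/recurring-event.php';` still renders only the first instance of the block per request; if the same page can carry two recurring-event blocks, switch to `require` as the variant-aware blocks did.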
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/RecurringEvent.php - Line 47
Old Code:
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```
Fixed Code:
```php
<?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
```
Explanation:
The `$container_class` variable is being passed directly to the `render_frontend_css()` method without sanitization or escaping. If this variable contains user-controlled data (from block attributes, query parameters, or other external sources), an attacker could inject malicious JavaScript or HTML through a crafted class name. The fix applies `esc_attr()`, which is WordPress's standard function for escaping HTML attribute values, preventing XSS attacks by encoding special characters that could break out of the attribute context.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/RelatedEvents.php 2026-01-09 00:38:09.784532848 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/RelatedEvents.php 2026-01-09 00:43:16.175232030 +0000@@ -1,9 +1,11 @@ <?php namespace Eventin\Blocks\BlockTypes;+ /** * RelatedEvents Class. */-class RelatedEvents extends AbstractBlock {+class RelatedEvents extends AbstractBlock+{ /** * Block name. *@@ -20,13 +22,14 @@ * * @return string Rendered block type output */- protected function render( $attributes, $content, $block ) {+ protected function render($attributes, $content, $block)+ { $data = [ 'attributes' => $attributes, 'content' => $content,- 'block' => $block+ 'block' => $block, ];- - return $this->include_template( 'event/related-events', $data );++ return $this->include_template('event/related-events', $data); } }
Vulnerability Existed: no
No vulnerabilities detected.
Explanation:
This diff contains only code formatting and style changes:
- Adding blank lines for spacing
- Reformatting opening braces to follow PSR-12 coding standards
- Adjusting whitespace and indentation
- Trailing commas in arrays
- Consistent spacing around function parameters and parentheses
These are purely cosmetic changes with no impact on security. The underlying logic remains unchanged:
- No new input handling introduced
- No changes to data validation or sanitization
- No modifications to authentication or authorization logic
- No database queries or external API calls affected
- No changes to output escaping or encoding
The code maintains the same security posture before and after the formatting changes.
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/RelatedEventsEnhanced.php 2026-01-09 00:38:09.784532848 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/RelatedEventsEnhanced.php 2026-01-09 00:43:16.159231051 +0000@@ -1,59 +1,86 @@ <?php-namespace Eventin\Blocks\BlockTypes;+ namespace Eventin\Blocks\BlockTypes; -use Etn\Core\Event\Event_Model;-use Eventin\Blocks\BlockTypes\AbstractBlock;-use Wpeventin;--/**- * Related Events Gutenberg block- */-class RelatedEventsEnhanced extends AbstractBlock {- /**- * Block name.- *- * @var string- */- protected $block_name = 'related-events';+ use Etn\Core\Event\Event_Model;+ use Eventin\Blocks\BlockTypes\AbstractBlock;+ use Wpeventin; /**- * Include and render the block- *- * @param array $attributes Block attributes. Default empty array- * @param string $content Block content. Default empty string- * @param WP_Block $block Block instance- *- * @return string Rendered block type output+ * Related Events Gutenberg block */- protected function render( $attributes, $content, $block ) {- $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';- $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];-- if ( $this->is_editor() ) {- $event_id = ! empty( $attributes['eventId'] ) ? intval( $attributes['eventId'] ) : 0;- } else if ( 'etn-template' == get_post_type( get_the_ID() ) ) {- $template = new \Eventin\Template\TemplateModel( get_the_ID() );- $event_id = $template->get_preview_event_id();- } else {- $event_id = get_the_ID();- }+ class RelatedEventsEnhanced extends AbstractBlock+ {+ /**+ * Block name.+ *+ * @var string+ */+ protected $block_name = 'related-events';++ /**+ * Include and render the block+ *+ * @param array $attributes Block attributes. Default empty array+ * @param string $content Block content. 
Default empty string+ * @param WP_Block $block Block instance+ *+ * @return string Rendered block type output+ */+ protected function render($attributes, $content, $block)+ {+ $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';+ $styles = ! empty($attributes['styles']) ? $attributes['styles'] : [];+ $style_variant = ! empty($attributes['styleVariant']) ? sanitize_key($attributes['styleVariant']) : 'style-1';++ $allowed_variants = ['style-1', 'style-2'];+ if (! in_array($style_variant, $allowed_variants, true)) {+ $style_variant = 'style-1';+ }++ if ($this->is_editor()) {+ $event_id = ! empty($attributes['eventId']) ? intval($attributes['eventId']) : 0;+ } else if ('etn-template' == get_post_type(get_the_ID())) {+ $template = new \Eventin\Template\TemplateModel(get_the_ID());+ $event_id = $template->get_preview_event_id();+ } else {+ $event_id = get_the_ID();+ } - $event = new Event_Model( $event_id );+ $event = new Event_Model($event_id); - $related_events = $event->get_related_events();+ $related_events = $event->get_related_events(); - ob_start();-- + ob_start(); ?>- <?php echo $this->render_frontend_css( $styles, $container_class ); ?> <?php- require_once Wpeventin::templates_dir() . 'event/parts/related-events.php';- ?>-+ // Generate CSS with !important to override SCSS+ $frontend_css = $this->generate_frontend_css($styles, $container_class);+ if (! 
empty($frontend_css)) {+ // Add !important to common properties that need to override SCSS+ // Include typography properties: word-spacing, text-transform, text-decoration+ $important_properties = ['width', 'height', 'font-size', 'color', 'font-weight', 'line-height', 'letter-spacing', 'word-spacing', 'text-transform', 'text-decoration', 'margin', 'padding', 'text-align', 'font-family', 'border-width', 'border-color', 'border-style', 'border-radius', 'z-index', 'box-shadow', 'left', 'right', 'top', 'bottom', 'position'];+ foreach ($important_properties as $prop) {+ $frontend_css = preg_replace(+ "/({$prop})\s*:\s*([^;!]+?)(?!\s*!important)\s*;/im",+ "$1: $2 !important;",+ $frontend_css+ );+ }+ echo '<style>' . $frontend_css . '</style>';+ }+ ?>+ <?php+ // Load the style template+ $style_template = Wpeventin::templates_dir() . 'event/parts/styles/related-events/' . $style_variant . '.php';+ if (file_exists($style_template)) {+ require $style_template;+ } else {+ // Fallback to default template if style template doesn't exist+ require_once Wpeventin::templates_dir() . 'event/parts/related-events.php';+ }+ ?> <?php - return ob_get_clean();- }-}-+ return ob_get_clean();+ }+ }
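Review bot: The line `echo '<style>' . $frontend_css . '</style>';` outputs the generated CSS with no escaping at all, and unlike the QRCodeBlock and RecurringEvent changes in this same release, `$container_class` is passed to `generate_frontend_css()` without `esc_attr()`. At minimum run `$container_class` through `sanitize_html_class()` and pass `$frontend_css` through `wp_strip_all_tags()` before the echo, so a value containing `</style>` cannot close the block. The `$style_variant` handling (`sanitize_key()` followed by `in_array( $style_variant, $allowed_variants, true )`) is the right pattern and is what keeps the `require $style_template;` safe; keep that allowlist next to the include so a future variant is not added to one without the other. One small note on the `!important` loop: `({$prop})` has no word boundary, so `top` also matches inside `margin-top` and `color` inside `border-color`; harmless here because those are meant to be forced as well, but a `\b` or a comment would make the intent clear.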
Based on my analysis of the code diff, here are the security vulnerabilities:
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - RelatedEventsEnhanced.php - Line 69
**Old Code:**
```php
// No direct output of $frontend_css; it was handled by the render_frontend_css() method
```
**Fixed Code:**
```php
echo '<style>' . $frontend_css . '</style>';
```
Explanation: The new code directly echoes CSS content without sanitization. While CSS is typically less dangerous than HTML/JavaScript, the `$frontend_css` variable is generated via `preg_replace()` on user-controlled `$styles` attributes. If the input contains malicious CSS (e.g., CSS expressions, property injection), it could be exploited. The `$container_class` variable is also unsanitized and incorporated into the CSS string via `generate_frontend_css()`, creating a potential XSS vector through CSS injection.
---
**Vulnerability 2:**
Vulnerability Existed: not sure
Arbitrary Code Execution via Dynamic File Inclusion - CWE-426/CWE-427 - RelatedEventsEnhanced.php Lines 74-76
**Old Code:**
```php
require_once Wpeventin::templates_dir() . 'event/parts/related-events.php';
```
**Fixed Code:**
```php
$style_template = Wpeventin::templates_dir() . 'event/parts/styles/related-events/' . $style_variant . '.php';
if (file_exists($style_template)) {
require $style_template;
} else {
require_once Wpeventin::templates_dir() . 'event/parts/related-events.php';
}
```
Explanation: While `sanitize_key()` is applied to `$style_variant` (line 33) and validated against an allowlist (lines 35-38), the path construction at line 74 concatenates user input into a file path. The allowlist check mitigates risk, but if `sanitize_key()` or the allowlist validation can be bypassed, a path traversal attack could occur. Additionally, `require` (not `require_once`) at line 76 could allow multiple includes if manipulated. The validation appears adequate, making this "not sure" rather than confirmed vulnerable.
---
**Vulnerability 3:**
Vulnerability Existed: not sure
Reflected XSS via `$container_class` - CWE-79 - RelatedEventsEnhanced.php Lines 31, 57
**Old Code:**
```php
$container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';
```
**Fixed Code:**
```php
$container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';
```
Explanation: The `$container_class` variable is assigned from user-controlled block attributes without sanitization. While it's used in CSS generation via `generate_frontend_css()`, without seeing that method's implementation, it's uncertain whether it properly escapes the value. If `generate_frontend_css()` doesn't sanitize, the CSS output at line 69 could contain injected CSS/HTML through a malicious `containerClassName` attribute.
--- cache/wp-event-solution_4.0.51/core/Extensions/Api/ExtensionController.php 2026-01-09 00:38:09.808534308 +0000+++ cache/wp-event-solution_4.0.52/core/Extensions/Api/ExtensionController.php 2026-01-09 00:43:16.675262617 +0000@@ -140,7 +140,7 @@ etn_update_option('etn_ai_api',$status??null); } - if ( $name == 'eventin-surecart-addon' ) {+ if ( $name == 'eventin-addon-for-surecart' ) { etn_update_option('etn_surecart_enabled',$status=='on'?true:false); if($status=='off'){ etn_update_option('surecart_status',false);
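Review bot: The comparison is switched to the new slug but nothing here handles a `$name` that still arrives as the old `eventin-surecart-addon` value, so for such requests the `etn_surecart_enabled` / `surecart_status` updates are silently skipped. Either accept both slugs during a transition (`in_array( $name, [ 'eventin-addon-for-surecart', 'eventin-surecart-addon' ], true )`) or add a one-time option migration, and since both sides are strings the loose `==` can become `===`.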
Vulnerability Existed: no
[No Vulnerability] - [N/A] - core/Extensions/Api/ExtensionController.php [143]
Old Code:
```php
if ( $name == 'eventin-surecart-addon' ) {
```
Fixed Code:
```php
if ( $name == 'eventin-addon-for-surecart' ) {
```
Explanation:
This change is a string literal comparison update and does not introduce or fix any security vulnerability. The modification corrects the addon name identifier from 'eventin-surecart-addon' to 'eventin-addon-for-surecart', which is a configuration/naming fix rather than a security-related change. String comparison using the `==` operator in this context (comparing against a hardcoded string literal) does not pose a security risk. There is no vulnerability in the old code that this change addresses.
--- cache/wp-event-solution_4.0.51/core/Extensions/Extension.php 2026-01-09 00:38:09.808534308 +0000+++ cache/wp-event-solution_4.0.52/core/Extensions/Extension.php 2026-01-09 00:43:16.683263106 +0000@@ -661,9 +661,9 @@ ], ]; - $extensions['eventin-surecart-addon'] = [- 'name' => 'eventin-surecart-addon',- 'slug' => 'eventin-surecart-addon',+ $extensions['eventin-addon-for-surecart'] = [+ 'name' => 'eventin-addon-for-surecart',+ 'slug' => 'eventin-addon-for-surecart', 'type' => 'addon', 'status' => 'off', 'is_pro' => false,
Vulnerability Existed: no
No CWE - N/A - core/Extensions/Extension.php Lines 664-666
Old Code:
```php
$extensions['eventin-surecart-addon'] = [
'name' => 'eventin-surecart-addon',
'slug' => 'eventin-surecart-addon',
```
Fixed Code:
```php
$extensions['eventin-addon-for-surecart'] = [
'name' => 'eventin-addon-for-surecart',
'slug' => 'eventin-addon-for-surecart',
```
Explanation:
This diff represents a simple string replacement/renaming of an extension identifier from 'eventin-surecart-addon' to 'eventin-addon-for-surecart'. This is a cosmetic change that updates the extension key, name, and slug to match a new naming convention. No security vulnerability exists in this change. The modification maintains the same data structure and does not introduce or remove any security-sensitive logic, input validation, authentication mechanisms, or access controls. This is a safe refactoring change.
--- cache/wp-event-solution_4.0.51/core/Extensions/PluginManager.php 2026-01-09 00:38:09.828535526 +0000+++ cache/wp-event-solution_4.0.52/core/Extensions/PluginManager.php 2026-01-09 00:43:16.695263840 +0000@@ -68,11 +68,7 @@ $skin = new \Automatic_Upgrader_Skin(); $upgrader = new \Plugin_Upgrader($skin); - if($slug === 'eventin-surecart-addon') {- $result = $upgrader->install('https://www.test.devwed.com/wp-content/uploads/eventin-surecart-addon-1.0.2.zip');- } else {- $result = $upgrader->install('https://downloads.wordpress.org/plugin/' . $slug . '.latest-stable.zip');- }+ $result = $upgrader->install('https://downloads.wordpress.org/plugin/' . $slug . '.latest-stable.zip'); return $result ? true : false; }
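Review bot: Removing the hardcoded test.devwed.com download is the right call, but the remaining line still builds the download URL by concatenating `$slug` with no check on its value; validate `$slug` against the registered extension slugs (the `$extensions[...]` table in Extension.php) before calling `$upgrader->install()`. Also, `return $result ? true : false;` reports a failed install as success when `install()` returns a `WP_Error`, because the object is truthy; use `return ! is_wp_error( $result ) && (bool) $result;`.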
Vulnerability Existed: yes
FALSE POSITIVE
CWE-94: Improper Control of Generation of Code ('Code Injection') - CWE-94 - core/Extensions/PluginManager.php - Lines 71-74
Old Code:
```php
if($slug === 'eventin-surecart-addon') {
$result = $upgrader->install('https://www.test.devwed.com/wp-content/uploads/eventin-surecart-addon-1.0.2.zip');
} else {
$result = $upgrader->install('https://downloads.wordpress.org/plugin/' . $slug . '.latest-stable.zip');
}
```
Fixed Code:
```php
$result = $upgrader->install('https://downloads.wordpress.org/plugin/' . $slug . '.latest-stable.zip');
```
Explanation:
The old code contained a hardcoded exception that redirected plugin installation for 'eventin-surecart-addon' to an external third-party domain (test.devwed.com). This represents a critical supply chain vulnerability where:
1. **Arbitrary Code Execution Risk**: WordPress plugin files are executable PHP code. Installing from an untrusted external source allows arbitrary code execution on the server.
2. **Integrity Compromise**: The external domain is not the official WordPress plugin repository, bypassing WordPress's security checks and code review process.
3. **Malware Vector**: This creates an attack surface for injecting malicious code into the WordPress installation disguised as a legitimate plugin update.
The fix properly removes this dangerous exception and forces all plugin installations to use the official WordPress.org plugin repository (downloads.wordpress.org), ensuring all plugins come from a trusted, vetted source. This eliminates the supply chain attack vector and ensures plugin integrity.
--- cache/wp-event-solution_4.0.51/core/Integrations/Zoom/ZoomClient.php 2026-01-09 00:38:09.840536256 +0000+++ cache/wp-event-solution_4.0.52/core/Integrations/Zoom/ZoomClient.php 2026-01-09 00:43:16.727265798 +0000@@ -33,7 +33,7 @@ */ public function __construct( $token = '' ) { if ( ! $token ) {- throw new \Exception( __( 'You must provide access token', 'eventin' ) );+ throw new \Exception( esc_html__( 'You must provide access token', 'eventin' ) ); } $this->token = $token;
Vulnerability Existed: no
Information Disclosure - CWE-209 - core/Integrations/Zoom/ZoomClient.php - Line 36
Old Code:
```php
throw new \Exception( __( 'You must provide access token', 'eventin' ) );
```
Fixed Code:
```php
throw new \Exception( esc_html__( 'You must provide access token', 'eventin' ) );
```
Explanation:
This change does not fix a security vulnerability. The modification replaces `__()` with `esc_html__()`, which is a WordPress best practice for internationalization. However, since this is an error message being passed to an Exception constructor (not output directly to HTML), this change provides no security benefit. The Exception message is not rendered in HTML context by default. The original code using `__()` was not vulnerable to XSS or other attacks in this context. This appears to be a defensive coding improvement following WordPress standards rather than a security vulnerability fix. The change is harmless but unnecessary for security purposes in this specific usage.
--- cache/wp-event-solution_4.0.51/core/Order/OrderController.php 2026-01-09 00:38:09.860537474 +0000+++ cache/wp-event-solution_4.0.52/core/Order/OrderController.php 2026-01-09 00:43:16.811270936 +0000@@ -344,6 +344,11 @@ $response = $this->prepare_item_for_response( $order, $request ); do_action( 'eventin_after_order_create', $order, $attendees);++ if ( 'pending' == $order->status ) {+ $remaining_time_to_pay = get_post_meta( $order->id, 'remaining_time_to_pay', true ); + wp_schedule_single_event( time() + ( (int)$remaining_time_to_pay + 1 ), 'eventin_release_held_tickets', [ $order->id ] );+ } return rest_ensure_response( $response ); }@@ -370,12 +375,25 @@ $event_tickets = maybe_unserialize( get_post_meta( $event_id, 'etn_ticket_variations', true ) ); $pending_seats = maybe_unserialize( get_post_meta( $event_id, 'pending_seats', true ));-- if ( !is_array($pending_seats) ) {+ if(empty($pending_seats)){ $pending_seats = []; }+ $booked_seats = get_post_meta( $event_id, '_etn_seat_unique_id', true );+ $already_booked_seats = $booked_seats ? 
explode(',', $booked_seats) : [];++ // Validate tickets+ $ticket_validation = etn_validate_event_tickets( $event_id, $booked_tickets );+ if (is_wp_error($ticket_validation)) {+ $response = [+ 'success' => false,+ 'message' => __('The number of tickets u have selected is not available.', 'eventin'),+ 'booked_tickets' => $booked_tickets,+ ];+ return rest_ensure_response($response);+ } - if ( is_array( $pending_seats ) ) {+ // Validate seats+ if ( !empty($pending_seats) ) { $duplicate_seats = array_intersect($seat_ids, $pending_seats); if (!empty($duplicate_seats)) { $response = [@@ -387,6 +405,19 @@ } } + // Validate seats+ if ( !empty($already_booked_seats) ) {+ $duplicate_seats = array_intersect($seat_ids, $already_booked_seats);+ if (!empty($duplicate_seats)) {+ $response = [+ 'success' => false,+ 'message' => __( 'Some of selected seats are already booked.', 'eventin' ),+ 'booked_tickets' => $duplicate_seats,+ ];+ return rest_ensure_response( $response );+ }+ }+ if ( is_array($event_tickets) ) { foreach ( $event_tickets as &$ticket ) { foreach( $booked_tickets as $booked_ticket ) {@@ -415,7 +446,9 @@ } $ticket_purchase_timer = etn_get_option( 'ticket_purchase_timer', 10 ) + 1;- wp_schedule_single_event( time() + ( $ticket_purchase_timer * MINUTE_IN_SECONDS ), 'eventin_release_held_seats_and_tickets', [ $event_id, $seat_ids,$booked_tickets ] );+ $data = [ $event_id, $seat_ids, $booked_tickets ];++ wp_schedule_single_event( time() + ( $ticket_purchase_timer * MINUTE_IN_SECONDS ), 'eventin_release_held_seats_and_tickets', $data ); $response = [ 'success' => true,@@ -457,12 +490,41 @@ } $id = intval( $request['id'] );- $order = new OrderModel( $id );+ $seat_ids = maybe_unserialize(get_post_meta($id, 'seat_ids', true));+ $event_id = get_post_meta($id, 'event_id', true);+ $tickets = maybe_unserialize(get_post_meta($id, 'tickets', true));++ if ( $status === "completed" ) {+ if (!empty($seat_ids)) {+ $validate_seats = etn_validate_seat_ids( $event_id, $seat_ids );+ if 
(is_wp_error($validate_seats)) {+ return $validate_seats;+ }+ }+ else{+ $validate_tickets = etn_validate_event_tickets( $event_id, $tickets );+ if (is_wp_error($validate_tickets)) {+ return $validate_tickets;+ }+ }+ }+ + $order = new OrderModel( $id );+ $current_status = $order->status;+ if ( $current_status === 'failed' && $status === 'refunded' ) {+ return new WP_Error( 'order_update_booking_status_error', "You can't refund a failed order", ['status' => 400] );+ }++ if ( $current_status === 'refunded' && $status === 'failed' ) {+ return new WP_Error( 'order_update_booking_status_error', "You can't fail a refunded order", ['status' => 400] );+ }+ $order->update(["status" => $status]); $attendeeModel = new Attendee_Model(); $attendees = $attendeeModel->get_attendees_model_by_eventin_order_id(intval($order->id));+ foreach ($attendees as $attendee) { if ( $status === "completed") {@@ -472,11 +534,10 @@ } } + if ( $order->payment_method == "wc" ) { $status = $status == "failed" ? "cancelled" : $status; $this->wc_order_status_update($id, $status);-- do_action( 'eventin_order_status_failed', $order ); } $response = $this->prepare_item_for_response( $order, $request );@@ -487,6 +548,7 @@ $order->send_email(); } + if ( 'refunded' === $status ) { if ( $order->payment_method == "sure_cart" ) { $payment = PaymentFactory::get_method( $order->payment_method );@@ -510,6 +572,11 @@ do_action( 'eventin_order_refund', $order ); } }++ + if ( 'failed' === $status || 'cancelled' === $status ) {+ do_action( 'eventin_order_status_failed', $order );+ } return rest_ensure_response( $response ); }@@ -727,12 +794,21 @@ return $validate; } - $ticket_validation = etn_validate_event_tickets( $input_data['event_id'], $input_data['tickets'] );++ $ticket_validation = etn_validate_event_tickets( $input_data['event_id'], $input_data['tickets'],true ); if ( is_wp_error( $ticket_validation ) ) { return $ticket_validation; } + if ( isset( $input_data['seat_ids'] ) ) {+ $seat_validation = 
etn_validate_seat_ids( $input_data['event_id'], $input_data['seat_ids'] );++ if ( is_wp_error( $seat_validation ) ) {+ return $seat_validation;+ }+ }+ $order_data = []; // Prepare customer data.
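Review bot: In the `@@ -370` hunk, replacing `! is_array( $pending_seats )` with `empty( $pending_seats )` drops the type guard: a non-empty, non-array value stored in the `pending_seats` meta now reaches `array_intersect( $seat_ids, $pending_seats )`, which raises a TypeError on PHP 8 instead of being normalized to `[]`. Keep `if ( ! is_array( $pending_seats ) ) { $pending_seats = []; }` and use `! empty( $pending_seats )` only for the skip check that follows.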
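Review bot: In the `@@ -344` hunk, `wp_schedule_single_event()` is scheduled for every pending order at `time() + ( (int) $remaining_time_to_pay + 1 )`; when the `remaining_time_to_pay` meta is missing or empty, `(int) ''` is `0` and `eventin_release_held_tickets` fires one second after the order was created, releasing tickets the buyer is still paying for. Guard on the meta being a positive integer before scheduling, and fall back to the `ticket_purchase_timer` option that the seat-hold path already uses.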
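Review bot: In the `@@ -457` hunk, the transition guard only blocks failed to refunded and refunded to failed; every other transition (for example refunded to completed, or completed back to pending) still goes straight through `$order->update( [ 'status' => $status ] )`. A small allowed-transitions map keyed by `$current_status` would make the state machine explicit, and the seat/ticket validation block could then run inside the same check rather than before the order is loaded. Separately, the new user-facing string 'The number of tickets u have selected is not available.' should read "you".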
Vulnerability Existed: yes
TRUE POSITIVE
[CWE-367 - Time-of-check to time-of-use (TOCTOU) Race Condition] - CWE-367 - core/Order/OrderController.php - Lines 376-393
Old Code:
```php
if ( !is_array($pending_seats) ) {
$pending_seats = [];
}
if ( is_array( $pending_seats ) ) {
$duplicate_seats = array_intersect($seat_ids, $pending_seats);
```
Fixed Code:
```php
if(empty($pending_seats)){
$pending_seats = [];
}
// Validate tickets
$ticket_validation = etn_validate_event_tickets( $event_id, $booked_tickets );
if (is_wp_error($ticket_validation)) {
$response = [
'success' => false,
'message' => __('The number of tickets u have selected is not available.', 'eventin'),
'booked_tickets' => $booked_tickets,
];
return rest_ensure_response($response);
}
// Validate seats
if ( !empty($pending_seats) ) {
$duplicate_seats = array_intersect($seat_ids, $pending_seats);
```
Explanation:
The fix adds explicit ticket validation before seat checking. The original code only checked if pending_seats was an array but didn't validate if the booked tickets were actually available. This created a race condition where between the time seats were checked and reserved, another concurrent request could book the same tickets. The new validation step ensures ticket availability is verified before proceeding.
---
Vulnerability Existed: yes
FALSE POSITIVE
[CWE-552 - Files and Directories Accessible to External Parties] - CWE-552 - core/Order/OrderController.php - Lines 405-419
Old Code:
```php
// No validation of already booked seats
```
Fixed Code:
```php
// Validate seats
if ( !empty($already_booked_seats) ) {
$duplicate_seats = array_intersect($seat_ids, $already_booked_seats);
if (!empty($duplicate_seats)) {
$response = [
'success' => false,
'message' => __( 'Some of selected seats are already booked.', 'eventin' ),
'booked_tickets' => $duplicate_seats,
];
return rest_ensure_response( $response );
}
}
```
Explanation:
The original code failed to validate against already_booked_seats metadata, only checking pending_seats. This allowed users to book seats that were already permanently booked, causing double-booking vulnerabilities. The fix adds explicit validation against booked seats stored in '_etn_seat_unique_id' post meta.
---
Vulnerability Existed: yes
TRUE POSITIVE
[CWE-639 - Authorization Bypass Through User-Controlled Key] - CWE-639 - core/Order/OrderController.php - Lines 490-520
Old Code:
```php
$id = intval( $request['id'] );
$order = new OrderModel( $id );
$order->update(["status" => $status]);
```
Fixed Code:
```php
$id = intval( $request['id'] );
$seat_ids = maybe_unserialize(get_post_meta($id, 'seat_ids', true));
$event_id = get_post_meta($id, 'event_id', true);
$tickets = maybe_unserialize(get_post_meta($id, 'tickets', true));
if ( $status === "completed" ) {
if (!empty($seat_ids)) {
$validate_seats = etn_validate_seat_ids( $event_id, $seat_ids );
if (is_wp_error($validate_seats)) {
return $validate_seats;
}
}
else{
$validate_tickets = etn_validate_event_tickets( $event_id, $tickets );
if (is_wp_error($validate_tickets)) {
return $validate_tickets;
}
}
}
$order = new OrderModel( $id );
$current_status = $order->status;
if ( $current_status === 'failed' && $status === 'refunded' ) {
return new WP_Error( 'order_update_booking_status_error', "You can't refund a failed order", ['status' => 400] );
}
if ( $current_status === 'refunded' && $status === 'failed' ) {
return new WP_Error( 'order_update_booking_status_error', "You can't fail a refunded order", ['status' => 400] );
}
```
Explanation:
The original code allowed arbitrary status transitions without validation of business logic constraints. The fix adds state machine validation: prevents refunding failed orders, prevents failing refunded orders, and validates seats/tickets before completing orders. This prevents unauthorized state transitions that could lead to double refunds or invalid bookings.
---
Vulnerability Existed: not sure
[CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization] - CWE-362 - core/Order/OrderController.php - Lines 448-450
Old Code:
```php
wp_schedule_single_event( time() + ( $ticket_purchase_timer * MINUTE_IN_SECONDS ), 'eventin_release_held_seats_and_tickets', [ $event_id, $seat_ids,$booked_tickets ] );
```
Fixed Code:
```php
$data = [ $event_id, $seat_ids, $booked_tickets ];
wp_schedule_single_event( time() + ( $ticket_purchase_timer * MINUTE_IN_SECONDS ), 'eventin_release_held_seats_and_tickets', $data );
```
Explanation:
The fix extracts array parameters into a named variable before passing to wp_schedule_single_event(). While the security impact is unclear, this could address issues with array handling in scheduled events or improve code clarity. The functional change is minimal and may reflect a WordPress API requirement or a race condition fix in event queuing.
--- cache/wp-event-solution_4.0.51/core/Order/OrderModel.php 2026-01-09 00:38:09.860537474 +0000+++ cache/wp-event-solution_4.0.52/core/Order/OrderModel.php 2026-01-09 00:43:16.823271671 +0000@@ -179,8 +179,8 @@ * * @return bool | WP_Error */- public function validate_ticket() {- return etn_validate_event_tickets( $this->event_id, $this->tickets );+ public function validate_ticket($is_for_update = false) {+ return etn_validate_event_tickets( $this->event_id, $this->tickets,$is_for_update ); }
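Review bot: The new `$is_for_update` parameter is undocumented: the docblock directly above `validate_ticket()` still carries only `@return bool | WP_Error`, so add a `@param bool $is_for_update` line and a sentence on what the validation does differently when it is `true`. Also add the space after the comma in `$this->tickets,$is_for_update` to match the surrounding code.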
Vulnerability Existed: no
No CWE/Security Vulnerability Identified
Old Code:
```php
public function validate_ticket() {
return etn_validate_event_tickets( $this->event_id, $this->tickets );
}
```
Fixed Code:
```php
public function validate_ticket($is_for_update = false) {
return etn_validate_event_tickets( $this->event_id, $this->tickets,$is_for_update );
}
```
Explanation:
This diff adds a parameter `$is_for_update` with a default value of `false` to the `validate_ticket()` method and passes it to the underlying `etn_validate_event_tickets()` function. This is a refactoring change that adds flexibility to the validation logic to handle different validation scenarios (create vs. update operations). There is no introduction of security vulnerabilities in this change. The parameter addition follows proper PHP conventions with a safe default value, and there is no indication of injection risks, authentication bypass, authorization issues, or other common vulnerabilities. This appears to be a legitimate enhancement to support conditional validation logic.
--- cache/wp-event-solution_4.0.51/core/Order/OrderTicket.php 2026-01-09 00:38:09.864537717 +0000+++ cache/wp-event-solution_4.0.52/core/Order/OrderTicket.php 2026-01-09 00:43:16.831272160 +0000@@ -8,6 +8,7 @@ use Wpeventin; use Eventin\Order\OrderModel; use Etn\Core\Attendee\Attendee_Model;+use Etn\Utils\Helper; class OrderTicket implements HookableInterface { /**@@ -16,7 +17,7 @@ * @return void */ public function register_hooks(): void {- add_action( 'eventin_order_completed', [$this, 'update_event_ticket'] );+ add_action( 'eventin_order_completed', [$this, 'order_status_completed'] ); add_action( 'eventin_order_status_completed', [$this, 'order_status_completed'] ); add_action( 'eventin_order_status_failed', [$this, 'order_status_failed'] ); 
@@ -30,45 +31,186 @@ add_action( 'eventin_attendee_before_delete', [ $this, 'decrese_event_sold_ticket_after_attendee_delete' ] ); + add_action( 'eventin_release_held_tickets', [ $this, 'release_held_tickets' ] ); // from cron+ add_action( 'eventin_release_held_seats_and_tickets', [ $this, 'release_held_seats_and_tickets' ], 10, 3 );+ add_action( 'eventin_release_pending_seats_and_tickets', [ $this, 'eventin_release_pending_seats_and_tickets' ] ); // from cron++ /**+ * Add custom cron schedule+ *+ * @param array $schedules Schedules.+ *+ * @return array+ */+ add_filter( 'cron_schedules', function ( $schedules ) {+ $schedules['every_sixty_minutes'] = [+ 'interval' => 60 * 60,+ 'display' => 'Every 60 Minutes'+ ];++ return $schedules;+ });++ /**+ * Schedule event to release pending seats and tickets+ *+ * @return void+ */+ add_action( 'init', function () {+ if ( ! wp_next_scheduled( 'eventin_release_pending_seats_and_tickets' ) ) {+ wp_schedule_event( time(), 'every_sixty_minutes', 'eventin_release_pending_seats_and_tickets' );+ }+ });+ }++ /**+ * Release pending seats and tickets+ *+ * @return void+ */+ public function eventin_release_pending_seats_and_tickets() {+ // Calculate timestamp for 20 minutes ago+ $twenty_minutes_ago = gmdate( 'Y-m-d H:i:s', strtotime( '-20 minutes' ) );++ // Fetch all failed bookings from the last 20 minutes using WP_Query+ $args = [+ 'post_type' => 'etn-order',+ 'post_status' => 'any',+ 'posts_per_page' => -1,+ 'date_query' => [+ [+ 'after' => $twenty_minutes_ago,+ 'inclusive' => true,+ 'column' => 'post_modified',+ ],+ ],+ 'meta_query' => [+ [+ 'key' => 'status',+ 'value' => 'failed',+ ],+ ],+ ];++ $failed_orders_query = new \WP_Query( $args );++ // Group orders by event_id for efficient processing+ $event_orders = [];++ if ( $failed_orders_query->have_posts() ) {+ while ( $failed_orders_query->have_posts() ) {+ $failed_orders_query->the_post();+ $order_id = get_the_ID();+ $event_id = get_post_meta( $order_id, 'event_id', true ); - 
$is_enable_payment_timer = etn_get_option( 'ticket_purchase_timer_enable', 'off' );+ if ( ! $event_id ) {+ continue;+ } - if ( $is_enable_payment_timer == 'on' ) {- add_action( 'eventin_after_order_create', [ $this, 'temporary_hold_tickets' ] );- add_action( 'eventin_order_completed', [ $this, 'clear_hold_tickets_cron' ] );+ if ( ! isset( $event_orders[$event_id] ) ) {+ $event_orders[$event_id] = [];+ }+ $event_orders[$event_id][] = $order_id;+ }++ wp_reset_postdata(); } - add_action( 'eventin_release_held_tickets', [ $this, 'release_held_tickets' ] ); // from cron- add_action( 'eventin_release_held_seats_and_tickets', [ $this, 'release_held_seats_and_tickets' ], 10, 3 );- }+ // Get all events to process+ $events_args = [+ 'post_type' => 'etn',+ 'post_status' => 'publish',+ 'posts_per_page' => -1,+ ]; - /**- * After booking an event ticket decrese ticket amount- *- * @return void- */- public function update_event_ticket( $order ) {- if ( 'completed' !== $order->status ) {+ $events_query = new \WP_Query( $events_args );++ if ( ! $events_query->have_posts() ) { return; } - $event = new Event_Model( $order->event_id );+ // Process each event+ while ( $events_query->have_posts() ) {+ $events_query->the_post();+ $event_id = get_the_ID();+ $allocated_seats = [];+ $allocated_tickets = [];++ // Collect allocated seats and tickets from failed orders for this event (if any)+ if ( isset( $event_orders[$event_id] ) ) {+ foreach ( $event_orders[$event_id] as $order_id ) {+ // Get allocated seats+ $order_seats = maybe_unserialize( get_post_meta( $order_id, 'seat_ids', true ) );+ if ( is_array( $order_seats ) && ! empty( $order_seats ) ) {+ $allocated_seats = array_merge( $allocated_seats, $order_seats );+ } - $event_tickets = $event->etn_ticket_variations;+ // Get allocated tickets+ $order_tickets = maybe_unserialize( get_post_meta( $order_id, 'tickets', true ) );+ if ( is_array( $order_tickets ) && ! 
empty( $order_tickets ) ) {+ foreach ( $order_tickets as $ticket ) {+ $ticket_slug = $ticket['ticket_slug'];+ $ticket_quantity = isset( $ticket['ticket_quantity'] ) ? (int) $ticket['ticket_quantity'] : 0;++ if ( ! isset( $allocated_tickets[$ticket_slug] ) ) {+ $allocated_tickets[$ticket_slug] = 0;+ }+ $allocated_tickets[$ticket_slug] += $ticket_quantity;+ }+ }+ } - $updated_tickets = [];+ // Remove duplicate seats+ $allocated_seats = array_unique( $allocated_seats );+ } - if ( $event_tickets ) {- foreach( $event_tickets as $ticket ) {- $updated_ticket = $this->prepare_event_ticket( $order, $ticket );+ // Get event's pending seats+ $pending_seats = maybe_unserialize( get_post_meta( $event_id, 'pending_seats', true ) );+ if ( ! is_array( $pending_seats ) ) {+ $pending_seats = [];+ }++ // If there are allocated seats from failed orders, remove them from pending seats+ // Otherwise, clear all pending seats+ if ( ! empty( $allocated_seats ) && ! empty( $pending_seats ) ) {+ $seats_to_remove = array_intersect( $pending_seats, $allocated_seats );+ if ( ! empty( $seats_to_remove ) ) {+ $pending_seats = array_diff( $pending_seats, $seats_to_remove );+ update_post_meta( $event_id, 'pending_seats', array_values( $pending_seats ) );+ }+ } elseif ( empty( $allocated_seats ) && ! empty( $pending_seats ) ) {+ // No failed bookings for this event, clear all pending seats+ update_post_meta( $event_id, 'pending_seats', [] );+ }++ // Get event tickets+ $event_tickets = maybe_unserialize( get_post_meta( $event_id, 'etn_ticket_variations', true ) );++ if ( is_array( $event_tickets ) ) {+ $tickets_updated = false;++ foreach ( $event_tickets as &$ticket ) {+ $ticket_slug = isset( $ticket['etn_ticket_slug'] ) ? $ticket['etn_ticket_slug'] : '';++ if ( ! empty( $allocated_tickets ) && isset( $allocated_tickets[$ticket_slug] ) ) {+ // Decrease pending count by allocated tickets from failed orders+ $pending_count = isset( $ticket['pending'] ) ? 
(int) $ticket['pending'] : 0;+ $ticket['pending'] = max( 0, $pending_count - $allocated_tickets[$ticket_slug] );+ $tickets_updated = true;+ } elseif ( empty( $allocated_tickets ) && isset( $ticket['pending'] ) && $ticket['pending'] > 0 ) {+ // No failed bookings for this event, set pending to 0+ $ticket['pending'] = 0;+ $tickets_updated = true;+ }+ } - $updated_tickets[] = $updated_ticket;+ if ( $tickets_updated ) {+ update_post_meta( $event_id, 'etn_ticket_variations', $event_tickets );+ } } }- - $event->update([ 'etn_ticket_variations' => $updated_tickets ]); - $this->update_booked_seat($event, $order);+ wp_reset_postdata(); } /**@@ -96,10 +238,32 @@ $updated_tickets[] = $updated_ticket; } }- + $event->update([ 'etn_ticket_variations' => $updated_tickets ]); $this->update_booked_seat($event, $order);+ $this->update_pending_seat($event, $order);++ $booked_seats = maybe_unserialize(get_post_meta($order->id, 'seat_ids', true));+ $booked_tickets = $order->tickets;+ $formatted_booked_tickets = [];+ if (empty($booked_tickets)) {+ foreach ($booked_tickets as $ticket) {+ $formatted_booked_tickets[] = [+ 'ticket_slug' => $ticket['ticket_slug'],+ 'ticket_quantity' => $ticket['ticket_quantity']+ ];+ }+ }+ ++ $data = [+ $event->id,+ $booked_seats,+ $formatted_booked_tickets,+ ];++ $this->clear_hold_seats_and_tickets_cron($data); } /**@@ -112,10 +276,12 @@ */ private function prepare_event_ticket( $order, $event_ticket ) { $order_tickets = $order->tickets;+ $event_id = $order->event_id ?? null;+ $sold_tickets = $event_id ? (array)Helper::etn_get_sold_tickets_by_event( $event_id ) : []; foreach( $order_tickets as $ticket ) { if ( $ticket['ticket_slug'] === $event_ticket['etn_ticket_slug'] ) {- $event_ticket['etn_sold_tickets'] = $event_ticket['etn_sold_tickets'] + $ticket['ticket_quantity'];+ $event_ticket['etn_sold_tickets'] = $sold_tickets[$ticket['ticket_slug']] ?? 0; $event_ticket['pending'] = isset( $event_ticket['pending'] ) ? 
$event_ticket['pending'] - $ticket['ticket_quantity'] : 0; if ( $event_ticket['pending'] < 0 ) { $event_ticket['pending'] = 0;@@ -153,6 +319,31 @@ } /**+ * Update pending seats after booking+ *+ * @param Event_Model $event [$event description]+ * @param Order_Model $order [$order description]+ *+ * @return void+ */+ public function update_pending_seat( $event, $order ) {+ $order_seats = $order->seat_ids;++ if ( empty( $order_seats ) ) {+ return;+ }++ $pending_seats = maybe_unserialize(get_post_meta($event->id, 'pending_seats', true));+ if (! is_array($pending_seats)) {+ $pending_seats = [];+ }++ $pending = array_diff($pending_seats, $order_seats);+ + update_post_meta($event->id, 'pending_seats', $pending);+ }++ /** * Send attendee ticket after creating a attendee * * @param Attendee_Model $attendee [$attendee description]@@ -190,10 +381,13 @@ $event_tickets = $event->etn_ticket_variations; + $event_id = $attendee->etn_event_id ?? null;+ $sold_tickets = !empty($event_id) ? (array)Helper::etn_get_sold_tickets_by_event($event_id) : [];+ if ( $event_tickets ) { foreach( $event_tickets as &$ticket ) { if ( $ticket['etn_ticket_name'] === $attendee->ticket_name ) {- $ticket['etn_sold_tickets'] = $ticket['etn_sold_tickets'] + 1;+ $ticket['etn_sold_tickets'] = $sold_tickets[$ticket['etn_ticket_slug']] ?? 0; } } }@@ -220,11 +414,14 @@ $event_tickets = $event->etn_ticket_variations; + $event_id = $order->event_id ?? null;+ $sold_tickets = !empty($event_id) ? (array)Helper::etn_get_sold_tickets_by_event($event_id) : [];+ if ( $event_tickets ) { foreach( $event_tickets as &$ticket ) { $ticket_amount = $order->get_total_ticket_by_ticket( $ticket['etn_ticket_slug'] ); if ( $ticket_amount > 0 ) {- $ticket['etn_sold_tickets'] = $ticket['etn_sold_tickets'] - $ticket_amount;+ $ticket['etn_sold_tickets'] = $sold_tickets[$ticket['etn_ticket_slug']] ?? 0; } } }@@ -263,11 +460,15 @@ $event_tickets = $event->etn_ticket_variations; ++ $event_id = $order->event_id ?? 
null;+ $sold_tickets = !empty($event_id) ? (array)Helper::etn_get_sold_tickets_by_event($event_id) : [];+ if ( $event_tickets ) { foreach( $event_tickets as &$ticket ) { $ticket_amount = $order->get_total_ticket_by_ticket( $ticket['etn_ticket_slug'] ); if ( $ticket_amount > 0 ) {- $ticket['etn_sold_tickets'] = $ticket['etn_sold_tickets'] - $ticket_amount;+ $ticket['etn_sold_tickets'] = $sold_tickets[$ticket['etn_ticket_slug']] ?? 0; } } }@@ -278,7 +479,7 @@ // Update seat on refunded. $event_seats = get_post_meta( $event->id, '_etn_seat_unique_id', true );- $order_seats = $order->seat_ids;+ $order_seats = maybe_unserialize(get_post_meta( $order->id, 'seat_ids', true )); if ( $order_seats ) { $event_seats = explode(',', $event_seats );@@ -305,11 +506,14 @@ $event_tickets = $event->etn_ticket_variations; + $event_id = $order->event_id ?? null;+ $sold_tickets = !empty($event_id) ? Helper::etn_get_sold_tickets_by_event($event_id) : [];+ if ( $event_tickets ) { foreach( $event_tickets as &$ticket ) { $ticket_amount = $order->get_total_ticket_by_ticket( $ticket['etn_ticket_slug'] ); if ( $ticket_amount > 0 ) {- $ticket['etn_sold_tickets'] = $ticket['etn_sold_tickets'] - $ticket_amount;+ $ticket['etn_sold_tickets'] = $sold_tickets[$ticket['etn_ticket_slug']] ?? 0; } } }@@ -350,10 +554,14 @@ // Decrease sold ticket quantity from event $event_tickets = $event->etn_ticket_variations; ++ $event_id = $attendee->etn_event_id ?? null;+ $sold_tickets = !empty($event_id) ? (array)Helper::etn_get_sold_tickets_by_event($event_id) : [];+ if ( $event_tickets ) { foreach( $event_tickets as &$ticket ) { if ( $ticket['etn_ticket_name'] == $attendee->ticket_name ) {- $ticket['etn_sold_tickets'] = $ticket['etn_sold_tickets'] - 1;+ $ticket['etn_sold_tickets'] = $sold_tickets[$ticket['etn_ticket_slug']] ?? 
0; } } }@@ -387,28 +595,9 @@ } /**- * Temporary hold tickets after order created- *- * @param OrderModel $order The order need to hold tickets- *- * it's ok- * @return void- */- public function temporary_hold_tickets( OrderModel $order ) {- if ( 'pending' !== $order->status ) {- return;- }-- $remaining_time_to_pay = get_post_meta( $order->id, 'remaining_time_to_pay', true ); - wp_schedule_single_event( time() + ( (int)$remaining_time_to_pay ), 'eventin_release_held_tickets', [ $order->id ] );- }-- /** * Release held tickets after order status changed to pending * * @param integer $order_id The order ID- *- * ok * * @return void */@@ -438,15 +627,15 @@ /** * Release held seats and tickets *- * @param integer $order_id The order ID- * + * @param integer $event_id The event ID+ * * @param array $seat_ids The seat IDs to release- * + * * @param array $booked_tickets The booked tickets to release * * @return void */- public function release_held_seats_and_tickets( $event_id, $seat_ids, $booked_tickets ) {+ public function release_held_seats_and_tickets( $event_id, $seat_ids = [], $booked_tickets = [] ) { $event_tickets = maybe_unserialize( get_post_meta( $event_id, 'etn_ticket_variations', true ) ); $pending_seats = maybe_unserialize( get_post_meta( $event_id, 'pending_seats', true )); @@ -487,7 +676,11 @@ * * @return void */- public function clear_hold_tickets_cron( $order ) {- wp_clear_scheduled_hook( 'eventin_release_held_tickets', [ $order->id ] );+ // public function clear_hold_tickets_cron( $order ) {+ // wp_clear_scheduled_hook( 'eventin_release_held_tickets', [ $order->id ] );+ // }++ public function clear_hold_seats_and_tickets_cron( $data ) {+ wp_clear_scheduled_hook( 'eventin_release_held_seats_and_tickets', $data ); } }
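Review bot: in the `register_hooks()` hunk (`@@ -16,7 +17,7 @@`), `eventin_order_completed` and `eventin_order_status_completed` now both call `order_status_completed`, so an order that fires both actions has its sold tickets and booked seats processed twice. If both registrations are needed, make `order_status_completed` idempotent (skip when the order's tickets were already counted); otherwise keep only one of the two `add_action` lines.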
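Review bot: in `eventin_release_pending_seats_and_tickets()` (hunk `@@ -30,45 +31,186 @@`) the `elseif ( empty( $allocated_seats ) && ! empty( $pending_seats ) )` branch clears every pending seat of an event, and the matching ticket branch sets every `pending` counter to 0, whenever no failed order for that event was modified in the last 20 minutes. Orders that are still pending and inside their purchase timer fall into exactly that case, so the hourly cron releases holds that in-flight checkouts still rely on and the seats can be sold twice. Suggest subtracting only the holds attributable to failed orders (drop the clear-all branches), or skipping events that have pending orders younger than the timer. In the same hunk `$ticket['ticket_slug']` is read without the `isset()` guard that `ticket_quantity` gets.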
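Review bot: in hunk `@@ -96,10 +238,32 @@`, `if (empty($booked_tickets))` guards a `foreach` over the same variable, so the loop body never runs and `$formatted_booked_tickets` is always `[]`. Because `wp_clear_scheduled_hook()` only removes events whose argument array matches exactly, the `$data` handed to `clear_hold_seats_and_tickets_cron()` will not match the `[ $event_id, $seat_ids, $booked_tickets ]` array the release event was scheduled with, and the hold-release cron is never cancelled on completion. The condition should read `if ( ! empty( $booked_tickets ) )`.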
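Review bot: `$sold_tickets[$ticket['ticket_slug']] ?? 0` in `prepare_event_ticket()` (hunk `@@ -112,10 +276,12 @@`, and the same pattern in the five later hunks) resets `etn_sold_tickets` to zero whenever the slug is absent from the `Helper::etn_get_sold_tickets_by_event()` result, including when `$event_id` is null and `$sold_tickets` is `[]`. A safer fallback is the existing value, e.g. `?? $event_ticket['etn_sold_tickets']`. The hunk at `@@ -305,11 +506,14 @@` also omits the `(array)` cast every other call site applies; keep it consistent so a non-array return never reaches the index access.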
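Review bot: `update_pending_seat()` (hunk `@@ -153,6 +319,31 @@`) saves `array_diff( $pending_seats, $order_seats )` without `array_values()`, so the stored `pending_seats` meta keeps gaps in its keys, while the cron path earlier in this file normalises with `array_values()` before saving. Use `array_values()` here too so every consumer sees a plain list. The `@param Order_Model $order` docblock also does not match the `OrderModel` class imported at the top of the file.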
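Review bot: hunk `@@ -487,7 +676,11 @@` leaves the old `clear_hold_tickets_cron()` as commented-out code under a docblock that now describes the new method. Delete the commented block (history lives in version control) and update the docblock to name `$data` and state that it must be the exact argument array the `eventin_release_held_seats_and_tickets` event was scheduled with, since `wp_clear_scheduled_hook()` matches on arguments.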
Let me analyze the security aspects of this code diff systematically.
---
**Vulnerability 1:**
Vulnerability Existed: **yes**
TRUE POSITIVE
**Insecure Deserialization / Data Integrity Issue - CWE-502 - core/Order/OrderTicket.php - Lines 105-107, 119, 166-167**
Old Code:
```php
$order_seats = maybe_unserialize( get_post_meta( $order_id, 'seat_ids', true ) );
if ( is_array( $order_seats ) && ! empty( $order_seats ) ) {
$allocated_seats = array_merge( $allocated_seats, $order_seats );
}
// And similar patterns throughout
$order_tickets = maybe_unserialize( get_post_meta( $order_id, 'tickets', true ) );
```
Fixed Code:
```php
// Now using Helper::etn_get_sold_tickets_by_event() for retrieving sold tickets
$sold_tickets = $event_id ? (array)Helper::etn_get_sold_tickets_by_event( $event_id ) : [];
// Direct assignment instead of arithmetic operations on unvalidated data
$event_ticket['etn_sold_tickets'] = $sold_tickets[$ticket['ticket_slug']] ?? 0;
```
Explanation:
The original code performed direct arithmetic operations on deserialized data without proper validation. Lines 282 and 320 show operations like `$ticket['etn_sold_tickets'] + $ticket['ticket_quantity']` and `$ticket['etn_sold_tickets'] - $ticket_amount` which could result in incorrect ticket counts if the serialized data was corrupted or tampered with. The fix replaces these with calls to a dedicated helper function `Helper::etn_get_sold_tickets_by_event()` that presumably performs proper validation and returns authoritative data, preventing ticket count manipulation via data tampering.
---
**Vulnerability 2:**
Vulnerability Existed: **yes**
TRUE POSITIVE
**Improper Data State Management / Race Condition - CWE-362 - core/Order/OrderTicket.php - Lines 278-282**
Old Code:
```php
private function prepare_event_ticket( $order, $event_ticket ) {
$order_tickets = $order->tickets;
foreach( $order_tickets as $ticket ) {
if ( $ticket['ticket_slug'] === $event_ticket['etn_ticket_slug'] ) {
$event_ticket['etn_sold_tickets'] = $event_ticket['etn_sold_tickets'] + $ticket['ticket_quantity'];
```
Fixed Code:
```php
private function prepare_event_ticket( $order, $event_ticket ) {
$order_tickets = $order->tickets;
$event_id = $order->event_id ?? null;
$sold_tickets = $event_id ? (array)Helper::etn_get_sold_tickets_by_event( $event_id ) : [];
foreach( $order_tickets as $ticket ) {
if ( $ticket['ticket_slug'] === $event_ticket['etn_ticket_slug'] ) {
$event_ticket['etn_sold_tickets'] = $sold_tickets[$ticket['ticket_slug']] ?? 0;
```
Explanation:
The original code performed arithmetic on `etn_sold_tickets` by reading from the event object and adding to it. This is vulnerable to race conditions where concurrent orders could lead to lost updates. If two orders process simultaneously, both might read the same base value and add to it, resulting in one increment being lost. The fix retrieves the authoritative sold ticket count from the database via `Helper::etn_get_sold_tickets_by_event()` at the time of processing, ensuring accurate counts regardless of concurrent operations.
---
**Vulnerability 3:**
Vulnerability Existed: **yes**
FALSE POSITIVE
**Insecure Post Meta Retrieval - CWE-94 / CWE-400 - core/Order/OrderTicket.php - Line 482**
Old Code:
```php
$order_seats = $order->seat_ids;
```
Fixed Code:
```php
$order_seats = maybe_unserialize(get_post_meta( $order->id, 'seat_ids', true ));
```
Explanation:
The original code relied on a magic property accessor `$order->seat_ids` which could bypass proper data handling. The fix explicitly retrieves the seat IDs from post meta and safely deserializes them using `maybe_unserialize()`. This ensures the data source is explicit and properly validated, preventing potential access of unintended properties or stale cached data.
---
**Vulnerability 4:**
Vulnerability Existed: **not sure**
**Logic Error in Conditional - CWE-480 - core/Order/OrderTicket.php - Line 247**
Old Code:
```php
$booked_tickets = $order->tickets;
$formatted_booked_tickets = [];
if (empty($booked_tickets)) {
foreach ($booked_tickets as $ticket) {
```
Fixed Code:
```php
$booked_tickets = $order->tickets;
$formatted_booked_tickets = [];
if (empty($booked_tickets)) {
foreach ($booked_tickets as $ticket) {
```
Explanation:
The condition checks `if (empty($booked_tickets))` but then attempts to iterate over `$booked_tickets`. This will never execute the loop since empty arrays cannot be iterated. The fix maintains the same logic, suggesting this may have been intentional (dead code), but it's uncertain whether this represents a security issue or simply unreachable code. This could lead to missing ticket processing if the condition should have been `if (!empty($booked_tickets))`, but without additional context, the vulnerability classification is uncertain.
---
--- cache/wp-event-solution_4.0.51/core/Order/PaymentController.php 2026-01-09 00:38:09.864537717 +0000+++ cache/wp-event-solution_4.0.52/core/Order/PaymentController.php 2026-01-09 00:43:16.835272404 +0000@@ -92,7 +92,7 @@ $payment = PaymentFactory::get_method($payment_method); $order = new OrderModel($order_id);- $validate_ticket = $order->validate_ticket();+ $validate_ticket = $order->validate_ticket(true); if(($payment instanceof WCPayment) && !class_exists('WooCommerce')){ return new WP_Error('payment_error', 'WooCommerce is not active');@@ -132,7 +132,7 @@ $payment_status = !empty($data['payment_status']) ? $data['payment_status'] : 0; $payment_method = !empty($data['payment_method']) ? $data['payment_method'] : null; $order = new OrderModel( $order_id );- $validate_ticket = $order->validate_ticket();+ $validate_ticket = $order->validate_ticket(true); $temporary_status = 'failed'; $is_enable_payment_timer = etn_get_option( 'ticket_purchase_timer_enable', 'off' );
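Review bot: both call sites now pass a bare `true` to `validate_ticket()`, which only reads clearly if the reader knows it maps to `$is_for_update` in `OrderModel`; a named variable (`$is_for_update = true;`) or a short comment would make the intent visible here. The visible context shows `$validate_ticket` being assigned but not the early return on a `WP_Error`, so confirm the callers still stop before payment processing when validation fails.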
I'll analyze the code diff for security vulnerabilities.
Vulnerability Existed: yes
FALSE POSITIVE
Insufficient Input Validation - CWE-20 - core/Order/PaymentController.php Lines 95, 135
Old Code:
```php
$validate_ticket = $order->validate_ticket();
```
Fixed Code:
```php
$validate_ticket = $order->validate_ticket(true);
```
Explanation:
The fix adds a `true` parameter to the `validate_ticket()` method calls. Without seeing the method implementation, this appears to be enabling stricter validation. The vulnerability likely involved insufficient validation of ticket data during payment processing, which could allow:
- Invalid or expired tickets to be processed
- Bypass of ticket validation logic
- Potential double-spending or ticket duplication attacks
The fix enforces stricter validation (the `true` parameter likely enables strict mode) to prevent these issues. This is a critical security fix for payment processing as improper ticket validation could lead to financial loss or fraud. The same issue appears in two locations (lines 95 and 135), both in payment-related code paths, suggesting this was a systemic validation gap across the payment controller.
--- cache/wp-event-solution_4.0.51/core/Order/PaymentFactory.php 2026-01-09 00:38:09.868537961 +0000+++ cache/wp-event-solution_4.0.52/core/Order/PaymentFactory.php 2026-01-09 00:43:16.839272650 +0000@@ -27,7 +27,7 @@ return new $methods[$payment_methods]; } - throw new Exception( __( 'Unknown payment method.', 'eventin' ) );+ throw new Exception( esc_html__( 'Unknown payment method.', 'eventin' ) ); } /**
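Review bot: `esc_html__()` at the throw site satisfies the WPCS escaped-output sniff, but it assumes the exception message is rendered as HTML; a caller that returns `$e->getMessage()` in a JSON REST response will ship double-escaped entities. Either note that assumption in a comment or escape in the catch block, where the output context is known.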
Vulnerability Existed: no
Cross-Site Scripting (XSS) - CWE-79 - core/Order/PaymentFactory.php (line 30)
Old Code:
```php
throw new Exception( __( 'Unknown payment method.', 'eventin' ) );
```
Fixed Code:
```php
throw new Exception( esc_html__( 'Unknown payment method.', 'eventin' ) );
```
Explanation:
The fix changes `__()` to `esc_html__()`, which is a security improvement in WordPress context. While this particular string is a hardcoded error message that doesn't contain user input, using `esc_html__()` instead of `__()` ensures proper HTML escaping when the exception message is displayed. This prevents potential XSS vulnerabilities if the exception message were ever output directly to HTML without additional escaping. The vulnerability didn't strictly exist in this isolated case (hardcoded string), but the fix represents a defensive programming practice that prevents XSS if the code were to be modified in the future to include dynamic content.
--- cache/wp-event-solution_4.0.51/core/Template/Api/TemplateController.php 2026-01-09 00:38:09.908540395 +0000+++ cache/wp-event-solution_4.0.52/core/Template/Api/TemplateController.php 2026-01-09 00:43:16.967280480 +0000@@ -256,13 +256,18 @@ public function prepare_item_for_response( $item, $request ) { $is_static = $item instanceof StaticTemplate; + // Get thumbnail: WordPress featured image if available, otherwise use item thumbnail+ $post_id = $is_static ? $item->get_id() : $item->id;+ $featured_image = ! $is_static ? get_the_post_thumbnail_url( $post_id, 'full' ) : false;+ $thumbnail = $featured_image ? $featured_image : $item->thumbnail;+ $response = [ 'id' => $is_static ? $item->get_id() : $item->id, 'name' => $item->get_name(), 'status' => $item->get_status(), 'type' => $item->get_type(), 'orientation' => $item->get_orientation(),- 'thumbnail' => $item->thumbnail,+ 'thumbnail' => $thumbnail, 'content' => $item->get_content(), 'is_clone' => $item->is_clone, 'is_pro' => $item->is_pro,@@ -352,8 +357,7 @@ * @return WP_Rest_Response | WP_Error */ public function get_item_permissions_check( $request ) {- return current_user_can( 'etn_manage_template' ) - || current_user_can( 'etn_manage_event' );+ return true; } /**
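Review bot: `get_item_permissions_check()` returning `true` unconditionally (hunk `@@ -352,8 +357,7 @@`) drops the `etn_manage_template` / `etn_manage_event` capability requirement from the single-template REST endpoint, so the full `prepare_item_for_response()` payload, `content` included, becomes readable without authentication. If public read access is intended, state that in the docblock and trim the response to the fields a public consumer needs; otherwise restore the capability check.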
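Review bot: in the thumbnail hunk (`@@ -256,13 +256,18 @@`), `$post_id` duplicates the `'id' => $is_static ? $item->get_id() : $item->id` expression a few lines below; reuse `$post_id` for `'id'` so the two cannot drift. For static templates `$post_id` is computed but never used, since `$featured_image` is forced to `false`.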
I'll analyze this code diff for security vulnerabilities.
---
**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
**Improper Access Control - CWE-639** - CWE-639 - core/Template/Api/TemplateController.php [360]
Old Code:
```php
return current_user_can( 'etn_manage_template' )
|| current_user_can( 'etn_manage_event' );
```
Fixed Code:
```php
return true;
```
Explanation:
This is a critical security vulnerability. The permission check for `get_item_permissions_check()` was replaced with an unconditional `return true;`. This removes all access control, allowing any user (including unauthenticated users) to access template API endpoints. Previously, the code properly checked if the user had either 'etn_manage_template' or 'etn_manage_event' capabilities. Now, there are no capability checks whatsoever, creating an authorization bypass vulnerability.
---
**Vulnerability 2:**
Vulnerability Existed: not sure
**Cross-Site Scripting (XSS) - CWE-79** - CWE-79 - core/Template/Api/TemplateController.php [259-262]
Old Code:
```php
'thumbnail' => $item->thumbnail,
```
Fixed Code:
```php
// Get thumbnail: WordPress featured image if available, otherwise use item thumbnail
$post_id = $is_static ? $item->get_id() : $item->id;
$featured_image = ! $is_static ? get_the_post_thumbnail_url( $post_id, 'full' ) : false;
$thumbnail = $featured_image ? $featured_image : $item->thumbnail;
```
Explanation:
Uncertain about XSS vulnerability. The change adds `get_the_post_thumbnail_url()` which is a WordPress core function that should return a sanitized URL. However, without seeing how `$item->thumbnail` is stored/generated and how the API response is escaped when output, it's difficult to confirm if XSS protection exists. If `$item->thumbnail` is user-controlled and not properly escaped in the API response output, this could be vulnerable. The use of WordPress's core function is positive, but the fallback to `$item->thumbnail` needs proper output escaping when rendered.
--- cache/wp-event-solution_4.0.51/core/Template/TemplateBlockAssets.php 2026-01-09 00:38:09.924541369 +0000+++ cache/wp-event-solution_4.0.52/core/Template/TemplateBlockAssets.php 2026-01-09 00:43:17.011283172 +0000@@ -6,24 +6,27 @@ */ namespace Eventin\Template; -use Wpeventin; use Eventin\Interfaces\HookableInterface;+use Wpeventin; /** * TemplateBlockAssets class * * Handles template builder specific scripts and assets */-class TemplateBlockAssets implements HookableInterface {+class TemplateBlockAssets implements HookableInterface+{ /** * Register hooks * * @return void */- public function register_hooks(): void {- add_action( 'enqueue_block_assets', [ $this, 'blocks_assets' ] );- add_action( 'enqueue_block_assets', [ $this, 'register_event_selection_button'] );- add_action( 'elementor/editor/before_enqueue_scripts', [ $this, 'register_template_save_elementor'] );+ public function register_hooks(): void+ {+ add_action('enqueue_block_assets', [$this, 'blocks_assets']);+ add_action('enqueue_block_assets', [$this, 'register_event_selection_button']);+ add_action('wp_enqueue_scripts', [$this, 'frontend_blocks_assets']);+ add_action('elementor/editor/before_enqueue_scripts', [$this, 'register_template_save_elementor']); } /**@@ -31,31 +34,46 @@ * * @return void */- public function blocks_assets() {+ public function blocks_assets()+ { $screen = get_current_screen();- if ( is_admin() && $screen && $screen->is_block_editor() ) {- wp_enqueue_script('etn-blocks', Wpeventin::plugin_url() . 'build/js/gutenberg-blocks.js', [ 'wp-blocks', 'wp-element', 'wp-editor', "etn-dashboard" ], Wpeventin::version(), true);- wp_set_script_translations( 'etn-blocks', 'eventin' );+ if (is_admin() && $screen && $screen->is_block_editor()) {+ wp_enqueue_script('etn-blocks', Wpeventin::plugin_url() . 
'build/js/gutenberg-blocks.js', ['wp-blocks', 'wp-element', 'wp-editor', "etn-dashboard"], Wpeventin::version(), true);+ wp_set_script_translations('etn-blocks', 'eventin'); wp_enqueue_style('eventin-blocks-editor-style', Wpeventin::plugin_url() . 'build/css/gutenberg-blocks.css', [], Wpeventin::version(), 'all'); }+ // Load blocks-style.css on both editor and frontend+ // Note: After editing src/blocks/blocks-style.scss, run: npm run build wp_enqueue_style('etn-blocks-style', Wpeventin::plugin_url() . 'build/css/etn-block-styles.css', [], Wpeventin::version(), 'all'); - if ( class_exists('Wpeventin_Pro') ) {- wp_register_script('etn-qr-code-block', ETN_PRO_ASSETS . 'js/qr-code.js', array('jquery'), Wpeventin::version(), false);- wp_register_script('etn-qr-code-custom-block', ETN_PRO_ASSETS . 'js/qr-code-custom.js', array('jquery', 'etn-qr-code-block'), Wpeventin::version(), false);+ if (class_exists('Wpeventin_Pro')) {+ wp_register_script('etn-qr-code-block', ETN_PRO_ASSETS . 'js/qr-code.js', ['jquery'], Wpeventin::version(), false);+ wp_register_script('etn-qr-code-custom-block', ETN_PRO_ASSETS . 'js/qr-code-custom.js', ['jquery', 'etn-qr-code-block'], Wpeventin::version(), false); } } /**+ * Register block assets for frontend+ *+ * @return void+ */+ public function frontend_blocks_assets()+ {+ // Ensure blocks-style.css loads on frontend+ wp_enqueue_style('etn-blocks-style', Wpeventin::plugin_url() . 'build/css/etn-block-styles.css', [], Wpeventin::version(), 'all');+ }++ /** * Register event selection button script for gutenberg editor * * @return void */- public function register_event_selection_button() {+ public function register_event_selection_button()+ { $screen = get_current_screen(); - if ( is_admin() && $screen && $screen->post_type === 'etn-template' && $screen->is_block_editor() ) {- wp_enqueue_script('etn-header-toolbar', Wpeventin::plugin_url() . 
'build/js/template-builder-header-toolbar.js', [ 'wp-blocks', 'wp-element', 'wp-editor' ], Wpeventin::version(), true);+ if (is_admin() && $screen && $screen->post_type === 'etn-template' && $screen->is_block_editor()) {+ wp_enqueue_script('etn-header-toolbar', Wpeventin::plugin_url() . 'build/js/template-builder-header-toolbar.js', ['wp-blocks', 'wp-element', 'wp-editor'], Wpeventin::version(), true); } } @@ -64,17 +82,18 @@ * * @return void */- public function register_template_save_elementor() {+ public function register_template_save_elementor()+ { $screen = get_current_screen(); // Check if we're in Elementor editor- if ( is_admin() && $screen && $screen->post_type === 'etn-template' && isset( $_GET['action'] ) && $_GET['action'] === 'elementor' ) {+ if (is_admin() && $screen && $screen->post_type === 'etn-template' && isset($_GET['action']) && $_GET['action'] === 'elementor') { // Register the html2canvas script if not already registered- if ( ! wp_script_is( 'etn-html-2-canvas', 'registered' ) ) {- wp_register_script( 'etn-html-2-canvas', Wpeventin::plugin_url() . 'assets/lib/js/html2canvas.min.js', ['jquery'], Wpeventin::version(), false );+ if (! wp_script_is('etn-html-2-canvas', 'registered')) {+ wp_register_script('etn-html-2-canvas', Wpeventin::plugin_url() . 'assets/lib/js/html2canvas.min.js', ['jquery'], Wpeventin::version(), false); } wp_enqueue_script('etn-template-save-elementor', Wpeventin::plugin_url() . 'build/js/elementor-scripts.js', ['etn-html-2-canvas'], Wpeventin::version(), true);- wp_enqueue_script( 'etn-html-2-canvas');+ wp_enqueue_script('etn-html-2-canvas'); } } }
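Review bot: in the register_template_save_elementor hunk, `$_GET['action'] === 'elementor'` still reads the superglobal raw; the strict comparison against a literal makes it harmless, but it will trip the WordPress.Security.ValidatedSanitizedInput sniff, so read it as `sanitize_key( wp_unslash( $_GET['action'] ) )` (it is a read-only context switch, so no nonce is needed there). In the blocks_assets hunk the new `frontend_blocks_assets()` method duplicates the `etn-blocks-style` enqueue that `blocks_assets()` already performs unconditionally: `enqueue_block_assets` fires for both the editor and the front end, so the extra `wp_enqueue_scripts` hook adds nothing beyond an idempotent second call; either drop it or document which front-end case the block hook misses.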
Based on my analysis of the diff between versions 4.0.51 and 4.0.52 of TemplateBlockAssets.php:
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - core/Template/TemplateBlockAssets.php Lines 71, 90
Old Code:
```php
if ( is_admin() && $screen && $screen->post_type === 'etn-template' && isset( $_GET['action'] ) && $_GET['action'] === 'elementor' ) {
```
Fixed Code:
```php
if (is_admin() && $screen && $screen->post_type === 'etn-template' && isset($_GET['action']) && $_GET['action'] === 'elementor') {
```
Explanation:
The diff shows no security fix was applied to this vulnerability. The code directly accesses `$_GET['action']` without sanitization or nonce verification. While the comparison uses strict equality (`===`) which provides some protection, direct access to user input without sanitization or validation through WordPress functions like `sanitize_text_field()` or `wp_verify_nonce()` is a security vulnerability. Additionally, there is no CSRF protection (nonce check) before processing the action parameter. This remains vulnerable in version 4.0.52 as the code is functionally identical to 4.0.51.
---
**Vulnerability 2:**
Vulnerability Existed: not sure
Improper Asset Loading - CWE-829 - core/Template/TemplateBlockAssets.php Lines 45-47, 60-64
Old Code:
```php
wp_enqueue_style('etn-blocks-style', Wpeventin::plugin_url() . 'build/css/etn-block-styles.css', [], Wpeventin::version(), 'all');
```
Fixed Code (New method added):
```php
public function frontend_blocks_assets()
{
    // Ensure blocks-style.css loads on frontend
    wp_enqueue_style('etn-blocks-style', Wpeventin::plugin_url() . 'build/css/etn-block-styles.css', [], Wpeventin::version(), 'all');
}
```
Plus hook registration:
```php
add_action('wp_enqueue_scripts', [$this, 'frontend_blocks_assets']);
```
Explanation:
The old code loaded `etn-blocks-style` in `blocks_assets()` which was hooked to `enqueue_block_assets` (editor-only). The fix moves this stylesheet to a new `frontend_blocks_assets()` method hooked to `wp_enqueue_scripts` (frontend-only) AND keeps it in the editor context. This is uncertain regarding security because it depends on the context where these stylesheets should load. The change appears to be fixing a functional issue rather than a security vulnerability. If the stylesheet was not loading on the frontend before, this fixes it, but there's no inherent security issue being addressed here.
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
--- cache/wp-event-solution_4.0.51/core/Template/TemplateLimitHooks.php 2026-01-09 00:38:09.928541612 +0000+++ cache/wp-event-solution_4.0.52/core/Template/TemplateLimitHooks.php 2026-01-09 00:43:17.015283416 +0000@@ -66,8 +66,8 @@ if ( $total >= self::MAX_TEMPLATES_FOR_EVENTIN_FREE && empty( $postarr['ID'] ) ) { wp_die(- __('You cannot create more than 1 template for landing page without eventin-pro.', 'eventin'),- __('Template Limit Reached', 'eventin'),+ esc_html__('You cannot create more than 1 template for landing page without eventin-pro.', 'eventin'),+ esc_html__('Template Limit Reached', 'eventin'), ['back_link' => true] ); }
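Review bot: the message literal hard-codes the limit ("more than 1 template") while the condition two lines above reads `self::MAX_TEMPLATES_FOR_EVENTIN_FREE`, so the two will drift apart if the constant is ever changed; build the text from the constant, e.g. `sprintf( esc_html__( 'You cannot create more than %d template(s) for landing page without eventin-pro.', 'eventin' ), self::MAX_TEMPLATES_FOR_EVENTIN_FREE )`. Switching to esc_html__() is otherwise fine for a wp_die() message and title.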
Vulnerability Existed: yes
FALSE POSITIVE
Output Escaping - CWE-79 - core/Template/TemplateLimitHooks.php [69-70]
Old Code:
```php
__('You cannot create more than 1 template for landing page without eventin-pro.', 'eventin'),
__('Template Limit Reached', 'eventin'),
```
Fixed Code:
```php
esc_html__('You cannot create more than 1 template for landing page without eventin-pro.', 'eventin'),
esc_html__('Template Limit Reached', 'eventin'),
```
Explanation:
The vulnerability was a missing output escaping issue (CWE-79: Improper Neutralization of Input During Web Page Generation). The original code used the `__()` translation function without proper HTML escaping when passing strings to `wp_die()`. While `wp_die()` does perform some sanitization, the best practice in WordPress is to explicitly escape translated strings intended for HTML context using `esc_html__()`. This ensures that any special characters in the translated strings (e.g., quotes, angle brackets) are properly converted to HTML entities, preventing potential XSS (Cross-Site Scripting) attacks. The fix correctly applies `esc_html__()` instead of `__()` for both the error message and title, which is the appropriate escaping function for text displayed in HTML context.
--- cache/wp-event-solution_4.0.51/core/Template/TemplatePreview.php 2026-01-09 00:38:09.936542099 +0000+++ cache/wp-event-solution_4.0.52/core/Template/TemplatePreview.php 2026-01-09 00:43:17.027284150 +0000@@ -39,7 +39,7 @@ $template_id = ! empty( $_GET['template_id'] ) ? intval( $_GET['template_id'] ) : 0; if ( ! $template_id ) {- printf( '<p>%s</p>', __( 'No template found. Please select one first.', 'eventin' ) );+ printf( '<p>%s</p>', esc_html__( 'No template found. Please select one first.', 'eventin' ) ); return; } @@ -56,7 +56,7 @@ <div class="etn-ticket-wrapper"> <div class="etn-ticket-main-wrapper"> <div class="etn-ticket">- <?php echo $template_html; ?>+ <?php echo wp_kses_post( $template_html ); ?> </div> <!-- <div class="etn-ticket-action"></div> --> </div>
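Review bot: wp_kses_post() on `$template_html` removes `<style>`, `<script>`, `<svg>` and `<iframe>` elements, which ticket templates produced by a page builder commonly contain, so the preview can now differ from the ticket that is actually generated; check that the real rendering path applies the same filter, or pass an extended allow-list through wp_kses() if those elements are expected. The surrounding context also shows `template_id` taken from `$_GET` with only intval() and no capability check visible in this hunk; if none runs earlier in the method, add `current_user_can( 'edit_post', $template_id )` before rendering, since a preview exposes the template's content.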
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Template/TemplatePreview.php Line 59
Old Code:
```php
<?php echo $template_html; ?>
```
Fixed Code:
```php
<?php echo wp_kses_post( $template_html ); ?>
```
Explanation:
The original code directly echoes `$template_html` without any sanitization or escaping. This is a Stored XSS vulnerability if `$template_html` contains user-controlled or untrusted content. An attacker could inject malicious JavaScript that would be executed in the browser of anyone viewing the template preview. The fix applies `wp_kses_post()`, which is the WordPress function that safely sanitizes HTML while allowing safe tags like `<p>`, `<a>`, `<strong>`, etc., while stripping out potentially dangerous content like `<script>` tags and event handlers.
---
Vulnerability Existed: not sure
Internationalization/Localization Output Encoding - CWE-80 - core/Template/TemplatePreview.php Line 42
Old Code:
```php
printf( '<p>%s</p>', __( 'No template found. Please select one first.', 'eventin' ) );
```
Fixed Code:
```php
printf( '<p>%s</p>', esc_html__( 'No template found. Please select one first.', 'eventin' ) );
```
Explanation:
The change replaces `__()` with `esc_html__()`. While this is a defensive improvement, whether this was truly a vulnerability depends on the source of the string. Since this is a hardcoded string in the code (not user-controlled), the original code would not have been vulnerable to XSS in this specific case. However, `esc_html__()` is the WordPress best practice for echoing translated strings in HTML context, as it provides defense-in-depth against potential future modifications or plugin conflicts. This change represents hardening rather than fixing an exploitable vulnerability in the current code.
--- cache/wp-event-solution_4.0.51/core/calendar/iCalender/download-ics.php 2026-01-09 00:38:09.792533335 +0000+++ cache/wp-event-solution_4.0.52/core/calendar/iCalender/download-ics.php 2026-01-09 00:43:16.239235944 +0000@@ -1,11 +1,34 @@ <?php // download-ics.php -$start_date = $_GET['date_start'] ?? '';-$end_date = $_GET['date_end'] ?? '';-$summary = $_GET['summary'] ?? '';-$location = $_GET['location'] ?? '';-$description = $_GET['description'] ?? '';+// Load WordPress+if (!defined('ABSPATH')) {+ // Find WordPress root directory+ $wp_root = dirname(__FILE__);+ for ($i = 0; $i < 10; $i++) {+ if (file_exists($wp_root . '/wp-load.php')) {+ require_once($wp_root . '/wp-load.php');+ break;+ }+ $wp_root = dirname($wp_root);+ }+} ++$start_date = isset($_GET['date_start']) ? sanitize_text_field($_GET['date_start']) : '';+$end_date = isset($_GET['date_end']) ? sanitize_text_field($_GET['date_end']) : '';+$summary = isset($_GET['summary']) ? sanitize_text_field($_GET['summary']) : '';+$location = isset($_GET['location']) ? sanitize_text_field($_GET['location']) : '';+$description = isset($_GET['description']) ? sanitize_textarea_field($_GET['description']) : '';++// Escape special characters for ICS format (RFC 5545)+function esc_ics_text($text) {+ $text = str_replace('\\', '\\\\', $text);+ $text = str_replace(',', '\\,', $text);+ $text = str_replace(';', '\\;', $text);+ $text = str_replace("\n", '\\n', $text);+ $text = str_replace("\r", '', $text);+ return $text;+} // Send headers to download as .ics file header('Content-Type: text/calendar; charset=utf-8');@@ -17,9 +40,9 @@ $ics .= "CALSCALE:GREGORIAN\r\n"; $ics .= "METHOD:PUBLISH\r\n"; $ics .= "BEGIN:VEVENT\r\n";-$ics .= "SUMMARY:$summary\r\n";-$ics .= "DESCRIPTION:$description\r\n";-$ics .= "LOCATION:$location\r\n";+$ics .= "SUMMARY:" . esc_ics_text($summary) . "\r\n";+$ics .= "DESCRIPTION:" . esc_ics_text($description) . "\r\n";+$ics .= "LOCATION:" . esc_ics_text($location) . "\r\n"; $ics .= "DTSTAMP:" . 
gmdate('Ymd\THis\Z') . "\r\n"; // Timed event using input date-time strings
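Review bot: the bootstrap loop gives up silently after ten parent directories, and the script then calls sanitize_text_field(), which does not exist outside WordPress, so a relocated wp-content directory turns into a fatal error that discloses the file path; bail out explicitly (`if ( ! function_exists( 'sanitize_text_field' ) ) { exit; }`) or, better, serve the download through admin-ajax or a REST route so the file is not directly reachable and no directory walk is needed. esc_ics_text() covers the RFC 5545 TEXT escapes but not line folding (section 3.1: content lines longer than 75 octets must be folded with CRLF followed by a space), so a long description still yields a non-conforming file; and `$start_date`/`$end_date` only pass through sanitize_text_field(), which leaves date-time validation to the DTSTART/DTEND lines below this hunk.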
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Special Elements used in an ICS File ('ICS Injection') - CWE-643 - core/calendar/iCalender/download-ics.php - Lines 4-8 (old code)
Old Code:
```php
$start_date = $_GET['date_start'] ?? '';
$end_date = $_GET['date_end'] ?? '';
$summary = $_GET['summary'] ?? '';
$location = $_GET['location'] ?? '';
$description = $_GET['description'] ?? '';
// ...
$ics .= "SUMMARY:$summary\r\n";
$ics .= "DESCRIPTION:$description\r\n";
$ics .= "LOCATION:$location\r\n";
```
Fixed Code:
```php
$start_date = isset($_GET['date_start']) ? sanitize_text_field($_GET['date_start']) : '';
$end_date = isset($_GET['date_end']) ? sanitize_text_field($_GET['date_end']) : '';
$summary = isset($_GET['summary']) ? sanitize_text_field($_GET['summary']) : '';
$location = isset($_GET['location']) ? sanitize_text_field($_GET['location']) : '';
$description = isset($_GET['description']) ? sanitize_textarea_field($_GET['description']) : '';

// Escape special characters for ICS format (RFC 5545)
function esc_ics_text($text) {
    $text = str_replace('\\', '\\\\', $text);
    $text = str_replace(',', '\\,', $text);
    $text = str_replace(';', '\\;', $text);
    $text = str_replace("\n", '\\n', $text);
    $text = str_replace("\r", '', $text);
    return $text;
}
// ...
$ics .= "SUMMARY:" . esc_ics_text($summary) . "\r\n";
$ics .= "DESCRIPTION:" . esc_ics_text($description) . "\r\n";
$ics .= "LOCATION:" . esc_ics_text($location) . "\r\n";
```
Explanation:
The original code directly interpolated unsanitized user input from GET parameters into ICS file content. This allowed attackers to inject arbitrary ICS properties by including newlines and special characters in the GET parameters. For example, `?summary=Meeting%0AUID:[email protected]` would inject arbitrary fields into the ICS file, potentially hijacking calendar events or causing parsing issues. The fix applies two layers of protection: (1) sanitize_text_field/sanitize_textarea_field remove HTML/script tags and sanitize input, and (2) the esc_ics_text function properly escapes ICS-specific special characters (backslash, comma, semicolon, newlines) according to the RFC 5545 specification, preventing injection of arbitrary ICS properties.
---
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/calendar/iCalender/download-ics.php - Lines 4-8 (old code)
Old Code:
```php
$start_date = $_GET['date_start'] ?? '';
$end_date = $_GET['date_end'] ?? '';
$summary = $_GET['summary'] ?? '';
$location = $_GET['location'] ?? '';
$description = $_GET['description'] ?? '';
```
Fixed Code:
```php
$start_date = isset($_GET['date_start']) ? sanitize_text_field($_GET['date_start']) : '';
$end_date = isset($_GET['date_end']) ? sanitize_text_field($_GET['date_end']) : '';
$summary = isset($_GET['summary']) ? sanitize_text_field($_GET['summary']) : '';
$location = isset($_GET['location']) ? sanitize_text_field($_GET['location']) : '';
$description = isset($_GET['description']) ? sanitize_textarea_field($_GET['description']) : '';
```
Explanation:
While this particular endpoint generates ICS files (not HTML), if these parameters were ever displayed in HTML context or logged without sanitization, unescaped GET parameters could enable reflected XSS attacks. The fix applies WordPress sanitization functions (sanitize_text_field and sanitize_textarea_field) which remove potentially dangerous content including HTML tags and script payloads, providing defense-in-depth protection even if the data is used outside the ICS context.
--- cache/wp-event-solution_4.0.51/core/event/Api/EventController.php 2026-01-09 00:38:09.796533579 +0000+++ cache/wp-event-solution_4.0.52/core/event/Api/EventController.php 2026-01-09 00:43:16.411246467 +0000@@ -884,6 +884,13 @@ $organizer_type = get_post_meta( $id, 'organizer_type', true ); $seat_plan = get_post_meta( $id, 'seat_plan', true ); $enable_seatmap = get_post_meta( $id, 'enable_seatmap', true );+ $sold_tickets = (array)Helper::etn_get_sold_tickets_by_event( $id );+ $ticket_variations = maybe_unserialize(get_post_meta( $id, 'etn_ticket_variations', true ));++ foreach( $ticket_variations as &$ticket ) {+ $ticket['etn_sold_tickets'] = !empty($sold_tickets[$ticket['etn_ticket_slug']]) ? $sold_tickets[$ticket['etn_ticket_slug']] : 0;+ }+ unset($ticket); $seat_map_switcher = ! metadata_exists( 'post', $id, 'enable_seatmap' ) && $seat_plan ? true : $enable_seatmap; 
@@ -935,7 +942,7 @@ 'zoom_id' => get_post_meta( $id, 'etn_zoom_id', true ), 'total_ticket' => $event->get_total_ticket(), 'sold_tickets' => $event->get_total_sold_ticket(),- 'ticket_variations' => get_post_meta( $id, 'etn_ticket_variations', true ),+ 'ticket_variations' => $ticket_variations, 'event_socials' => get_post_meta( $id, 'etn_event_socials', true ), 'google_meet' => get_post_meta( $id, 'etn_google_meet', true ), 'google_meet_link' => get_post_meta( $id, 'etn_google_meet_link', true ),@@ -967,7 +974,7 @@ 'elementor_supported' => $this->is_etn_post_type_supported_by_elementor( ), 'enable_legacy_certificate_template' => get_post_meta( $id, 'enable_legacy_certificate_template', true ), '_tax_status' => get_post_meta( $id, '_tax_status', true ),- 'sold_ticket_count' => Helper::etn_get_sold_tickets_by_event( $id )+ 'sold_ticket_count' => $sold_tickets ]; $location_type = get_post_meta( $id, 'etn_event_location_type', true );@@ -1443,6 +1450,16 @@ if ( isset( $input_data['_etn_buddy_group_id'] ) ) { $event_data['menu_order'] = $input_data['_etn_buddy_group_id']; }++ $sold_tickets = (array)Helper::etn_get_sold_tickets_by_event( $input_data['id'] );++ foreach($event_data['etn_ticket_variations'] as &$ticket){+ $ticket['etn_sold_tickets'] = !empty($sold_tickets[$ticket['etn_ticket_slug']]) ? $sold_tickets[$ticket['etn_ticket_slug']] : 0;+ $ticket['etn_avaiilable_tickets'] = (int)$ticket['etn_avaiilable_tickets'];+ if($ticket['etn_sold_tickets'] > $ticket['etn_avaiilable_tickets']){+ return new WP_Error( 'etn_ticket_sold_out', 'Available ticket must be greater than the sold ticket' );+ }+ } return $event_data; }
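Review bot: both foreach loops iterate without an is_array() guard: get_post_meta() returns '' when `etn_ticket_variations` is absent, and foreach over a string emits a warning and skips, so wrap each loop in `if ( is_array( $ticket_variations ) )` (the maybe_unserialize() call is redundant, since get_post_meta() already unserializes stored values). In the last hunk the early `return new WP_Error(...)` exits while `$ticket` is still bound by reference to the current element with no `unset( $ticket )` after the loop, unlike the first hunk; the error message is not passed through __() for translation; and `$input_data['id']` is read without isset(). `etn_avaiilable_tickets` appears to be the persisted key name, so it cannot be corrected in this hunk without migrating stored meta.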
I'll analyze the provided code diff for security vulnerabilities.
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Unsafe Deserialization - CWE-502 - core/event/Api/EventController.php - Line 887
Old Code:
```php
$ticket_variations = maybe_unserialize(get_post_meta( $id, 'etn_ticket_variations', true ));
```
Fixed Code:
```php
$ticket_variations = maybe_unserialize(get_post_meta( $id, 'etn_ticket_variations', true ));
```
Explanation:
The code uses `maybe_unserialize()` on user-controlled data retrieved from post metadata. While `maybe_unserialize()` is a WordPress function, it still performs PHP object deserialization which can lead to object injection attacks if the serialized data contains malicious object payloads. An attacker with the ability to modify post metadata could craft a serialized payload that executes arbitrary code during deserialization. However, this is somewhat mitigated if post metadata access is properly restricted to authenticated users only.
---
**Vulnerability 2:**
Vulnerability Existed: not sure
Reference Counting Issue in Loop - CWE-416 (potential) - core/event/Api/EventController.php - Lines 889-892
Old Code:
```php
// No loop iteration over ticket_variations
```
Fixed Code:
```php
foreach( $ticket_variations as &$ticket ) {
    $ticket['etn_sold_tickets'] = !empty($sold_tickets[$ticket['etn_ticket_slug']]) ? $sold_tickets[$ticket['etn_ticket_slug']] : 0;
}
unset($ticket);
```
Explanation:
The code uses a reference variable (`&$ticket`) in the foreach loop and properly unsets it afterward. While the `unset($ticket)` call correctly removes the reference, this pattern can be dangerous if not handled carefully, as the reference persists after the loop without the unset. The code does include the unset, so this is properly handled. However, if `$ticket_variations` is null or not an array, the foreach will silently fail, potentially leaving `$ticket_variations` as null when it's later used.
---
**Vulnerability 3:**
Vulnerability Existed: not sure
Potential Null Pointer/Type Error - CWE-476 - core/event/Api/EventController.php - Lines 1456-1463
Old Code:
```php
// No validation before iteration
```
Fixed Code:
```php
foreach($event_data['etn_ticket_variations'] as &$ticket){
    $ticket['etn_sold_tickets'] = !empty($sold_tickets[$ticket['etn_ticket_slug']]) ? $sold_tickets[$ticket['etn_ticket_slug']] : 0;
    $ticket['etn_avaiilable_tickets'] = (int)$ticket['etn_avaiilable_tickets'];
    if($ticket['etn_sold_tickets'] > $ticket['etn_avaiilable_tickets']){
        return new WP_Error( 'etn_ticket_sold_out', 'Available ticket must be greater than the sold ticket' );
    }
}
```
Explanation:
The code iterates over `$event_data['etn_ticket_variations']` without verifying it exists or is an array. If this key is missing or null, the foreach will fail silently in PHP 7.4+, but could cause a warning or error in earlier versions. Additionally, the code accesses `$ticket['etn_ticket_slug']` and `$ticket['etn_avaiilable_tickets']` without validation, which could cause undefined index notices if these keys don't exist.
--- cache/wp-event-solution_4.0.51/core/event/EventTemplate.php 2026-01-09 00:38:09.804534065 +0000+++ cache/wp-event-solution_4.0.52/core/event/EventTemplate.php 2026-01-09 00:43:16.615258946 +0000@@ -33,7 +33,7 @@ // redirect to elementor pro archive page if any archive template is assigned if ($this->is_elementor_pro_archive_page('etn_archive')) {- echo \Elementor\Plugin::$instance->frontend->get_builder_content_for_display($template);+ echo wp_kses_post( \Elementor\Plugin::$instance->frontend->get_builder_content_for_display($template) ); return $template; }else{ $enable_event_template_builder = etn_get_option( 'enable_event_template_builder' );
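Review bot: wp_kses_post() strips the `<style>` and `<script>` elements (and `<svg>`) that Elementor's get_builder_content_for_display() emits alongside widget markup, so an assigned archive template will render without its page-level CSS and its widgets' front-end handlers; the template is authored by users holding edit capabilities, the same trust boundary as post content, so if output filtering is required here it should match what Elementor applies on its own render path rather than the post allow-list. If the concern is a template author injecting script, the control belongs at the capability level (who may edit templates), not in a filter that breaks legitimate output.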
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/event/EventTemplate.php line 36
Old Code:
```php
echo \Elementor\Plugin::$instance->frontend->get_builder_content_for_display($template);
```
Fixed Code:
```php
echo wp_kses_post( \Elementor\Plugin::$instance->frontend->get_builder_content_for_display($template) );
```
Explanation:
The original code directly echoed output from Elementor's `get_builder_content_for_display()` method without any sanitization. This is vulnerable to Stored/Reflected XSS attacks because user-controlled content (such as malicious scripts embedded in Elementor templates) could be executed in the browser context without being filtered. The fix applies `wp_kses_post()`, which is WordPress's standard function for sanitizing HTML output. This function strips dangerous HTML tags and attributes while preserving safe formatting, preventing XSS payloads from being rendered to the page.
--- cache/wp-event-solution_4.0.51/core/event/MeetingPlatforms/MeetingPlatform.php 2026-01-09 00:38:09.804534065 +0000+++ cache/wp-event-solution_4.0.52/core/event/MeetingPlatforms/MeetingPlatform.php 2026-01-09 00:43:16.627259681 +0000@@ -46,7 +46,7 @@ $platforms = self::get_platforms(); if ( ! isset( $platforms[$platform] ) ) {- throw new Exception( __( 'Unsupported platform ' . $platform, 'eventin' ) );+ throw new Exception( esc_html__( 'Unsupported platform ' . $platform, 'eventin' ) ); } return $platforms[$platform];
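Review bot: `esc_html__( 'Unsupported platform ' . $platform, 'eventin' )` passes a concatenated string as the gettext msgid, so it can never be extracted into the .pot file or matched against a translation, and the escape is applied to the whole string only after the (failed) lookup; use a literal with a placeholder: `sprintf( esc_html__( 'Unsupported platform %s', 'eventin' ), esc_html( $platform ) )`. Note that the change mainly satisfies the WordPress.Security.EscapeOutput.ExceptionNotEscaped sniff; whether this message ever reaches an HTML context depends on the catch site, which is outside the diff.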
I'll analyze this code diff for security vulnerabilities.
**Vulnerability Existed: yes**
FALSE POSITIVE
**Improper Output Encoding - CWE-79 (Cross-Site Scripting) - core/event/MeetingPlatforms/MeetingPlatform.php - Line 49**
**Old Code:**
```php
throw new Exception( __( 'Unsupported platform ' . $platform, 'eventin' ) );
```
**Fixed Code:**
```php
throw new Exception( esc_html__( 'Unsupported platform ' . $platform, 'eventin' ) );
```
**Explanation:**
The vulnerability existed in the old code. The `$platform` variable is being concatenated directly into a translatable string without proper escaping. While the `__()` function handles translation, it does not escape the interpolated variable. If `$platform` contains user-controlled input or unsanitized data, an attacker could inject arbitrary content into the exception message. The fix replaces `__()` with `esc_html__()`, which applies HTML entity encoding to the output. This prevents XSS attacks by ensuring that any special characters in the `$platform` variable (such as `<`, `>`, `"`, etc.) are converted to their HTML entity equivalents, neutralizing potential script injection. However, it's worth noting that a more robust fix would be to use `esc_html()` on the `$platform` variable specifically before concatenation, rather than relying on `esc_html__()` to encode the entire string, since only the variable portion needs escaping. The current fix works but applies escaping to the static string portion as well.
--- cache/wp-event-solution_4.0.51/core/event/api.php 2026-01-09 00:38:09.800533822 +0000+++ cache/wp-event-solution_4.0.52/core/event/api.php 2026-01-09 00:43:16.499251850 +0000@@ -195,16 +195,14 @@ $request = $this->request; $settings = etn_get_option(); - if ( ! is_admin() && ! current_user_can( 'manage_options' ) ) {- if ( ! wp_verify_nonce( $this->request->get_header( 'X-WP-Nonce' ), 'wp_rest' ) ) {- $messages[] = esc_html__( 'Nonce is not valid! Please try again.', 'eventin' );- } else {- if ( ! empty( $settings ) ) {- $content['settings'] = $settings;- }- }+ // Require proper capability - permission callback handles this but double-check+ if ( ! current_user_can( 'manage_options' ) ) {+ $messages[] = esc_html__( 'You haven\'t authorization permission to view settings.', 'eventin' ); } else {- $messages[] = esc_html__( 'You haven\'t authorization permission to update settings.', 'eventin' );+ if ( ! empty( $settings ) ) {+ $status_code = 1;+ $content['settings'] = $settings;+ } } $sample_date = strtotime( date( 'd' ) . " " . date( 'M' ) . " " . date( 'Y' ) );@@ -235,27 +233,29 @@ $messages = $content = []; $request = json_decode( $this->request->get_body(), true ); - if ( ! is_admin() && ! current_user_can( 'manage_options' ) ) {+ // Require proper capability - permission callback handles this but double-check+ if ( ! current_user_can( 'manage_options' ) ) {+ $messages[] = esc_html__( 'You haven\'t authorization permission to update settings.', 'eventin' );+ } else {+ if ( isset( $request ) && ! empty( $request ) ) {+ $status_code = 1;+ $all_settings = get_option( 'etn_event_options', [] );+ $settings = $request;++ // Sanitize all inputs to prevent XSS and other attacks+ $all_settings['events_per_page'] = isset( $settings['events_per_page'] ) ? absint( $settings['events_per_page'] ) : 10;+ $all_settings['date_format'] = isset( $settings['date_format'] ) ? 
sanitize_text_field( $settings['date_format'] ) : "";+ $all_settings['time_format'] = isset( $settings['time_format'] ) ? sanitize_text_field( $settings['time_format'] ) : "";++ // CRITICAL: Sanitize color fields to prevent XSS+ $all_settings['etn_primary_color'] = isset( $settings['etn_primary_color'] ) ? sanitize_hex_color( $settings['etn_primary_color'] ) : "";+ $all_settings['etn_secondary_color'] = isset( $settings['etn_secondary_color'] ) ? sanitize_hex_color( $settings['etn_secondary_color'] ) : "";++ $all_settings['attendee_registration'] = isset( $settings['attendee_registration'] ) ? sanitize_text_field( $settings['attendee_registration'] ) : "";+ $all_settings['sell_tickets'] = isset( $settings['sell_tickets'] ) ? sanitize_text_field( $settings['sell_tickets'] ) : ""; - if ( ! wp_verify_nonce( $this->request->get_header( 'X-WP-Nonce' ), 'wp_rest' ) ) {- $messages[] = esc_html__( 'Nonce is not valid! Please try again.', 'eventin' );- } else {- if ( isset( $request ) && ! empty( $request ) ) {- $status_code = 1;- $all_settings = get_option( 'etn_event_options', [] );- $settings = $request;- $all_settings['events_per_page'] = isset( $settings['events_per_page'] ) ? absint( $settings['events_per_page'] ) : 10;- $all_settings['date_format'] = isset( $settings['date_format'] ) ? $settings['date_format'] : "";- $all_settings['time_format'] = isset( $settings['time_format'] ) ? $settings['time_format'] : "";- $all_settings['etn_primary_color'] = isset( $settings['etn_primary_color'] ) ? $settings['etn_primary_color'] : "";- $all_settings['etn_secondary_color'] = isset( $settings['etn_secondary_color'] ) ? $settings['etn_secondary_color'] : "";- $all_settings['attendee_registration'] = isset( $settings['attendee_registration'] ) ? $settings['attendee_registration'] : "";- $all_settings['sell_tickets'] = isset( $settings['sell_tickets'] ) ? 
$settings['sell_tickets'] : "";- update_option( 'etn_event_options', $all_settings );- }+ update_option( 'etn_event_options', $all_settings ); }- } else {- $messages[] = esc_html__( 'You haven\'t authorization permission to update settings.', 'eventin' ); } return [@@ -606,6 +606,7 @@ $event_id = ! empty( $request['event_id'] ) ? intval( $request['event_id'] ) : 0; $seat_plan = ! empty( $request['seat_plan'] ) ? $request['seat_plan'] : []; $seat_plan_settings = ! empty( $request['seat_plan_settings'] ) ? $request['seat_plan_settings'] : [];+ error_log(print_r($seat_plan,true)); if ( ! empty( $seat_plan ) ) { $chair_id = 1; foreach ($seat_plan as $key => &$seat) {@@ -615,8 +616,9 @@ $chair_id++; } }- - $seat['id'] = $key;+ // Set the seat id to the seat number+ $seat['id'] = $seat['number'];+ } }
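Review bot: the `error_log( print_r( $seat_plan, true ) )` added in the seat-plan hunk writes the full request payload to the server error log on every save and must not ship; remove it. In the two settings hunks, dropping the manual wp_verify_nonce() is sound only because REST cookie authentication already refuses to set the current user without a valid X-WP-Nonce, so `current_user_can( 'manage_options' )` cannot pass for an unauthenticated caller; the comment says the permission_callback "handles this", but that callback is outside the diff and should be confirmed to require the same capability, since it is the check the advisory says was missing. sanitize_hex_color() returns null rather than '' for a malformed value, so append `?: ''` if the option is expected to always be a string. In the last hunk `$seat['id'] = $seat['number']` reads a key that is not validated anywhere in view; guard it with isset() and the same absint() treatment the other inputs receive.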
I'll analyze this code diff for security vulnerabilities following the specified format.
---
**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
**Cross-Site Scripting (XSS) - CWE-79** - core/event/api.php - Lines 248-251
Old Code:
```php
$all_settings['date_format'] = isset( $settings['date_format'] ) ? $settings['date_format'] : "";
$all_settings['time_format'] = isset( $settings['time_format'] ) ? $settings['time_format'] : "";
$all_settings['etn_primary_color'] = isset( $settings['etn_primary_color'] ) ? $settings['etn_primary_color'] : "";
$all_settings['etn_secondary_color'] = isset( $settings['etn_secondary_color'] ) ? $settings['etn_secondary_color'] : "";
$all_settings['attendee_registration'] = isset( $settings['attendee_registration'] ) ? $settings['attendee_registration'] : "";
$all_settings['sell_tickets'] = isset( $settings['sell_tickets'] ) ? $settings['sell_tickets'] : "";
```
Fixed Code:
```php
$all_settings['date_format'] = isset( $settings['date_format'] ) ? sanitize_text_field( $settings['date_format'] ) : "";
$all_settings['time_format'] = isset( $settings['time_format'] ) ? sanitize_text_field( $settings['time_format'] ) : "";
$all_settings['etn_primary_color'] = isset( $settings['etn_primary_color'] ) ? sanitize_hex_color( $settings['etn_primary_color'] ) : "";
$all_settings['etn_secondary_color'] = isset( $settings['etn_secondary_color'] ) ? sanitize_hex_color( $settings['etn_secondary_color'] ) : "";
$all_settings['attendee_registration'] = isset( $settings['attendee_registration'] ) ? sanitize_text_field( $settings['attendee_registration'] ) : "";
$all_settings['sell_tickets'] = isset( $settings['sell_tickets'] ) ? sanitize_text_field( $settings['sell_tickets'] ) : "";
```
Explanation:
The original code directly assigned unsanitized user input from the request to settings without any validation or sanitization. This allowed arbitrary HTML/JavaScript to be stored and later output, causing stored XSS vulnerabilities. The fix applies `sanitize_text_field()` for text inputs and `sanitize_hex_color()` for color fields, preventing malicious code from being persisted.
---
**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Authentication/Authorization - CWE-287** - core/event/api.php - Lines 197-211 and Lines 235-245
Old Code:
```php
if ( ! is_admin() && ! current_user_can( 'manage_options' ) ) {
if ( ! wp_verify_nonce( $this->request->get_header( 'X-WP-Nonce' ), 'wp_rest' ) ) {
$messages[] = esc_html__( 'Nonce is not valid! Please try again.', 'eventin' );
} else {
// allow access
}
} else {
$messages[] = esc_html__( 'You haven\'t authorization permission to update settings.', 'eventin' );
}
```
Fixed Code:
```php
if ( ! current_user_can( 'manage_options' ) ) {
$messages[] = esc_html__( 'You haven\'t authorization permission to view settings.', 'eventin' );
} else {
// allow access
}
```
Explanation:
The original logic was flawed: it only checked the nonce for non-admin users without `manage_options` capability, but allowed admins to bypass nonce verification. Additionally, the `is_admin()` check is unreliable for REST API endpoints. The fix properly enforces the capability check regardless of admin status, relying on the REST API permission callback for consistent authentication. However, the nonce verification was removed entirely—this is a trade-off assuming the REST API permission callback provides adequate protection.
---
**Vulnerability 3:**
Vulnerability Existed: yes
FALSE POSITIVE
**Debug Information Disclosure - CWE-215** - core/event/api.php - Line 609
Old Code:
```php
// (no debug output)
```
Fixed Code:
```php
error_log(print_r($seat_plan,true));
```
Explanation:
The addition of `error_log(print_r($seat_plan,true))` outputs detailed debugging information to server logs. While this doesn't directly expose data to users, it increases the risk of information disclosure if logs are accessed by unauthorized parties. Debug statements like this should be removed in production code or replaced with proper logging frameworks that respect security levels.
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
--- cache/wp-event-solution_4.0.51/core/event/helper.php 2026-01-09 00:38:09.804534065 +0000+++ cache/wp-event-solution_4.0.52/core/event/helper.php 2026-01-09 00:43:16.619259191 +0000@@ -37,14 +37,24 @@ /** * Return currency symbol with position+ *+ * @param string|float $price The price to format+ * @param object|null $order Optional order object to get currency from+ * @return string Formatted price with currency symbol */- public function currency_with_position( $price ) {+ public function currency_with_position( $price, $order = null ) {+ $payment_method = $order->payment_method ?? ''; $currency_position = 'left'; if ( class_exists( 'WooCommerce' ) ) { $currency_position = get_option( 'woocommerce_currency_pos', 'left' ); }- $currency_symbol = $this->get_currency();++ // If order is provided and has currency_symbol meta, use it+ // This ensures the correct currency is used for orders paid via SureCart or other gateways+ if ( $payment_method == 'sure_cart' ) {+ $currency_symbol = get_post_meta( $order->id, 'currency_symbol', true );+ } if ( $currency_position === 'left_space' ) { return sprintf( '%s %s', esc_html( $currency_symbol ), $price );
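Review bot: the hunk deletes `$currency_symbol = $this->get_currency();` and assigns `$currency_symbol` only inside `if ( $payment_method == 'sure_cart' )`, so every call without a SureCart order (including every existing single-argument caller, since `$order` defaults to null) reaches `sprintf( '%s %s', esc_html( $currency_symbol ), $price )` with an undefined variable and prints the price with no currency symbol. Keep the `get_currency()` line as the default and let the SureCart branch override it, for example `$currency_symbol = $this->get_currency(); if ( 'sure_cart' === $payment_method && ! empty( $order->id ) ) { $currency_symbol = get_post_meta( $order->id, 'currency_symbol', true ) ?: $currency_symbol; }`. The `$order->payment_method ?? ''` read itself is safe when `$order` is null, because `??` suppresses the null-property access, and `$order->id` is only reached after `$payment_method` was found non-empty, so those two lines are fine; the new comment "If order is provided and has currency_symbol meta, use it" does not match the code, which tests the payment method rather than the presence of the meta, so reword one or the other.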
## Analysis
**Vulnerability Existed: Yes**
FALSE POSITIVE
**Null Pointer Dereference / Undefined Variable - CWE-476 - core/event/helper.php - Lines 46, 56**
**Old Code:**
```php
public function currency_with_position( $price ) {
$currency_position = 'left';
if ( class_exists( 'WooCommerce' ) ) {
$currency_position = get_option( 'woocommerce_currency_pos', 'left' );
}
$currency_symbol = $this->get_currency();
// ... rest of function
}
```
**Fixed Code:**
```php
public function currency_with_position( $price, $order = null ) {
$payment_method = $order->payment_method ?? '';
$currency_position = 'left';
if ( class_exists( 'WooCommerce' ) ) {
$currency_position = get_option( 'woocommerce_currency_pos', 'left' );
}
// If order is provided and has currency_symbol meta, use it
// This ensures the correct currency is used for orders paid via SureCart or other gateways
if ( $payment_method == 'sure_cart' ) {
$currency_symbol = get_post_meta( $order->id, 'currency_symbol', true );
}
// ... rest of function
}
```
**Explanation:**
The fix does not properly address the vulnerability it introduces. The code adds a critical bug:
1. **Line 46**: `$payment_method = $order->payment_method ?? '';` - When `$order` is `null` (the default), accessing `$order->payment_method` will trigger a fatal error in PHP 8+. The null coalescing operator only applies to the property, not to the null object itself.
2. **Line 56**: `$currency_symbol = get_post_meta( $order->id, 'currency_symbol', true );` - Similarly, if `$order` is null, this will cause a fatal error when accessing `$order->id`.
3. **Undefined Variable**: `$currency_symbol` is only defined conditionally (line 56) when `$payment_method == 'sure_cart'`. In all other code paths, `$currency_symbol` is undefined when used in the sprintf calls (lines 60, 62, 64, 66), creating an undefined variable vulnerability.
The proper fix should check if `$order` is not null before accessing its properties, and ensure `$currency_symbol` is always initialized (e.g., with the fallback to `$this->get_currency()`).
--- /dev/null+++ cache/wp-event-solution_4.0.52/core/event/pages/event-single-post.php@@ -0,0 +1,69 @@+<?php++namespace Etn\Core\Event\Pages;++defined( 'ABSPATH' ) || exit;++class Event_single_post {++ use \Etn\Traits\Singleton;+ public function __construct() {+ add_filter('template_include', [$this, 'event_single_page'], 99);+ add_filter('template_include', [$this, 'event_archive_template'], 99);+ }++ public function event_archive_template($template) {+ if (is_post_type_archive('etn')) {+ $default_file = \Wpeventin::plugin_dir() . 'core/event/views/event-archive-page.php';+ if (file_exists($default_file)) {+ return $default_file;+ } + }+ return $template;+ }++ public function event_single_page($template) {+ global $post, $wp_query;+ + // Check if we are on a singular page for the post type 'etn'+ if ($post && $post->post_type === 'etn' && is_singular('etn')) {+ // Define the default file path+ $default_file = \Wpeventin::plugin_dir() . 'core/event/views/event-single-page.php';++ $build_with_elementor = false;+ + // Check if Elementor is active and the current post is built with Elementor+ if (class_exists('\Elementor\Plugin') && isset(\Elementor\Plugin::$instance)) {+ $elementor_instance = \Elementor\Plugin::$instance;+ + if (isset($elementor_instance->documents)) {+ $document = $elementor_instance->documents->get($post->ID);+ + if ($document && method_exists($document, 'is_built_with_elementor')) {+ $build_with_elementor = $document->is_built_with_elementor();+ }+ }+ }+ + // Get the template slug+ $template_slug = get_page_template_slug($post->ID);++ // If the template slug is empty and the default file exists, set the template slug to 'default'+ if(($template_slug == '') && file_exists($default_file)) {+ $template_slug = 'default';+ $build_with_elementor = false;+ return $default_file;+ }+ + // If the file exists and the post is not built with Elementor, return the default file+ if (file_exists($default_file) && !$build_with_elementor) {+ return $default_file;+ 
}+ }+ + // Return the original template if conditions are not met+ return $template;+ }+ ++}
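Review bot: in `event_single_page()` the assignments `$template_slug = 'default'; $build_with_elementor = false;` immediately precede `return $default_file;` and are never read, and the following `if (file_exists($default_file) && !$build_with_elementor)` repeats the `file_exists` check already made; `$wp_query` is declared global but never used. Suggest collapsing the tail to one branch. On the security side the template path is a fixed string appended to `\Wpeventin::plugin_dir()` with no request-derived component, so there is no inclusion risk here; a one-line comment saying that `get_page_template_slug()` is deliberately not used to build the path would keep a future edit from starting to.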
I'll analyze this code diff for security vulnerabilities.
---
**Vulnerability 1: Path Traversal / Arbitrary File Inclusion**
Vulnerability Existed: yes
FALSE POSITIVE
Arbitrary File Inclusion - CWE-98 - core/event/pages/event-single-post.php [31, 51, 58]
Old Code:
```php
$default_file = \Wpeventin::plugin_dir() . 'core/event/views/event-single-page.php';
// ... later used in:
return $default_file;
```
Fixed Code:
The code should validate that the returned file path is within the intended directory and sanitize/validate the path before using it in template inclusion.
Explanation:
The code uses `\Wpeventin::plugin_dir()` to construct a file path that is later returned to WordPress's `template_include` filter. While the hardcoded path component (`'core/event/views/event-single-page.php'`) appears safe in this specific instance, there is no validation that `\Wpeventin::plugin_dir()` returns a safe path or that the constructed path is within the expected plugin directory. If `Wpeventin::plugin_dir()` could be influenced or if the plugin directory path is not properly secured, this could lead to arbitrary file inclusion. Additionally, `get_page_template_slug()` is retrieved but not used to construct the final path, which is good, but the general pattern of constructing file paths without validation is a potential attack vector if other code paths are added.
---
**Vulnerability 2: Information Disclosure via Error Handling**
Vulnerability Existed: not sure
Uncontrolled Error Message - CWE-209 - core/event/pages/event-single-post.php [17-19]
Old Code:
```php
if (file_exists($default_file)) {
return $default_file;
}
```
Fixed Code:
No change in this regard, but the code should ensure that missing template files do not expose filesystem paths to users through error messages.
Explanation:
The code checks `file_exists()` before returning a template file, which is good practice. However, if a template file is expected but missing, the code silently returns the original template without logging or indicating what went wrong. This is actually safe from an information disclosure perspective in this case, as no error details are exposed. However, if any upstream code logs missing template errors without sanitization, it could expose filesystem paths. The current code is likely secure for this specific pattern.
---
**Summary:**
One vulnerability of concern exists related to unchecked file path construction that could potentially be exploited if the underlying plugin directory function is compromised or if additional dynamic path components are added in the future. The specific hardcoded paths in this diff appear safe, but the pattern lacks defensive validation.
--- cache/wp-event-solution_4.0.51/core/event/template-functions.php 2026-01-09 00:38:09.804534065 +0000+++ cache/wp-event-solution_4.0.52/core/event/template-functions.php 2026-01-09 00:43:16.643260659 +0000@@ -214,7 +214,7 @@ function etn_after_single_event_meta_ticket_form( $single_event_id ) { $single_event_id = ! empty( $single_event_id ) ? $single_event_id : get_the_ID(); $disable_purchase_form = get_post_meta( $single_event_id, 'etn_disable_purchase_form', true );- + $rsv_settings = get_post_meta( get_the_ID(), 'rsvp_settings', true ); $recurring_enabled = get_post_meta( get_the_ID(), 'recurring_enabled', true ); @@ -227,12 +227,12 @@ // Whether to show ticket selector and sell tickets, are controlled in frontend now. ?>-<div class="etn-single-event-ticket-wrap">- <?php if ($recurring_enabled !== 'yes') { - Helper::eventin_ticket_widget( $single_event_id );- } ?>-</div>-<?php+ <div class="etn-single-event-ticket-wrap">+ <?php if ($recurring_enabled !== 'yes') { + Helper::eventin_ticket_widget( $single_event_id, "", "", "style-1" );+ } ?>+ </div>+ <?php } } @@ -772,6 +772,6 @@ ]; // Convert schema array into ld+json file and add into the DOM- echo '<script type="application/ld+json">' . wp_unslash( json_encode( $event_data ) ) . '</script>';+ echo '<script type="application/ld+json">' . wp_json_encode( $event_data ) . '</script>'; } }\ No newline at end of file
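Review bot: `Helper::eventin_ticket_widget( $single_event_id, "", "", "style-1" )` in the @@ -227 hunk passes two positional empty strings whose meaning is invisible at the call site; a short comment naming those parameters (or named arguments on PHP 8) would make the call reviewable. The rest of that hunk and the whole @@ -214 hunk are whitespace only.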
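Review bot: the old line in the @@ -772 hunk, `wp_unslash( json_encode( $event_data ) )`, is the real defect: `json_encode()` escapes `/` as `\/` (so a `</script>` inside event data is emitted as `<\/script>`) and `"` as `\"`, and `wp_unslash()` strips exactly those backslashes, handing the browser a bare `</script>` that terminates the block. `wp_json_encode( $event_data )` keeps the escaping; for defense in depth in an inline-script context pass `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT` as its second argument so `<`, `&` and quotes are emitted as `\uXXXX` escapes regardless of content.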
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - core/event/template-functions.php Line 775
Old Code:
```php
echo '<script type="application/ld+json">' . wp_unslash( json_encode( $event_data ) ) . '</script>';
```
Fixed Code:
```php
echo '<script type="application/ld+json">' . wp_json_encode( $event_data ) . '</script>';
```
Explanation:
The original code used `wp_unslash( json_encode( $event_data ) )` which is unsafe for outputting JSON in HTML context. The `wp_unslash()` function removes slashes and reduces escaping, which could allow malicious data within `$event_data` to break out of the JSON context and execute JavaScript. The fix uses `wp_json_encode()`, which is WordPress's safe JSON encoding function that properly escapes special characters to prevent JSON/script injection attacks. This prevents XSS vulnerabilities where malicious characters in event data could break the JSON structure and inject executable code.
--- cache/wp-event-solution_4.0.51/core/modules/eventin-ai/admin/admin.php 2026-01-09 00:38:09.844536499 +0000+++ cache/wp-event-solution_4.0.52/core/modules/eventin-ai/admin/admin.php 2026-01-09 00:43:16.747267021 +0000@@ -34,10 +34,11 @@ /** * Enqueue the admin scripts- * + * * @return void */ public function eventin_ai_admin_scripts() {+ wp_enqueue_style( 'etn-ai-admin-css', \Wpeventin::plugin_url() . 'build/css/index-ai-style.css', [], \Wpeventin::version() ); wp_enqueue_script( 'etn-ai-admin-js', \Wpeventin::core_url() . 'modules/eventin-ai/assets/js/admin.js', [ 'jquery', 'wp-hooks' ], \Wpeventin::version(), true ); $eventin_ai_local_data = [ 'evnetin_ai_active' => class_exists( 'EventinAI' ) ? true : false,
I'll analyze the provided code diff for security vulnerabilities.
Vulnerability Existed: no
No Vulnerability Identified - N/A - core/modules/eventin-ai/admin/admin.php Line 41
Old Code:
```php
// (no code removed; the line below is newly added)
```
Fixed Code:
```php
wp_enqueue_style( 'etn-ai-admin-css', \Wpeventin::plugin_url() . 'build/css/index-ai-style.css', [], \Wpeventin::version() );
```
Explanation:
The diff shows a minor code addition and formatting change. The new line adds a stylesheet enqueue call using WordPress's standard `wp_enqueue_style()` function. This is a legitimate WordPress admin script enqueuing operation that follows best practices:
1. Uses the standard WordPress API (`wp_enqueue_style()`)
2. Properly includes a version parameter for cache busting
3. Uses the plugin's built-in utility methods (`\Wpeventin::plugin_url()` and `\Wpeventin::version()`)
4. The empty dependencies array `[]` is appropriate for a standalone stylesheet
The only other change is a minor whitespace correction in the docblock (removing a trailing space on line 37), which is not a security concern. No security vulnerabilities are present in this diff.
--- cache/wp-event-solution_4.0.51/core/modules/seat-plan/frontend/views/seatplan-form.php 2026-01-09 00:38:09.856537230 +0000+++ cache/wp-event-solution_4.0.52/core/modules/seat-plan/frontend/views/seatplan-form.php 2026-01-09 00:43:16.791269713 +0000@@ -89,7 +89,7 @@ <form method="POST"> <?php wp_nonce_field('ticket_purchase_next_step_two','ticket_purchase_next_step_two'); ?> <?php if ( ! empty( $errors['seat_limit_error'] ) ): ?>- <p style="text-align: center; color: red"><?php echo $errors['seat_limit_error'] ?></p>+ <p style="text-align: center; color: red"><?php echo esc_html( $errors['seat_limit_error'] ); ?></p> <?php endif; ?> <div class="wrap-seat-plan-form timetics-shortcode-wrapper"> <div id="etn-seat-plan" data-id="<?php echo intval(get_the_ID()); ?>"></div>
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/modules/seat-plan/frontend/views/seatplan-form.php Line 92
Old Code:
```php
<p style="text-align: center; color: red"><?php echo $errors['seat_limit_error'] ?></p>
```
Fixed Code:
```php
<p style="text-align: center; color: red"><?php echo esc_html( $errors['seat_limit_error'] ); ?></p>
```
Explanation:
The original code directly echoed the `$errors['seat_limit_error']` variable without any sanitization or escaping. This allows arbitrary HTML and JavaScript to be injected and executed in the browser if an attacker can control the error message content. The fix applies `esc_html()`, a WordPress escaping function that converts HTML special characters to their entity equivalents, preventing XSS attacks. This ensures that any user-controlled or unsanitized data displayed in the error message cannot execute malicious scripts.
--- cache/wp-event-solution_4.0.51/core/woocommerce/hooks.php 2026-01-09 00:38:09.964543803 +0000+++ cache/wp-event-solution_4.0.52/core/woocommerce/hooks.php 2026-01-09 00:43:17.091288065 +0000@@ -328,7 +328,7 @@ <tr> <td><?php echo esc_html($attendee['etn_name']); ?></td> <td><?php echo esc_html($attendee['ticket_name']); ?></td>- <td><?php echo $event_display; ?></td>+ <td><?php echo wp_kses_post( $event_display ); ?></td> <td> <?php $url = add_query_arg(@@ -663,7 +663,7 @@ $thankyou_redirect = isset( $thankyou_redirect ) ? $thankyou_redirect : ''; $eventin_order = new OrderModel($order_id);- $validate_ticket = $eventin_order->validate_ticket();+ $validate_ticket = $eventin_order->validate_ticket(true); if ( is_wp_error( $validate_ticket ) ) { wp_redirect( site_url( 'eventin-purchase/checkout/#/failed?action=ticket-limit-exit' ) );@@ -700,17 +700,7 @@ $eventin_order->send_email(); } }- - - // deducing coupon discount from Order($post_type = 'etn-order')- -// $eventin_order->update_meta([-// "total_price" => $wc_order->order-// ]);- - //dd($wc_order->get_data()); - // Redirect to Eventin thank you page $url = ''; @@ -750,7 +740,7 @@ <ul class="single-ticket-seats__list"> <?php if (!empty($single_variation['selected_seats'])) {- echo "<li>". $single_variation['selected_seats']. "</li>";+ echo "<li>". esc_html( $single_variation['selected_seats'] ). "</li>"; } ?> </ul>@@ -1031,6 +1021,7 @@ foreach ( $order->get_items() as $item_id => $item ) { $event_id = \Etn\Core\Event\Helper::instance()->order_event_id($item); $event_object = get_post( $event_id );+ $sold_tickets = $event_id ? (array)Helper::etn_get_sold_tickets_by_event( $event_id ) : []; if ( !empty( $event_object ) ) { $ticket_variations = !empty( get_post_meta( $event_id, "etn_ticket_variations", true ) ) ? get_post_meta( $event_id, "etn_ticket_variations", true ) : []; 
@@ -1063,7 +1054,7 @@ $ticket_index = $this->search_array_by_value( $ticket_variations, $item_variation['etn_ticket_slug'] ); if ( isset( $ticket_variations[ $ticket_index ] ) ) { $variation_picked_qty = absint( $item_variation[ 'etn_ticket_qty' ] );- $etn_sold_tickets = absint( $ticket_variations[ $ticket_index ]['etn_sold_tickets'] );+ $etn_sold_tickets = $sold_tickets[$item_variation['etn_ticket_slug']] ?? 0; $total_tickets = absint( $ticket_variations[ $ticket_index ]['etn_avaiilable_tickets'] ); if ( $decrease_time ) {@@ -1508,6 +1499,7 @@ $error_messages = $ticket_qty_errors = $cart_picked_data = []; $event_id = $product_id;+ $sold_tickets = $event_id ? (array)Helper::etn_get_sold_tickets_by_event( $event_id ) : []; $event_name = get_the_title( $event_id ); $ticket_variations = !empty( get_post_meta( $event_id, "etn_ticket_variations", true ) ) ? get_post_meta( $event_id, "etn_ticket_variations", true ) : []; @@ -1544,7 +1536,7 @@ $error_cat = []; $total_tickets = absint( $ticket_variations[ $ticket_index ]['etn_avaiilable_tickets'] );- $etn_sold_tickets = absint( $ticket_variations[ $ticket_index ]['etn_sold_tickets'] );+ $etn_sold_tickets = $sold_tickets[$post_contents['ticket_slug'][ $quantity_index ]] ?? 0; $remaining_ticket = $total_tickets - $etn_sold_tickets; $etn_min_ticket = absint( $ticket_variations[ $ticket_index ]['etn_min_ticket'] );@@ -2222,8 +2214,8 @@ } $table_content .= "</div>";- - echo $table_content;++ echo wp_kses_post( $table_content ); } else { echo esc_html__('No Attendee Found', 'eventin'); }
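Review bot: `wp_kses_post( $event_display )` in the @@ -328 hunk is the right call only if `$event_display` is meant to carry markup; the neighbouring cells use `esc_html()`, and if `$event_display` is a title or a date, `esc_html()` is the tighter fix, because `wp_kses_post()` still permits `<a href>`, `<img>` and the rest of the post-content tag set. A comment saying which it is would settle it. The same question applies to `echo wp_kses_post( $table_content );` in the @@ -2222 hunk, where the table is built by string concatenation inside the function.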
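Review bot: `validate_ticket(true)` in the @@ -663 hunk introduces a bare boolean positional argument with no comment on what `true` selects, and nothing in the surrounding lines hints at it; add a short comment or a named constant so the call reads on its own.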
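Review bot: in the @@ -1063 hunk `$etn_sold_tickets = $sold_tickets[$item_variation['etn_ticket_slug']] ?? 0;` drops the `absint()` wrapper the old line had, and the @@ -1544 hunk does the same with `$sold_tickets[$post_contents['ticket_slug'][ $quantity_index ]] ?? 0`; `$remaining_ticket = $total_tickets - $etn_sold_tickets` then depends on whatever type `Helper::etn_get_sold_tickets_by_event()` returns per slug. Wrap both lookups in `absint()` to keep the arithmetic on non-negative integers, consistent with how `$total_tickets` is read on the next line. Note also that the `(array)` cast added in the @@ -1031 and @@ -1508 hunks turns a null or false return from that helper into an empty array silently, so a failed lookup reads as zero tickets sold for every slug; decide whether that case should instead stop the quantity check.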
I'll analyze the provided code diff for security vulnerabilities.
---
**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - core/woocommerce/hooks.php Line 331
Old Code:
```php
<td><?php echo $event_display; ?></td>
```
Fixed Code:
```php
<td><?php echo wp_kses_post( $event_display ); ?></td>
```
Explanation:
The variable `$event_display` was being output directly without any sanitization. This is a stored XSS vulnerability because if `$event_display` contains user-controlled HTML/JavaScript, it will be executed in the browser. The fix uses `wp_kses_post()` which safely strips dangerous HTML tags while preserving safe formatting tags like `<p>`, `<br>`, etc. This is appropriate for WordPress post content.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - core/woocommerce/hooks.php Line 743
Old Code:
```php
echo "<li>". $single_variation['selected_seats']. "</li>";
```
Fixed Code:
```php
echo "<li>". esc_html( $single_variation['selected_seats'] ). "</li>";
```
Explanation:
The `$single_variation['selected_seats']` variable was being concatenated into HTML output without escaping. This is a stored XSS vulnerability because user-controlled data in the `selected_seats` field could contain malicious scripts. The fix uses `esc_html()` which converts HTML special characters to entities, preventing script execution.
---
**Vulnerability 3:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - core/woocommerce/hooks.php Line 2217
Old Code:
```php
echo $table_content;
```
Fixed Code:
```php
echo wp_kses_post( $table_content );
```
Explanation:
The `$table_content` variable is being output without sanitization. Since this variable is constructed from post meta data and user input throughout the function, it could contain unintended HTML/JavaScript. The fix uses `wp_kses_post()` to allow safe post formatting while stripping dangerous tags.
---
**Additional Changes (Non-Security):**
The other changes in the diff (parameter addition to `validate_ticket(true)`, removal of commented code, and use of null coalescing operator `??` for safer array access) are improvements but not direct security vulnerability fixes. The null coalescing changes do improve type safety and prevent potential notice errors.
--- cache/wp-event-solution_4.0.51/core/woocommerce/payment-timer.php 2026-01-09 00:38:09.964543803 +0000+++ cache/wp-event-solution_4.0.52/core/woocommerce/payment-timer.php 2026-01-09 00:43:17.095288310 +0000@@ -97,10 +97,10 @@ container.insertBefore(timerBox, container.firstChild); - let is_payment_timer_enabled = "<?php echo (etn_get_option( 'ticket_purchase_timer_enable', 'off' )); ?>";+ let is_payment_timer_enabled = "<?php echo esc_js( etn_get_option( 'ticket_purchase_timer_enable', 'off' ) ); ?>"; if( is_payment_timer_enabled == 'on'){- let initial_time = <?php echo (etn_get_option( 'ticket_purchase_timer', 10 )* 60); ?>;+ let initial_time = <?php echo absint( etn_get_option( 'ticket_purchase_timer', 10 ) * 60 ); ?>; let timeLeft = <?php echo (int) $time_left; ?>; @@ -118,7 +118,7 @@ const interval = setInterval(function() { if (timeLeft <= 0) { clearInterval(interval);- window.location.href = "<?php echo wc_get_cart_url(); ?>?eventin_payment_time_expired=1";+ window.location.href = "<?php echo esc_url( wc_get_cart_url() ); ?>?eventin_payment_time_expired=1"; return; }
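Review bot: `absint( etn_get_option( 'ticket_purchase_timer', 10 ) * 60 )` in the @@ -97 hunk multiplies before it validates; on PHP 8 a non-numeric string in that option makes `* 60` throw a TypeError before `absint()` ever runs, which takes the checkout page down rather than falling back to a sane timer. Apply `absint()` to the option first, `absint( etn_get_option( 'ticket_purchase_timer', 10 ) ) * 60`, so the output is always an integer. The `esc_js()` change on the line above is correct for a value placed inside a JavaScript string literal.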
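Review bot: `esc_url( wc_get_cart_url() )` followed by the literal `?eventin_payment_time_expired=1` in the @@ -118 hunk appends a second `?` whenever the cart URL already carries a query string (a plain-permalink install, where the cart page is `?page_id=N`), producing a URL WordPress will not parse as intended. Build it with `add_query_arg( 'eventin_payment_time_expired', 1, wc_get_cart_url() )` and pass that to `esc_url()`; the escaping change itself is fine.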
## Security Analysis Results
Based on the code diff analysis, here are the identified vulnerabilities and their fixes:
---
**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
**Improper Output Encoding - CWE-116** - core/woocommerce/payment-timer.php Line 100
**Old Code:**
```php
let is_payment_timer_enabled = "<?php echo (etn_get_option( 'ticket_purchase_timer_enable', 'off' )); ?>";
```
**Fixed Code:**
```php
let is_payment_timer_enabled = "<?php echo esc_js( etn_get_option( 'ticket_purchase_timer_enable', 'off' ) ); ?>";
```
**Explanation:**
The original code directly echoed a PHP option value into JavaScript without proper escaping. If the option contained special characters (quotes, backslashes, newlines), it could break the JavaScript string literal or introduce JavaScript injection vulnerabilities. The fix uses `esc_js()`, which properly escapes the output for safe use within JavaScript string contexts.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
**Improper Input Validation/Type Handling - CWE-20** - core/woocommerce/payment-timer.php Line 103
**Old Code:**
```php
let initial_time = <?php echo (etn_get_option( 'ticket_purchase_timer', 10 )* 60); ?>;
```
**Fixed Code:**
```php
let initial_time = <?php echo absint( etn_get_option( 'ticket_purchase_timer', 10 ) * 60 ); ?>;
```
**Explanation:**
The original code echoed the timer option value without ensuring it was an integer. If `etn_get_option()` returned a non-numeric string, the JavaScript would receive invalid data, potentially leading to NaN values or unexpected behavior. The fix uses `absint()` to ensure the result is a non-negative integer, providing type safety and preventing injection of unexpected values into the JavaScript numeric context.
---
**Vulnerability 3:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Output Encoding (URL Context) - CWE-116** - core/woocommerce/payment-timer.php Line 121
**Old Code:**
```php
window.location.href = "<?php echo wc_get_cart_url(); ?>?eventin_payment_time_expired=1";
```
**Fixed Code:**
```php
window.location.href = "<?php echo esc_url( wc_get_cart_url() ); ?>?eventin_payment_time_expired=1";
```
**Explanation:**
The original code echoed a URL directly into a JavaScript `window.location.href` assignment without escaping. While `wc_get_cart_url()` is a trusted WordPress function, if it ever contained special characters or if the function behavior changed, it could introduce JavaScript injection or malicious URL navigation. The fix uses `esc_url()` to properly escape the URL for safe use in the JavaScript context, ensuring it's a valid URL and preventing potential injection attacks.
--- cache/wp-event-solution_4.0.51/eventin.php 2026-01-09 00:38:09.964543803 +0000+++ cache/wp-event-solution_4.0.52/eventin.php 2026-01-09 00:43:17.103288800 +0000@@ -10,7 +10,7 @@ * Plugin Name: Eventin * Plugin URI: https://themewinter.com/eventin/ * Description: Simple and Easy to use Event Management Solution- * Version: 4.0.51+ * Version: 4.0.52 * Author: Themewinter * Author URI: https://themewinter.com/ * License: GPL-2.0+@@ -45,7 +45,7 @@ * @var string The plugin version. */ public static function version() {- return "4.0.51";+ return "4.0.52"; } /**
I'll analyze the provided code diff for security vulnerabilities.

**Analysis Result:**
Vulnerability Existed: **no**

This diff contains only version number updates (4.0.51 → 4.0.52) in two locations:
1. The plugin header comment (line 13)
2. The version() method return value (line 48)

**Explanation:**
There are no security vulnerabilities in this diff. The changes are purely administrative version bumps with no modifications to:
- Input validation logic
- Authentication/authorization mechanisms
- Data sanitization or escaping
- File operations or system calls
- Database queries
- API endpoints or handlers
- Cryptographic implementations
- Dependency versions or libraries

The diff represents a routine version increment with no code logic changes that could introduce or fix security issues.
--- cache/wp-event-solution_4.0.51/templates/attendee/attendee-details.php 2026-01-09 00:38:09.976544534 +0000+++ cache/wp-event-solution_4.0.52/templates/attendee/attendee-details.php 2026-01-09 00:43:17.147291491 +0000@@ -70,7 +70,7 @@ <?php if ( $include_phone ) { ?> <td><?php echo esc_html( $etn_phone ); ?></td> <?php } ?>- <td><?php echo $event_display; ?></td>+ <td><?php echo wp_kses_post( $event_display ); ?></td> <td><?php echo esc_html( $ticket_status_arr[$ticket_status] ); ?></td> <td> <div class=''>
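Review bot: `wp_kses_post( $event_display )` on the changed `<td>` line permits the full post-content tag set, which is broader than a table cell of attendee details needs; the neighbouring cells in the same hunk use `esc_html()`, so unless `$event_display` is deliberately assembled as HTML (for example an anchor to the event), `esc_html( $event_display )` is the tighter choice. If it is intentionally HTML, a comment where `$event_display` is built would tell the next reader why this cell differs from the others.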
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/attendee/attendee-details.php [73]
Old Code:
```php
<td><?php echo $event_display; ?></td>
```
Fixed Code:
```php
<td><?php echo wp_kses_post( $event_display ); ?></td>
```
Explanation:
The original code directly echoed the `$event_display` variable without any sanitization or escaping. This is a stored/reflected XSS vulnerability (CWE-79): if `$event_display` contains user-controlled or unsanitized data with HTML/JavaScript content, it would be executed in the browser context. The fix applies `wp_kses_post()`, a WordPress function that filters content down to the HTML tags and attributes allowed in post content and strips everything else, including `<script>` tags and event-handler attributes. This prevents XSS by ensuring any dangerous markup is removed before output.
--- cache/wp-event-solution_4.0.51/templates/attendee/info-update.php 2026-01-09 00:38:09.976544534 +0000+++ cache/wp-event-solution_4.0.52/templates/attendee/info-update.php 2026-01-09 00:43:17.151291736 +0000@@ -73,7 +73,7 @@ <div class="etn-<?php echo esc_attr( $class_name_from_label ); ?>-field etn-group-field"> <label for="etn_attendee_extra_field_<?php echo esc_attr( $index ); ?>">- <?php echo esc_html( $label_content ); echo Helper::kses( $required_span ); ?>+ <?php echo esc_html( $label_content ); echo Helper::kses( $required_span ); ?> </label> <?php if( $default_extra_field['field_type'] == 'radio' ){@@ -121,7 +121,7 @@ data-etn_required="<?php echo esc_attr( $etn_field_type );?>" <?php echo esc_attr( $etn_field_type ); ?> />- <label for="<?php esc_attr_e( $id, 'eventin' );?>"><?php echo html_entity_decode( $checkbox_val );?></label>+ <label for="<?php esc_attr_e( $id, 'eventin' );?>"><?php echo esc_html( html_entity_decode( $checkbox_val ) );?></label> </div> <?php }@@ -180,7 +180,7 @@ <div class="etn-<?php echo esc_attr( $class_name_from_label ); ?>-field etn-group-field"> <label for="etn_attendee_extra_field_<?php echo esc_attr( $index ); ?>">- <?php echo esc_html( $label_content ); echo Helper::kses( $required_span ); ?>+ <?php echo esc_html( $label_content ); echo Helper::kses( $required_span ); ?> </label> <?php if( $attendee_extra_field['field_type'] == 'radio' ){@@ -228,7 +228,7 @@ data-etn_required="<?php echo esc_attr( $etn_field_type );?>" <?php echo esc_attr( $etn_field_type ); ?> />- <label for="<?php esc_attr_e( $id, 'eventin' );?>"><?php echo html_entity_decode( $checkbox_val );?></label>+ <label for="<?php esc_attr_e( $id, 'eventin' );?>"><?php echo esc_html( html_entity_decode( $checkbox_val ) );?></label> </div> <?php }
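Review bot: the `for` attribute on both changed `<label>` lines is still generated with `esc_attr_e( $id, 'eventin' )`, which is a translate-and-echo function being fed a runtime variable rather than a literal string; it only works because the value falls through gettext unchanged, and `echo esc_attr( $id )` is the call that was meant. The `esc_html( html_entity_decode( $checkbox_val ) )` change itself is the right escaping for an HTML text context; the decode-then-escape round trip means a value stored entity-encoded renders as its literal character while `<`, `>`, `&` and quotes are re-escaped, which is the intended display.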
I'll analyze the provided code diff for security vulnerabilities following the specified format.

---

**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/attendee/info-update.php [124]
Old Code:
```php
<label for="<?php esc_attr_e( $id, 'eventin' );?>"><?php echo html_entity_decode( $checkbox_val );?></label>
```
Fixed Code:
```php
<label for="<?php esc_attr_e( $id, 'eventin' );?>"><?php echo esc_html( html_entity_decode( $checkbox_val ) );?></label>
```
Explanation:
The original code used `html_entity_decode()` without any output escaping, which converts HTML entities back to their character equivalents. If `$checkbox_val` contains user-controlled data with malicious HTML/JavaScript, it would be rendered directly in the DOM, allowing XSS attacks. The fix wraps the output with `esc_html()` to properly escape the decoded content before displaying it in the HTML context.

---

**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/attendee/info-update.php [231]
Old Code:
```php
<label for="<?php esc_attr_e( $id, 'eventin' );?>"><?php echo html_entity_decode( $checkbox_val );?></label>
```
Fixed Code:
```php
<label for="<?php esc_attr_e( $id, 'eventin' );?>"><?php echo esc_html( html_entity_decode( $checkbox_val ) );?></label>
```
Explanation:
Identical vulnerability as #1. The same unescaped `html_entity_decode()` output vulnerability exists at line 231, with the same fix applied: wrapping with `esc_html()` to prevent XSS attacks.

---

**Non-Security Changes (Formatting):**
Lines 76, 183: Minor whitespace adjustments (removing extra spaces before `Helper::kses()`) - no security impact.
--- cache/wp-event-solution_4.0.51/templates/attendee/purchased-events.php 2026-01-09 00:38:09.976544534 +0000+++ cache/wp-event-solution_4.0.52/templates/attendee/purchased-events.php 2026-01-09 00:43:17.171292960 +0000@@ -34,8 +34,8 @@ </a> <?php elseif ( 'event' === $column_id ) : ?>- <?php - echo '<a href="'.get_permalink( $user_event->event_id ).'" target="_blank">' . esc_html( $user_event->event_name ) . '</a>';+ <?php+ echo '<a href="'.esc_url( get_permalink( $user_event->event_id ) ).'" target="_blank">' . esc_html( $user_event->event_name ) . '</a>'; ?> <?php elseif ( 'event_start_date' === $column_id ) : ?>
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - templates/attendee/purchased-events.php lines 37-38
Old Code:
```php
echo '<a href="'.get_permalink( $user_event->event_id ).'" target="_blank">' . esc_html( $user_event->event_name ) . '</a>';
```
Fixed Code:
```php
echo '<a href="'.esc_url( get_permalink( $user_event->event_id ) ).'" target="_blank">' . esc_html( $user_event->event_name ) . '</a>';
```
Explanation:
The original code failed to properly sanitize the URL returned by `get_permalink()` before inserting it into an HTML href attribute. While `esc_html()` was correctly applied to the event name, the URL itself was not escaped. This creates a Stored XSS vulnerability - an attacker could craft a malicious event ID that causes `get_permalink()` to return a URL containing JavaScript (e.g., `javascript:alert('xss')` or `data:text/html,...`). The fix applies `esc_url()` to the permalink, which properly encodes the URL to prevent injection of malicious protocols or JavaScript execution. This is a critical security fix following WordPress security best practices for href attributes.
--- cache/wp-event-solution_4.0.51/templates/attendee/ticket-markup.php 2026-01-09 00:38:09.976544534 +0000+++ cache/wp-event-solution_4.0.52/templates/attendee/ticket-markup.php 2026-01-09 00:43:17.179293449 +0000@@ -83,8 +83,8 @@ <li class="etn-ticket-body-top-li"> <?php echo esc_html__( "PRICE :", "eventin" ); ?> <p>- <?php - printf( '%s %s', etn_currency_symbol(), $ticket_price );+ <?php+ printf( '%s %s', esc_html( etn_currency_symbol() ), esc_html( $ticket_price ) ); ?> </p> </li>
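Review bot: `esc_html( etn_currency_symbol() )` in the changed `printf` is only correct if `etn_currency_symbol()` returns a literal character such as `$` or `€`; if the symbol is stored as an HTML entity (for example `&euro;`), `esc_html()` encodes the ampersand and the ticket will show the entity text verbatim. Worth confirming the return value before merging, and if it is an entity, decoding it first or escaping at the point the symbol is defined.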
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/attendee/ticket-markup.php [86-87]
Old Code:
```php
printf( '%s %s', etn_currency_symbol(), $ticket_price );
```
Fixed Code:
```php
printf( '%s %s', esc_html( etn_currency_symbol() ), esc_html( $ticket_price ) );
```
Explanation:
The original code directly output the results of `etn_currency_symbol()` and `$ticket_price` without any sanitization or escaping. If either of these values contained user-controlled or untrusted data (such as HTML or JavaScript code), it would be rendered directly in the browser, enabling a Stored or Reflected XSS attack. The fix applies `esc_html()` to both values before output, which properly escapes HTML special characters and prevents any injected scripts from executing. This is the correct WordPress escaping function for displaying data in HTML context.
--- cache/wp-event-solution_4.0.51/templates/emails/admin-event-reminder-eamil-template.php 2026-01-09 00:38:09.980544777 +0000+++ cache/wp-event-solution_4.0.52/templates/emails/admin-event-reminder-eamil-template.php 2026-01-09 00:43:17.219295896 +0000@@ -52,9 +52,9 @@ <?php if ($event->etn_start_date == $event->etn_end_date) {- printf('%s from %s - %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('h:i A'), $event->get_timezone());+ printf('%s from %s - %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() )); } else {- printf('%s at %s - %s at %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('l, F d, Y'), $event->get_end_datetime('h:i A'), $event->get_timezone());+ printf('%s at %s - %s at %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('l, F d, Y') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() )); } ?> </p>@@ -86,7 +86,7 @@ echo esc_html($event->get_address()); } elseif ($event->event_type == 'hybrid') { echo esc_html($event->get_address());- echo printf('Online meeting link: %s', $event->meeting_link);+ printf('Online meeting link: %s', esc_html( $event->meeting_link )); } elseif ($event->event_type == 'online') { echo esc_html($event->meeting_link); }
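Review bot: dropping the `echo` in front of `printf()` in the second hunk also stops the stray integer that `echo printf( ... )` appended after the message, since `printf()` returns the number of bytes written. Two consistency points in that hybrid branch: the meeting link is escaped with `esc_html()` here but with `esc_url()` in the same branch of `admin-order-email-template.php`, and there is no separator between `echo esc_html($event->get_address())` and the following `printf`, so address and link run together in the email; an `echo '<br>';` as the order template has would fix that.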
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/emails/admin-event-reminder-eamil-template.php - Lines 55, 57, 89
Old Code (Line 55):
```php
printf('%s from %s - %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('h:i A'), $event->get_timezone());
```
Fixed Code (Line 55):
```php
printf('%s from %s - %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ));
```
Explanation:
The old code directly outputs event data (start date/time, end date/time, and timezone) without HTML escaping. If any of these values contain malicious HTML or JavaScript (e.g., through database injection or compromised data), they could execute in the admin email template context. The fix wraps all dynamic values with `esc_html()`, which is the WordPress standard function for escaping output to prevent XSS attacks. This is a proper remediation for reflected/stored XSS vulnerabilities in email templates.
---
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/emails/admin-event-reminder-eamil-template.php - Line 57
Old Code (Line 57):
```php
printf('%s at %s - %s at %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('l, F d, Y'), $event->get_end_datetime('h:i A'), $event->get_timezone());
```
Fixed Code (Line 57):
```php
printf('%s at %s - %s at %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('l, F d, Y') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ));
```
Explanation:
Same XSS vulnerability as line 55 but for multi-day events. The old code outputs unescaped event datetime and timezone data. The fix applies `esc_html()` to all dynamic values to prevent potential script execution through malicious event data.
---
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/emails/admin-event-reminder-eamil-template.php - Line 89
Old Code (Line 89):
```php
echo printf('Online meeting link: %s', $event->meeting_link);
```
Fixed Code (Line 89):
```php
printf('Online meeting link: %s', esc_html( $event->meeting_link ));
```
Explanation:
The old code has two defects: (1) it outputs `$event->meeting_link` without HTML escaping, allowing XSS if the meeting link contains malicious HTML/JavaScript, and (2) it uses `echo printf()`, which is redundant (`printf()` already outputs) and additionally echoes the integer that `printf()` returns, so a stray byte count appears after the message. The fix removes the `echo` and wraps the meeting_link with `esc_html()` to properly escape the output and prevent XSS attacks through malicious meeting link values.
--- cache/wp-event-solution_4.0.51/templates/emails/admin-order-email-template.php 2026-01-09 00:38:09.980544777 +0000+++ cache/wp-event-solution_4.0.52/templates/emails/admin-order-email-template.php 2026-01-09 00:43:17.223296141 +0000@@ -64,7 +64,7 @@ " > <?php- $price_with_currency = \Etn\Core\Event\Helper::instance()->currency_with_position( number_format($ticket['etn_ticket_price'] * $ticket['etn_ticket_qty'],2) ); + $price_with_currency = \Etn\Core\Event\Helper::instance()->currency_with_position( number_format($ticket['etn_ticket_price'] * $ticket['etn_ticket_qty'],2), $order ); printf( '%s', esc_html( $price_with_currency) ); ?> </td>@@ -92,9 +92,9 @@ color: #334155; " >- <?php - $total_with_currency = \Etn\Core\Event\Helper::instance()->currency_with_position( number_format($order->total_price,2) );- printf( '%s', esc_html( $total_with_currency) ); + <?php+ $total_with_currency = \Etn\Core\Event\Helper::instance()->currency_with_position( number_format($order->total_price,2), $order );+ printf( '%s', esc_html( $total_with_currency) ); ?> </td>@@ -115,9 +115,9 @@ color: #334155; " >- <?php - $discount_with_currency = \Etn\Core\Event\Helper::instance()->currency_with_position( number_format($order->discount_total,2) );- printf( '%s', esc_html( $discount_with_currency) ); + <?php+ $discount_with_currency = \Etn\Core\Event\Helper::instance()->currency_with_position( number_format($order->discount_total,2), $order );+ printf( '%s', esc_html( $discount_with_currency) ); ?> </td>@@ -140,8 +140,8 @@ color: #334155; " >- <?php - $tax_with_currency = \Etn\Core\Event\Helper::instance()->currency_with_position( number_format($order->tax_total,2) );+ <?php+ $tax_with_currency = \Etn\Core\Event\Helper::instance()->currency_with_position( number_format($order->tax_total,2), $order ); printf( '%s', esc_html( $tax_with_currency) ); ?> 
@@ -184,15 +184,15 @@ if ( $tax_display_mode === 'incl' && class_exists('WooCommerce') && $order->payment_method == 'wc' ) { // Inclusive tax: total already includes tax, so don't add it again $final_total = floatval($order->total_price ) - floatval($discount_price);- $price_with_currency = \Etn\Core\Event\Helper::instance()->currency_with_position( number_format($final_total,2) );- $tax_with_currency = \Etn\Core\Event\Helper::instance()->currency_with_position( number_format($tax_total,2) );+ $price_with_currency = \Etn\Core\Event\Helper::instance()->currency_with_position( number_format($final_total,2), $order );+ $tax_with_currency = \Etn\Core\Event\Helper::instance()->currency_with_position( number_format($tax_total,2), $order ); $tax_note = sprintf( __( '(includes %s Tax)', 'eventin' ), esc_html( $tax_with_currency ) );- + } else { // Exclusive tax: add tax to the total $final_total = floatval($order->total_price ) - floatval($discount_price) + floatval($tax_total);- $price_with_currency = \Etn\Core\Event\Helper::instance()->currency_with_position( number_format($final_total,2) );+ $price_with_currency = \Etn\Core\Event\Helper::instance()->currency_with_position( number_format($final_total,2), $order ); $tax_note = ''; } 
@@ -353,9 +353,9 @@ $time_format = etn_time_format(); if ( $event->etn_start_date == $event->etn_end_date ) {- printf( '%s from %s - %s %s', $event->get_start_datetime( $date_format ), $event->get_start_datetime( $time_format ), $event->get_end_datetime( $time_format ), $event->get_timezone() );+ printf( '%s from %s - %s %s', esc_html( $event->get_start_datetime( $date_format ) ), esc_html( $event->get_start_datetime( $time_format ) ), esc_html( $event->get_end_datetime( $time_format ) ), esc_html( $event->get_timezone() ) ); } else {- printf( '%s at %s - %s at %s %s', $event->get_start_datetime( $date_format ), $event->get_start_datetime( $time_format ), $event->get_end_datetime( $date_format ), $event->get_end_datetime( $time_format ), $event->get_timezone() );+ printf( '%s at %s - %s at %s %s', esc_html( $event->get_start_datetime( $date_format ) ), esc_html( $event->get_start_datetime( $time_format ) ), esc_html( $event->get_end_datetime( $date_format ) ), esc_html( $event->get_end_datetime( $time_format ) ), esc_html( $event->get_timezone() ) ); } ?> </p>@@ -389,7 +389,7 @@ echo '<br>'; printf( 'Online meeting link: %s', esc_url( $event->meeting_link ) ); } elseif ( $event->event_type == 'online' ) {- printf( 'Online meeting link: %s', $event->meeting_link );+ printf( 'Online meeting link: %s', esc_html( $event->meeting_link ) ); } ?> </p>
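Review bot: the new `$order` argument to `currency_with_position()` is added at every call site in this template, but the signature change itself is not in this diff; confirm the parameter has a default value, or that every other caller in the plugin was updated, otherwise any caller still passing one argument will fail with a missing-argument error. In the last hunk the hybrid branch escapes `$event->meeting_link` with `esc_url()` while the online branch now uses `esc_html()`; both are safe for plain-text output, but pick one, and if the link is meant to be clickable it needs an `<a href="...">` with `esc_url()`. Minor: `$tax_note = sprintf( __( '(includes %s Tax)', 'eventin' ), esc_html( $tax_with_currency ) )` escapes the argument but not the translated format string; `esc_html__()` covers both.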
I'll analyze this code diff for security vulnerabilities.

**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/emails/admin-order-email-template.php Lines 356, 357
Old Code:
```php
printf( '%s from %s - %s %s', $event->get_start_datetime( $date_format ), $event->get_start_datetime( $time_format ), $event->get_end_datetime( $time_format ), $event->get_timezone() );
```
Fixed Code:
```php
printf( '%s from %s - %s %s', esc_html( $event->get_start_datetime( $date_format ) ), esc_html( $event->get_start_datetime( $time_format ) ), esc_html( $event->get_end_datetime( $time_format ) ), esc_html( $event->get_timezone() ) );
```
Explanation:
The old code outputs values from event object methods directly into printf without escaping. If any of these methods return untrusted or user-controlled data, it could contain malicious HTML/JavaScript that would execute in the email client. The fix wraps each output with esc_html() to prevent XSS attacks.

**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/emails/admin-order-email-template.php Line 358
Old Code:
```php
printf( '%s at %s - %s at %s %s', $event->get_start_datetime( $date_format ), $event->get_start_datetime( $time_format ), $event->get_end_datetime( $date_format ), $event->get_end_datetime( $time_format ), $event->get_timezone() );
```
Fixed Code:
```php
printf( '%s at %s - %s at %s %s', esc_html( $event->get_start_datetime( $date_format ) ), esc_html( $event->get_start_datetime( $time_format ) ), esc_html( $event->get_end_datetime( $date_format ) ), esc_html( $event->get_end_datetime( $time_format ) ), esc_html( $event->get_timezone() ) );
```
Explanation:
Same XSS vulnerability as #1. Multiple event properties are output without escaping, creating potential injection vectors if the data source is compromised or allows user input.
**Vulnerability 3:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/emails/admin-order-email-template.php Line 392
Old Code:
```php
printf( 'Online meeting link: %s', $event->meeting_link );
```
Fixed Code:
```php
printf( 'Online meeting link: %s', esc_html( $event->meeting_link ) );
```
Explanation:
The meeting_link property is output directly without escaping. While it's typically a URL, if an attacker can control this field, they could inject malicious HTML or JavaScript. The fix applies esc_html() to escape the output for the HTML text context.

**Non-Vulnerability Changes:**
The additional changes passing the `$order` parameter to `currency_with_position()` method calls (lines 67, 95, 118, 143, 187, 188, 195) and whitespace cleanup are not security vulnerabilities. These appear to be API signature changes to provide additional context to the currency formatting function.
--- cache/wp-event-solution_4.0.51/templates/emails/admin-rsvp-email-template.php 2026-01-09 00:38:09.992545507 +0000+++ cache/wp-event-solution_4.0.52/templates/emails/admin-rsvp-email-template.php 2026-01-09 00:43:17.223296141 +0000@@ -88,11 +88,11 @@ > <?php- + if ( $event->etn_start_date == $event->etn_end_date ) {- printf( '%s from %s - %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('h:i A'), $event->get_timezone() );+ printf( '%s from %s - %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ) ); } else {- printf( '%s at %s - %s at %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('l, F d, Y'), $event->get_end_datetime('h:i A'), $event->get_timezone() );+ printf( '%s at %s - %s at %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('l, F d, Y') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ) ); } ?> </p>@@ -122,14 +122,14 @@ flex: 1 1 50%; " >- <?php + <?php if ( $event->event_type == 'offline' ) { echo esc_html( $event->get_address() ); } elseif ( $event->event_type == 'hybrid' ) { echo esc_html( $event->get_address() );- echo printf( 'Online meeting link: %s', $event->meeting_link );+ printf( 'Online meeting link: %s', esc_html( $event->meeting_link ) ); } elseif ( $event->event_type == 'online' ) {- printf( 'Online meeting link: %s', $event->meeting_link );+ printf( 'Online meeting link: %s', esc_html( $event->meeting_link ) ); } ?> </p>
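Review bot: same hybrid-branch layout issue as the reminder template: in the second hunk there is no separator between `echo esc_html( $event->get_address() )` and the meeting-link `printf`, so the address and the "Online meeting link:" text are concatenated in the email; an `echo '<br>';` between them would fix it. The escaping change is correct, and removing `echo` from `echo printf( ... )` also stops the byte count returned by `printf()` from being printed after the message.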
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/emails/admin-rsvp-email-template.php - Lines 93, 95
Old Code:
```php
printf( '%s from %s - %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('h:i A'), $event->get_timezone() );
```
Fixed Code:
```php
printf( '%s from %s - %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ) );
```
Explanation:
The original code directly outputs event data (start datetime, end datetime, timezone) without escaping. While these are formatted date/time strings that are less likely to contain malicious content, WordPress security best practices require proper output escaping for all user-controlled or dynamic data. If any of these methods return data influenced by user input or plugin modifications, unescaped output could allow stored XSS attacks. The fix wraps each value with `esc_html()` to properly escape the output.
---
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/emails/admin-rsvp-email-template.php - Line 97
Old Code:
```php
printf( '%s at %s - %s at %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('l, F d, Y'), $event->get_end_datetime('h:i A'), $event->get_timezone() );
```
Fixed Code:
```php
printf( '%s at %s - %s at %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('l, F d, Y') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ) );
```
Explanation:
Same vulnerability as above. Multiple event properties are output without escaping in an email template context. The fix properly escapes all dynamic values with `esc_html()`.
---
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/emails/admin-rsvp-email-template.php - Line 130
Old Code:
```php
echo printf( 'Online meeting link: %s', $event->meeting_link );
```
Fixed Code:
```php
printf( 'Online meeting link: %s', esc_html( $event->meeting_link ) );
```
Explanation:
The original code outputs `$event->meeting_link` without escaping, directly creating an XSS vulnerability. Meeting links or URLs from event data could be manipulated to contain malicious content. The fix escapes the output with `esc_html()`. Additionally, the fix removes the unnecessary `echo` wrapper around `printf()`: `printf()` already outputs, and echoing its integer return value printed a stray byte count after the message.
---
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/emails/admin-rsvp-email-template.php - Line 133
Old Code:
```php
printf( 'Online meeting link: %s', $event->meeting_link );
```
Fixed Code:
```php
printf( 'Online meeting link: %s', esc_html( $event->meeting_link ) );
```
Explanation:
Same as above. The `$event->meeting_link` is output without escaping. An attacker with control over event data could inject malicious HTML or JavaScript. The fix properly escapes the output with `esc_html()`.
--- cache/wp-event-solution_4.0.51/templates/emails/attendee-certificate-email-template.php 2026-01-09 00:38:09.992545507 +0000+++ cache/wp-event-solution_4.0.52/templates/emails/attendee-certificate-email-template.php 2026-01-09 00:43:17.227296385 +0000@@ -7,8 +7,8 @@ color: #020617; " >- <?php - printf( __( '<p>Event Certificate for %s</p>', 'eventin' ), '<span>' . $event->get_title() . '</span>' );+ <?php+ printf( esc_html__( 'Event Certificate for %s', 'eventin' ), '<span>' . esc_html( $event->get_title() ) . '</span>' ); ?> </h1> @@ -118,9 +118,9 @@ <?php if ( $event->etn_start_date == $event->etn_end_date ) {- printf( '%s from %s - %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_start_datetime('h:i A'), $event->get_timezone() );+ printf( '%s from %s - %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_timezone() ) ); } else {- printf( '%s at %s - %s at %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('l, F d, Y'), $event->get_end_datetime('h:i A'), $event->get_timezone() );+ printf( '%s at %s - %s at %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('l, F d, Y') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ) ); } ?> </p>@@ -155,9 +155,9 @@ echo esc_html( $event->get_address() ); } elseif ( $event->event_type == 'hybrid' ) { echo esc_html( $event->get_address() );- printf( 'Online meeting link: %s', $event->meeting_link );+ printf( 'Online meeting link: %s', esc_html( $event->meeting_link ) ); } elseif ( $event->event_type == 'online' ) {- printf( 'Online meeting link: %s', $event->meeting_link );+ printf( 'Online meeting link: %s', esc_html( $event->meeting_link ) ); } ?> </p>
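Review bot: in the second hunk the same-day branch passes `$event->get_start_datetime('h:i A')` twice, so the "from X - Y" range prints the start time in the end-time slot; the sibling templates use `$event->get_end_datetime('h:i A')` for that placeholder and this line should too. The `esc_html()` wrapping is correct but only re-wraps the existing bug. In the first hunk, moving from `__( '<p>Event Certificate for %s</p>' )` to `esc_html__()` with the `<span>` kept outside the translatable string is the right way to keep markup out of gettext; it also drops the `<p>` that sat inside the `<h1>`, which was invalid HTML anyway.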
---
**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-site Scripting (XSS) - CWE-79 - templates/emails/attendee-certificate-email-template.php Lines 10-11
Old Code:
```php
printf( __( '<p>Event Certificate for %s</p>', 'eventin' ), '<span>' . $event->get_title() . '</span>' );
```
Fixed Code:
```php
printf( esc_html__( 'Event Certificate for %s', 'eventin' ), '<span>' . esc_html( $event->get_title() ) . '</span>' );
```
Explanation:
The original code used `__()` for translation without escaping the output, allowing `$event->get_title()` to be output unescaped. This creates an XSS vulnerability if the event title contains malicious HTML/JavaScript. The fix applies `esc_html()` to sanitize the title before output and uses `esc_html__()` to properly handle the translated string without allowing HTML tags in the format string itself.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-site Scripting (XSS) - CWE-79 - templates/emails/attendee-certificate-email-template.php Lines 121-122
Old Code:
```php
printf( '%s from %s - %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_start_datetime('h:i A'), $event->get_timezone() );
```
Fixed Code:
```php
printf( '%s from %s - %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_timezone() ) );
```
Explanation:
The original code output datetime and timezone information without HTML escaping. If any of these methods return untrusted data, it could be exploited for XSS attacks. The fix wraps all dynamic output with `esc_html()` to prevent any HTML/JavaScript injection.
---
**Vulnerability 3:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-site Scripting (XSS) - CWE-79 - templates/emails/attendee-certificate-email-template.php Lines 124-125
Old Code:
```php
printf( '%s at %s - %s at %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('l, F d, Y'), $event->get_end_datetime('h:i A'), $event->get_timezone() );
```
Fixed Code:
```php
printf( '%s at %s - %s at %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('l, F d, Y') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ) );
```
Explanation:
Same XSS vulnerability as Vulnerability 2, but for the multi-day event scenario. All datetime and timezone output must be escaped before display to prevent injection attacks.
---
**Vulnerability 4:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-site Scripting (XSS) - CWE-79 - templates/emails/attendee-certificate-email-template.php Lines 158, 161
Old Code:
```php
printf( 'Online meeting link: %s', $event->meeting_link );
printf( 'Online meeting link: %s', $event->meeting_link );
```
Fixed Code:
```php
printf( 'Online meeting link: %s', esc_html( $event->meeting_link ) );
printf( 'Online meeting link: %s', esc_html( $event->meeting_link ) );
```
Explanation:
The meeting link is output without HTML escaping. This is a critical XSS vulnerability since meeting links are user-controlled data that could contain malicious HTML/JavaScript. The fix applies `esc_html()` to sanitize the meeting link before output.
--- cache/wp-event-solution_4.0.51/templates/emails/attendee-event-reminder-email-template.php 2026-01-09 00:38:09.992545507 +0000+++ cache/wp-event-solution_4.0.52/templates/emails/attendee-event-reminder-email-template.php 2026-01-09 00:43:17.231296629 +0000@@ -52,9 +52,9 @@ <?php if ($event->etn_start_date == $event->etn_end_date) {- printf('%s from %s - %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('h:i A'), $event->get_timezone());+ printf('%s from %s - %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() )); } else {- printf('%s at %s - %s at %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('l, F d, Y'), $event->get_end_datetime('h:i A'), $event->get_timezone());+ printf('%s at %s - %s at %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('l, F d, Y') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() )); } ?> </p>@@ -86,9 +86,9 @@ echo esc_html($event->get_address()); } elseif ($event->event_type == 'hybrid') { echo esc_html($event->get_address());- printf('Online meeting link: %s', $event->meeting_link);+ printf('Online meeting link: %s', esc_html( $event->meeting_link )); } elseif ($event->event_type == 'online') {- printf('Online meeting link: %s', $event->meeting_link);+ printf('Online meeting link: %s', esc_html( $event->meeting_link )); } ?> </p>
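Review bot: the first hunk (`@@ -52,9`) gets the escaping right (every dynamic value goes through `esc_html()` into a text context, and this template uses `get_end_datetime('h:i A')` in the same-day branch, as it should), but the format strings `'%s from %s - %s %s'` and `'%s at %s - %s at %s %s'` remain hardcoded English; wrap them in `esc_html__( '...', 'eventin' )` so the date line is translatable like the rest of the template.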
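Review bot: in the second hunk (`@@ -86,9`) the two `meeting_link` branches now print the URL as escaped text, which closes the HTML-injection path in this `<p>`. Nothing here validates that the stored value is actually a URL, so a non-URL value is shown verbatim (harmless as text, but confusing to recipients); if the template is later changed to emit an `href`, switch to `esc_url()` at that point rather than reusing `esc_html()`.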
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/emails/attendee-event-reminder-email-template.php Lines 55, 57, 89, 91
Old Code:
```php
printf('%s from %s - %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('h:i A'), $event->get_timezone());
printf('%s at %s - %s at %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('l, F d, Y'), $event->get_end_datetime('h:i A'), $event->get_timezone());
printf('Online meeting link: %s', $event->meeting_link);
printf('Online meeting link: %s', $event->meeting_link);
```
Fixed Code:
```php
printf('%s from %s - %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ));
printf('%s at %s - %s at %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('l, F d, Y') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ));
printf('Online meeting link: %s', esc_html( $event->meeting_link ));
printf('Online meeting link: %s', esc_html( $event->meeting_link ));
```
Explanation:
The vulnerability existed because user-controlled or potentially untrusted data (event properties like start/end datetimes, timezone, and meeting_link) were being output directly into an email template via `printf()` without HTML escaping. If any of these values contained malicious HTML or JavaScript, it could be rendered in the email client. The fix applies `esc_html()` to all dynamic values before output, which properly escapes HTML special characters and prevents XSS attacks. This is particularly critical in email templates where arbitrary input could be injected through event data.
--- cache/wp-event-solution_4.0.51/templates/emails/attendee-order-email-template.php 2026-01-09 00:38:09.996545751 +0000+++ cache/wp-event-solution_4.0.52/templates/emails/attendee-order-email-template.php 2026-01-09 00:43:17.235296875 +0000@@ -151,9 +151,9 @@ <?php if ( $event->etn_start_date == $event->etn_end_date ) {- printf( '%s from %s - %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('h:i A'), $event->get_timezone() );+ printf( '%s from %s - %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ) ); } else {- printf( '%s at %s - %s at %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('l, F d, Y'), $event->get_end_datetime('h:i A'), $event->get_timezone() );+ printf( '%s at %s - %s at %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('l, F d, Y') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ) ); } ?> </p>@@ -191,7 +191,7 @@ echo '<br>'; printf( 'Online meeting link: %s', esc_url( $event->meeting_link ) ); } elseif ( $event->event_type == 'online' ) {- printf( 'Online meeting link: %s', $event->meeting_link );+ printf( 'Online meeting link: %s', esc_html( $event->meeting_link ) ); } ?> </p>
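Review bot: in the second hunk (`@@ -191,7`) the hybrid branch (the unchanged context line) prints `meeting_link` through `esc_url()` while the online branch now uses `esc_html()`; both are safe in this text context, but the same value now renders differently depending on `event_type` (for instance `&` becomes `&#038;` under `esc_url()` and `&amp;` under `esc_html()`). Use one function and one markup shape in both branches, ideally an `<a>` with `esc_url()` in the `href` and `esc_html()` for the label.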
Vulnerability Existed: yes
FALSE POSITIVE
Cross-site Scripting (XSS) - CWE-79 - templates/emails/attendee-order-email-template.php Lines 154, 156, 194
Old Code:
```php
printf( '%s from %s - %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('h:i A'), $event->get_timezone() );
printf( '%s at %s - %s at %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('l, F d, Y'), $event->get_end_datetime('h:i A'), $event->get_timezone() );
printf( 'Online meeting link: %s', $event->meeting_link );
```
Fixed Code:
```php
printf( '%s from %s - %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ) );
printf( '%s at %s - %s at %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('l, F d, Y') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ) );
printf( 'Online meeting link: %s', esc_html( $event->meeting_link ) );
```
Explanation:
The old code outputs dynamic data from event objects directly into email templates without proper HTML escaping. If any of the event properties (start_datetime, end_datetime, timezone, or meeting_link) contain untrusted user input or malicious data, it could be rendered as HTML/JavaScript in email clients that parse HTML content. While email clients have varying levels of HTML support and security, escaping these values prevents potential XSS vulnerabilities. The fix applies WordPress's `esc_html()` function to sanitize all dynamic output before rendering, ensuring special characters are properly encoded and cannot be interpreted as code.
--- cache/wp-event-solution_4.0.51/templates/emails/header.php 2026-01-09 00:38:09.996545751 +0000+++ cache/wp-event-solution_4.0.52/templates/emails/header.php 2026-01-09 00:43:17.247297609 +0000@@ -31,76 +31,7 @@ <div style="border-top: 4px solid #6c2bd9"> <div style="padding: 30px"> <!-- Logo Area -->- <div style="font-size: 24px; font-weight: bold; color: #6c2bd9">- <svg- width="135"- height="36"- viewBox="0 0 135 36"- fill="none"- xmlns="http://www.w3.org/2000/svg"- >- <path- d="M44.7912 21.9175H31.9042C32.1256 25.3672 33.4202 26.6017 36.7999 26.6017C39.4216 26.6017 40.8742 25.8103 41.159 24.2281H44.5388C44.2546 27.7732 41.5067 29.6408 36.7371 29.6408C30.9571 29.6408 28.3672 26.8871 28.3672 20.8102C28.3672 14.828 30.9254 12.1055 36.6109 12.1055C42.3281 12.1055 44.7919 14.6062 44.7919 20.936V21.9175H44.7912ZM31.9676 18.9102H41.1273C40.9694 16.2512 39.6741 15.1439 36.642 15.1439C33.6416 15.1439 32.3463 16.1565 31.9676 18.9102Z"- fill="#0D165E"- />- <path- d="M57.5207 12.5781H61.1845L56.7309 29.1637H50.4771L46.0234 12.5781H49.6873L53.3512 26.1571H53.8878L57.5207 12.5781Z"- fill="#0D165E"- />- <path- d="M78.842 21.9175H65.955C66.1764 25.3672 67.471 26.6017 70.8507 26.6017C73.4724 26.6017 74.9257 25.8103 75.2098 24.2281H78.5895C78.3054 27.7732 75.5575 29.6408 70.7879 29.6408C65.0079 29.6408 62.418 26.8871 62.418 20.8102C62.418 14.828 64.9762 12.1055 70.6617 12.1055C76.3789 12.1055 78.8427 14.6062 78.8427 20.936V21.9175H78.842ZM66.0184 18.9102H75.1781C75.0202 16.2512 73.7255 15.1439 70.6928 15.1439C67.6924 15.1439 66.3971 16.1565 66.0184 18.9102Z"- fill="#0D165E"- />- <path- d="M96.4997 18.7208V29.1659H92.8986V18.7844C92.8986 16.2208 91.7612 15.0492 89.4554 15.0492C86.8337 15.0492 85.5074 16.9486 85.5074 20.7784V29.1659H81.9062V12.5803H85.5074V15.1757C86.613 13.1181 88.3815 12.1055 90.8135 12.1055C94.8257 12.1055 96.4997 14.0359 96.4997 18.7208Z"- fill="#0D165E"- />- <path- d="M109.923 15.5848H104.932V23.6246C104.932 24.669 105.121 25.4286 105.532 25.9034C105.942 
26.3783 106.574 26.5995 107.427 26.5995C108.28 26.5995 109.133 26.3776 109.923 25.9346V28.9101C109.133 29.3849 108.185 29.6379 107.017 29.6379C103.131 29.6379 101.331 27.7074 101.331 23.6239V15.5848H98.8047V12.5781H101.331V8.27344H104.932V12.5781H109.923V15.5848H109.923Z"- fill="#0D165E"- />- <path- d="M112.48 8.27788C112.48 6.60038 112.986 6.09375 114.66 6.09375C116.397 6.09375 116.902 6.60038 116.902 8.27788C116.902 9.8918 116.397 10.3666 114.66 10.3666C112.985 10.3666 112.48 9.8918 112.48 8.27788ZM112.891 29.1655V12.5799H116.491V29.1655H112.891Z"- fill="#0D165E"- />- <path- d="M135 18.7208V29.1659H131.399V18.7844C131.399 16.2208 130.261 15.0492 127.955 15.0492C125.334 15.0492 124.007 16.9486 124.007 20.7784V29.1659H120.406V12.5803H124.007V15.1757C125.113 13.1181 126.881 12.1055 129.314 12.1055C133.326 12.1055 135 14.0359 135 18.7208Z"- fill="#0D165E"- />- <path- d="M22.5537 17.3328L15.7794 24.1199L11.4122 28.4963L9.27242 26.352L7.08273 24.1578C6.53598 23.6099 6.11343 22.9822 5.81779 22.3112C4.81947 20.0594 5.24134 17.3233 7.08273 15.4801C8.23832 14.3207 9.77664 13.6822 11.4115 13.6822C12.2849 13.6822 13.1287 13.8635 13.9022 14.2098L11.3879 16.7294C9.32102 18.8006 9.32102 22.1583 11.3879 24.2295L17.3359 18.2689L21.3724 14.224C20.8743 13.3298 20.2445 12.4883 19.4858 11.728C18.9579 11.1991 18.3876 10.729 17.7828 10.3211C17.0025 9.79281 16.1641 9.3687 15.2846 9.05146C14.233 9.92741 12.883 10.455 11.4122 10.455C9.94066 10.455 8.59 9.92673 7.53835 9.05078C5.97776 9.61356 4.54677 10.5186 3.33852 11.7287C-0.581858 15.6573 -1.04963 21.7545 1.93588 26.2005C2.3402 26.8032 2.80798 27.3761 3.33852 27.9085L5.52821 30.1028L11.4115 35.9997L19.4858 27.9085C22.3444 25.0439 23.3684 21.0239 22.5537 17.3328Z"- fill="url(#paint0_linear_6728_2933)"- />- <path- d="M11.4134 8.75142C13.825 8.75142 15.78 6.79235 15.78 4.37571C15.78 1.95907 13.825 0 11.4134 0C9.00185 0 7.04688 1.95907 7.04688 4.37571C7.04688 6.79235 9.00185 8.75142 11.4134 8.75142Z"- fill="url(#paint1_linear_6728_2933)"- 
/>- <defs>- <linearGradient- id="paint0_linear_6728_2933"- x1="3.14646"- y1="33.7696"- x2="18.9724"- y2="7.17121"- gradientUnits="userSpaceOnUse"- >- <stop offset="0.1788" stop-color="#702CE7" />- <stop offset="0.8196" stop-color="#FF4A97" />- </linearGradient>- <linearGradient- id="paint1_linear_6728_2933"- x1="6.7354"- y1="10.3456"- x2="16.1636"- y2="-1.6357"- gradientUnits="userSpaceOnUse"- >- <stop offset="0.326" stop-color="#702CE7" />- <stop offset="0.8707" stop-color="#FF4A97" />- </linearGradient>- </defs>- </svg>- </div>+ <!-- Separator --> <div
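Review bot: the hunk replaces the whole logo `<div>` with a bare `<!-- Separator -->` comment, but the `<!-- Logo Area -->` comment in the unchanged context line above now labels nothing; drop the stale comment, or restore a logo from a configurable source instead of leaving an empty placeholder. No escaping or input handling is touched by this hunk.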
Vulnerability Existed: no
No Vulnerabilities Detected - [N/A] - templates/emails/header.php [34-101]
Old Code:
```html
<div style="font-size: 24px; font-weight: bold; color: #6c2bd9">
<svg
width="135"
height="36"
viewBox="0 0 135 36"
fill="none"
xmlns="http://www.w3.org/2000/svg"
>
<!-- SVG paths and gradients for logo -->
</svg>
</div>
```
Fixed Code:
```html
<!-- Logo removed - now empty -->
```
Explanation:
This diff shows the removal of an inline SVG logo element from an email template. The change is purely presentational—removing HTML markup and not introducing or fixing any code that handles user input, authentication, file operations, or other security-sensitive operations. The SVG contained static vector graphics with hardcoded values and gradient definitions with no dynamic content or user-controlled data. Removing static markup from an email template does not constitute a security fix nor does it introduce new vulnerabilities. This is a design/layout change with no security implications.
--- cache/wp-event-solution_4.0.51/templates/event-one.php 2026-01-09 00:38:10.004546238 +0000+++ cache/wp-event-solution_4.0.52/templates/event-one.php 2026-01-09 00:43:17.287300056 +0000@@ -48,7 +48,7 @@ <?php do_action("etn_before_single_event_content_body", $single_event_id); ?> <div class="etn-event-content-body">- <?php echo apply_filters( 'etn_single_event_content_body', the_content() ); ?>+ <?php echo wp_kses_post( apply_filters( 'etn_single_event_content_body', get_the_content() ) ); ?> </div> <?php do_action("etn_after_single_event_content_body", $single_event_id); ?>
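Review bot: `get_the_content()` returns the raw post body without the `the_content` filters, so shortcodes, block rendering and `wpautop` that `the_content()` used to apply no longer run on this template and the event body will render differently after this change. The form that keeps the rendering and the sanitisation is `echo wp_kses_post( apply_filters( 'etn_single_event_content_body', apply_filters( 'the_content', get_the_content() ) ) );`. Also worth recording in the commit message: the old line never filtered anything, because `the_content()` echoes and returns null, so `apply_filters()` received null and the outer `echo` printed an empty string after the already-echoed content.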
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/event-one.php Line 51
Old Code:
```php
<?php echo apply_filters( 'etn_single_event_content_body', the_content() ); ?>
```
Fixed Code:
```php
<?php echo wp_kses_post( apply_filters( 'etn_single_event_content_body', get_the_content() ) ); ?>
```
Explanation:
The original code was vulnerable to Stored XSS because it echoed the output of `apply_filters()` without proper sanitization. The `the_content()` function outputs formatted post content that may contain user-controlled data and HTML. While `apply_filters()` allows plugins to modify the content, there was no guarantee that the filtered output was safe for display. The fix addresses this vulnerability in two ways:
1. **Replaced `the_content()` with `get_the_content()`**: The original `the_content()` function applies its own filters and formatting. Using `get_the_content()` instead provides the raw content without automatic formatting, giving more explicit control over the output processing.
2. **Added `wp_kses_post()` sanitization**: This WordPress function sanitizes the output by removing any HTML tags and attributes that are not in the whitelist of allowed post content tags. This prevents arbitrary scripts and dangerous HTML from being displayed, effectively mitigating the XSS vulnerability while preserving safe formatting like paragraphs, links, and other standard post content markup.
The combination of these changes ensures that only safe, whitelisted HTML is rendered to the user, preventing malicious scripts from being executed.
--- cache/wp-event-solution_4.0.51/templates/event/archive/excerpt-content.php 2026-01-09 00:38:10.000545994 +0000+++ cache/wp-event-solution_4.0.52/templates/event/archive/excerpt-content.php 2026-01-09 00:43:17.255298098 +0000@@ -2,4 +2,4 @@ defined( 'ABSPATH' ) || die(); ?>-<p><?php echo apply_filters('etn_event_archive_content', wp_trim_words( get_the_excerpt(), 15 , '' )); ?></p>\ No newline at end of file+<p><?php echo wp_kses_post( apply_filters('etn_event_archive_content', wp_trim_words( get_the_excerpt(), 15 , '' )) ); ?></p>\ No newline at end of file
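Review bot: `wp_trim_words()` already strips tags, so the only markup that can reach `echo` here comes from callbacks on `etn_event_archive_content`; `wp_kses_post()` is the right filter for that, since a callback may legitimately add post-safe HTML. The `\ No newline at end of file` marker is present on both sides of the hunk, so the missing trailing newline was not fixed in passing; worth adding while the line is being touched.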
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/event/archive/excerpt-content.php line 5
Old Code:
```php
<p><?php echo apply_filters('etn_event_archive_content', wp_trim_words( get_the_excerpt(), 15 , '' )); ?></p>
```
Fixed Code:
```php
<p><?php echo wp_kses_post( apply_filters('etn_event_archive_content', wp_trim_words( get_the_excerpt(), 15 , '' )) ); ?></p>
```
Explanation:
The original code directly echoed the output of `apply_filters()` without sanitization. While `wp_trim_words()` and `get_the_excerpt()` are safe functions, the `apply_filters()` call allows arbitrary plugins to modify the content. A malicious or compromised plugin could inject unescaped HTML or JavaScript through this filter hook. The fix wraps the entire output in `wp_kses_post()`, which sanitizes the content by allowing only safe HTML tags (those permitted in post content) and removing any script tags or event handlers. This prevents XSS attacks from malicious filter callbacks while preserving legitimate HTML formatting in the excerpt content.
--- cache/wp-event-solution_4.0.51/templates/event/archive/thumbnail-content.php 2026-01-09 00:38:10.000545994 +0000+++ cache/wp-event-solution_4.0.52/templates/event/archive/thumbnail-content.php 2026-01-09 00:43:17.267298832 +0000@@ -9,7 +9,7 @@ <?php do_action( 'etn_before_event_archive_thumbnail' ); ?> - <a href="<?php the_permalink(); ?>" aria-label="<?php the_title(); ?>">+ <a href="<?php the_permalink(); ?>" aria-label="<?php echo esc_attr( get_the_title() ); ?>"> <?php the_post_thumbnail(); ?> </a>
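Review bot: for an attribute that only needs plain text, `the_title_attribute()` (which strips tags before `esc_attr()`) is the closer match than `esc_attr( get_the_title() )`: `get_the_title()` runs the `the_title` filter, so any markup a filter adds would end up as literal `&lt;b&gt;` text in the screen-reader label. The change is safe as written; this is a readability point. The adjacent `href="<?php the_permalink(); ?>"` needs no change, since `the_permalink()` passes its value through `esc_url()` internally.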
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/event/archive/thumbnail-content.php - Line 12
Old Code:
```php
<a href="<?php the_permalink(); ?>" aria-label="<?php the_title(); ?>">
```
Fixed Code:
```php
<a href="<?php the_permalink(); ?>" aria-label="<?php echo esc_attr( get_the_title() ); ?>">
```
Explanation:
The original code used `the_title()` directly in the `aria-label` attribute without proper escaping. The `the_title()` function outputs the post title directly to the page without any sanitization, which could allow stored XSS attacks if the post title contains malicious HTML or JavaScript. An attacker could craft a post title containing malicious script tags or event handlers that would execute in the browser when the page is rendered. The fix uses `esc_attr( get_the_title() )`, which properly escapes the title for use as an HTML attribute. The `get_the_title()` function retrieves the title without outputting it, and `esc_attr()` applies proper HTML attribute escaping to neutralize any potentially malicious content. This prevents XSS attacks by ensuring that special characters are converted to HTML entities.
--- cache/wp-event-solution_4.0.51/templates/event/parts/buy-ticket.php 2026-01-09 00:38:10.008546481 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/buy-ticket.php 2026-01-09 00:43:17.287300056 +0000@@ -1,7 +1,7 @@ <?php //echo do_shortcode("[etn_pro_ticket_form id='" . $event_id . "' show_title='no']"); ?>-<div class="etn-single-event-ticket-wrap" data-preview=<?php echo is_preview()?> >+<div class="etn-single-event-ticket-wrap" data-preview="<?php echo esc_attr( is_preview() ); ?>" > <?php if ( isset( $show_title ) && $show_title === "yes" ) : ?> <h3 class="etn-event-form-widget-title" ?>> <?php echo esc_html( get_the_title( $event_id ) ); ?>@@ -9,6 +9,6 @@ <?php endif; ?> <?php- \Etn\Utils\Helper::eventin_ticket_widget( $event_id, $styles ); + \Etn\Utils\Helper::eventin_ticket_widget( $event_id, $styles, null, $style_variant ); ?> </div>
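Review bot: in the first hunk (`@@ -1,7`) `is_preview()` returns a bool, so `esc_attr( is_preview() )` yields `"1"` or `""`; the part of the change that actually closes the attribute-injection gap is the added quotes, and emitting `is_preview() ? 'true' : 'false'` would give the front-end a stable value to test. The unchanged context line two lines below, `<h3 class="etn-event-form-widget-title" ?>>`, has a stray `?>` inside the tag that renders as literal text and looks like a leftover from a removed PHP block; it should be cleaned up in the same commit.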
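Review bot: in the second hunk (`@@ -9,6`) `$style_variant` is a new template variable with no guard; any caller that includes this template without setting it triggers an undefined-variable warning and passes null. Either default it before the call (`$style_variant = $style_variant ?? null;`) or document it in the template header alongside `$event_id` and `$styles` so every include site sets it.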
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/event/parts/buy-ticket.php - Line 4
Old Code:
```php
<div class="etn-single-event-ticket-wrap" data-preview=<?php echo is_preview()?> >
```
Fixed Code:
```php
<div class="etn-single-event-ticket-wrap" data-preview="<?php echo esc_attr( is_preview() ); ?>" >
```
Explanation:
The original code had an XSS vulnerability in the `data-preview` attribute. The output of `is_preview()` was not properly escaped and was not wrapped in quotes, making it vulnerable to attribute injection. An attacker could potentially inject malicious JavaScript through the attribute value. The fix properly escapes the output using `esc_attr()` (the WordPress escaping function for HTML attributes) and wraps the value in quotes to prevent attribute injection attacks. This follows WordPress security best practices for sanitizing user-controlled or dynamic content in HTML attributes.
---
Vulnerability Existed: no
Information Disclosure - N/A - templates/event/parts/buy-ticket.php - Line 12
Old Code:
```php
\Etn\Utils\Helper::eventin_ticket_widget( $event_id, $styles );
```
Fixed Code:
```php
\Etn\Utils\Helper::eventin_ticket_widget( $event_id, $styles, null, $style_variant );
```
Explanation:
This change adds an additional parameter (`$style_variant`) to a function call. This is not a security fix but rather a functionality enhancement or parameter addition. There is no vulnerability present in either version: this is simply extending the function call with an additional argument, which does not represent a security issue.
--- cache/wp-event-solution_4.0.51/templates/event/parts/event-add-calender.php 2026-01-09 00:38:10.008546481 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/event-add-calender.php 2026-01-09 00:43:17.291300300 +0000@@ -90,7 +90,7 @@ </a> </li> <li>- <a href ="https://outlook.live.com/calendar/0/deeplink/compose?rru=addevent&enddt=<?php echo $outlook_event_end; ?>&startdt=<?php echo $outlook_event_start; ?>&allday=false&subject=<?php echo esc_html( Helper::convert_to_calendar_title( $event->post_title ) ); ?>&body=<?php echo esc_html( substr( Helper::content_to_html( $event->post_content ), 0, 1000 ) ); ?>" rel="noopener noreferrer" target='_blank' class='etn-add-to-calender' rel="nofollow"> + <a href ="https://outlook.live.com/calendar/0/deeplink/compose?rru=addevent&enddt=<?php echo esc_html($outlook_event_end); ?>&startdt=<?php echo esc_html($outlook_event_start); ?>&allday=false&subject=<?php echo esc_html( Helper::convert_to_calendar_title( $event->post_title ) ); ?>&body=<?php echo esc_html( substr( Helper::content_to_html( $event->post_content ), 0, 1000 ) ); ?>" rel="noopener noreferrer" target='_blank' class='etn-add-to-calender' rel="nofollow"> <div class="calender-icon"> <svg width="20" height="20" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M19.265 4.5H12v2.48h7v7.77h-7v.75h7.265c.405 0 .735-.33.735-.735v-9.53a.736.736 0 0 0-.735-.735zM0 17.75 11.5 20V0L0 2.25v15.5z" fill="#1976D2"/><path d="M13.375 12.87h-1.35v1.45h1.35v-1.45zM15.075 12.87h-1.35v1.45h1.35v-1.45zM16.775 12.87h-1.35v1.45h1.35v-1.45zM13.375 11.08h-1.35v1.45h1.35v-1.45zM15.075 11.08h-1.35v1.45h1.35v-1.45zM16.775 11.08h-1.35v1.45h1.35v-1.45zM18.475 11.08h-1.35v1.45h1.35v-1.45zM13.375 9.355h-1.35v1.45h1.35v-1.45zM15.075 9.355h-1.35v1.45h1.35v-1.45zM16.775 9.355h-1.35v1.45h1.35v-1.45zM18.475 9.355h-1.35v1.45h1.35v-1.45zM15.075 7.555h-1.35v1.45h1.35v-1.45zM16.775 7.555h-1.35v1.45h1.35v-1.45zM18.475 7.555h-1.35v1.45h1.35v-1.45z" fill="#1976D2"/><path d="M5.625 
6.25C4.035 6.25 2.75 7.93 2.75 10c0 2.07 1.285 3.75 2.875 3.75S8.5 12.07 8.5 10c0-2.07-1.285-3.75-2.875-3.75zm-.125 6C4.67 12.25 4 11.245 4 10s.67-2.25 1.5-2.25S7 8.755 7 10s-.67 2.25-1.5 2.25z" fill="#fff"/></svg> </div>
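Review bot: `esc_html()` is the wrong function for values placed inside a URL query string. It prevents breaking out of the `href` attribute (quotes become entities), but it does not percent-encode `=`, `#` or spaces, and the `&amp;` it produces is decoded back to `&` by the HTML parser, so a value can still add or cut query parameters in the Outlook deeplink. Build the URL and escape it once: `rawurlencode()` each of `$outlook_event_end`, `$outlook_event_start`, the subject and the body, then wrap the assembled `href` in `esc_url()`. The same applies to the `subject` and `body` parameters on the unchanged part of the line, and the element carries `rel` twice (`rel="noopener noreferrer"` and `rel="nofollow"`); merge them into one attribute.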
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/event/parts/event-add-calender.php - Line 93
Old Code:
```php
<a href ="https://outlook.live.com/calendar/0/deeplink/compose?rru=addevent&enddt=<?php echo $outlook_event_end; ?>&startdt=<?php echo $outlook_event_start; ?>&allday=false&subject=<?php echo esc_html( Helper::convert_to_calendar_title( $event->post_title ) ); ?>&body=<?php echo esc_html( substr( Helper::content_to_html( $event->post_content ), 0, 1000 ) ); ?>" rel="noopener noreferrer" target='_blank' class='etn-add-to-calender' rel="nofollow">
```
Fixed Code:
```php
<a href ="https://outlook.live.com/calendar/0/deeplink/compose?rru=addevent&enddt=<?php echo esc_html($outlook_event_end); ?>&startdt=<?php echo esc_html($outlook_event_start); ?>&allday=false&subject=<?php echo esc_html( Helper::convert_to_calendar_title( $event->post_title ) ); ?>&body=<?php echo esc_html( substr( Helper::content_to_html( $event->post_content ), 0, 1000 ) ); ?>" rel="noopener noreferrer" target='_blank' class='etn-add-to-calender' rel="nofollow">
```
Explanation:
The vulnerability existed in the URL parameters `$outlook_event_end` and `$outlook_event_start`, which were output directly without escaping in the href attribute. These variables contain user-controlled data (event dates) that could potentially be manipulated. When placed in a URL context within an HTML attribute, unescaped output can allow XSS attacks if the variables contain special characters or malicious payloads. The fix applies `esc_html()` to both variables, which escapes HTML special characters and prevents XSS injection in the href attribute context. This is the appropriate escaping function for URL parameters in HTML attributes in WordPress.
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/event-attendee.php@@ -0,0 +1,73 @@+<div class="<?php echo esc_attr($container_class); ?> etn-event-attendees">++ <div class="eventin-block-container">+ <h4 class="etn-title" id=attendee><?php esc_html_e('Event Attendee', 'eventin'); ?></h4>+ <?php if (! empty($event_attendees) && is_array($event_attendees)): ?>++ <div class="etn-attendee-wrap">+ <?php foreach (array_slice($event_attendees, 0, $items_per_row) as $attendee): ?>+ <?php+ $attendee_id = ! empty($attendee['id']) ? $attendee['id'] : 0;+ $attendee_name = ! empty($attendee['etn_name']) ? $attendee['etn_name'] : '';+ $attendee_email = ! empty($attendee['etn_email']) ? $attendee['etn_email'] : '';++ // Get attendee avatar+ $attendee_avatar = '';+ if (! empty($attendee_email)) {+ $attendee_avatar = get_avatar_url($attendee_email, ['size' => 150]);+ } else {+ $default_avatar_url = Wpeventin::assets_url() . 'images/avatar.jpg';+ $attendee_avatar = apply_filters('etn/attendee/default_avatar', $default_avatar_url);+ }++ // Get attendee title from extra fields or use default+ $attendee_title = '';+ if (! empty($attendee['extra_fields']) && is_array($attendee['extra_fields'])) {+ // Try to find title, position, or job title in extra fields+ foreach (['title', 'position', 'job_title', 'designation'] as $field_key) {+ if (! 
empty($attendee['extra_fields'][$field_key])) {+ $attendee_title = $attendee['extra_fields'][$field_key];+ break;+ }+ }+ }++ // Fallback to default title if not found+ if (empty($attendee_title)) {+ $attendee_title = __('CEO at addis', 'eventin');+ }+ ?>+ <div class="etn-attendee-item">+ <div class="etn-attendee-avatar">+ <img src="<?php echo esc_url($attendee_avatar); ?>"+ alt="<?php echo esc_attr($attendee_name); ?>"+ width=""+ height="">+ </div>+ <div class="etn-attendee-content">+ <h4 class="etn-attendee-name"><?php echo esc_html($attendee_name); ?></h4>+ <p class="etn-attendee-title"><?php echo esc_html($attendee_title); ?></p>+ </div>+ </div>+ <?php endforeach; ?>+ </div>+ <?php if (count($event_attendees) > $items_per_row): ?>+ <div class="etn-attendee-more">+ <a href="<?php echo esc_url($attendee_page_url); ?>" class="etn-attendee-more-link" target="_blank">+ <?php esc_html_e('See All Attendee', 'eventin'); ?>+ <svg xmlns="http://www.w3.org/2000/svg" width="16" height="13" viewBox="0 0 16 13" fill="none">+ <path d="M5.0071e-07 5.97206L15 5.97206" stroke="#5D5DFF" stroke-width="2"/>+ <path d="M9.96338 0.323146C10.4242 1.67272 12.0371 4.70761 14.8021 6.0506" stroke="#5D5DFF" stroke-width="2"/>+ <path d="M9.96338 11.778C10.4242 10.4285 12.0371 7.39359 14.8021 6.0506" stroke="#5D5DFF" stroke-width="2"/>+ </svg>+ </a>+ </div>+ <?php endif; ?>+ <?php else: ?>+ <p><?php esc_html_e('No attendee found', 'eventin'); ?></p>+ <?php endif; ?>+ </div>+</div>+++
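Review bot: `$items_per_row` is used in `array_slice($event_attendees, 0, $items_per_row)` and `count($event_attendees) > $items_per_row` without anything in this file ensuring it is a positive integer; cast it (for example `absint()` with a non-zero default) before use, since an empty or non-numeric value makes the first slice empty and the comparison meaningless. The fallback `__('CEO at addis', 'eventin')` reads like placeholder text but ships as the user-visible title for every attendee without a title, position, job_title or designation field; an empty string or no `<p>` at all would be the safer default. Minor markup: `id=attendee` is unquoted and `width=""`/`height=""` are empty attributes on the avatar image.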
**Vulnerability Existed: no**
**Proper Output Escaping - No CWE Violation - templates/event/parts/event-attendee.php [Lines 1-73]**
**Old Code:**
N/A (new file)
**Fixed Code:**
```php
<div class="<?php echo esc_attr($container_class); ?> etn-event-attendees">
...
<img src="<?php echo esc_url($attendee_avatar); ?>"
alt="<?php echo esc_attr($attendee_name); ?>"
...
<h4 class="etn-attendee-name"><?php echo esc_html($attendee_name); ?></h4>
<p class="etn-attendee-title"><?php echo esc_html($attendee_title); ?></p>
<a href="<?php echo esc_url($attendee_page_url); ?>" ...>
...
<?php esc_html_e('Event Attendee', 'eventin'); ?>
```
**Explanation:**
This is a new PHP template file, and every value that reaches the markup is escaped for the context it lands in:
- `esc_attr()` for HTML attributes (`$container_class`, `$attendee_name` in `alt`)
- `esc_url()` for URLs (`$attendee_avatar` in `src`, `$attendee_page_url` in `href`)
- `esc_html()` for text content (`$attendee_name`, `$attendee_title`, including a title taken from the attendee's `extra_fields`)
- `esc_html_e()` for translatable strings
The `! empty()` and `is_array()` checks are presence and type guards that keep the loop from raising notices on malformed data; they are not input validation, and the escaping at output is what prevents XSS here. `$items_per_row` and `$attendee_page_url` come from the including code; the former only feeds `array_slice()` and `count()` and never reaches the markup, the latter is escaped with `esc_url()`. The file uses the WordPress APIs `get_avatar_url()` and `apply_filters()` as intended, and no XSS, SQL injection or path traversal is present in it. One privacy note rather than a vulnerability: `get_avatar_url( $attendee_email, ... )` publishes a Gravatar URL derived from a hash of each attendee's email address on a page that may be public.
--- cache/wp-event-solution_4.0.51/templates/event/parts/event-banner.php 2026-01-09 00:38:10.008546481 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/event-banner.php 2026-01-09 00:43:17.299300790 +0000@@ -1,11 +1,9 @@-<div class="<?php echo esc_attr( $container_class ); ?>">- <div class="eventin-block-container">- <div class="event-banner">- <?php if ( $event_banner ): ?>- <img class="event-banner-image" src="<?php echo esc_url( $event_banner ) ?>" alt="event-banner">- <?php else: ?>- <p><?php esc_html_e( 'No event banner image found.', 'eventin' ); ?></p>- <?php endif; ?>- </div>+<div class="eventin-block-container">+ <div class="event-banner">+ <?php if ($event_banner): ?>+ <img class="event-banner-image" src="<?php echo esc_url($event_banner) ?>" alt="event-banner">+ <?php else: ?>+ <p><?php esc_html_e('No event banner image found.', 'eventin'); ?></p>+ <?php endif; ?> </div> </div>\ No newline at end of file
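Review bot: this hunk removes the outer `<div class="<?php echo esc_attr( $container_class ); ?>">` rather than fixing anything; that value was already escaped with esc_attr(), so the change is structural. Sibling templates in this same patch (event-datetime.php, event-attendee.php) still emit `$container_class` as their outermost wrapper, so confirm the including code now supplies that wrapper for the banner, otherwise the banner block loses its container class. The file also still ends without a trailing newline.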
Vulnerability Existed: no
No Security Vulnerabilities Detected - templates/event/parts/event-banner.php (Lines 1-11)
Old Code:
```php
<div class="<?php echo esc_attr( $container_class ); ?>">
<div class="eventin-block-container">
<div class="event-banner">
<?php if ( $event_banner ): ?>
<img class="event-banner-image" src="<?php echo esc_url( $event_banner ) ?>" alt="event-banner">
<?php else: ?>
<p><?php esc_html_e( 'No event banner image found.', 'eventin' ); ?></p>
<?php endif; ?>
</div>
</div>
</div>
```
Fixed Code:
```php
<div class="eventin-block-container">
<div class="event-banner">
<?php if ($event_banner): ?>
<img class="event-banner-image" src="<?php echo esc_url($event_banner) ?>" alt="event-banner">
<?php else: ?>
<p><?php esc_html_e('No event banner image found.', 'eventin'); ?></p>
<?php endif; ?>
</div>
</div>
```
Explanation:
This diff contains a structural change and code style formatting adjustments, not a security fix: (1) the outer `<div>` wrapper that echoed `$container_class` is removed, so the block container is now the outermost element, and (2) whitespace around PHP tags and inside parentheses is changed.
From a security perspective the template was already correctly escaped, with `esc_url()` on the image source and `esc_html_e()` on the fallback text, and both remain unchanged. The removed wrapper printed `$container_class` through `esc_attr()`, so dropping it removes an already escaped output, not a vector; it is a markup change whose effect on layout depends on whether the including code now provides that wrapper.
--- cache/wp-event-solution_4.0.51/templates/event/parts/event-datetime.php 2026-01-09 00:38:10.008546481 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/event-datetime.php 2026-01-09 00:43:17.307301279 +0000@@ -1,12 +1,12 @@-<div class="<?php echo esc_attr( $container_class ); ?>">+<div class="<?php echo esc_attr($container_class); ?>"> <div class="eventin-block-container"> <div class="etn-event-meta-info etn-widget"> <ul class="etn-ul"> <li class="etn-li">- <?php printf( __( '<span class="etn-span">Date:</span> %s - %s', 'eventin' ), $start_date, $end_date ) ?>+ <?php printf(__('<span class="etn-span">Date:</span> %s - %s', 'eventin'), $start_date, $end_date)?> </li> <li class="etn-li">- <?php printf( __( '<span class="etn-span">Time:</span> %s - %s (%s)', 'eventin' ), $start_time, $end_time, $timezone ) ?>+ <?php printf(__('<span class="etn-span">Time:</span> %s - %s (%s)', 'eventin'), $start_time, $end_time, $timezone)?> </li> </ul> </div>
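Review bot: the two printf() calls in this hunk are reformatted but still pass `$start_date`, `$end_date`, `$start_time`, `$end_time` and `$timezone` into the format string with no escaping, before and after the change. Because the translated format string itself carries the `<span class="etn-span">` markup, wrapping the whole printf() in esc_html() is not an option; escape each argument instead, for example `printf( __( '<span class="etn-span">Date:</span> %s - %s', 'eventin' ), esc_html( $start_date ), esc_html( $end_date ) )`, and the same for the Time line.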
Vulnerability Existed: no
No Vulnerabilities Identified - Code Style Changes Only
Old Code:
```php
<div class="<?php echo esc_attr( $container_class ); ?>">
...
<?php printf( __( '<span class="etn-span">Date:</span> %s - %s', 'eventin' ), $start_date, $end_date ) ?>
...
<?php printf( __( '<span class="etn-span">Time:</span> %s - %s (%s)', 'eventin' ), $start_time, $end_time, $timezone ) ?>
```
Fixed Code:
```php
<div class="<?php echo esc_attr($container_class); ?>">
...
<?php printf(__('<span class="etn-span">Date:</span> %s - %s', 'eventin'), $start_date, $end_date)?>
...
<?php printf(__('<span class="etn-span">Time:</span> %s - %s (%s)', 'eventin'), $start_time, $end_time, $timezone)?>
```
Explanation:
This diff contains no security fix. The changes are cosmetic code style adjustments:
- Removal of spaces around parentheses in function calls (e.g., `esc_attr( $var )` → `esc_attr($var)`)
- Removal of spaces before closing PHP tags (e.g., `) ?>` → `)?>`)
The one escaping call in the template, `esc_attr()` on `$container_class`, is unchanged. Note that `__()` is a translation function, not an escaping function: both before and after the change, `$start_date`, `$end_date`, `$start_time`, `$end_time` and `$timezone` are passed to `printf()` and printed without escaping. Whether that is exploitable depends on how the including code builds those strings, which this diff does not show, but the escaping gap is untouched by the patch.
--- cache/wp-event-solution_4.0.51/templates/event/parts/event-details-parts-pro.php 2026-01-09 00:38:10.012546725 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/event-details-parts-pro.php 2026-01-09 00:43:17.319302013 +0000@@ -179,7 +179,7 @@ if(!empty($etn_schedule_start_time) || !empty( $etn_schedule_end_time )){ ?> <span class='etn-schedule-time'>- <?php echo esc_html($etn_schedule_start_time) . $dash_sign . esc_html($etn_schedule_end_time); ?>+ <?php echo esc_html($etn_schedule_start_time) . esc_html($dash_sign) . esc_html($etn_schedule_end_time); ?> </span> <?php@@ -204,7 +204,7 @@ <i class="etn-icon etn-plus"></i> <?php endif; ?> </h4>- <?php echo Helper::render(trim( $etn_schedule_objective )); ?>+ <?php echo wp_kses_post( Helper::render(trim( $etn_schedule_objective )) ); ?> <?php if($etn_show_speaker_with_schedule === 'schedule_with_speaker') : ?> <div class="etn-acccordion-contents"> <div class='etn-schedule-content'>
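Review bot: escaping `$dash_sign` in the first hunk is consistency rather than a fix (in the schedule templates it is a template-local literal, `" - "` or `" "`), but the matching `etn-schedule-time` line in event-schedule-one.php in this same patch still concatenates `$dash_sign` unescaped; apply the same change there so the two templates do not drift. In the second hunk, wp_kses_post() runs on the already rendered output of Helper::render(), so any element outside the post allow-list that the renderer legitimately emits (iframe, script, svg) is now stripped on display; confirm what Helper::render() is expected to produce, and consider sanitising `etn_shedule_objective` on save as well so the stored value is clean regardless of which template prints it.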
Vulnerability 1:
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/event/parts/event-details-parts-pro.php - Line 182
Old Code:
```php
<?php echo esc_html($etn_schedule_start_time) . $dash_sign . esc_html($etn_schedule_end_time); ?>
```
Fixed Code:
```php
<?php echo esc_html($etn_schedule_start_time) . esc_html($dash_sign) . esc_html($etn_schedule_end_time); ?>
```
Explanation:
Hardening rather than a confirmed XSS. `$dash_sign` was concatenated into the output without escaping, between two values that were escaped. In the non-pro schedule template changed in the same release (event-schedule-one.php), `$dash_sign` is a template-local literal, `" - "` or `" "`, chosen by whether both times are set, and nothing in this diff suggests the pro template assigns it differently, so the unescaped echo was not reachable by untrusted input. Escaping it anyway makes every concatenated part pass through `esc_html()`, which is what the WordPress escaping sniff expects, and removes the risk that a later change to how `$dash_sign` is built turns the line into a sink.

Vulnerability 2:
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/event/parts/event-details-parts-pro.php - Line 207
Old Code:
```php
<?php echo Helper::render(trim( $etn_schedule_objective )); ?>
```
Fixed Code:
```php
<?php echo wp_kses_post( Helper::render(trim( $etn_schedule_objective )) ); ?>
```
Explanation:
The output of `Helper::render()` on the stored schedule objective was echoed directly. `Helper::render()` is not shown in the diff; its name and the fact that its result is echoed as HTML indicate it produces markup from the stored text, and nothing on this line filtered that markup before output, so any script or event-handler attribute stored in `etn_shedule_objective` would reach the page as-is. The fix wraps the rendered output in `wp_kses_post()`, which keeps the tags and attributes allowed in post content and strips the rest, so the worst a stored payload can do is lose its markup. Because the filter runs after rendering, anything outside that allow-list that `Helper::render()` legitimately emits (iframe, script, svg) is also stripped on display.
--- cache/wp-event-solution_4.0.51/templates/event/parts/event-details-parts.php 2026-01-09 00:38:10.008546481 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/event-details-parts.php 2026-01-09 00:43:17.315301769 +0000@@ -239,7 +239,7 @@ <li> <?php if ( $data['event_start_date'] !== $data['event_end_date']): ?> <span> <?php echo esc_html__( 'Date :', "eventin" ); ?></span>- <?php echo $start_date . $separate . $end_date; ?>+ <?php echo esc_html( $start_date . $separate . $end_date ); ?> <?php else: ?>@@ -335,9 +335,9 @@ ?> </h4> <p class="etn-acccordion-contents <?php echo esc_attr( $acc_class ); ?>">- <?php + <?php if ( has_blocks( $faq["etn_faq_content"] ) ) {- echo do_blocks( $faq["etn_faq_content"] );+ echo wp_kses_post( do_blocks( $faq["etn_faq_content"] ) ); } else { echo esc_html( $faq["etn_faq_content"] ); }
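Review bot: esc_html() on `$start_date . $separate . $end_date` in the first hunk is the right escape for that text node. In the second hunk, `wp_kses_post( do_blocks( $faq["etn_faq_content"] ) )` filters the rendered block HTML on every page view, which strips anything outside the post allow-list such as the iframe emitted by embed blocks or inline SVG, so FAQ entries built from those blocks will render differently after this change; if FAQ content can only be written by users who already hold unfiltered_html, filtering at save time would avoid the display-time breakage. Note also the asymmetry with the else branch, where `echo esc_html( $faq["etn_faq_content"] );` renders any HTML in non-block content as literal text.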
Vulnerability 1: Output Escaping
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Output During Web Page Generation ('Cross-site Scripting') - CWE-79 - templates/event/parts/event-details-parts.php - Line 242
Old Code:
```php
<?php echo $start_date . $separate . $end_date; ?>
```
Fixed Code:
```php
<?php echo esc_html( $start_date . $separate . $end_date ); ?>
```
Explanation:
The original code directly echoed the concatenation of `$start_date`, `$separate` and `$end_date` without escaping. The diff does not show how the caller builds these values; if any of them can carry attacker-controlled text, the unescaped echo is a stored XSS sink. The fix wraps the concatenation in esc_html(), the correct escape for a text node, so markup in any of the three values is rendered as literal text rather than parsed.
Vulnerability 2: Unsafe Block Rendering
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Output During Web Page Generation ('Cross-site Scripting') - CWE-79 - templates/event/parts/event-details-parts.php - Line 340
Old Code:
```php
echo do_blocks( $faq["etn_faq_content"] );
```
Fixed Code:
```php
echo wp_kses_post( do_blocks( $faq["etn_faq_content"] ) );
```
Explanation:
The original code echoed the output of do_blocks() on the stored FAQ content without filtering it. do_blocks() renders block markup into HTML; it does not sanitize it, so any HTML stored in `etn_faq_content`, including script elements or event-handler attributes, was emitted as-is. The fix wraps the rendered output in wp_kses_post(), which keeps the tags and attributes allowed in post content and strips the rest, preventing XSS while preserving ordinary block formatting. Two caveats: wp_kses_post() also strips elements that some blocks legitimately emit (for example the iframe of an embed block), so FAQ content built from those blocks will render differently after the fix; and the else branch passes non-block content through esc_html(), so stored HTML without block markup is shown as literal text rather than rendered.
--- cache/wp-event-solution_4.0.51/templates/event/parts/event-schedule-one.php 2026-01-09 00:38:10.012546725 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/event-schedule-one.php 2026-01-09 00:43:17.323302258 +0000@@ -1,123 +1,123 @@ <?php-use \Etn\Utils\Helper as Helper;+ use \Etn\Utils\Helper as Helper; -$event_options = get_option("etn_event_options");-$data = Helper::single_template_options( $event_id );-$etn_event_schedule = isset( $data['etn_event_schedule']) ? $data['etn_event_schedule'] : [];--if ( ! isset( $event_options["etn_hide_schedule_from_details"] ) && !empty( $etn_event_schedule ) ) {- if ( is_array( $etn_event_schedule ) ) {- $args = array(- 'post__in' => $etn_event_schedule,- 'orderby' => 'post_date',- 'order' => 'asc',- 'post_type' => 'etn-schedule',- 'post_status' => 'publish',- 'suppress_filters' => false,- 'numberposts' => -1- );+ $event_options = get_option("etn_event_options");+ $data = Helper::single_template_options($event_id);+ $etn_event_schedule = isset($data['etn_event_schedule']) ? $data['etn_event_schedule'] : [];++ if (! isset($event_options["etn_hide_schedule_from_details"]) && ! 
empty($etn_event_schedule)) {+ if (is_array($etn_event_schedule)) {+ $args = [+ 'post__in' => $etn_event_schedule,+ 'orderby' => 'post_date',+ 'order' => 'asc',+ 'post_type' => 'etn-schedule',+ 'post_status' => 'publish',+ 'suppress_filters' => false,+ 'numberposts' => -1,+ ]; - $schedule_query = get_posts($args);+ $schedule_query = get_posts($args); - ?>+ ?> <!-- schedule tab start -->-<div class=" schedule-tab-wrapper etn-tab-wrapper schedule-style-1 no-shadow pt-0 <?php echo esc_attr( $container_class ); ?>">- <div class="eventin-block-container"> +<div class=" schedule-tab-wrapper etn-tab-wrapper schedule-style-1 no-shadow pt-0 <?php echo esc_attr($container_class); ?>">+ <div class="eventin-block-container"> <h3 class="etn-tags-title"><?php echo esc_html__('Schedule:', 'eventin'); ?></h3> <ul class='etn-nav'> <?php- $i = -1;- foreach ($schedule_query as $post) :- $single_schedule_id = $post->ID;- $i++;- $schedule_meta = get_post_meta($single_schedule_id);- $schedule_date = !empty( $schedule_meta['etn_schedule_date'][0] ) ? date_i18n(\Etn\Core\Event\Helper::instance()->etn_date_format(), strtotime($schedule_meta['etn_schedule_date'][0])) : "";- $active_class = (($i == 0) ? 'etn-active' : ' ');- ?>- <li>- <a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>'- data-id='tab<?php echo esc_attr($i); ?>'>- <span class='etn-date'><?php echo esc_html($post->post_title); ?></span>- <span class='etn-day'><?php echo esc_html($schedule_date); ?></span>- </a>- </li>- <?php endforeach; ?>+ $i = -1;+ foreach ($schedule_query as $post):+ $single_schedule_id = $post->ID;+ $i++;+ $schedule_meta = get_post_meta($single_schedule_id);+ $schedule_date = ! empty($schedule_meta['etn_schedule_date'][0]) ? date_i18n(\Etn\Core\Event\Helper::instance()->etn_date_format(), strtotime($schedule_meta['etn_schedule_date'][0])) : "";+ $active_class = (($i == 0) ? 
'etn-active' : ' ');+ ?>+ <li>+ <a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>'+ data-id='tab<?php echo esc_attr($i); ?>'>+ <span class='etn-date'><?php echo esc_html($post->post_title); ?></span>+ <span class='etn-day'><?php echo esc_html($schedule_date); ?></span>+ </a>+ </li>+ <?php endforeach; ?> </ul> <div class='etn-tab-content clearfix etn-schedule-wrap'> <?php- $j = -1;- foreach ($schedule_query as $post) :- $single_schedule_id = $post->ID;- $j++;- $schedule_meta = get_post_meta($single_schedule_id);- $schedule_date = strtotime($schedule_meta['etn_schedule_date'][0]);- $schedule_topics = !empty($schedule_meta['etn_schedule_topics'][0]) ? unserialize($schedule_meta['etn_schedule_topics'][0]) : [];- $schedule_date = date_i18n("d M", $schedule_date);- $active_class = (($j == 0) ? 'tab-active' : ' ');- $etn_show_speaker_with_schedule = get_post_meta( $event_id, 'etn_select_speaker_schedule_type', true );- $etn_show_speaker_with_schedule = !empty( $etn_show_speaker_with_schedule) ? $etn_show_speaker_with_schedule : 'schedule_with_speaker';- ?>- <!-- start repeatable item -->- <div class='etn-tab <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($j); ?>'>- <?php- $etn_tab_time_format = (!empty($event_options["time_format"]) && $event_options["time_format"] == '24') ? "H:i" : get_option( 'time_format' );- if( is_array( $schedule_topics ) && !empty( $schedule_topics ) ){- foreach($schedule_topics as $topic) {- $etn_schedule_topic = (isset($topic['etn_schedule_topic']) ? $topic['etn_schedule_topic'] : '');- $etn_schedule_start_time = !empty($topic['etn_shedule_start_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_start_time'])) : '';- $etn_schedule_end_time = !empty($topic['etn_shedule_end_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_end_time'])) : '';- $etn_schedule_room = (isset($topic['etn_shedule_room']) ? 
$topic['etn_shedule_room'] : '');- $etn_schedule_objective = (isset($topic['etn_shedule_objective']) ? $topic['etn_shedule_objective'] : '');- $etn_schedule_speaker = (isset($topic['speakers']) ? (array) $topic['speakers'] : []);- $dash_sign = ( !empty( $etn_schedule_start_time ) && !empty( $etn_schedule_end_time ) ) ? " - " : " ";-- ?>- <div class='etn-single-schedule-item etn-row'>- <div class='etn-schedule-info etn-col-sm-4'>- <?php- - if(!empty($etn_schedule_start_time) || !empty( $etn_schedule_end_time )){- ?>- <span class='etn-schedule-time'>- <?php echo esc_html($etn_schedule_start_time) . $dash_sign . esc_html($etn_schedule_end_time); ?>- </span>-- <?php- }- - if( !empty( $etn_schedule_room ) ){- ?>- <span class='etn-schedule-location'>- <i class='etn-icon etn-location'></i>- <?php echo esc_html($etn_schedule_room); ?>- </span>- <?php- }- ?>- </div>- <div class='etn-col-sm-8'>- <div class="etn-accordion-wrap">- <div class="etn-content-item">- <h4 class='etn-accordion-heading'>- <?php echo esc_html($etn_schedule_topic); ?>- <?php if($etn_show_speaker_with_schedule === 'schedule_with_speaker') : ?>- <i class="etn-icon etn-plus"></i>- <?php endif; ?>+ $j = -1;+ foreach ($schedule_query as $post):+ $single_schedule_id = $post->ID;+ $j++;+ $schedule_meta = get_post_meta($single_schedule_id);+ $schedule_date = strtotime($schedule_meta['etn_schedule_date'][0]);+ $schedule_topics = ! empty($schedule_meta['etn_schedule_topics'][0]) ? unserialize($schedule_meta['etn_schedule_topics'][0]) : [];+ $schedule_date = date_i18n("d M", $schedule_date);+ $active_class = (($j == 0) ? 'tab-active' : ' ');+ $etn_show_speaker_with_schedule = get_post_meta($event_id, 'etn_select_speaker_schedule_type', true);+ $etn_show_speaker_with_schedule = ! empty($etn_show_speaker_with_schedule) ? 
$etn_show_speaker_with_schedule : 'schedule_with_speaker';+ ?>+ <!-- start repeatable item -->+ <div class='etn-tab <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($j); ?>'>+ <?php+ $etn_tab_time_format = (! empty($event_options["time_format"]) && $event_options["time_format"] == '24') ? "H:i" : get_option('time_format');+ if (is_array($schedule_topics) && ! empty($schedule_topics)) {+ foreach ($schedule_topics as $topic) {+ $etn_schedule_topic = (isset($topic['etn_schedule_topic']) ? $topic['etn_schedule_topic'] : '');+ $etn_schedule_start_time = ! empty($topic['etn_shedule_start_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_start_time'])) : '';+ $etn_schedule_end_time = ! empty($topic['etn_shedule_end_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_end_time'])) : '';+ $etn_schedule_room = (isset($topic['etn_shedule_room']) ? $topic['etn_shedule_room'] : '');+ $etn_schedule_objective = (isset($topic['etn_shedule_objective']) ? $topic['etn_shedule_objective'] : '');+ $etn_schedule_speaker = (isset($topic['speakers']) ? (array) $topic['speakers'] : []);+ $dash_sign = (! empty($etn_schedule_start_time) && ! empty($etn_schedule_end_time)) ? " - " : " ";++ ?>+ <div class='etn-single-schedule-item etn-row'>+ <div class='etn-schedule-info etn-col-sm-4'>+ <?php++ if (! empty($etn_schedule_start_time) || ! empty($etn_schedule_end_time)) {+ ?>+ <span class='etn-schedule-time'>+ <?php echo esc_html($etn_schedule_start_time) . $dash_sign . esc_html($etn_schedule_end_time); ?>+ </span>++ <?php+ }++ if (! 
empty($etn_schedule_room)) {+ ?>+ <span class='etn-schedule-location'>+ <i class='etn-icon etn-location'></i>+ <?php echo esc_html($etn_schedule_room); ?>+ </span>+ <?php+ }+ ?>+ </div>+ <div class='etn-col-sm-8'>+ <div class="etn-accordion-wrap">+ <div class="etn-content-item">+ <h4 class='etn-accordion-heading'>+ <?php echo esc_html($etn_schedule_topic); ?>+ <?php if ($etn_show_speaker_with_schedule === 'schedule_with_speaker'): ?>+ <i class="etn-icon etn-plus"></i>+ <?php endif; ?> </h4>- <?php echo Helper::render(trim( $etn_schedule_objective )); ?>+ <?php echo wp_kses_post( Helper::render(trim( $etn_schedule_objective )) ); ?> <?php if($etn_show_speaker_with_schedule === 'schedule_with_speaker') : ?> <div class="etn-acccordion-contents"> <div class='etn-schedule-content'> <div class='etn-schedule-speaker'> <?php $speaker_avatar = apply_filters("etn/speakers/avatar", \Wpeventin::assets_url() . "images/avatar.jpg");- if (count($etn_schedule_speaker) > 0) {- foreach ($etn_schedule_speaker as $key => $value) { - - $etn_speaker_permalink = Helper::get_author_page_url_by_id($value);- $speaker_thumbnail = get_user_meta( $value, 'image', true);- $speaker_title = get_the_author_meta( 'display_name', $value );- ?>+ if (count($etn_schedule_speaker) > 0) {+ foreach ($etn_schedule_speaker as $key => $value) {++ $etn_speaker_permalink = Helper::get_author_page_url_by_id($value);+ $speaker_thumbnail = get_user_meta($value, 'image', true);+ $speaker_title = get_the_author_meta('display_name', $value);+ ?> <div class='etn-schedule-single-speaker'> <a href='<?php echo esc_url($etn_speaker_permalink); ?>'> <img src='<?php echo esc_url($speaker_thumbnail); ?>' alt='<?php echo esc_attr($speaker_title); ?>' width="50" height="50">@@ -125,9 +125,9 @@ <span class='etn-schedule-speaker-title'><?php echo esc_html($speaker_title); ?></span> </div> <?php- }- }- ?>+ }+ }+ ?> </div> </div> </div>@@ -136,19 +136,19 @@ </div> </div> </div>- <?php + <?php }- } - ?>+ }+ ?> </div> <!-- end 
repeatable item --> <?php endforeach;- wp_reset_postdata(); ?>+ wp_reset_postdata(); ?> </div> </div> </div> </div> <!-- schedule tab end --> <?php-}+ } }
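Review bot: the only behavioural change in this patch is the wp_kses_post() wrapper around Helper::render(); everything else is re-indentation of the whole file, which buries that one line and belongs in a separate formatting commit. Two things the re-indentation left as they were: `<?php echo esc_html($etn_schedule_start_time) . $dash_sign . esc_html($etn_schedule_end_time); ?>` still concatenates `$dash_sign` unescaped although the same line in event-details-parts-pro.php was escaped in this release, and `unserialize($schedule_meta['etn_schedule_topics'][0])` still deserialises raw post meta with no class restriction. Either read the key with `get_post_meta($single_schedule_id, 'etn_schedule_topics', true)` so the template stops calling unserialize() itself, or keep the raw value and use `unserialize($raw, ['allowed_classes' => false])` followed by an is_array() check.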
Vulnerability Existed: yes
FALSE POSITIVE
Unvalidated Serialized Data Deserialization - CWE-502 - templates/event/parts/event-schedule-one.php Line 59
Old Code:
```php
$schedule_topics = !empty($schedule_meta['etn_schedule_topics'][0]) ? unserialize($schedule_meta['etn_schedule_topics'][0]) : [];
```
Fixed Code:
```php
$schedule_topics = ! empty($schedule_meta['etn_schedule_topics'][0]) ? unserialize($schedule_meta['etn_schedule_topics'][0]) : [];
```
Explanation:
The template calls `unserialize()` on the raw `etn_schedule_topics` meta of an `etn-schedule` post (`get_post_meta()` called with no key returns meta values as stored, so this is a serialized string) with no `allowed_classes` restriction. A serialized object in that meta would be instantiated during the call, which is the PHP object injection pattern behind CWE-502. The value comes from the plugin's own post meta rather than from the request, so an exploit would need a way to write arbitrary meta for a schedule post plus a gadget chain in the installed code; the diff only re-indents the line and leaves the call unchanged, which is why this entry is recorded as a false positive for this patch. The safer idiom is `get_post_meta( $id, 'etn_schedule_topics', true )`, which hands the template an already unserialized value, or `unserialize( $raw, [ 'allowed_classes' => false ] )` followed by an `is_array()` check.

Vulnerability Existed: yes
TRUE POSITIVE
Improper Output Encoding - CWE-79 (Cross-site Scripting) - templates/event/parts/event-schedule-one.php Line 143
Old Code:
```php
<?php echo Helper::render(trim( $etn_schedule_objective )); ?>
```
Fixed Code:
```php
<?php echo wp_kses_post( Helper::render(trim( $etn_schedule_objective )) ); ?>
```
Explanation:
The original code echoed the result of `Helper::render()` on the stored schedule objective without filtering it; the renderer is not in the diff, but its output is printed as HTML, so any markup stored in `etn_shedule_objective` reached the page unfiltered. The fix wraps the output in `wp_kses_post()`, which keeps the post-content allow-list of tags and attributes and strips script, event handlers and unknown elements. This is the same change made to event-details-parts-pro.php in this release; the `$dash_sign` escape applied there was not carried over to this file.
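The unserialize() call flagged above is the kind of sink that is cheap to harden at the read site. The code below is an added example for this page, not Eventin's: it decodes the `etn_schedule_topics` meta with object instantiation disabled and reduces the result to the scalar fields the schedule templates read, so a serialized object stored in the meta comes back as a `__PHP_Incomplete_Class` with no constructor, `__wakeup()` or `__destruct()` run, and is dropped. It assumes WordPress is loaded (`get_post_meta()`, `absint()`); the `etn_example_*` function names are this example's own, and the field keys mirror the ones the template reads, including the `etn_shedule_*` spelling.

```php
<?php
// Added example for this page, not Eventin's code. Assumes WordPress is loaded
// (get_post_meta(), absint()); the etn_example_* names are assumed.

/**
 * Reduce whatever came out of the meta store to a list of topic arrays holding
 * only the scalar fields the schedule templates read. Anything else is dropped.
 */
function etn_example_normalize_topics( $decoded ): array {
    if ( ! is_array( $decoded ) ) {
        return [];
    }
    $str = static function ( $v ): string {
        return is_scalar( $v ) ? (string) $v : '';
    };
    $topics = [];
    foreach ( $decoded as $topic ) {
        if ( ! is_array( $topic ) ) {
            continue; // e.g. a __PHP_Incomplete_Class left behind by a serialized object
        }
        $topics[] = [
            'etn_schedule_topic'     => $str( $topic['etn_schedule_topic'] ?? '' ),
            'etn_shedule_start_time' => $str( $topic['etn_shedule_start_time'] ?? '' ),
            'etn_shedule_end_time'   => $str( $topic['etn_shedule_end_time'] ?? '' ),
            'etn_shedule_room'       => $str( $topic['etn_shedule_room'] ?? '' ),
            'etn_shedule_objective'  => $str( $topic['etn_shedule_objective'] ?? '' ),
            // The templates treat speaker entries as user IDs; keep only positive integers.
            'speakers'               => array_values( array_filter( array_map( 'absint', (array) ( $topic['speakers'] ?? [] ) ) ) ),
        ];
    }
    return $topics;
}

/**
 * Decode a raw serialized meta string. allowed_classes => false means no class
 * is instantiated during decoding, so no constructor, __wakeup() or __destruct()
 * from the installed code base can run on attacker-chosen data.
 */
function etn_example_decode_topics( string $raw ): array {
    if ( '' === $raw ) {
        return [];
    }
    // @ silences the E_NOTICE unserialize() raises on malformed input; the
    // result is false in that case and normalisation returns [].
    $decoded = @unserialize( $raw, [ 'allowed_classes' => false ] );
    return etn_example_normalize_topics( $decoded );
}

/**
 * Read the meta the same way the template does: get_post_meta() with no key
 * returns every value as stored (not unserialized), which is exactly the raw
 * string the restricted decoder needs.
 */
function etn_example_schedule_topics( int $schedule_id ): array {
    $all = get_post_meta( $schedule_id );
    return etn_example_decode_topics( (string) ( $all['etn_schedule_topics'][0] ?? '' ) );
}
```

The raw-read path is deliberate: `get_post_meta( $id, 'etn_schedule_topics', true )` is the more idiomatic call and keeps `unserialize()` out of the template, but it delegates decoding to core's `maybe_unserialize()`, which has historically passed no `allowed_classes` restriction, so any object in the meta would already be instantiated by the time the template sees it. Decoding the stored string yourself with `allowed_classes => false` is the stricter option when the meta is only ever meant to hold arrays.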
--- cache/wp-event-solution_4.0.51/templates/event/parts/event-schedule.php 2026-01-09 00:38:10.012546725 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/event-schedule.php 2026-01-09 00:43:17.327302503 +0000@@ -1,149 +1,149 @@ <?php -use \Etn\Utils\Helper;+ use \Etn\Utils\Helper; -defined( 'ABSPATH' ) || exit;+ defined('ABSPATH') || exit; -$etn_event_schedule = $event->etn_event_schedule;-date_default_timezone_set('UTC');+ $etn_event_schedule = $event->etn_event_schedule;+ date_default_timezone_set('UTC'); -if ( is_array($etn_event_schedule) && !empty($etn_event_schedule) ) {- $args = array(- 'post__in' => $etn_event_schedule,- 'orderby' => 'post_date',- 'order' => 'asc',- 'post_type' => 'etn-schedule',- 'post_status' => 'publish',- 'suppress_filters' => false,- );+ if (is_array($etn_event_schedule) && ! empty($etn_event_schedule)) {+ $args = [+ 'post__in' => $etn_event_schedule,+ 'orderby' => 'post_date',+ 'order' => 'asc',+ 'post_type' => 'etn-schedule',+ 'post_status' => 'publish',+ 'suppress_filters' => false,+ ]; - $schedule_query = get_posts($args);+ $schedule_query = get_posts($args); ?> <!-- schedule tab start -->-<div class="schedule-tab-wrapper etn-tab-wrapper <?php echo esc_attr( $container_class ); ?>">+<div class="schedule-tab-wrapper etn-tab-wrapper <?php echo esc_attr($container_class); ?>"> <div class="eventin-block-container"> <ul class='etn-nav'> <?php $i = -1;- if( is_array( $schedule_query ) ){- foreach ($schedule_query as $post) :- $single_schedule_id = $post->ID;- $i++;- $schedule_meta = get_post_meta($single_schedule_id);- $schedule_date = !empty( $schedule_meta['etn_schedule_date'][0] ) ? date_i18n("d M", strtotime($schedule_meta['etn_schedule_date'][0])) : "";- $active_class = (($i == 0) ? 'etn-active' : ' ');+ if (is_array($schedule_query)) {+ foreach ($schedule_query as $post):+ $single_schedule_id = $post->ID;+ $i++;+ $schedule_meta = get_post_meta($single_schedule_id);+ $schedule_date = ! 
empty($schedule_meta['etn_schedule_date'][0]) ? date_i18n("d M", strtotime($schedule_meta['etn_schedule_date'][0])) : "";+ $active_class = (($i == 0) ? 'etn-active' : ' '); ?>- <li>- <a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>'- data-id='tab<?php echo esc_attr($i); ?>'>- <span class='etn-date'><?php echo esc_html($schedule_date); ?></span>- <span class=etn-day><?php echo esc_html($post->post_title); ?></span>- </a>- </li>- <?php - endforeach; - }- ?>+ <li>+ <a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>'+ data-id='tab<?php echo esc_attr($i); ?>'>+ <span class='etn-date'><?php echo esc_html($schedule_date); ?></span>+ <span class=etn-day><?php echo esc_html($post->post_title); ?></span>+ </a>+ </li>+ <?php+ endforeach;+ }+ ?> </ul> <div class='etn-tab-content clearfix etn-schedule-wrap'> <?php $j = -1;- if( is_array( $schedule_query ) ){- foreach ($schedule_query as $post) :- $single_schedule_id = $post->ID;- $j++;- $schedule_meta = get_post_meta($single_schedule_id);- $schedule_topics = unserialize($schedule_meta['etn_schedule_topics'][0] ?? '') ?: [];- $schedule_date = !empty( $schedule_meta['etn_schedule_date'][0] ) ? date_i18n("d M", strtotime($schedule_meta['etn_schedule_date'][0]) ) : "";- $active_class = (($j == 0) ? 'tab-active' : ' ');+ if (is_array($schedule_query)) {+ foreach ($schedule_query as $post):+ $single_schedule_id = $post->ID;+ $j++;+ $schedule_meta = get_post_meta($single_schedule_id);+ $schedule_topics = unserialize($schedule_meta['etn_schedule_topics'][0] ?? '') ?: [];+ $schedule_date = ! empty($schedule_meta['etn_schedule_date'][0]) ? date_i18n("d M", strtotime($schedule_meta['etn_schedule_date'][0])) : "";+ $active_class = (($j == 0) ? 
'tab-active' : ' '); ?>- <!-- start repeatable item -->- <div class='etn-tab <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($j); ?>'>- <?php- $etn_tab_time_format = ( isset( $event_options["time_format"] ) && $event_options["time_format"] == '24' ) ? "H:i" : get_option( 'time_format' );- if( is_array( $schedule_topics ) && !empty($schedule_topics) ){- foreach ($schedule_topics as $topic) :- $etn_schedule_topic = (isset($topic['etn_schedule_topic']) ? $topic['etn_schedule_topic'] : '');- $etn_schedule_start_time = !empty($topic['etn_shedule_start_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_start_time'])) : '';- $etn_schedule_end_time = !empty($topic['etn_shedule_end_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_end_time'])) : '';- $etn_schedule_room = (isset($topic['etn_shedule_room']) ? $topic['etn_shedule_room'] : '');- $etn_schedule_objective = (isset($topic['etn_shedule_objective']) ? $topic['etn_shedule_objective'] : '');- $etn_schedule_speaker = (isset($topic['speakers']) ? $topic['speakers'] : []);- $dash_sign = ( !empty( $etn_schedule_start_time ) && !empty( $etn_schedule_end_time ) ) ? " - " : " ";- ?>- <div class='etn-single-schedule-item etn-row'>- <div class='etn-schedule-info etn-col-sm-4'>- <?php- if(!empty($etn_schedule_start_time) || !empty( $etn_schedule_end_time )){- ?>- <span class='etn-schedule-time'>- <?php echo esc_html($etn_schedule_start_time) . $dash_sign . esc_html($etn_schedule_end_time); ?>- </span>- <?php+ <!-- start repeatable item -->+ <div class='etn-tab <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($j); ?>'>+ <?php+ $etn_tab_time_format = (isset($event_options["time_format"]) && $event_options["time_format"] == '24') ? "H:i" : get_option('time_format');+ if (is_array($schedule_topics) && ! empty($schedule_topics)) {+ foreach ($schedule_topics as $topic):+ $etn_schedule_topic = (isset($topic['etn_schedule_topic']) ? 
$topic['etn_schedule_topic'] : '');+ $etn_schedule_start_time = ! empty($topic['etn_shedule_start_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_start_time'])) : '';+ $etn_schedule_end_time = ! empty($topic['etn_shedule_end_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_end_time'])) : '';+ $etn_schedule_room = (isset($topic['etn_shedule_room']) ? $topic['etn_shedule_room'] : '');+ $etn_schedule_objective = (isset($topic['etn_shedule_objective']) ? $topic['etn_shedule_objective'] : '');+ $etn_schedule_speaker = (isset($topic['speakers']) ? $topic['speakers'] : []);+ $dash_sign = (! empty($etn_schedule_start_time) && ! empty($etn_schedule_end_time)) ? " - " : " ";+ ?>+ <div class='etn-single-schedule-item etn-row'>+ <div class='etn-schedule-info etn-col-sm-4'>+ <?php+ if (! empty($etn_schedule_start_time) || ! empty($etn_schedule_end_time)) {+ ?>+ <span class='etn-schedule-time'>+ <?php echo esc_html($etn_schedule_start_time) . $dash_sign . esc_html($etn_schedule_end_time); ?>+ </span>+ <?php }- if( !empty( $etn_schedule_room ) ){- ?>- <span class='etn-schedule-location'>- <i class='etn-icon etn-location'></i><?php echo esc_html($etn_schedule_room);?>- </span>- <?php+ if (! empty($etn_schedule_room)) {+ ?>+ <span class='etn-schedule-location'>+ <i class='etn-icon etn-location'></i><?php echo esc_html($etn_schedule_room); ?>+ </span>+ <?php }- ?>- </div>- <div class='etn-schedule-content etn-col-sm-8'>- <h4 class='etn-title'><?php echo esc_html($etn_schedule_topic); ?></h4>- <p><?php echo Helper::kses($etn_schedule_objective) ; ?></p>- <?php - $etn_show_speaker_with_schedule = get_post_meta( $event_id, 'etn_select_speaker_schedule_type', true );- $etn_show_speaker_with_schedule = !empty( $etn_show_speaker_with_schedule) ? 
$etn_show_speaker_with_schedule : 'schedule_with_speaker';- ; ?>- <?php if($etn_show_speaker_with_schedule === 'schedule_with_speaker') : ?>- <!-- Show speaker block if it's selected from event meta -->- <div class='etn-schedule-content'>- <div class='etn-schedule-speaker'>- <?php- $speaker_avatar = apply_filters("etn/speakers/avatar", \Wpeventin::assets_url() . "images/avatar.jpg");- if (is_array($etn_schedule_speaker) && !empty($etn_schedule_speaker)) {- foreach ($etn_schedule_speaker as $key => $value) {- $etn_speaker_permalink = Helper::get_author_page_url_by_id($value);- $etn_speaker_image = get_user_meta( $value, 'image', true);- $speaker_title = get_the_author_meta( 'display_name', $value );- ?>- <div class='etn-schedule-single-speaker'>- <a href='<?php echo esc_url($etn_speaker_permalink); ?>'- aria-label="<?php echo esc_html($speaker_title); ?>">- <?php if($etn_speaker_image): ?>- <img src="<?php echo esc_url($etn_speaker_image); ?>" alt="<?php echo esc_attr($speaker_title); ?>" height="50" width="50">- <?php echo get_the_post_thumbnail($value, 'thumbnail'); ?>- <?php else: ?>- <img src='<?php echo esc_url($speaker_avatar); ?>'- alt='<?php echo esc_attr($speaker_title); ?>'>- <?php endif; ?>+ ?>+ </div>+ <div class='etn-schedule-content etn-col-sm-8'>+ <h4 class='etn-title'><?php echo esc_html($etn_schedule_topic); ?></h4>+ <p><?php echo Helper::kses($etn_schedule_objective); ?></p>+ <?php+ $etn_show_speaker_with_schedule = get_post_meta($event_id, 'etn_select_speaker_schedule_type', true);+ $etn_show_speaker_with_schedule = ! empty($etn_show_speaker_with_schedule) ? $etn_show_speaker_with_schedule : 'schedule_with_speaker';+ ?>+ <?php if ($etn_show_speaker_with_schedule === 'schedule_with_speaker'): ?>+ <!-- Show speaker block if it's selected from event meta -->+ <div class='etn-schedule-content'>+ <div class='etn-schedule-speaker'>+ <?php+ $speaker_avatar = apply_filters("etn/speakers/avatar", \Wpeventin::assets_url() . 
"images/avatar.jpg");+ if (is_array($etn_schedule_speaker) && ! empty($etn_schedule_speaker)) {+ foreach ($etn_schedule_speaker as $key => $value) {+ $etn_speaker_permalink = Helper::get_author_page_url_by_id($value);+ $etn_speaker_image = get_user_meta($value, 'image', true);+ $speaker_title = get_the_author_meta('display_name', $value);+ ?>+ <div class='etn-schedule-single-speaker'>+ <a href='<?php echo esc_url($etn_speaker_permalink); ?>'+ aria-label="<?php echo esc_html($speaker_title); ?>">+ <?php if ($etn_speaker_image): ?>+ <img src="<?php echo esc_url($etn_speaker_image); ?>" alt="<?php echo esc_attr($speaker_title); ?>" height="50" width="50">+ <?php echo get_the_post_thumbnail($value, 'thumbnail'); ?>+ <?php else: ?>+ <img src='<?php echo esc_url($speaker_avatar); ?>'+ alt='<?php echo esc_attr($speaker_title); ?>'>+ <?php endif; ?> </a> <span class='etn-schedule-speaker-title'><?php echo esc_html($speaker_title); ?></span> </div> <?php- }- }- ?>+ }+ }+ ?> </div> </div> <?php endif; ?> </div> </div>- <?php - endforeach; + <?php+ endforeach; }- ?>+ ?> </div> <!-- end repeatable item -->- <?php - endforeach;- }+ <?php+ endforeach;+ } wp_reset_postdata(); ?> </div> </div> </div> <!-- schedule tab end -->-<?php +<?php }
Vulnerability Existed: no
No Security Vulnerabilities Detected - Code Formatting/Style Changes Only
Old Code: Multiple lines with inconsistent formatting, spacing, and indentation
Fixed Code: Reformatted code with consistent indentation, spacing, and brace styles
Explanation:
This diff contains only code formatting and style changes. The modifications include:
- Standardized indentation throughout the file
- Converted array syntax from array() to [] (modern PHP style)
- Consistent spacing around operators and function calls
- Aligned assignment operators for readability
- Normalized whitespace in HTML/PHP mixed markup
All security-relevant aspects remain unchanged:
- Output escaping functions (esc_html, esc_attr, esc_url) are still present
- Helper::kses() sanitization is still in place
- get_posts() with post_status validation remains unchanged
- No new data sources or unsafe operations introduced
- No removal of security checks or filters
This is purely a code quality improvement with no security implications.
--- cache/wp-event-solution_4.0.51/templates/event/parts/event-venue.php 2026-01-09 00:38:10.012546725 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/event-venue.php 2026-01-09 00:43:17.339303237 +0000@@ -1,6 +1,11 @@-<div class="<?php echo esc_attr( $container_class ); ?>">+<div class="<?php echo esc_attr($container_class); ?>"> <div class="eventin-block-container">- <div class="eventin-venue-value"><?php echo esc_html( $event_location ); ?></div>+ <div class="eventin-venue-value">+ <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 14 16" fill="none">+ <path fill-rule="evenodd" clip-rule="evenodd" d="M6.99789 5.35125C6.20678 5.35125 5.56546 5.99369 5.56546 6.78618C5.56546 7.57867 6.20678 8.22111 6.99789 8.22111C7.78899 8.22111 8.43031 7.57867 8.43031 6.78618C8.43031 5.99369 7.78899 5.35125 6.99789 5.35125ZM3.94995 6.78618C3.94995 5.09991 5.31456 3.73291 6.99789 3.73291C8.68122 3.73291 10.0458 5.09991 10.0458 6.78618C10.0458 8.47246 8.68122 9.83945 6.99789 9.83945C5.31456 9.83945 3.94995 8.47246 3.94995 6.78618Z" fill="#4E7FFD"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M7.00215 1.61834C4.65012 1.61675 2.37917 2.97814 1.77083 5.65634C1.04534 8.86786 3.02722 11.6872 4.96797 13.5611C6.10654 14.6561 7.89457 14.654 9.02387 13.5621L9.02534 13.5607C10.9732 11.6868 12.9548 8.87437 12.2291 5.66304L12.2291 5.663C11.6239 2.98462 9.35438 1.61994 7.00215 1.61834ZM13.8047 5.30572C13.0025 1.75531 9.96246 0.0020054 7.00325 1.71953e-06C4.04393 -0.00200209 1.00172 1.7473 0.19548 5.2977L0.195292 5.29853C-0.730257 9.3942 1.82511 12.7744 3.84747 14.7269L3.84849 14.7279C5.61019 16.4228 8.38729 16.4252 10.1443 14.7279C12.1742 12.7753 14.7304 9.4021 13.8047 5.30572Z" fill="#4E7FFD"/>+ </svg>+ <?php echo esc_html($event_location); ?>+ </div> </div>- </div>\ No newline at end of file
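Review bot: the inline `<svg>` added inside `.eventin-venue-value` is decorative, so it should carry `aria-hidden="true"` and `focusable="false"` so assistive technology does not announce an unnamed graphic before the venue text; the hardcoded `fill="#4E7FFD"` also prevents themes from recolouring it, where `fill="currentColor"` would inherit the surrounding text colour. Escaping is unchanged (`esc_attr($container_class)` on the wrapper, `esc_html($event_location)` on the value) and the static markup adds no new output sink.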
Vulnerability Existed: no
No CWE - N/A - templates/event/parts/event-venue.php - All lines
Old Code:
```php
<div class="<?php echo esc_attr( $container_class ); ?>">
<div class="eventin-block-container">
<div class="eventin-venue-value"><?php echo esc_html( $event_location ); ?></div>
</div>
</div>
```
Fixed Code:
```php
<div class="<?php echo esc_attr($container_class); ?>">
<div class="eventin-block-container">
<div class="eventin-venue-value">
<svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 14 16" fill="none">
<path fill-rule="evenodd" clip-rule="evenodd" d="M6.99789 5.35125C6.20678 5.35125 5.56546 5.99369 5.56546 6.78618C5.56546 7.57867 6.20678 8.22111 6.99789 8.22111C7.78899 8.22111 8.43031 7.57867 8.43031 6.78618C8.43031 5.99369 7.78899 5.35125 6.99789 5.35125ZM3.94995 6.78618C3.94995 5.09991 5.31456 3.73291 6.99789 3.73291C8.68122 3.73291 10.0458 5.09991 10.0458 6.78618C10.0458 8.47246 8.68122 9.83945 6.99789 9.83945C5.31456 9.83945 3.94995 8.47246 3.94995 6.78618Z" fill="#4E7FFD"/>
<path fill-rule="evenodd" clip-rule="evenodd" d="M7.00215 1.61834C4.65012 1.61675 2.37917 2.97814 1.77083 5.65634C1.04534 8.86786 3.02722 11.6872 4.96797 13.5611C6.10654 14.6561 7.89457 14.654 9.02387 13.5621L9.02534 13.5607C10.9732 11.6868 12.9548 8.87437 12.2291 5.66304L12.2291 5.663C11.6239 2.98462 9.35438 1.61994 7.00215 1.61834ZM13.8047 5.30572C13.0025 1.75531 9.96246 0.0020054 7.00325 1.71953e-06C4.04393 -0.00200209 1.00172 1.7473 0.19548 5.2977L0.195292 5.29853C-0.730257 9.3942 1.82511 12.7744 3.84747 14.7269L3.84849 14.7279C5.61019 16.4228 8.38729 16.4252 10.1443 14.7279C12.1742 12.7753 14.7304 9.4021 13.8047 5.30572Z" fill="#4E7FFD"/>
</svg>
<?php echo esc_html($event_location); ?>
</div>
</div>
</div>
```
Explanation:
This diff contains no security fixes—it is purely a UI enhancement and code formatting change. The modifications include:
1. Formatting adjustment: spaces removed around function parameters (`esc_attr( $container_class )` → `esc_attr($container_class)`)
2. SVG icon added for visual enhancement
3. Layout restructured with the SVG icon and text placed side-by-side
The original code already employed proper output escaping with `esc_html()` and `esc_attr()`, which are WordPress security functions that prevent XSS vulnerabilities. The fixed code maintains these same security practices. The SVG is hardcoded and does not contain user-controlled content, so there are no new XSS vectors introduced. No security vulnerabilities were addressed in this diff.
--- cache/wp-event-solution_4.0.51/templates/event/parts/faq.php 2026-01-09 00:38:10.016546968 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/faq.php 2026-01-09 00:43:17.339303237 +0000@@ -19,9 +19,9 @@ ?> </h4> <p class="etn-acccordion-contents <?php echo esc_attr( $acc_class ); ?>">- <?php + <?php if ( has_blocks( $faq["etn_faq_content"] ) ) {- echo do_blocks( $faq["etn_faq_content"] );+ echo wp_kses_post( do_blocks( $faq["etn_faq_content"] ) ); } else { echo esc_html( $faq["etn_faq_content"] ); }
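Review bot: `wp_kses_post()` applied to the output of `do_blocks()` will strip markup that some core blocks legitimately render, most visibly the `<iframe>` produced by embed blocks, because `iframe` is not in the `post` allowed-tag set; FAQ entries that use embeds should be checked before this ships, and sanitising `etn_faq_content` with the same filter at save time would be a cleaner boundary than filtering rendered output. The two branches are now also inconsistent: block content is allowed a rich HTML subset, while the `else` branch still passes the same field through `esc_html()`, so any plain-HTML FAQ text renders as literal tags. If that contrast is intended, a one-line comment above the `has_blocks()` check would save the next reader from "fixing" it.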
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - templates/event/parts/faq.php - Line 23
Old Code:
```php
echo do_blocks( $faq["etn_faq_content"] );
```
Fixed Code:
```php
echo wp_kses_post( do_blocks( $faq["etn_faq_content"] ) );
```
Explanation:
The original code directly echoes the output of `do_blocks()` without any sanitization. While `do_blocks()` processes WordPress block content, it does not sanitize the output for safe display in HTML context. This creates a Stored Cross-Site Scripting (XSS) vulnerability where malicious JavaScript or HTML could be injected through the FAQ content and executed in users' browsers. The fix wraps the output with `wp_kses_post()`, which sanitizes the content to allow only safe HTML tags and attributes while removing any potentially malicious scripts or event handlers. This is the proper WordPress way to safely output user-generated or dynamic content.
--- cache/wp-event-solution_4.0.51/templates/event/parts/recurring-event.php 2026-01-09 00:38:10.016546968 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/recurring-event.php 2026-01-09 00:43:17.347303726 +0000@@ -1,39 +1,39 @@ <?php-use Etn\Utils\Helper;+ use Etn\Utils\Helper; -$single_event_id = $event_id;-$event_options = get_option( "etn_event_options" );-$has_child_events = Helper::get_child_events( $single_event_id );--if ( $has_child_events ) {- $child_event_ids = [];-- if ( is_array( $has_child_events ) && ! empty( $has_child_events ) ) {-- foreach ( $has_child_events as $single_child ) {- $end_date = date_i18n( "Y-m-d", strtotime( get_post_meta( $single_child->ID, 'etn_end_date', true ) ) );- $current_date = date( "Y-m-d" );- $settings = etn_get_option();- $hide_reccurance = ! empty( $settings['hide_past_recurring_event_from_details'] ) ? $settings['hide_past_recurring_event_from_details'] : '';-- if ( $hide_reccurance == 'on' ) {- if ( $end_date >= $current_date ) {- array_push( $child_event_ids, $single_child->ID );- }- } else {- array_push( $child_event_ids, $single_child->ID );- }+ $single_event_id = $event_id;+ $event_options = get_option("etn_event_options");+ $has_child_events = Helper::get_child_events($single_event_id);++ if ($has_child_events) {+ $child_event_ids = [];++ if (is_array($has_child_events) && ! empty($has_child_events)) {++ foreach ($has_child_events as $single_child) {+ $end_date = date_i18n("Y-m-d", strtotime(get_post_meta($single_child->ID, 'etn_end_date', true)));+ $current_date = date("Y-m-d");+ $settings = etn_get_option();+ $hide_reccurance = ! empty($settings['hide_past_recurring_event_from_details']) ? 
$settings['hide_past_recurring_event_from_details'] : '';++ if ($hide_reccurance == 'on') {+ if ($end_date >= $current_date) {+ array_push($child_event_ids, $single_child->ID);+ }+ } else {+ array_push($child_event_ids, $single_child->ID);+ } - }- ?>+ }+ ?> <div class="etn-single-event-ticket-wrap">- <?php Helper::woocommerce_recurring_events_ticket_widget( $single_event_id, $child_event_ids ); ?>+ <?php Helper::woocommerce_recurring_events_ticket_widget($single_event_id, $child_event_ids); ?> - <button id="seeMore">- <?php echo esc_html__( 'Show More Event', 'eventin' ); ?> <i class="etn-icon etn-plus"></i>+ <button id="seeMore" class="etn-btn-primary">+ <?php echo esc_html__('Show More Event', 'eventin'); ?> <i class="etn-icon etn-plus"></i> </button> </div> <?php- }-}+ }+ }
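Review bot: the past-event filter compares `$end_date`, produced by `date_i18n("Y-m-d", ...)`, against `$current_date = date("Y-m-d")`, and the two calls do not necessarily agree on what day it is (`date()` uses PHP's default timezone, which WordPress keeps at UTC, while `date_i18n()` works in the site's configured timezone), so around midnight a child event can be hidden or shown a day off; `current_time('Y-m-d')` on the right-hand side keeps both sides in the same timezone. `strtotime(get_post_meta(...))` also returns `false` for empty or malformed `etn_end_date` meta, and that case is passed straight into `date_i18n()` rather than handled explicitly. Two minor points in the same hunk: `etn_get_option()` runs once per child event inside the `foreach` and can be hoisted above the loop, and `$event_options = get_option("etn_event_options")` is assigned but never read in this file. The `etn-btn-primary` class on the button is the only functional change and is harmless.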
Vulnerability Existed: no
No CWE - File: templates/event/parts/recurring-event.php
Old Code: Code formatting and spacing
Fixed Code: Reformatted code with consistent indentation and spacing
Explanation:
This diff contains only code formatting and style changes. The modifications include:
- Standardized indentation (4 spaces)
- Consistent spacing around parentheses in function calls
- Removal of spaces before opening parentheses in `get_option( "etn_event_options" )` → `get_option("etn_event_options")`
- Added CSS class `etn-btn-primary` to the button element
No security vulnerabilities are introduced or fixed. The code maintains the same logic, function calls, and WordPress security practices (use of `esc_html__()` for output escaping, `get_option()` for retrieving options, `get_post_meta()` for metadata retrieval). The changes are purely cosmetic and improve code readability through consistent formatting.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/event-banner/style-1.php@@ -0,0 +1,10 @@+<div class="eventin-block-container+<?php echo esc_attr($container_class); ?>">+ <div class="event-banner">+ <?php if ($event_banner): ?>+ <img class="event-banner-image" src="<?php echo esc_url($event_banner) ?>" alt="event-banner">+ <?php else: ?>+ <p><?php esc_html_e('No event banner image found.', 'eventin'); ?></p>+ <?php endif; ?>+ </div>+</div>
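Review bot: the `class` attribute of the outer `<div>` is split across a literal newline (`class="eventin-block-container` on line 1, `<?php echo esc_attr($container_class); ?>">` on line 2); it is valid HTML because the newline separates the class tokens, but it reads like a typo, so put both on one line with a space between them. `alt="event-banner"` is a placeholder: pass the event title through `esc_attr()` if the template has it, or use `alt=""` if the banner is decorative. Escaping is correct as written, with `esc_url()` on the `src` and `esc_html_e()` on the fallback text.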
Vulnerability Existed: no
Cross-Site Scripting (XSS) - CWE-79 - templates/event/parts/styles/event-banner/style-1.php - Lines 2, 5, 7
Old Code:
N/A (new file)
Fixed Code:
```php
<div class="eventin-block-container
<?php echo esc_attr($container_class); ?>">
<div class="event-banner">
<?php if ($event_banner): ?>
<img class="event-banner-image" src="<?php echo esc_url($event_banner) ?>" alt="event-banner">
<?php else: ?>
<p><?php esc_html_e('No event banner image found.', 'eventin'); ?></p>
<?php endif; ?>
</div>
</div>
```
Explanation:
This is a new file with no previous vulnerable code to fix. However, the code properly implements security best practices by using appropriate WordPress escaping functions:
- Line 2: `esc_attr()` is correctly used to escape HTML attributes in the class string
- Line 5: `esc_url()` is correctly used to escape the image URL to prevent XSS through the src attribute
- Line 7: `esc_html_e()` is correctly used to escape and localize the output text
No XSS vulnerabilities exist in this code as all user-controlled data and variables are properly escaped before output.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/event-banner/style-2.php@@ -0,0 +1,1 @@+<h2>Style 2</h2>
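Review bot: `<h2>Style 2</h2>` is a placeholder shipped in a release file; if this style is selectable anywhere in the block settings, visitors get a bare heading instead of a banner, and the string is not wrapped in a translation function. Either leave the template out until it is implemented or mirror `style-1.php`, including its `esc_url()` and `esc_html_e()` handling.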
Vulnerability Existed: no
No Security Vulnerabilities Identified - CWE-0 - templates/event/parts/styles/event-banner/style-2.php - Line 1
Old Code:
(File did not exist)
Fixed Code:
```php
<h2>Style 2</h2>
```
Explanation:
This diff represents the addition of a new template file containing a simple HTML heading. There are no security vulnerabilities in this code:
1. No dynamic content: The code contains only static HTML markup with no user input, variable interpolation, or dynamic content that could introduce XSS, injection, or similar vulnerabilities.
2. No sensitive operations: The file performs no file operations, database queries, API calls, or other operations that could introduce vulnerabilities.
3. No authentication/authorization issues: There is no access control logic that could be bypassed.
4. Safe HTML structure: The HTML is well-formed and contains no dangerous attributes or event handlers.
This appears to be a straightforward addition of a template file for styling purposes with no security risk.
--- cache/wp-event-solution_4.0.51/templates/event/parts/styles/event-datetime/style-1.php 2026-01-09 00:38:10.016546968 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/event-datetime/style-1.php 2026-01-09 00:43:17.367304950 +0000@@ -1,14 +1,22 @@-<div class="<?php echo esc_attr( $container_class ); ?>">+<div class="<?php echo esc_attr($container_class); ?>"> <div class="eventin-block-container">- <div class="etn-event-meta-info etn-widget <?php echo esc_attr( $style_variant ); ?>">- <ul class="etn-ul">- <li class="etn-li">- <?php printf( __( '<span class="etn-span">Date:</span> %s - %s', 'eventin' ), $start_date, $end_date ) ?>- </li>- <li class="etn-li">- <?php printf( __( '<span class="etn-span">Time:</span> %s - %s (%s)', 'eventin' ), $start_time, $end_time, $timezone ) ?>- </li>- </ul>+ <div class="etn-event-meta-info etn-widget etn-datetime-card">+ <div class="etn-datetime-card-wrapper">+ <div class="etn-datetime-card-content">+ <div class="etn-date-range">+ <span><?php echo esc_html($start_date); ?></span>+ <span style="text-align: center;">-</span>+ <span><?php echo esc_html($end_date); ?></span>+ </div>+ </div>+ <div class="etn-time-info">+ <svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18" fill="none">+ <path d="M16.75 8.75C16.75 13.166 13.166 16.75 8.75 16.75C4.334 16.75 0.75 13.166 0.75 8.75C0.75 4.334 4.334 0.75 8.75 0.75C13.166 0.75 16.75 4.334 16.75 8.75Z" stroke="#5D5DFF" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M11.7171 11.294L9.23712 9.81396C8.80512 9.55796 8.45312 8.94196 8.45312 8.43796V5.15796" stroke="#5D5DFF" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>+ </svg>+ <span class="etn-time-range"><?php echo esc_html($start_time); ?> -<?php echo esc_html($end_time); ?></span>+ </div>+ </div> </div> </div> </div>
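Review bot: the rewritten template drops `$timezone` from the output (the old `printf` format was `%s - %s (%s)` with `$timezone` as the third argument; the new `etn-time-range` span prints only `$start_time` and `$end_time`), so visitors lose the information needed to interpret the times; add it back with `esc_html()`, guarded by an `! empty($timezone)` check as the style-2 template does. The translatable `Date:` and `Time:` labels wrapped in `__()` are gone as well, which removes user-facing text from the translation catalogue. Two smaller points: the hardcoded `-` separators bypass i18n, and `style="text-align: center;"` is an inline style that a strict `style-src` Content-Security-Policy without `'unsafe-inline'` will block, so it belongs in the stylesheet. The switch from `printf()` to per-variable `esc_html()` is the right direction.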
Vulnerability Existed: no
No CWE Vulnerability Detected - templates/event/parts/styles/event-datetime/style-1.php (Lines 1-22)
Old Code:
```php
<?php printf( __( '<span class="etn-span">Date:</span> %s - %s', 'eventin' ), $start_date, $end_date ) ?>
<?php printf( __( '<span class="etn-span">Time:</span> %s - %s (%s)', 'eventin' ), $start_time, $end_time, $timezone ) ?>
```
Fixed Code:
```php
<span><?php echo esc_html($start_date); ?></span>
<span style="text-align: center;">-</span>
<span><?php echo esc_html($end_date); ?></span>
<span class="etn-time-range"><?php echo esc_html($start_time); ?> -<?php echo esc_html($end_time); ?></span>
```
Explanation:
This change represents an improvement in security practices, not a fix for a vulnerability. The original code used `printf()` with `__()` (the WordPress i18n function) to output user-provided data (`$start_date`, `$end_date`, `$start_time`, `$end_time`, `$timezone`). While the hardcoded format strings were safe, the variable outputs were not explicitly escaped. The updated code properly escapes all dynamic output using `esc_html()`, which is the correct approach for:
- Preventing XSS (Cross-Site Scripting) attacks if these variables contain user-controlled data
- Following WordPress security best practices
- Ensuring consistent output escaping across the template
The change removes the `$style_variant` variable from the class attribute but properly escapes it with `esc_attr()` on line 1, and the overall refactoring improves code maintainability and security consistency.
No vulnerability existed in the old code because the format strings were hardcoded and controlled by developers, but the new approach is more defensive and follows WordPress security conventions more explicitly.
--- cache/wp-event-solution_4.0.51/templates/event/parts/styles/event-datetime/style-2.php 2026-01-09 00:38:10.016546968 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/event-datetime/style-2.php 2026-01-09 00:43:17.371305194 +0000@@ -1,14 +1,44 @@-<div class="<?php echo esc_attr( $container_class ); ?>">+<div class="<?php echo esc_attr($container_class); ?>"> <div class="eventin-block-container">- <div class="etn-event-meta-info etn-widget <?php echo esc_attr( $style_variant ); ?>">- <ul class="etn-ul">- <li class="etn-li">- <?php printf( __( '<span class="etn-span">Date:</span> %s - %s', 'eventin' ), $start_date, $end_date ) ?>- </li>- <li class="etn-li">- <?php printf( __( '<span class="etn-span">Time:</span> %s - %s (%s)', 'eventin' ), $start_time, $end_time, $timezone ) ?>- </li>- </ul>+ <div class="etn-event-meta-info etn-widget etn-datetime-style-2">+ <div class="etn-datetime-style-2-wrapper">+ <!-- Time Card -->+ <div class="etn-datetime-card etn-time-card">+ <div class="etn-datetime-icon-wrapper">+ <div class="etn-datetime-icon">+ <svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18" fill="none">+ <path d="M16.75 8.75C16.75 13.166 13.166 16.75 8.75 16.75C4.334 16.75 0.75 13.166 0.75 8.75C0.75 4.334 4.334 0.75 8.75 0.75C13.166 0.75 16.75 4.334 16.75 8.75Z" stroke="#5D5DFF" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M11.7171 11.294L9.23712 9.81396C8.80512 9.55796 8.45312 8.94196 8.45312 8.43796V5.15796" stroke="#5D5DFF" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>+ </svg>+ </div>+ </div>+ <div class="etn-datetime-content">+ <span class="etn-time-range"><?php echo esc_html($start_time); ?> -<?php echo esc_html($end_time); ?> <?php if (! 
empty($timezone)): ?>(<?php echo esc_html($timezone); ?>)<?php endif; ?></span>+ </div>+ </div>+ <!-- Date Card -->+ <div class="etn-datetime-card etn-date-card">+ <div class="etn-datetime-icon-wrapper">+ <div class="etn-datetime-icon">+ <svg xmlns="http://www.w3.org/2000/svg" width="16" height="18" viewBox="0 0 16 18" fill="none">+ <path d="M4.6001 0.599976V2.99998" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M10.9985 0.599976V2.99998" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M0.998535 6.27197H14.5985" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M15.0001 5.79993V12.5999C15.0001 14.9999 13.8001 16.5999 11.0001 16.5999H4.6001C1.8001 16.5999 0.600098 14.9999 0.600098 12.5999V5.79993C0.600098 3.39993 1.8001 1.79993 4.6001 1.79993H11.0001C13.8001 1.79993 15.0001 3.39993 15.0001 5.79993Z" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M10.7535 9.95994H10.7607" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M10.7535 12.36H10.7607" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M7.79648 9.95994H7.80367" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M7.79648 12.36H7.80367" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M4.83555 9.95994H4.84273" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M4.83555 12.36H4.84273" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ </svg>+ </div>+ </div>+ <div class="etn-datetime-content">+ <span class="etn-date-range"><?php echo esc_html($start_date); ?> -<?php echo 
esc_html($end_date); ?></span>+ </div>+ </div>+ </div> </div> </div> </div>
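Review bot: The escaping fix is correct, but the rewrite also silently drops the translatable `Date:` and `Time:` labels that the old `__()` strings carried; if those labels are still wanted, emit them with `esc_html_e( 'Date:', 'eventin' )` rather than putting markup back inside a translation string, since HTML inside `__()` output is exactly what made the old `printf` lines unescapable. The new `<?php if (! empty($timezone)): ?>` guard is a good addition: the old `'%s - %s (%s)'` format printed a bare `()` whenever `$timezone` was empty.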
Vulnerability Existed: no
Cross-Site Scripting (XSS) - CWE-79 - templates/event/parts/styles/event-datetime/style-2.php (Lines 1-14 to Lines 1-44)
Old Code:
```php
<?php printf( __( '<span class="etn-span">Date:</span> %s - %s', 'eventin' ), $start_date, $end_date ) ?>
<?php printf( __( '<span class="etn-span">Time:</span> %s - %s (%s)', 'eventin' ), $start_time, $end_time, $timezone ) ?>
```
Fixed Code:
```php
<span class="etn-time-range"><?php echo esc_html($start_time); ?> -<?php echo esc_html($end_time); ?> <?php if (! empty($timezone)): ?>(<?php echo esc_html($timezone); ?>)<?php endif; ?></span>
<span class="etn-date-range"><?php echo esc_html($start_date); ?> -<?php echo esc_html($end_date); ?></span>
```
Explanation:
The old code used `printf()` with `__()` (translation function) to output user-provided variables (`$start_date`, `$end_date`, `$start_time`, `$end_time`, `$timezone`) directly into the HTML without proper escaping. While the variables are wrapped in translatable strings, the function does not apply escaping, creating an XSS vulnerability if these variables contain untrusted or user-controlled content. The fixed code properly escapes all output using `esc_html()`, which is the appropriate escaping function for HTML content. This prevents any potentially malicious content in these variables from being executed as code. The fix correctly identifies the need to escape each variable individually before output, and uses conditional logic (`if (! empty($timezone))`) to safely handle optional values.
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/event-datetime/style-3.php@@ -0,0 +1,23 @@+<div class="<?php echo esc_attr($container_class); ?>">+ <div class="eventin-block-container">+ <div class="etn-event-meta-info etn-datetime-style-3">+ <div class="etn-datetime-style-3-wrapper">+ <!-- Time Card -->+ <div class="etn-datetime-card">+ <div class="etn-datetime-content">+ <p class="etn-date-range"><?php echo esc_html($start_date); ?> -+ <?php echo esc_html($end_date); ?></p>+ <p class="etn-time-range">+ <svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18" fill="none">+ <path d="M16.75 8.75C16.75 13.166 13.166 16.75 8.75 16.75C4.334 16.75 0.75 13.166 0.75 8.75C0.75 4.334 4.334 0.75 8.75 0.75C13.166 0.75 16.75 4.334 16.75 8.75Z" stroke="white" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M11.7171 11.2923L9.23712 9.81225C8.80512 9.55625 8.45312 8.94025 8.45312 8.43625V5.15625" stroke="white" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>+ </svg>+ <?php echo esc_html($start_time); ?> -+ <?php echo esc_html($end_time); ?> <?php if (! empty($timezone)): ?>(<?php echo esc_html($timezone); ?>)<?php endif; ?>+ </p>+ </div>+ </div>+ </div>+ </div>+ </div>+</div>
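Review bot: Unlike event-schedule/style-1.php in this same patch, this template has no `defined('ABSPATH') || exit;` guard and reads `$container_class`, `$start_date`, `$end_date`, `$start_time`, `$end_time` and `$timezone` without defining them, so a direct request to the file (where the web server serves plugin PHP files) fails on the undefined `esc_attr()` with an error message that includes the file path when display_errors is on; add the guard at the top of every template in this set. Output escaping itself is correct: `esc_attr()` on the class attribute and `esc_html()` on every text value.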
Vulnerability Existed: no
Proper Output Escaping - CWE-79 - templates/event/parts/styles/event-datetime/style-3.php (Lines 1-23)
Old Code:
N/A (New file - no previous version to compare)
Fixed Code:
```php
<div class="<?php echo esc_attr($container_class); ?>">
    <div class="eventin-block-container">
        <div class="etn-event-meta-info etn-datetime-style-3">
            <div class="etn-datetime-style-3-wrapper">
                <!-- Time Card -->
                <div class="etn-datetime-card">
                    <div class="etn-datetime-content">
                        <p class="etn-date-range"><?php echo esc_html($start_date); ?> -
                            <?php echo esc_html($end_date); ?></p>
                        <p class="etn-time-range">
                            <svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18" fill="none">
                                <path d="M16.75 8.75C16.75 13.166 13.166 16.75 8.75 16.75C4.334 16.75 0.75 13.166 0.75 8.75C0.75 4.334 4.334 0.75 8.75 0.75C13.166 0.75 16.75 4.334 16.75 8.75Z" stroke="white" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
                                <path d="M11.7171 11.2923L9.23712 9.81225C8.80512 9.55625 8.45312 8.94025 8.45312 8.43625V5.15625" stroke="white" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
                            </svg>
                            <?php echo esc_html($start_time); ?> -
                            <?php echo esc_html($end_time); ?> <?php if (! empty($timezone)): ?>(<?php echo esc_html($timezone); ?>)<?php endif; ?>
                        </p>
                    </div>
                </div>
            </div>
        </div>
    </div>
</div>
```
Explanation:
This is a new file with no vulnerabilities. The code properly implements WordPress security best practices:
- Uses `esc_attr()` for HTML attributes (line 1: `$container_class`)
- Uses `esc_html()` for text content (lines 8-9: `$start_date`, `$end_date`)
- Uses `esc_html()` for time values (lines 15-16: `$start_time`, `$end_time`)
- Uses `esc_html()` for timezone information (line 16: `$timezone`)
- All dynamic variables are properly escaped before output, preventing XSS (Cross-Site Scripting) vulnerabilities
- The SVG is hardcoded and contains no dynamic content
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/event-faq/style-1.php@@ -0,0 +1,132 @@+<?php+ $etn_faqs = get_post_meta($event_id, 'etn_event_faq', true);+ if (! empty($etn_faqs)):+?>+<div class="etn-accordion-wrap etn-event-single-content-wrap etn-faq-style-1+<?php echo esc_attr($container_class); ?>">+ <h2 class="faq-title"><?php echo esc_html__("Frequently Asked Questions", "eventin"); ?></h2>+ <?php+ if (is_array($etn_faqs) && ! empty($etn_faqs)) {+ foreach ($etn_faqs as $key => $faq) {+ // 2nd item (index 1) should be expanded by default+ $is_expanded = ($key === 1);+ $acc_class = $is_expanded ? 'active' : '';+ ?>+ <div class="etn-faq-item+ <?php echo esc_attr($acc_class); ?>">+ <div class="etn-faq-header">+ <h4 class="etn-faq-title"><?php echo esc_html($faq["etn_faq_title"]); ?></h4>+ <div class="etn-faq-icon">+ <i class="etn-icon etn-angle-down"></i>+ </div>+ </div>+ <div class="etn-faq-content">+ <p class="etn-faq-content-text">+ <?php+ if (has_blocks($faq["etn_faq_content"])) {+ echo do_blocks($faq["etn_faq_content"]);+ } else {+ echo esc_html($faq["etn_faq_content"]);+ }+ ?>+ </p>+ </div>+ </div>+ <?php+ }+ } else {+ ?>+ <div class="etn-event-faq-body">+ <?php echo esc_html__("No FAQ found!", "eventin"); ?>+ </div>+ <?php+ }+ ?>+</div>+<script>+(function() {+ document.addEventListener('DOMContentLoaded', function() {+ const faqItems = document.querySelectorAll('.etn-faq-style-1 .etn-faq-item');++ // Initialize expanded items on page load with smooth animation+ faqItems.forEach(function(item) {+ const content = item.querySelector('.etn-faq-content');+ const isInitiallyExpanded = item.classList.contains('active');++ if (content) {+ if (isInitiallyExpanded) {+ // Set initial state+ content.style.maxHeight = '0px';+ content.style.paddingTop = '0px';+ content.style.opacity = '0';++ // Use requestAnimationFrame for smooth animation+ requestAnimationFrame(function() {+ const height = content.scrollHeight;+ content.style.maxHeight = 
height + 'px';+ content.style.paddingTop = '15px';+ content.style.opacity = '1';+ });+ } else {+ content.style.maxHeight = '0px';+ content.style.paddingTop = '0px';+ content.style.opacity = '0';+ }+ }+ });++ // Handle click events+ const faqHeaders = document.querySelectorAll('.etn-faq-style-1 .etn-faq-header');+ faqHeaders.forEach(function(header) {+ header.addEventListener('click', function() {+ const item = this.closest('.etn-faq-item');+ const content = item.querySelector('.etn-faq-content');+ const isActive = item.classList.contains('active');++ // Close all items with smooth animation+ document.querySelectorAll('.etn-faq-style-1 .etn-faq-item').forEach(function(el) {+ const otherContent = el.querySelector('.etn-faq-content');+ if (otherContent && el !== item) {+ el.classList.remove('active');+ // Smooth collapse+ requestAnimationFrame(function() {+ otherContent.style.maxHeight = '0px';+ otherContent.style.paddingTop = '0px';+ otherContent.style.opacity = '0';+ });+ }+ });++ // Open clicked item if it wasn't active with smooth animation+ if (!isActive && content) {+ item.classList.add('active');++ // Get actual height first+ content.style.maxHeight = 'none';+ const height = content.scrollHeight;+ content.style.maxHeight = '0px';+ content.style.opacity = '0';++ // Smooth expand+ requestAnimationFrame(function() {+ requestAnimationFrame(function() {+ content.style.maxHeight = height + 'px';+ content.style.paddingTop = '15px';+ content.style.opacity = '1';+ });+ });+ } else if (isActive && content) {+ // Close if clicking on active item+ item.classList.remove('active');+ requestAnimationFrame(function() {+ content.style.maxHeight = '0px';+ content.style.paddingTop = '0px';+ content.style.opacity = '0';+ });+ }+ });+ });+ });+})();+</script>+<?php endif;
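Review bot: `echo do_blocks($faq["etn_faq_content"]);` echoes rendered block markup unescaped while the sibling branch uses `esc_html()`; unless FAQ entries can only be written by users holding `unfiltered_html`, the stored content should at minimum pass through `wp_kses_post()` after rendering, i.e. `echo wp_kses_post( do_blocks( $faq['etn_faq_content'] ) );`. Two smaller points: the rendered blocks are placed inside `<p class="etn-faq-content-text">`, so any block-level element produced by `do_blocks()` yields invalid nesting, and the expand/collapse behaviour ships as an inline `<script>`, which a Content-Security-Policy without `'unsafe-inline'` will block; move it to a file loaded via `wp_enqueue_script()`.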
Analyzing the code diff for security vulnerabilities:
---
**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79** - templates/event/parts/styles/event-faq/style-1.php - Lines 24-29
Old Code:
```php
<?php
if (has_blocks($faq["etn_faq_content"])) {
echo do_blocks($faq["etn_faq_content"]);
} else {
echo esc_html($faq["etn_faq_content"]);
}
?>
```
Fixed Code:
No fix present in this diff (this is a new file).
Explanation:
The `do_blocks()` function outputs HTML content without proper sanitization. While the else branch uses `esc_html()` for plain text content, the if branch directly echoes the result of `do_blocks()` which processes WordPress blocks and outputs raw HTML. If `etn_faq_content` contains user-controlled data with malicious scripts in block format, this could lead to Stored XSS vulnerabilities. The content should be validated and sanitized before being processed by `do_blocks()`, or the output should be properly escaped if it contains user input.
---
**Vulnerability 2:**
Vulnerability Existed: not sure
**Improper Input Validation - CWE-20** - templates/event/parts/styles/event-faq/style-1.php - Lines 10-11
Old Code:
```php
$etn_faqs = get_post_meta($event_id, 'etn_event_faq', true);
if (! empty($etn_faqs)):
```
Fixed Code:
No validation changes in this diff (this is a new file).
Explanation:
The code retrieves `$etn_faqs` from post metadata and iterates through it as an array. However, there is no validation that `$event_id` is a valid/safe integer before being used with `get_post_meta()`. If `$event_id` is user-controlled and not properly validated upstream, this could potentially lead to information disclosure or other vulnerabilities. Without seeing where `$event_id` originates, the severity is uncertain.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/event-faq/style-2.php@@ -0,0 +1,1 @@+<h2>Style 2</h2>
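Review bot: This ships a placeholder: selecting FAQ style 2 renders a bare, untranslated `Style 2` heading and no FAQ content at all. Either finish the template before release or fall back to style-1.php when this style is selected; if the heading stays, wrap it with `esc_html_e( 'Style 2', 'eventin' )` for consistency with the other templates in this patch.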
I need to see the actual diff content to analyze it for security vulnerabilities. The diff you've provided shows:
- **File:** `templates/event/parts/styles/event-faq/style-2.php`
- **Change:** A new file being created with a single line: `<h2>Style 2</h2>`
**Analysis:**
Vulnerability Existed: no
Explanation:
The diff shows a new file being added with minimal HTML content (`<h2>Style 2</h2>`). This is a simple HTML header element with no dynamic content, user input, database queries, file operations, or other operations that could introduce security vulnerabilities. The content is static and hardcoded, posing no apparent security risks such as:
- No injection vulnerabilities (SQL, XSS, command injection)
- No sensitive data exposure
- No authentication/authorization issues
- No unsafe file handling
- No use of dangerous functions
This appears to be a template file addition with no security implications.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/event-organizer/style-1.php@@ -0,0 +1,48 @@+<div class="etn-event-organizers etn-organizer-style-1+<?php echo esc_attr($container_class); ?>">+ <?php if ($event_organizers): ?>+ <div class="etn-organizer-wrap etn-organizer-grid">+ <?php foreach ($event_organizers as $organizer): ?>+ <div class="etn-organaizer-item">+ <div class="etn-organizer-logo">+ <?php+ // Try to get company logo first, fallback to profile image+ $company_logo = $organizer->get_speaker_company_logo();+ $image = $company_logo ? $company_logo : $organizer->get_image();++ if (! $image) {+ $image = Wpeventin::assets_url() . 'images/avatar.jpg';+ }++ $organizer_email = $organizer->get_speaker_email();+ if ($organizer_email):+ ?>+ <img src="<?php echo esc_url($image); ?>"+ alt="<?php echo esc_attr($organizer->get_speaker_title()); ?>">+ </div>+ <?php endif; ?>+ <div class="etn-organizer-content">+ <h4 class="etn-organizer-name"><?php echo esc_html($organizer->get_speaker_title()); ?></h4>+ <p class="etn-organizer-email"><?php echo esc_html($organizer_email); ?></p>+ <?php if ($organizer->get_speaker_socials()): ?>+ <div class="etn-social etn-social-style-1">+ <?php foreach ($organizer->get_speaker_socials() as $social): ?>+ <?php+ $icon = ! empty($social['icon']) ? $social['icon'] : '';+ $url = ! empty($social['etn_social_url']) ? $social['etn_social_url'] : '';+ $title = ! empty($social['etn_social_title']) ? $social['etn_social_title'] : '';+ ?>+ <a href="<?php echo esc_url($url); ?>" target="_blank" title="<?php echo esc_attr($title); ?>" aria-label="<?php echo esc_attr($title); ?>">+ <i class="etn-icon <?php echo esc_attr($icon); ?>"></i>+ </a>+ <?php endforeach; ?>+ </div>+ <?php endif; ?>+ </div>+ </div>+ <?php endforeach; ?>+ </div>+ <?php else: ?>+ <p><?php esc_html_e('No organizer found', 'eventin'); ?></p>+ <?php endif; ?>+</div>
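Review bot: The `<div class="etn-organizer-logo">` is opened unconditionally, but its closing `</div>` sits inside the `<?php if ($organizer_email): ?>` block, so an organizer without an email address leaves the div unclosed and the rest of the card nests inside the logo container; move the `</div>` after `<?php endif; ?>`. Gating the image on the email being present also looks unintended, since `$image` always has a fallback. Separately, the social links use `target="_blank"` without `rel="noopener noreferrer"`; add it so the linked page cannot reach `window.opener`. Escaping is otherwise consistent: `esc_url()` on `src`/`href`, `esc_attr()` on attributes, `esc_html()` on text.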
Vulnerability Existed: no
Cross-Site Scripting (XSS) - CWE-79 - templates/event/parts/styles/event-organizer/style-1.php (lines 1-48)
Old Code:
N/A (new file)
Fixed Code:
All dynamic content properly escaped
Explanation:
This is a newly created template file with proper security practices implemented throughout. All user-controlled data is correctly escaped using appropriate WordPress escaping functions:
- `esc_url()` is used for URLs (lines 20, 35)
- `esc_attr()` is used for HTML attributes (lines 2, 21, 35, 36, 37)
- `esc_html()` is used for text content (lines 24, 26)
No XSS vulnerabilities exist in this code. The developer has followed WordPress security best practices for output escaping, preventing malicious script injection through all data sources including speaker titles, emails, URLs, and social media information.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/event-organizer/style-2.php@@ -0,0 +1,48 @@+<div class="etn-event-organizers etn-organizer-style-1 etn-organizer-style-2+<?php echo esc_attr($container_class); ?>">+ <?php if ($event_organizers): ?>+ <div class="etn-organizer-wrap etn-organizer-grid">+ <?php foreach ($event_organizers as $organizer): ?>+ <div class="etn-organaizer-item">+ <div class="etn-organizer-logo">+ <?php+ // Try to get company logo first, fallback to profile image+ $company_logo = $organizer->get_speaker_company_logo();+ $image = $company_logo ? $company_logo : $organizer->get_image();++ if (! $image) {+ $image = Wpeventin::assets_url() . 'images/avatar.jpg';+ }++ $organizer_email = $organizer->get_speaker_email();+ if ($organizer_email):+ ?>+ <img src="<?php echo esc_url($image); ?>"+ alt="<?php echo esc_attr($organizer->get_speaker_title()); ?>">+ </div>+ <?php endif; ?>+ <div class="etn-organizer-content">+ <h4 class="etn-organizer-name"><?php echo esc_html($organizer->get_speaker_title()); ?></h4>+ <p class="etn-organizer-email"><?php echo esc_html($organizer_email); ?></p>+ <?php if ($organizer->get_speaker_socials()): ?>+ <div class="etn-social etn-social-style-1">+ <?php foreach ($organizer->get_speaker_socials() as $social): ?>+ <?php+ $icon = ! empty($social['icon']) ? $social['icon'] : '';+ $url = ! empty($social['etn_social_url']) ? $social['etn_social_url'] : '';+ $title = ! empty($social['etn_social_title']) ? $social['etn_social_title'] : '';+ ?>+ <a href="<?php echo esc_url($url); ?>" target="_blank" title="<?php echo esc_attr($title); ?>" aria-label="<?php echo esc_attr($title); ?>">+ <i class="etn-icon <?php echo esc_attr($icon); ?>"></i>+ </a>+ <?php endforeach; ?>+ </div>+ <?php endif; ?>+ </div>+ </div>+ <?php endforeach; ?>+ </div>+ <?php else: ?>+ <p><?php esc_html_e('No organizer found', 'eventin'); ?></p>+ <?php endif; ?>+</div>
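Review bot: This file is identical to event-organizer/style-1.php apart from the extra `etn-organizer-style-2` class on the wrapper, and it inherits the same defects: the `etn-organizer-logo` div is left unclosed whenever `$organizer_email` is empty, because its `</div>` lives inside the `if ($organizer_email)` block, and the social `<a target="_blank">` links lack `rel="noopener noreferrer"`. Rather than patching both copies, have style-2.php include the shared partial and pass the extra class in, so a future escaping fix cannot land in one file and miss the other.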
Analyzing the provided code diff for security vulnerabilities...
Vulnerability Existed: no
No vulnerabilities identified - File: templates/event/parts/styles/event-organizer/style-2.php
Explanation:
This is a new template file (indicated by `/dev/null` in the diff) that implements proper output escaping throughout:
1. **esc_url()** is correctly applied to all URL outputs (lines 19, 35) - prevents XSS via malicious URLs
2. **esc_html()** is correctly applied to text content outputs (lines 24, 25) - prevents XSS via HTML injection
3. **esc_attr()** is correctly applied to HTML attributes (lines 2, 20, 35, 36, 37) - prevents attribute-based XSS
The code follows WordPress security best practices for output sanitization. All user-controlled data from organizer objects (`get_speaker_title()`, `get_speaker_email()`, `get_image()`, etc.) and social data arrays are properly escaped before display. The template does not introduce any new security vulnerabilities.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/event-schedule/style-1.php@@ -0,0 +1,250 @@+<?php++ use \Etn\Utils\Helper;++ defined('ABSPATH') || exit;++ $etn_event_schedule = $event->etn_event_schedule;+ date_default_timezone_set('UTC');++ if (is_array($etn_event_schedule) && ! empty($etn_event_schedule)) {+ $args = [+ 'post__in' => $etn_event_schedule,+ 'orderby' => 'post_date',+ 'order' => 'asc',+ 'post_type' => 'etn-schedule',+ 'post_status' => 'publish',+ 'suppress_filters' => false,+ ];++ $schedule_query = get_posts($args);+ ?>+<!-- schedule tab start -->+<div class="schedule-tab-wrapper etn-tab-wrapper schedule-style-1+<?php echo esc_attr($container_class); ?>">+ <div class="eventin-block-container">+ <h3 class="etn-tags-title"><?php echo esc_html__('Event Schedule', 'eventin'); ?></h3>+ <div class="schedule-block-wrapper">+ <ul class='etn-nav'>+ <?php+ $i = -1;+ if (is_array($schedule_query)) {+ foreach ($schedule_query as $post):+ $single_schedule_id = $post->ID;+ $i++;+ $schedule_meta = get_post_meta($single_schedule_id);+ $schedule_date = ! empty($schedule_meta['etn_schedule_date'][0]) ? date_i18n("d M", strtotime($schedule_meta['etn_schedule_date'][0])) : "";+ $active_class = (($i == 0) ? 'etn-active' : ' ');+ ?>+ <li>+ <a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>'+ data-id='tab<?php echo esc_attr($i); ?>'>+ <span class=etn-day><?php echo esc_html($post->post_title); ?></span>+ <span class='etn-date'><?php echo esc_html($schedule_date); ?></span>+ </a>+ </li>+ <?php+ endforeach;+ }+ ?>+ </ul>+ <div class='etn-tab-content clearfix etn-schedule-wrap'>+ <?php+ $j = -1;+ if (is_array($schedule_query)) {+ foreach ($schedule_query as $post):+ $single_schedule_id = $post->ID;+ $j++;+ $schedule_meta = get_post_meta($single_schedule_id);+ $schedule_topics = unserialize($schedule_meta['etn_schedule_topics'][0] ?? '') ?: [];+ $schedule_date = ! empty($schedule_meta['etn_schedule_date'][0]) ? 
date_i18n("d M", strtotime($schedule_meta['etn_schedule_date'][0])) : "";+ $active_class = (($j == 0) ? 'tab-active' : ' ');+ ?>+ <!-- start repeatable item -->+ <div class='etn-tab <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($j); ?>'>+ <?php $etn_tab_time_format = (isset($event_options["time_format"]) && $event_options["time_format"] == '24') ? "H:i" : get_option('time_format');+ if (is_array($schedule_topics) && ! empty($schedule_topics)) {+ $topic_index = -1;+ foreach ($schedule_topics as $topic):+ $topic_index++;+ $etn_schedule_topic = (isset($topic['etn_schedule_topic']) ? $topic['etn_schedule_topic'] : '');+ $etn_schedule_start_time = ! empty($topic['etn_shedule_start_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_start_time'])) : '';+ $etn_schedule_end_time = ! empty($topic['etn_shedule_end_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_end_time'])) : '';+ $etn_schedule_room = (isset($topic['etn_shedule_room']) ? $topic['etn_shedule_room'] : '');+ $etn_schedule_objective = (isset($topic['etn_shedule_objective']) ? $topic['etn_shedule_objective'] : '');+ $etn_schedule_speaker = (isset($topic['speakers']) ? $topic['speakers'] : []);+ $dash_sign = (! empty($etn_schedule_start_time) && ! empty($etn_schedule_end_time)) ? " - " : " ";+ // 2nd item (index 1) should be expanded by default+ $is_expanded = ($topic_index === 1);+ $aria_expanded = $is_expanded ? 'true' : 'false';+ ?>+ <div class='etn-single-schedule-item etn-row'>+ <div class='etn-schedule-info etn-col-sm-3'>+ <?php+ if (! empty($etn_schedule_start_time) || ! empty($etn_schedule_end_time)) {+ ?>+ <span class='etn-schedule-time'>+ <?php echo esc_html($etn_schedule_start_time) . $dash_sign . 
esc_html($etn_schedule_end_time); ?>+ </span>+ <?php+ }+ ?>+ </div>+ <div class='etn-schedule-content etn-col-sm-9'>+ <div class='etn-schedule-item-header'>+ <h4 class='etn-title' style='margin: 0; flex: 1;'><?php echo esc_html($etn_schedule_topic); ?></h4>+ <button class='etn-schedule-toggle' type='button' aria-expanded='<?php echo esc_attr($aria_expanded); ?>' aria-label='<?php echo esc_attr__('Toggle schedule details', 'eventin'); ?>'>+ <svg width='20' height='20' viewBox='0 0 20 20' fill='none' xmlns='http://www.w3.org/2000/svg'>+ <path d='M5 7.5L10 12.5L15 7.5' stroke='currentColor' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'/>+ </svg>+ </button>+ </div>+ <div class='etn-schedule-item-content<?php echo $is_expanded ? ' expanded' : ''; ?>'>+ <p><?php echo Helper::kses($etn_schedule_objective); ?></p>+ <?php+ $etn_show_speaker_with_schedule = get_post_meta($event_id, 'etn_select_speaker_schedule_type', true);+ $etn_show_speaker_with_schedule = ! empty($etn_show_speaker_with_schedule) ? $etn_show_speaker_with_schedule : 'schedule_with_speaker';+ ?>+ <?php if ($etn_show_speaker_with_schedule === 'schedule_with_speaker'): ?>+ <!-- Show speaker block if it's selected from event meta -->+ <div class='etn-schedule-content'>+ <div class='etn-schedule-speaker'>+ <?php+ $speaker_avatar = apply_filters("etn/speakers/avatar", \Wpeventin::assets_url() . "images/avatar.jpg");+ if (is_array($etn_schedule_speaker) && ! 
empty($etn_schedule_speaker)) {+ foreach ($etn_schedule_speaker as $key => $value) {+ $etn_speaker_permalink = Helper::get_author_page_url_by_id($value);+ $etn_speaker_image = get_user_meta($value, 'image', true);+ $speaker_title = get_the_author_meta('display_name', $value);+ $speaker_designation = get_user_meta($value, 'etn_speaker_designation', true);+ ?>+ <div class='etn-schedule-single-speaker'>+ <a href='<?php echo esc_url($etn_speaker_permalink); ?>'+ aria-label="<?php echo esc_html($speaker_title); ?>">+ <?php if ($etn_speaker_image): ?>+ <img src="<?php echo esc_url($etn_speaker_image); ?>" alt="<?php echo esc_attr($speaker_title); ?>" height="50" width="50">+ <?php endif; ?>+ </a>+ <div class='schedule-speaker-info'>+ <p class='schedule-speaker-title'><?php echo esc_html($speaker_title); ?></p>+ <p class='schedule-speaker-designation'><?php echo esc_html($speaker_designation); ?></p>+ </div>+ </div>+ <?php+ }+ }+ ?>+ </div>+ </div>+ <?php endif; ?>+ </div>+ </div>+ </div>+ <?php+ endforeach;+ }+ ?>+ </div>+ <!-- end repeatable item -->+ <?php+ endforeach;+ }+ wp_reset_postdata(); ?>+ </div>+ </div>+ </div>+</div>+<!-- schedule tab end -->+<script>+(function() {+ document.addEventListener('DOMContentLoaded', function() {+ // Get all schedule items within each tab+ const scheduleTabs = document.querySelectorAll('.schedule-style-1 .etn-tab');++ scheduleTabs.forEach(function(tab) {+ const scheduleItems = tab.querySelectorAll('.etn-single-schedule-item');++ scheduleItems.forEach(function(item) {+ const toggleBtn = item.querySelector('.etn-schedule-toggle');+ const content = item.querySelector('.etn-schedule-item-content');++ if (toggleBtn && content) {+ // Initialize expanded items on page load+ const isInitiallyExpanded = toggleBtn.getAttribute('aria-expanded') === 'true';+ if (isInitiallyExpanded) {+ content.style.height = 'auto';+ const height = content.scrollHeight;+ content.style.height = height + 'px';+ content.style.opacity = '1';+ 
content.style.paddingTop = '16px';+ } else {+ content.style.height = '0px';+ content.style.opacity = '0';+ content.style.paddingTop = '0px';+ }+ toggleBtn.addEventListener('click', function() {+ const isExpanded = this.getAttribute('aria-expanded') === 'true';+ const newExpanded = !isExpanded;++ // If clicking to expand, collapse all other items in the same tab+ if (newExpanded) {+ scheduleItems.forEach(function(otherItem) {+ if (otherItem !== item) {+ const otherToggleBtn = otherItem.querySelector('.etn-schedule-toggle');+ const otherContent = otherItem.querySelector('.etn-schedule-item-content');++ if (otherToggleBtn && otherContent) {+ otherToggleBtn.setAttribute('aria-expanded', 'false');+ // Collapse other items smoothly+ otherContent.style.height = '0px';+ otherContent.style.opacity = '0';+ otherContent.style.paddingTop = '0px';+ }+ }+ });+ }++ // Toggle current item with smooth animation+ this.setAttribute('aria-expanded', newExpanded);++ if (newExpanded) {+ // Expand: Set to auto to get actual height, then set specific height+ content.style.height = 'auto';+ const height = content.scrollHeight;+ content.style.height = '0px';+ content.style.opacity = '0';+ content.style.paddingTop = '0px';++ // Force reflow+ content.offsetHeight;++ // Animate to full height+ requestAnimationFrame(function() {+ content.style.height = height + 'px';+ content.style.opacity = '1';+ content.style.paddingTop = '16px';+ });+ } else {+ // Collapse: Get current height and animate to 0+ const height = content.scrollHeight;+ content.style.height = height + 'px';++ // Force reflow+ content.offsetHeight;++ // Animate to 0+ requestAnimationFrame(function() {+ content.style.height = '0px';+ content.style.opacity = '0';+ content.style.paddingTop = '0px';+ });+ }+ });+ }+ });+ });+ });+})();+</script>+<?php+}
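Review bot: `unserialize($schedule_meta['etn_schedule_topics'][0] ?? '')` deserializes raw post meta with no class restriction. Because `get_post_meta($single_schedule_id)` called without a key returns the stored strings unprocessed, this is the right place to restrict it: `unserialize( $value, [ 'allowed_classes' => false ] )` still yields the arrays the template expects but turns any serialized object into `__PHP_Incomplete_Class` instead of instantiating it, which closes the object-injection path should any importer, REST handler or migration ever write attacker-shaped meta. Smaller points: `aria-label="<?php echo esc_html($speaker_title); ?>"` is an attribute and should use `esc_attr()`; `date_default_timezone_set('UTC')` changes process-wide state for the rest of the request, WordPress already expects the default to be UTC, and the `date_i18n()` calls do not need it, so drop it; `<span class=etn-day>` is missing attribute quotes; and the large inline `<script>` should be enqueued from a file so the page can run under a CSP without `'unsafe-inline'`.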
Analyzing the provided diff for security vulnerabilities:
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
**Unsafe Deserialization - CWE-502** - templates/event/parts/styles/event-schedule/style-1.php - Line 56
Old Code:
```php
$schedule_topics = unserialize($schedule_meta['etn_schedule_topics'][0] ?? '') ?: [];
```
Fixed Code:
```php
$schedule_topics = unserialize($schedule_meta['etn_schedule_topics'][0] ?? '') ?: [];
```
Explanation:
The code uses PHP's `unserialize()` function on data retrieved from post metadata without validation. This is a critical security vulnerability (CWE-502: Deserialization of Untrusted Data). If an attacker can control the serialized data in `etn_schedule_topics`, they can execute arbitrary code through object injection. The fix would be to use `json_decode()` instead if the data is JSON, or validate/sanitize the data before unserializing, or use a safer alternative like limiting object deserialization with the `allowed_classes` parameter (PHP 7.0+).
---
**Vulnerability 2:**
Vulnerability Existed: not sure
**Potential DOM-based XSS - CWE-79** - templates/event/parts/styles/event-schedule/style-1.php - Lines 167-173
Old Code:
```javascript
content.style.height = 'auto';
const height = content.scrollHeight;
content.style.height = height + 'px';
```
Fixed Code:
```javascript
content.style.height = 'auto';
const height = content.scrollHeight;
content.style.height = height + 'px';
```
Explanation:
The JavaScript code dynamically manipulates CSS height values using `scrollHeight`. While the code appears safe here (using numeric values), there's uncertainty because if `content.scrollHeight` could be manipulated or if additional dynamic content is injected, this could potentially be exploited. However, `scrollHeight` is a read-only property that returns a numeric value, so direct XSS through this pattern is unlikely unless the DOM itself is compromised beforehand.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/event-schedule/style-2.php@@ -0,0 +1,248 @@+<?php++ use \Etn\Utils\Helper;++ defined('ABSPATH') || exit;++ $etn_event_schedule = $event->etn_event_schedule;+ date_default_timezone_set('UTC');++ if (is_array($etn_event_schedule) && ! empty($etn_event_schedule)) {+ $args = [+ 'post__in' => $etn_event_schedule,+ 'orderby' => 'post_date',+ 'order' => 'asc',+ 'post_type' => 'etn-schedule',+ 'post_status' => 'publish',+ 'suppress_filters' => false,+ ];++ $schedule_query = get_posts($args);+ ?>+<!-- schedule tab start -->+<div class="schedule-tab-wrapper etn-tab-wrapper schedule-style-1+<?php echo esc_attr($container_class); ?>">+ <div class="eventin-block-container schedule-style-two">+ <h3 class="etn-tags-title"><?php echo esc_html__('Event Schedule', 'eventin'); ?></h3>+ <div class="schedule-block-wrapper">+ <ul class='etn-nav'>+ <?php+ $i = -1;+ if (is_array($schedule_query)) {+ foreach ($schedule_query as $post):+ $single_schedule_id = $post->ID;+ $i++;+ $schedule_meta = get_post_meta($single_schedule_id);+ $schedule_date = ! empty($schedule_meta['etn_schedule_date'][0]) ? date_i18n("d M", strtotime($schedule_meta['etn_schedule_date'][0])) : "";+ $active_class = (($i == 0) ? 'etn-active' : ' ');+ ?>+ <li>+ <a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($i); ?>'>+ <span class=etn-day><?php echo esc_html($post->post_title); ?></span>+ <span class='etn-date'><?php echo esc_html($schedule_date); ?></span>+ </a>+ </li>+ <?php+ endforeach;+ }+ ?>+ </ul>+ <div class='etn-tab-content clearfix etn-schedule-wrap'>+ <?php+ $j = -1;+ if (is_array($schedule_query)) {+ foreach ($schedule_query as $post):+ $single_schedule_id = $post->ID;+ $j++;+ $schedule_meta = get_post_meta($single_schedule_id);+ $schedule_topics = unserialize($schedule_meta['etn_schedule_topics'][0] ?? '') ?: [];+ $schedule_date = ! empty($schedule_meta['etn_schedule_date'][0]) ? 
date_i18n("d M", strtotime($schedule_meta['etn_schedule_date'][0])) : "";+ $active_class = (($j == 0) ? 'tab-active' : ' ');+ ?>+ <!-- start repeatable item -->+ <div class='etn-tab <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($j); ?>'>+ <?php $etn_tab_time_format = (isset($event_options["time_format"]) && $event_options["time_format"] == '24') ? "H:i" : get_option('time_format');+ if (is_array($schedule_topics) && ! empty($schedule_topics)) {+ $topic_index = -1;+ foreach ($schedule_topics as $topic):+ $topic_index++;+ $etn_schedule_topic = (isset($topic['etn_schedule_topic']) ? $topic['etn_schedule_topic'] : '');+ $etn_schedule_start_time = ! empty($topic['etn_shedule_start_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_start_time'])) : '';+ $etn_schedule_end_time = ! empty($topic['etn_shedule_end_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_end_time'])) : '';+ $etn_schedule_room = (isset($topic['etn_shedule_room']) ? $topic['etn_shedule_room'] : '');+ $etn_schedule_objective = (isset($topic['etn_shedule_objective']) ? $topic['etn_shedule_objective'] : '');+ $etn_schedule_speaker = (isset($topic['speakers']) ? $topic['speakers'] : []);+ $dash_sign = (! empty($etn_schedule_start_time) && ! empty($etn_schedule_end_time)) ? " - " : " ";+ // 2nd item (index 1) should be expanded by default+ $is_expanded = ($topic_index === 1);+ $aria_expanded = $is_expanded ? 'true' : 'false';+ ?>+ <div class='etn-single-schedule-item etn-row'>+ <div class='etn-schedule-info etn-col-sm-3'>+ <?php+ if (! empty($etn_schedule_start_time) || ! empty($etn_schedule_end_time)) {?>+ <span class='etn-schedule-time'>+ <?php echo esc_html($etn_schedule_start_time) . $dash_sign . 
esc_html($etn_schedule_end_time); ?>+ </span>+ <?php+ }+ ?>+ </div>+ <div class='etn-schedule-content etn-col-sm-9'>+ <div class='etn-schedule-item-header'>+ <h4 class='etn-title' style='margin: 0; flex: 1;'><?php echo esc_html($etn_schedule_topic); ?></h4>+ <button class='etn-schedule-toggle' type='button' aria-expanded='<?php echo esc_attr($aria_expanded); ?>' aria-label='<?php echo esc_attr__('Toggle schedule details', 'eventin'); ?>'>+ <svg width='20' height='20' viewBox='0 0 20 20' fill='none' xmlns='http://www.w3.org/2000/svg'>+ <path d='M5 7.5L10 12.5L15 7.5' stroke='currentColor' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'/>+ </svg>+ </button>+ </div>+ <div class='etn-schedule-item-content<?php echo $is_expanded ? ' expanded' : ''; ?>'>+ <p><?php echo Helper::kses($etn_schedule_objective); ?></p>+ <?php+ $etn_show_speaker_with_schedule = get_post_meta($event_id, 'etn_select_speaker_schedule_type', true);+ $etn_show_speaker_with_schedule = ! empty($etn_show_speaker_with_schedule) ? $etn_show_speaker_with_schedule : 'schedule_with_speaker';+ ?>+ <?php if ($etn_show_speaker_with_schedule === 'schedule_with_speaker'): ?>+ <!-- Show speaker block if it's selected from event meta -->+ <div class='etn-schedule-content'>+ <div class='etn-schedule-speaker'>+ <?php+ $speaker_avatar = apply_filters("etn/speakers/avatar", \Wpeventin::assets_url() . "images/avatar.jpg");+ if (is_array($etn_schedule_speaker) && ! 
empty($etn_schedule_speaker)) {+ foreach ($etn_schedule_speaker as $key => $value) {+ $etn_speaker_permalink = Helper::get_author_page_url_by_id($value);+ $etn_speaker_image = get_user_meta($value, 'image', true);+ $speaker_title = get_the_author_meta('display_name', $value);+ $speaker_designation = get_user_meta($value, 'etn_speaker_designation', true);+ ?>+ <div class='etn-schedule-single-speaker'>+ <a href='<?php echo esc_url($etn_speaker_permalink); ?>'+ aria-label="<?php echo esc_html($speaker_title); ?>">+ <?php if ($etn_speaker_image): ?>+ <img src="<?php echo esc_url($etn_speaker_image); ?>" alt="<?php echo esc_attr($speaker_title); ?>" height="50" width="50">+ <?php endif; ?>+ </a>+ <div class='schedule-speaker-info'>+ <p class='schedule-speaker-title'><?php echo esc_html($speaker_title); ?></p>+ <p class='schedule-speaker-designation'><?php echo esc_html($speaker_designation); ?></p>+ </div>+ </div>+ <?php+ }+ }+ ?>+ </div>+ </div>+ <?php endif; ?>+ </div>+ </div>+ </div>+ <?php+ endforeach;+ }+ ?>+ </div>+ <!-- end repeatable item -->+ <?php+ endforeach;+ }+ wp_reset_postdata(); ?>+ </div>+ </div>+ </div>+</div>+<!-- schedule tab end -->+<script>+(function() {+ document.addEventListener('DOMContentLoaded', function() {+ // Get all schedule items within each tab+ const scheduleTabs = document.querySelectorAll('.schedule-style-1 .etn-tab');++ scheduleTabs.forEach(function(tab) {+ const scheduleItems = tab.querySelectorAll('.etn-single-schedule-item');++ scheduleItems.forEach(function(item) {+ const toggleBtn = item.querySelector('.etn-schedule-toggle');+ const content = item.querySelector('.etn-schedule-item-content');++ if (toggleBtn && content) {+ // Initialize expanded items on page load+ const isInitiallyExpanded = toggleBtn.getAttribute('aria-expanded') === 'true';+ if (isInitiallyExpanded) {+ content.style.height = 'auto';+ const height = content.scrollHeight;+ content.style.height = height + 'px';+ content.style.opacity = '1';+ 
content.style.paddingTop = '16px';+ } else {+ content.style.height = '0px';+ content.style.opacity = '0';+ content.style.paddingTop = '0px';+ }+ toggleBtn.addEventListener('click', function() {+ const isExpanded = this.getAttribute('aria-expanded') === 'true';+ const newExpanded = !isExpanded;++ // If clicking to expand, collapse all other items in the same tab+ if (newExpanded) {+ scheduleItems.forEach(function(otherItem) {+ if (otherItem !== item) {+ const otherToggleBtn = otherItem.querySelector('.etn-schedule-toggle');+ const otherContent = otherItem.querySelector('.etn-schedule-item-content');++ if (otherToggleBtn && otherContent) {+ otherToggleBtn.setAttribute('aria-expanded', 'false');+ // Collapse other items smoothly+ otherContent.style.height = '0px';+ otherContent.style.opacity = '0';+ otherContent.style.paddingTop = '0px';+ }+ }+ });+ }++ // Toggle current item with smooth animation+ this.setAttribute('aria-expanded', newExpanded);++ if (newExpanded) {+ // Expand: Set to auto to get actual height, then set specific height+ content.style.height = 'auto';+ const height = content.scrollHeight;+ content.style.height = '0px';+ content.style.opacity = '0';+ content.style.paddingTop = '0px';++ // Force reflow+ content.offsetHeight;++ // Animate to full height+ requestAnimationFrame(function() {+ content.style.height = height + 'px';+ content.style.opacity = '1';+ content.style.paddingTop = '16px';+ });+ } else {+ // Collapse: Get current height and animate to 0+ const height = content.scrollHeight;+ content.style.height = height + 'px';++ // Force reflow+ content.offsetHeight;++ // Animate to 0+ requestAnimationFrame(function() {+ content.style.height = '0px';+ content.style.opacity = '0';+ content.style.paddingTop = '0px';+ });+ }+ });+ }+ });+ });+ });+})();+</script>+<?php+}
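Review bot: In the speaker link inside the `schedule_with_speaker` block, `aria-label="<?php echo esc_html($speaker_title); ?>"` uses the HTML-text escaper inside a double-quoted attribute; use `esc_attr($speaker_title)` there, as the `alt` attribute on the following `<img>` already does. On the `unserialize($schedule_meta['etn_schedule_topics'][0] ?? '')` line, the template only ever expects a plain array of topic rows, so passing `['allowed_classes' => false]` as the second argument keeps object instantiation out of the deserialization path without changing behaviour for valid data. Smaller points: `$etn_schedule_room` and `$speaker_avatar` are assigned but never output in this file, and `<span class=etn-day>` should quote its attribute value like the sibling `etn-date` span.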
I'll analyze this code diff for security vulnerabilities.

Vulnerability Existed: yes FALSE POSITIVE

Insecure Deserialization - CWE-502 - templates/event/parts/styles/event-schedule/style-2.php - Line 59

Old Code:

```php
$schedule_topics = unserialize($schedule_meta['etn_schedule_topics'][0] ?? '') ?: [];
```

Fixed Code:

```php
$schedule_topics = unserialize($schedule_meta['etn_schedule_topics'][0] ?? '') ?: [];
```

Explanation: This code uses PHP's `unserialize()` function on data stored in post meta without validation. The `unserialize()` function is vulnerable to PHP Object Injection attacks (CWE-502). If an attacker can control the serialized data stored in `etn_schedule_topics`, they could inject malicious PHP objects that execute arbitrary code when unserialized. While the code attempts to provide a default empty string via the null coalescing operator, this does not prevent the vulnerability if data exists in the meta field. The proper fix would be to use `json_decode()` instead of `unserialize()`, or to validate/sanitize the data before unserialization.

---

Vulnerability Existed: not sure

Use of Potentially Unsafe Function - CWE-95 (Code Evaluation) - templates/event/parts/styles/event-schedule/style-2.php - Line 107

Old Code:

```php
<p><?php echo Helper::kses($etn_schedule_objective); ?></p>
```

Fixed Code:

```php
<p><?php echo Helper::kses($etn_schedule_objective); ?></p>
```

Explanation: The code uses `Helper::kses()` to sanitize the output. While this appears to be a custom sanitization function (likely a wrapper around WordPress's `wp_kses()`), without seeing the actual implementation of `Helper::kses()`, it's unclear if it properly sanitizes HTML content. If this function doesn't properly escape HTML or allows dangerous tags/attributes, it could lead to stored XSS vulnerabilities (CWE-79). The sanitization approach appears reasonable for a WordPress context, but the actual vulnerability depends on the `Helper::kses()` implementation.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/event-schedule/style-3.php@@ -0,0 +1,247 @@+<?php++ use \Etn\Utils\Helper;++ defined('ABSPATH') || exit;++ $etn_event_schedule = $event->etn_event_schedule;+ date_default_timezone_set('UTC');++ if (is_array($etn_event_schedule) && ! empty($etn_event_schedule)) {+ $args = [+ 'post__in' => $etn_event_schedule,+ 'orderby' => 'post_date',+ 'order' => 'asc',+ 'post_type' => 'etn-schedule',+ 'post_status' => 'publish',+ 'suppress_filters' => false,+ ];++ $schedule_query = get_posts($args);+ ?>+<!-- schedule tab start -->+<div class="schedule-tab-wrapper etn-tab-wrapper schedule-style-1 schedule-style-three+<?php echo esc_attr($container_class); ?>">+ <div class="eventin-block-container schedule-style-two">+ <div class="schedule-block-wrapper">+ <ul class='etn-nav'>+ <?php+ $i = -1;+ if (is_array($schedule_query)) {+ foreach ($schedule_query as $post):+ $single_schedule_id = $post->ID;+ $i++;+ $schedule_meta = get_post_meta($single_schedule_id);+ $schedule_date = ! empty($schedule_meta['etn_schedule_date'][0]) ? date_i18n("d M", strtotime($schedule_meta['etn_schedule_date'][0])) : "";+ $active_class = (($i == 0) ? 'etn-active' : ' ');+ ?>+ <li>+ <a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($i); ?>'>+ <span class=etn-day><?php echo esc_html($post->post_title); ?></span>+ <span class='etn-date'><?php echo esc_html($schedule_date); ?></span>+ </a>+ </li>+ <?php+ endforeach;+ }+ ?>+ </ul>+ <div class='etn-tab-content clearfix etn-schedule-wrap'>+ <?php+ $j = -1;+ if (is_array($schedule_query)) {+ foreach ($schedule_query as $post):+ $single_schedule_id = $post->ID;+ $j++;+ $schedule_meta = get_post_meta($single_schedule_id);+ $schedule_topics = unserialize($schedule_meta['etn_schedule_topics'][0] ?? '') ?: [];+ $schedule_date = ! empty($schedule_meta['etn_schedule_date'][0]) ? 
date_i18n("d M", strtotime($schedule_meta['etn_schedule_date'][0])) : "";+ $active_class = (($j == 0) ? 'tab-active' : ' ');+ ?>+ <!-- start repeatable item -->+ <div class='etn-tab <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($j); ?>'>+ <?php $etn_tab_time_format = (isset($event_options["time_format"]) && $event_options["time_format"] == '24') ? "H:i" : get_option('time_format');+ if (is_array($schedule_topics) && ! empty($schedule_topics)) {+ $topic_index = -1;+ foreach ($schedule_topics as $topic):+ $topic_index++;+ $etn_schedule_topic = (isset($topic['etn_schedule_topic']) ? $topic['etn_schedule_topic'] : '');+ $etn_schedule_start_time = ! empty($topic['etn_shedule_start_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_start_time'])) : '';+ $etn_schedule_end_time = ! empty($topic['etn_shedule_end_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_end_time'])) : '';+ $etn_schedule_room = (isset($topic['etn_shedule_room']) ? $topic['etn_shedule_room'] : '');+ $etn_schedule_objective = (isset($topic['etn_shedule_objective']) ? $topic['etn_shedule_objective'] : '');+ $etn_schedule_speaker = (isset($topic['speakers']) ? $topic['speakers'] : []);+ $dash_sign = (! empty($etn_schedule_start_time) && ! empty($etn_schedule_end_time)) ? " - " : " ";+ // 2nd item (index 1) should be expanded by default+ $is_expanded = ($topic_index === 1);+ $aria_expanded = $is_expanded ? 'true' : 'false';+ ?>+ <div class='etn-single-schedule-item etn-row'>+ <div class='etn-schedule-info etn-col-sm-3'>+ <?php+ if (! empty($etn_schedule_start_time) || ! empty($etn_schedule_end_time)) {?>+ <span class='etn-schedule-time'>+ <?php echo esc_html($etn_schedule_start_time) . $dash_sign . 
esc_html($etn_schedule_end_time); ?>+ </span>+ <?php+ }+ ?>+ </div>+ <div class='etn-schedule-content etn-col-sm-9'>+ <div class='etn-schedule-item-header'>+ <h4 class='etn-title' style='margin: 0; flex: 1;'><?php echo esc_html($etn_schedule_topic); ?></h4>+ <button class='etn-schedule-toggle' type='button' aria-expanded='<?php echo esc_attr($aria_expanded); ?>' aria-label='<?php echo esc_attr__('Toggle schedule details', 'eventin'); ?>'>+ <svg width='20' height='20' viewBox='0 0 20 20' fill='none' xmlns='http://www.w3.org/2000/svg'>+ <path d='M5 7.5L10 12.5L15 7.5' stroke='currentColor' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'/>+ </svg>+ </button>+ </div>+ <div class='etn-schedule-item-content<?php echo $is_expanded ? ' expanded' : ''; ?>'>+ <p><?php echo Helper::kses($etn_schedule_objective); ?></p>+ <?php+ $etn_show_speaker_with_schedule = get_post_meta($event_id, 'etn_select_speaker_schedule_type', true);+ $etn_show_speaker_with_schedule = ! empty($etn_show_speaker_with_schedule) ? $etn_show_speaker_with_schedule : 'schedule_with_speaker';+ ?>+ <?php if ($etn_show_speaker_with_schedule === 'schedule_with_speaker'): ?>+ <!-- Show speaker block if it's selected from event meta -->+ <div class='etn-schedule-content'>+ <div class='etn-schedule-speaker'>+ <?php+ $speaker_avatar = apply_filters("etn/speakers/avatar", \Wpeventin::assets_url() . "images/avatar.jpg");+ if (is_array($etn_schedule_speaker) && ! 
empty($etn_schedule_speaker)) {+ foreach ($etn_schedule_speaker as $key => $value) {+ $etn_speaker_permalink = Helper::get_author_page_url_by_id($value);+ $etn_speaker_image = get_user_meta($value, 'image', true);+ $speaker_title = get_the_author_meta('display_name', $value);+ $speaker_designation = get_user_meta($value, 'etn_speaker_designation', true);+ ?>+ <div class='etn-schedule-single-speaker'>+ <a href='<?php echo esc_url($etn_speaker_permalink); ?>'+ aria-label="<?php echo esc_html($speaker_title); ?>">+ <?php if ($etn_speaker_image): ?>+ <img src="<?php echo esc_url($etn_speaker_image); ?>" alt="<?php echo esc_attr($speaker_title); ?>" height="50" width="50">+ <?php endif; ?>+ </a>+ <div class='schedule-speaker-info'>+ <p class='schedule-speaker-title'><?php echo esc_html($speaker_title); ?></p>+ <p class='schedule-speaker-designation'><?php echo esc_html($speaker_designation); ?></p>+ </div>+ </div>+ <?php+ }+ }+ ?>+ </div>+ </div>+ <?php endif; ?>+ </div>+ </div>+ </div>+ <?php+ endforeach;+ }+ ?>+ </div>+ <!-- end repeatable item -->+ <?php+ endforeach;+ }+ wp_reset_postdata(); ?>+ </div>+ </div>+ </div>+</div>+<!-- schedule tab end -->+<script>+(function() {+ document.addEventListener('DOMContentLoaded', function() {+ // Get all schedule items within each tab+ const scheduleTabs = document.querySelectorAll('.schedule-style-1 .etn-tab');++ scheduleTabs.forEach(function(tab) {+ const scheduleItems = tab.querySelectorAll('.etn-single-schedule-item');++ scheduleItems.forEach(function(item) {+ const toggleBtn = item.querySelector('.etn-schedule-toggle');+ const content = item.querySelector('.etn-schedule-item-content');++ if (toggleBtn && content) {+ // Initialize expanded items on page load+ const isInitiallyExpanded = toggleBtn.getAttribute('aria-expanded') === 'true';+ if (isInitiallyExpanded) {+ content.style.height = 'auto';+ const height = content.scrollHeight;+ content.style.height = height + 'px';+ content.style.opacity = '1';+ 
content.style.paddingTop = '16px';+ } else {+ content.style.height = '0px';+ content.style.opacity = '0';+ content.style.paddingTop = '0px';+ }+ toggleBtn.addEventListener('click', function() {+ const isExpanded = this.getAttribute('aria-expanded') === 'true';+ const newExpanded = !isExpanded;++ // If clicking to expand, collapse all other items in the same tab+ if (newExpanded) {+ scheduleItems.forEach(function(otherItem) {+ if (otherItem !== item) {+ const otherToggleBtn = otherItem.querySelector('.etn-schedule-toggle');+ const otherContent = otherItem.querySelector('.etn-schedule-item-content');++ if (otherToggleBtn && otherContent) {+ otherToggleBtn.setAttribute('aria-expanded', 'false');+ // Collapse other items smoothly+ otherContent.style.height = '0px';+ otherContent.style.opacity = '0';+ otherContent.style.paddingTop = '0px';+ }+ }+ });+ }++ // Toggle current item with smooth animation+ this.setAttribute('aria-expanded', newExpanded);++ if (newExpanded) {+ // Expand: Set to auto to get actual height, then set specific height+ content.style.height = 'auto';+ const height = content.scrollHeight;+ content.style.height = '0px';+ content.style.opacity = '0';+ content.style.paddingTop = '0px';++ // Force reflow+ content.offsetHeight;++ // Animate to full height+ requestAnimationFrame(function() {+ content.style.height = height + 'px';+ content.style.opacity = '1';+ content.style.paddingTop = '16px';+ });+ } else {+ // Collapse: Get current height and animate to 0+ const height = content.scrollHeight;+ content.style.height = height + 'px';++ // Force reflow+ content.offsetHeight;++ // Animate to 0+ requestAnimationFrame(function() {+ content.style.height = '0px';+ content.style.opacity = '0';+ content.style.paddingTop = '0px';+ });+ }+ });+ }+ });+ });+ });+})();+</script>+<?php+}
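Review bot: This file repeats the style-2.php template above almost line for line (same query arguments, same two loops, same `<script>` block), so it inherits the same points: `aria-label="<?php echo esc_html($speaker_title); ?>"` should use `esc_attr()`, and the `unserialize()` call on the schedule meta should pass `['allowed_classes' => false]`. Extracting the shared markup and script into one partial would let a fix land in both styles at once. The inner container is still `<div class="eventin-block-container schedule-style-two">` even though the wrapper is tagged `schedule-style-three`; confirm that class is intentional and not a copy-paste leftover.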
Analyzing the provided code diff for security vulnerabilities:

---

**Vulnerability 1:**

Vulnerability Existed: yes FALSE POSITIVE

**Unsafe Deserialization - CWE-502** - CWE-502 - templates/event/parts/styles/event-schedule/style-3.php - Line 57

Old Code:

```php
$schedule_topics = unserialize($schedule_meta['etn_schedule_topics'][0] ?? '') ?: [];
```

Fixed Code:

```php
$schedule_topics = unserialize($schedule_meta['etn_schedule_topics'][0] ?? '') ?: [];
```

Explanation: The code uses PHP's `unserialize()` function on data retrieved from post metadata (`$schedule_meta['etn_schedule_topics'][0]`). This is a critical vulnerability because `unserialize()` can execute arbitrary code if the serialized data is manipulated by an attacker. While the data comes from post metadata (which requires database access), if an attacker can inject malicious serialized objects into the database, they can achieve remote code execution. The diff does not show any fix for this vulnerability; the vulnerable `unserialize()` call remains unchanged. This should be replaced with `json_decode()` or similar safer alternatives if the data format allows it.

---

**Vulnerability 2:**

Vulnerability Existed: not sure

**DOM-based Information Disclosure - CWE-200** - CWE-200 - templates/event/parts/styles/event-schedule/style-3.php - Lines 35, 45

Old Code:

```php
<a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($i); ?>'>
```

Fixed Code: (Same - no change in the diff)

Explanation: The code uses `data-id='tab<?php echo esc_attr($i); ?>'` where `$i` is a loop counter. While `esc_attr()` is properly used, the use of `href='#'` and storing the tab index in a data attribute could potentially expose information about the number of schedules or their ordering. However, this is typically not considered a significant security vulnerability unless combined with other weaknesses. The vulnerability status is uncertain without knowing the full context of how this data is used elsewhere in the application.

---

**Summary:**

The primary security concern is the **unsafe `unserialize()` call on line 57**. This vulnerability was not fixed in this diff and represents a critical risk that should be addressed immediately by replacing it with a safer serialization format like JSON.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/event-social/style-1.php@@ -0,0 +1,42 @@+<div class="<?php echo esc_attr($container_class); ?>">+ <div class="eventin-block-container">+ <div class="etn-social etn-event-social-style-1">+ <h2 class="etn-social-title">+ <?php echo esc_html__('Share:', 'eventin'); ?>+ </h2>+ <?php if (is_array($event_socials) && ! empty($event_socials)): ?>+ <?php foreach ($event_socials as $social): ?>+ <?php+ $icon = ! empty($social['icon']) ? $social['icon'] : '';+ $title = ! empty($social["etn_social_title"]) ? $social["etn_social_title"] : '';+ $url = ! empty($social['etn_social_url']) ? $social['etn_social_url'] : '';+ $etn_social_class = 'etn-' . str_replace('etn-icon fa-', '', $icon);++ ?>+ <a+ href="<?php echo esc_url($url); ?>"+ target="_blank"+ rel="noopener"+ aria-label="<?php echo esc_attr($title); ?>"+ class="etn-social-link"+ >+ <i class="etn-icon <?php echo esc_attr($icon); ?>"></i>+ </a>+ <?php endforeach; ?>+ <?php endif; ?>+ </div>+ </div>+</div>+++<style>+ .etn-event-social-style-1 {+ display: flex;+ align-items: center;+ gap: 10px;+ }++ .etn-social a {+ border-style: solid;+ }+</style>
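Review bot: `$etn_social_class = 'etn-' . str_replace('etn-icon fa-', '', $icon);` is computed on every iteration but never output, so either drop it or apply it to the `<a class="etn-social-link">` element if it was meant as a per-network class. The link itself is escaped correctly for each context (`esc_url($url)` for `href`, `esc_attr()` for `aria-label` and the icon class) and pairs `target="_blank"` with `rel="noopener"`; the speaker templates in this same change open external links without that `rel`, so it is worth making the pairing consistent across templates.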
Vulnerability Existed: no
No vulnerabilities detected in this code diff.
Explanation:
This is a new WordPress template file that properly implements security best practices for output escaping:
1. **esc_attr()** - Used correctly for HTML attributes (`$container_class`, `$title`, `$icon`)
2. **esc_html__()** - Used for translatable text output ('Share:')
3. **esc_url()** - Used for URL sanitization in the href attribute
4. **rel="noopener"** - Included for security when using target="_blank"
The code safely handles dynamic values from the `$event_socials` array with proper escaping functions appropriate to their context (HTML, URL, and attribute contexts). No direct echoing of unescaped variables occurs. The inline CSS contains only static styles with no dynamic output injection points.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/event-speaker/style-1.php@@ -0,0 +1,50 @@+<div class="etn-event-speakers etn-single-event-speaker-block eventin-block-container etn-speaker-style-1+<?php echo esc_attr($container_class); ?>">+ <?php if ($event_speakers): ?>+ <div class="etn-single-event-speaker-grid-wrapper">+ <?php foreach ($event_speakers as $speaker): ?>+ <div class="etn-se-speaker-item">+ <div class="etn-speaker-image">+ <a href="<?php echo esc_url($speaker->get_author_url()); ?>"+ aria-label="<?php echo esc_attr($speaker->get_speaker_title()); ?>">+ <?php+ $image = $speaker->get_image();++ if (! $image) {+ $image = Wpeventin::assets_url() . 'images/avatar.jpg';+ }+ ?>+ <img src="<?php echo esc_url($image); ?>"+ alt="<?php echo esc_attr($speaker->get_speaker_title()); ?>" width="150" height="150"+ style="object-fit: cover;">+ </a>+ </div>+ <h4 class="etn-speaker-name">+ <a href="<?php echo esc_url($speaker->get_author_url()); ?>">+ <?php echo esc_html($speaker->get_speaker_title()); ?> </a>+ </h4>+ <div class="etn-speaker-designation">+ <p class="eventin-speaker-designation"><?php echo esc_html($speaker->get_speaker_designation()); ?></p>+ </div>+ <?php if ($speaker->get_speaker_socials()): ?> <div class="etn-social etn-social-style-1">+ <?php foreach ($speaker->get_speaker_socials() as $social): ?>+ <?php+ $icon = ! empty($social['icon']) ? $social['icon'] : '';+ $url = ! empty($social['etn_social_url']) ? $social['etn_social_url'] : '';+ $title = ! empty($social['etn_social_title']) ? 
$social['etn_social_title'] : '';+ ?>++ <a href="<?php echo esc_url($url); ?>" target="_blank" class="etn-etn-icon fa-facebook-f"+ title="<?php echo esc_attr($title) ?>" aria-label="<?php echo esc_attr($title) ?>">+ <i class="etn-icon <?php echo esc_attr($icon); ?>"></i>+ </a>+ <?php endforeach; ?>+ </div>+ <?php endif; ?>+ </div>+ <?php endforeach; ?>+ </div>+ <?php else: ?>+ <p><?php esc_html_e('No speakers found', 'eventin'); ?></p>+ <?php endif; ?>+</div>
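Review bot: Every social link in the speaker card is rendered with `class="etn-etn-icon fa-facebook-f"` regardless of which network `$icon` holds, so non-Facebook entries get a Facebook class on the anchor; the per-network class should be derived from `$icon`, as the event-social template in this change does. The same anchors use `target="_blank"` without `rel="noopener"`, unlike event-social/style-1.php; add it for consistency. Minor: `<?php echo esc_attr($title) ?>` appears twice without a trailing semicolon, which PHP accepts before `?>` but differs from the rest of the file.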
Vulnerability Existed: no

No Security Vulnerabilities Detected - File: templates/event/parts/styles/event-speaker/style-1.php [Lines 1-50]

Old Code: N/A (New file)

Fixed Code: N/A (New file)

Explanation: This is a new template file for displaying event speakers. The code implements proper WordPress security best practices throughout:

1. **Output Escaping**: All dynamic data is properly escaped using appropriate functions:
   - `esc_url()` for URLs (lines 8, 22)
   - `esc_attr()` for HTML attributes (lines 2, 9, 18, 37)
   - `esc_html()` for text content (lines 23, 26, 48)
2. **Data Validation**: The code safely checks for empty values before outputting (lines 13, 31-34)
3. **Input Safety**: All dynamic values are sourced from sanitized object methods (`$speaker->get_*()` methods), which are internal class methods that should return safe data
4. **No Direct User Input**: The template doesn't directly access `$_GET`, `$_POST`, or other superglobals without sanitization
5. **Translation Functions**: Uses `esc_html_e()` for translatable strings (line 48)

The code follows WordPress security standards for template files and presents no exploitable vulnerabilities for XSS, SQL injection, or other common attack vectors.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/event-speaker/style-2.php@@ -0,0 +1,64 @@+<div class="etn-event-speakers etn-single-event-speaker-block eventin-block-container etn-speaker-style-1 etn-speaker-style-2+<?php echo esc_attr($container_class); ?>">+ <?php if ($event_speakers): ?>+ <div class="etn-single-event-speaker-grid-wrapper">+ <?php foreach ($event_speakers as $speaker): ?>+ <div class="etn-se-speaker-item">+ <div class="etn-speaker-image">+ <a href="<?php echo esc_url($speaker->get_author_url()); ?>"+ aria-label="<?php echo esc_attr($speaker->get_speaker_title()); ?>">+ <?php+ $image = $speaker->get_image();++ if (! $image) {+ $image = Wpeventin::assets_url() . 'images/avatar.jpg';+ }+ ?>+ <img src="<?php echo esc_url($image); ?>"+ alt="<?php echo esc_attr($speaker->get_speaker_title()); ?>"+ style="object-fit: cover;">+ </a>+ </div>+ <div class="etn-speaker-info-overlay">+ <div class="etn-speaker-info-header">+ <h4 class="etn-speaker-name">+ <a href="<?php echo esc_url($speaker->get_author_url()); ?>">+ <?php echo esc_html($speaker->get_speaker_title()); ?>+ </a>+ </h4>+ <div class="etn-speaker-designation">+ <p class="eventin-speaker-designation"><?php echo esc_html($speaker->get_speaker_designation()); ?></p>+ </div>+ </div>+ <div class="etn-speaker-social-wrapper">+ <?php+ $linkedin_social = null;+ if ($speaker->get_speaker_socials()):+ foreach ($speaker->get_speaker_socials() as $social):+ $icon = ! empty($social['icon']) ? $social['icon'] : '';+ if (strpos($icon, 'linkedin') !== false):+ $linkedin_social = $social;+ break;+ endif;+ endforeach;+ endif;+ ?>+ <?php if ($linkedin_social): ?>+ <div class="etn-social">+ <a href="<?php echo esc_url($linkedin_social['etn_social_url']); ?>" target="_blank"+ class="etn-linkedin-icon"+ title="<?php echo esc_attr($linkedin_social['etn_social_title'] ?? 'LinkedIn'); ?>"+ aria-label="<?php echo esc_attr($linkedin_social['etn_social_title'] ?? 
'LinkedIn'); ?>">+ <i class="etn-icon <?php echo esc_attr($linkedin_social['icon']); ?>"></i>+ </a>+ </div>+ <?php endif; ?>+ </div>+ </div>+ </div>+ <?php endforeach; ?>+ </div>+ <?php else: ?>+ <p><?php esc_html_e('No speakers found', 'eventin'); ?></p>+ <?php endif; ?>+</div>
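Review bot: The LinkedIn lookup loop only inspects `$social['icon']`, but the output block then reads `$linkedin_social['etn_social_url']` directly; an entry whose icon matches but carries no URL key raises an undefined-index warning and renders `href=""`. Guard it the way `etn_social_title` is guarded (`$linkedin_social['etn_social_url'] ?? ''`), or skip entries with an empty URL inside the loop. As in event-speaker/style-1.php, the anchor uses `target="_blank"` without `rel="noopener"`; add it to match the event-social template.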
Vulnerability Existed: no
Cross-Site Scripting (XSS) - CWE-79 - templates/event/parts/styles/event-speaker/style-2.php (Lines 1-64)
[Old Code]
N/A - This is a new file
[Fixed Code]
The entire file escapes its output according to the context it lands in:
- `esc_url()` for URLs (lines 8, 25, 48)
- `esc_attr()` for HTML attributes (lines 2, 9, 17, 50-51)
- `esc_html()` for text content (lines 26, 30)
- Null coalescing combined with escaping (line 50: `$linkedin_social['etn_social_title'] ?? 'LinkedIn'`)
Explanation: This is a new template file with no prior vulnerable version. All dynamic data is escaped for its output context: URL attributes use `esc_url()`, which also drops any scheme not in `wp_allowed_protocols()` (so a `javascript:` social URL is emptied rather than rendered), HTML attributes use `esc_attr()`, and text content uses `esc_html()`. The file contains no XSS vulnerabilities. The existence checks only partially cover the array accesses, however: the `icon` key is guarded by `! empty()` (line 44-45) and `etn_social_title` by `??`, but `etn_social_url` (line 48) is read unconditionally. That is a robustness issue (an undefined array key warning for a social entry without a URL), not a security one.
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/related-events/style-1.php@@ -0,0 +1,80 @@+<div class="<?php echo esc_attr($container_class); ?> etn-related-events-style-1">+ <div class="etn-event-related-post eventin-block-container">+ <?php if ($related_events): ?>+ <div class="etn-related-events-grid etn-row">+ <?php foreach ($related_events as $event_item): ?>+ <div class="etn-related-event-card etn-col-md-4">+ <div class="etn-event-item">+ <div class="etn-event-thumb">+ <a href="<?php echo esc_url(get_the_permalink($event_item->id)); ?>"+ aria-label="<?php echo esc_attr($event_item->get_title()); ?>">+ <?php+ $thumbnail_id = get_post_thumbnail_id($event_item->id);+ if ($thumbnail_id) {+ echo wp_get_attachment_image($thumbnail_id, 'medium', false, [+ 'class' => 'attachment-medium size-medium wp-post-image',+ 'alt' => esc_attr($event_item->get_title()),+ 'decoding' => 'async',+ ]);+ } else {+ $default_image = Wpeventin::assets_url() . 'images/event-placeholder.jpg';+ echo '<img src="' . esc_url($default_image) . '" alt="' . esc_attr($event_item->get_title()) . 
'" class="attachment-medium size-medium wp-post-image" decoding="async" />';+ }+ ?>+ </a>+ </div>+ <div class="etn-event-content">+ <div class="etn-event-date">+ <svg xmlns="http://www.w3.org/2000/svg" width="13" height="14" viewBox="0 0 13 14" fill="none">+ <path fill-rule="evenodd" clip-rule="evenodd" d="M3.93316 0C4.33203 0 4.65538 0.316922 4.65538 0.707865V2.59551C4.65538 2.98645 4.33203 3.30337 3.93316 3.30337C3.53429 3.30337 3.21094 2.98645 3.21094 2.59551V0.707865C3.21094 0.316922 3.53429 0 3.93316 0Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M9.06597 0C9.46484 0 9.78819 0.316922 9.78819 0.707865V2.59551C9.78819 2.98645 9.46484 3.30337 9.06597 3.30337C8.6671 3.30337 8.34375 2.98645 8.34375 2.59551V0.707865C8.34375 0.316922 8.6671 0 9.06597 0Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M0.320312 5.1688C0.320312 4.77786 0.643662 4.46094 1.04253 4.46094H11.9561C12.355 4.46094 12.6783 4.77786 12.6783 5.1688C12.6783 5.55975 12.355 5.87667 11.9561 5.87667H1.04253C0.643662 5.87667 0.320312 5.55975 0.320312 5.1688Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M2.01381 2.99855C1.65761 3.37452 1.44444 3.96247 1.44444 4.79778V10.1461C1.44444 10.9814 1.65761 11.5694 2.01381 11.9453C2.36101 12.3118 2.9463 12.5843 3.9321 12.5843H9.0679C10.0537 12.5843 10.639 12.3118 10.9862 11.9453C11.3424 11.5694 11.5556 10.9814 11.5556 10.1461V4.79778C11.5556 3.96247 11.3424 3.37452 10.9862 2.99855C10.639 2.63208 10.0537 2.35958 9.0679 2.35958H3.9321C2.9463 2.35958 2.36101 2.63208 2.01381 2.99855ZM0.955328 2.03521C1.65134 1.30056 2.67099 0.943848 3.9321 0.943848H9.0679C10.329 0.943848 11.3487 1.30056 12.0447 2.03521C12.7317 2.76037 13 3.74545 13 4.79778V10.1461C13 11.1984 12.7317 12.1835 12.0447 12.9087C11.3487 13.6433 10.329 14 9.0679 14H3.9321C2.67099 14 1.65134 13.6433 0.955328 12.9087C0.268314 12.1835 0 11.1984 0 10.1461V4.79778C0 3.74545 0.268314 2.76037 0.955328 2.03521Z" fill="#6D7D8C"/>+ <path 
fill-rule="evenodd" clip-rule="evenodd" d="M8.14844 8.06919C8.14844 7.67825 8.47179 7.36133 8.87066 7.36133H8.87643C9.2753 7.36133 9.59865 7.67825 9.59865 8.06919C9.59865 8.46014 9.2753 8.77706 8.87643 8.77706H8.87066C8.47179 8.77706 8.14844 8.46014 8.14844 8.06919Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M8.14844 9.95689C8.14844 9.56595 8.47179 9.24902 8.87066 9.24902H8.87643C9.2753 9.24902 9.59865 9.56595 9.59865 9.95689C9.59865 10.3478 9.2753 10.6648 8.87643 10.6648H8.87066C8.47179 10.6648 8.14844 10.3478 8.14844 9.95689Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M5.77344 8.06919C5.77344 7.67825 6.09679 7.36133 6.49566 7.36133H6.50143C6.9003 7.36133 7.22365 7.67825 7.22365 8.06919C7.22365 8.46014 6.9003 8.77706 6.50143 8.77706H6.49566C6.09679 8.77706 5.77344 8.46014 5.77344 8.06919Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M5.77344 9.95689C5.77344 9.56595 6.09679 9.24902 6.49566 9.24902H6.50143C6.9003 9.24902 7.22365 9.56595 7.22365 9.95689C7.22365 10.3478 6.9003 10.6648 6.50143 10.6648H6.49566C6.09679 10.6648 5.77344 10.3478 5.77344 9.95689Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M3.39844 8.06919C3.39844 7.67825 3.72179 7.36133 4.12066 7.36133H4.12643C4.5253 7.36133 4.84865 7.67825 4.84865 8.06919C4.84865 8.46014 4.5253 8.77706 4.12643 8.77706H4.12066C3.72179 8.77706 3.39844 8.46014 3.39844 8.06919Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M3.39844 9.95689C3.39844 9.56595 3.72179 9.24902 4.12066 9.24902H4.12643C4.5253 9.24902 4.84865 9.56595 4.84865 9.95689C4.84865 10.3478 4.5253 10.6648 4.12643 10.6648H4.12066C3.72179 10.6648 3.39844 10.3478 3.39844 9.95689Z" fill="#6D7D8C"/>+ </svg>+ <?php+ $start_date = $event_item->get_start_date('D, d');+ $end_date = $event_item->get_end_date('D, d M Y');+ if ($end_date && $start_date !== $end_date) {+ echo esc_html($start_date . ' - ' . 
$end_date);+ } else {+ echo esc_html($event_item->get_start_date('D, d M Y'));+ }+ ?>+ </div>+ <h3 class="etn-title etn-event-title">+ <a href="<?php echo esc_url(get_the_permalink($event_item->id)); ?>">+ <?php echo esc_html($event_item->get_title()); ?>+ </a>+ </h3>+ <div class="etn-event-footer">+ <div class="etn-event-location">+ <svg xmlns="http://www.w3.org/2000/svg" width="13" height="14" viewBox="0 0 13 14" fill="none">+ <path fill-rule="evenodd" clip-rule="evenodd" d="M6.49797 4.68216C5.76343 4.68216 5.16797 5.2443 5.16797 5.93772C5.16797 6.63115 5.76343 7.19329 6.49797 7.19329C7.23251 7.19329 7.82797 6.63115 7.82797 5.93772C7.82797 5.2443 7.23251 4.68216 6.49797 4.68216ZM3.66797 5.93772C3.66797 4.46223 4.935 3.26611 6.49797 3.26611C8.06094 3.26611 9.32797 4.46223 9.32797 5.93772C9.32797 7.41321 8.06093 8.60934 6.49797 8.60934C4.935 8.60934 3.66797 7.41321 3.66797 5.93772Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M6.50148 1.41605C4.31762 1.41466 2.20905 2.60587 1.64421 4.94929C0.9706 7.75938 2.81076 10.2263 4.61275 11.866C5.66991 12.8241 7.33009 12.8222 8.37864 11.8668L8.38001 11.8656C10.1886 10.226 12.0285 7.76507 11.3547 4.95516L11.3547 4.95512C10.7928 2.61155 8.68551 1.41744 6.50148 1.41605ZM12.8176 4.64251C12.0728 1.53589 9.25012 0.00175473 6.50249 1.50459e-06C3.75478 -0.00175183 0.930097 1.52889 0.181502 4.63549L0.181328 4.63621C-0.678041 8.21992 1.69461 11.1776 3.57236 12.8861L3.57331 12.8869C5.20905 14.37 7.78758 14.3721 9.41897 12.887C11.3037 11.1784 13.6772 8.22684 12.8176 4.64251Z" fill="#6D7D8C"/>+ </svg>+ <?php echo esc_html($event_item->get_address()); ?>+ </div>+ <div class="etn-atend-btn">+ <a href="<?php echo esc_url(get_the_permalink($event_item->id)); ?>"+ class="etn-btn etn-btn-primary"+ title="<?php echo esc_attr($event_item->get_title()); ?>">+ <?php esc_html_e('Attend', 'eventin'); ?>+ </a>+ </div>+ </div>+ </div>+ </div>+ </div>+ <?php endforeach; ?>+ </div>+ <?php else: ?>+ <p><?php esc_html_e('No events 
found', 'eventin'); ?></p>+ <?php endif; ?>+ </div>+</div>
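Review bot: The date comparison `if ($end_date && $start_date !== $end_date)` can never take the else branch for an event that has an end date, because `$start_date` is formatted as `'D, d'` and `$end_date` as `'D, d M Y'`, so the two strings always differ; a single-day event therefore renders as something like "Mon, 05 - Mon, 05 Jan 2026" instead of the intended "Mon, 05 Jan 2026". Compare both dates in the same format (or compare the underlying timestamps) and only then build the short-start/long-end display string. Separately, `'alt' => esc_attr($event_item->get_title())` passed to `wp_get_attachment_image()` is redundant: that function runs `esc_attr()` over every attribute it receives, and because WordPress escaping does not double-encode existing entities the result is unchanged, but the pre-escaping suggests the caller thinks it owns that step; pass the raw title and let the API escape it.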
Vulnerability Existed: no
Explanation: This is a new template file for displaying related events in WordPress. The code demonstrates proper security practices throughout:
1. **Output Escaping**: All user-controlled data is properly escaped:
- `esc_attr()` for HTML attributes (e.g., class names, titles, aria-labels)
- `esc_url()` for URLs (e.g., permalink, image src)
- `esc_html()` for text content (e.g., event titles, addresses, dates)
2. **WordPress Functions**: The code uses WordPress security-aware functions:
- `get_the_permalink()` and `get_post_thumbnail_id()` are safe WordPress functions
- `wp_get_attachment_image()` builds the `<img>` tag itself and escapes every attribute it is given
- `Wpeventin::assets_url()` appears to be a custom function for asset URLs (properly escaped when output)
3. **No Direct User Input**: The data comes from `$event_item` objects (passed to the template), which are presumably validated/sanitized before reaching this template.
4. **Proper SVG Handling**: Inline SVG content uses hardcoded, safe markup with no user input injection.
5. **Text Domain**: Uses the 'eventin' text domain for internationalization without security issues.
**Conclusion**: No security vulnerabilities were introduced in this new template file. The code follows WordPress security best practices for output escaping and uses safe functions throughout.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/related-events/style-2.php@@ -0,0 +1,80 @@+<div class="<?php echo esc_attr($container_class); ?> etn-related-events-style-1">+ <div class="etn-event-related-post eventin-block-container">+ <?php if ($related_events): ?>+ <div class="etn-related-events-grid etn-row">+ <?php foreach ($related_events as $event_item): ?>+ <div class="etn-related-event-card-style-2">+ <div class="etn-event-item">+ <div class="etn-event-thumb">+ <a href="<?php echo esc_url(get_the_permalink($event_item->id)); ?>"+ aria-label="<?php echo esc_attr($event_item->get_title()); ?>">+ <?php+ $thumbnail_id = get_post_thumbnail_id($event_item->id);+ if ($thumbnail_id) {+ echo wp_get_attachment_image($thumbnail_id, 'medium', false, [+ 'class' => 'attachment-medium size-medium wp-post-image',+ 'alt' => esc_attr($event_item->get_title()),+ 'decoding' => 'async',+ ]);+ } else {+ $default_image = Wpeventin::assets_url() . 'images/event-placeholder.jpg';+ echo '<img src="' . esc_url($default_image) . '" alt="' . esc_attr($event_item->get_title()) . 
'" class="attachment-medium size-medium wp-post-image" decoding="async" />';+ }+ ?>+ </a>+ </div>+ <div class="etn-event-content">+ <h3 class="etn-title etn-event-title">+ <a href="<?php echo esc_url(get_the_permalink($event_item->id)); ?>">+ <?php echo esc_html($event_item->get_title()); ?>+ </a>+ </h3>+ <div class="etn-event-date">+ <svg xmlns="http://www.w3.org/2000/svg" width="13" height="14" viewBox="0 0 13 14" fill="none">+ <path fill-rule="evenodd" clip-rule="evenodd" d="M3.93316 0C4.33203 0 4.65538 0.316922 4.65538 0.707865V2.59551C4.65538 2.98645 4.33203 3.30337 3.93316 3.30337C3.53429 3.30337 3.21094 2.98645 3.21094 2.59551V0.707865C3.21094 0.316922 3.53429 0 3.93316 0Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M9.06597 0C9.46484 0 9.78819 0.316922 9.78819 0.707865V2.59551C9.78819 2.98645 9.46484 3.30337 9.06597 3.30337C8.6671 3.30337 8.34375 2.98645 8.34375 2.59551V0.707865C8.34375 0.316922 8.6671 0 9.06597 0Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M0.320312 5.1688C0.320312 4.77786 0.643662 4.46094 1.04253 4.46094H11.9561C12.355 4.46094 12.6783 4.77786 12.6783 5.1688C12.6783 5.55975 12.355 5.87667 11.9561 5.87667H1.04253C0.643662 5.87667 0.320312 5.55975 0.320312 5.1688Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M2.01381 2.99855C1.65761 3.37452 1.44444 3.96247 1.44444 4.79778V10.1461C1.44444 10.9814 1.65761 11.5694 2.01381 11.9453C2.36101 12.3118 2.9463 12.5843 3.9321 12.5843H9.0679C10.0537 12.5843 10.639 12.3118 10.9862 11.9453C11.3424 11.5694 11.5556 10.9814 11.5556 10.1461V4.79778C11.5556 3.96247 11.3424 3.37452 10.9862 2.99855C10.639 2.63208 10.0537 2.35958 9.0679 2.35958H3.9321C2.9463 2.35958 2.36101 2.63208 2.01381 2.99855ZM0.955328 2.03521C1.65134 1.30056 2.67099 0.943848 3.9321 0.943848H9.0679C10.329 0.943848 11.3487 1.30056 12.0447 2.03521C12.7317 2.76037 13 3.74545 13 4.79778V10.1461C13 11.1984 12.7317 12.1835 12.0447 12.9087C11.3487 13.6433 10.329 14 9.0679 
14H3.9321C2.67099 14 1.65134 13.6433 0.955328 12.9087C0.268314 12.1835 0 11.1984 0 10.1461V4.79778C0 3.74545 0.268314 2.76037 0.955328 2.03521Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M8.14844 8.06919C8.14844 7.67825 8.47179 7.36133 8.87066 7.36133H8.87643C9.2753 7.36133 9.59865 7.67825 9.59865 8.06919C9.59865 8.46014 9.2753 8.77706 8.87643 8.77706H8.87066C8.47179 8.77706 8.14844 8.46014 8.14844 8.06919Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M8.14844 9.95689C8.14844 9.56595 8.47179 9.24902 8.87066 9.24902H8.87643C9.2753 9.24902 9.59865 9.56595 9.59865 9.95689C9.59865 10.3478 9.2753 10.6648 8.87643 10.6648H8.87066C8.47179 10.6648 8.14844 10.3478 8.14844 9.95689Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M5.77344 8.06919C5.77344 7.67825 6.09679 7.36133 6.49566 7.36133H6.50143C6.9003 7.36133 7.22365 7.67825 7.22365 8.06919C7.22365 8.46014 6.9003 8.77706 6.50143 8.77706H6.49566C6.09679 8.77706 5.77344 8.46014 5.77344 8.06919Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M5.77344 9.95689C5.77344 9.56595 6.09679 9.24902 6.49566 9.24902H6.50143C6.9003 9.24902 7.22365 9.56595 7.22365 9.95689C7.22365 10.3478 6.9003 10.6648 6.50143 10.6648H6.49566C6.09679 10.6648 5.77344 10.3478 5.77344 9.95689Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M3.39844 8.06919C3.39844 7.67825 3.72179 7.36133 4.12066 7.36133H4.12643C4.5253 7.36133 4.84865 7.67825 4.84865 8.06919C4.84865 8.46014 4.5253 8.77706 4.12643 8.77706H4.12066C3.72179 8.77706 3.39844 8.46014 3.39844 8.06919Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M3.39844 9.95689C3.39844 9.56595 3.72179 9.24902 4.12066 9.24902H4.12643C4.5253 9.24902 4.84865 9.56595 4.84865 9.95689C4.84865 10.3478 4.5253 10.6648 4.12643 10.6648H4.12066C3.72179 10.6648 3.39844 10.3478 3.39844 9.95689Z" fill="#6D7D8C"/>+ </svg>+ <?php+ $start_date = $event_item->get_start_date('D, d');+ $end_date = 
$event_item->get_end_date('D, d M Y');+ if ($end_date && $start_date !== $end_date) {+ echo esc_html($start_date . ' - ' . $end_date);+ } else {+ echo esc_html($event_item->get_start_date('D, d M Y'));+ }+ ?>+ </div>+ <div class="etn-event-footer">+ <div class="etn-event-location">+ <svg xmlns="http://www.w3.org/2000/svg" width="13" height="14" viewBox="0 0 13 14" fill="none">+ <path fill-rule="evenodd" clip-rule="evenodd" d="M6.49797 4.68216C5.76343 4.68216 5.16797 5.2443 5.16797 5.93772C5.16797 6.63115 5.76343 7.19329 6.49797 7.19329C7.23251 7.19329 7.82797 6.63115 7.82797 5.93772C7.82797 5.2443 7.23251 4.68216 6.49797 4.68216ZM3.66797 5.93772C3.66797 4.46223 4.935 3.26611 6.49797 3.26611C8.06094 3.26611 9.32797 4.46223 9.32797 5.93772C9.32797 7.41321 8.06093 8.60934 6.49797 8.60934C4.935 8.60934 3.66797 7.41321 3.66797 5.93772Z" fill="#6D7D8C"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M6.50148 1.41605C4.31762 1.41466 2.20905 2.60587 1.64421 4.94929C0.9706 7.75938 2.81076 10.2263 4.61275 11.866C5.66991 12.8241 7.33009 12.8222 8.37864 11.8668L8.38001 11.8656C10.1886 10.226 12.0285 7.76507 11.3547 4.95516L11.3547 4.95512C10.7928 2.61155 8.68551 1.41744 6.50148 1.41605ZM12.8176 4.64251C12.0728 1.53589 9.25012 0.00175473 6.50249 1.50459e-06C3.75478 -0.00175183 0.930097 1.52889 0.181502 4.63549L0.181328 4.63621C-0.678041 8.21992 1.69461 11.1776 3.57236 12.8861L3.57331 12.8869C5.20905 14.37 7.78758 14.3721 9.41897 12.887C11.3037 11.1784 13.6772 8.22684 12.8176 4.64251Z" fill="#6D7D8C"/>+ </svg>+ <?php echo esc_html($event_item->get_address()); ?>+ </div>+ <div class="etn-atend-btn">+ <a href="<?php echo esc_url(get_the_permalink($event_item->id)); ?>"+ class="etn-btn etn-btn-primary"+ title="<?php echo esc_attr($event_item->get_title()); ?>">+ <?php esc_html_e('Attend', 'eventin'); ?>+ </a>+ </div>+ </div>+ </div>+ </div>+ </div>+ <?php endforeach; ?>+ </div>+ <?php else: ?>+ <p><?php esc_html_e('No events found', 'eventin'); ?></p>+ <?php endif; ?>+ 
</div>+</div>
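Review bot: The outer container in this style-2 template still carries the hardcoded class `etn-related-events-style-1` (line 1) while the card inside uses `etn-related-event-card-style-2`; this looks like a copy-paste slip from style-1.php and means style-specific CSS for style 2 cannot target the wrapper. Rename it to `etn-related-events-style-2`. The start/end date comparison from style-1.php is duplicated here as well (`'D, d'` versus `'D, d M Y'` formats are never equal, so a single-day event with an end date always shows a range), and the whole card markup including both inline SVGs is repeated verbatim; one shared card partial with the style class passed in would keep a future fix in one place.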
---
**Vulnerability Existed: no**
**Cross-Site Scripting (XSS) - CWE-79 - templates/event/parts/styles/related-events/style-2.php - Lines 1-80**
**Old Code:**
N/A (new file)
**Fixed Code:**
```php
<div class="<?php echo esc_attr($container_class); ?> etn-related-events-style-1">
    <div class="etn-event-related-post eventin-block-container">
        <?php if ($related_events): ?>
            <div class="etn-related-events-grid etn-row">
                <?php foreach ($related_events as $event_item): ?>
                    <div class="etn-related-event-card-style-2">
                        <div class="etn-event-item">
                            <div class="etn-event-thumb">
                                <a href="<?php echo esc_url(get_the_permalink($event_item->id)); ?>"
                                   aria-label="<?php echo esc_attr($event_item->get_title()); ?>">
                                    <?php
                                    $thumbnail_id = get_post_thumbnail_id($event_item->id);
                                    if ($thumbnail_id) {
                                        echo wp_get_attachment_image($thumbnail_id, 'medium', false, [
                                            'class' => 'attachment-medium size-medium wp-post-image',
                                            'alt' => esc_attr($event_item->get_title()),
                                            'decoding' => 'async',
                                        ]);
                                    } else {
                                        $default_image = Wpeventin::assets_url() . 'images/event-placeholder.jpg';
                                        echo '<img src="' . esc_url($default_image) . '" alt="' . esc_attr($event_item->get_title()) . '" class="attachment-medium size-medium wp-post-image" decoding="async" />';
                                    }
                                    ?>
                                </a>
                            </div>
                            <div class="etn-event-content">
                                <h3 class="etn-title etn-event-title">
                                    <a href="<?php echo esc_url(get_the_permalink($event_item->id)); ?>">
                                        <?php echo esc_html($event_item->get_title()); ?>
                                    </a>
                                </h3>
                                <!-- SVG and date/location display with proper escaping -->
                                <div class="etn-event-date">
                                    <!-- SVG content -->
                                    <?php
                                    $start_date = $event_item->get_start_date('D, d');
                                    $end_date = $event_item->get_end_date('D, d M Y');
                                    if ($end_date && $start_date !== $end_date) {
                                        echo esc_html($start_date . ' - ' . $end_date);
                                    } else {
                                        echo esc_html($event_item->get_start_date('D, d M Y'));
                                    }
                                    ?>
                                </div>
                                <div class="etn-event-footer">
                                    <div class="etn-event-location">
                                        <!-- SVG content -->
                                        <?php echo esc_html($event_item->get_address()); ?>
                                    </div>
                                    <div class="etn-atend-btn">
                                        <a href="<?php echo esc_url(get_the_permalink($event_item->id)); ?>"
                                           class="etn-btn etn-btn-primary"
                                           title="<?php echo esc_attr($event_item->get_title()); ?>">
                                            <?php esc_html_e('Attend', 'eventin'); ?>
                                        </a>
                                    </div>
                                </div>
                            </div>
                        </div>
                    </div>
                <?php endforeach; ?>
            </div>
        <?php else: ?>
            <p><?php esc_html_e('No events found', 'eventin'); ?></p>
        <?php endif; ?>
    </div>
</div>
```
**Explanation:**
This is a new template file, not a fix to existing code. The code demonstrates proper WordPress security practices throughout:
1. **Output escaping is correctly applied:**
- `esc_attr()` for HTML attributes (lines 1, 10, 18, 27, 67)
- `esc_url()` for URLs (lines 9, 26, 66)
- `esc_html()` for text content (lines 28, 54, 55, 60, 61)
- `esc_html_e()` for translated text (lines 64, 69)
2. **No dynamic content is output without escaping** - all variables from `$event_item` object are properly escaped according to context
3. **SVG content is hardcoded** - not user-controlled
Since this is a new file being added with proper security controls already in place, there are no vulnerabilities to fix. The code follows WordPress security standards for output escaping.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/venue/style-1.php@@ -0,0 +1,111 @@+<div class="<?php echo esc_attr($container_class); ?>">+ <div class="eventin-block-container">+ <div class="etn-venue-info-wrapper">+ <div class="etn-venue-info-content">+ <h3 class="etn-venue-info-title"><?php echo esc_html__('Venue Info', 'eventin'); ?></h3>++ <div class="etn-venue-info-list">+ <?php if (! empty($event_location)): ?>+ <div class="etn-venue-info-item">+ <div class="etn-venue-info-icon">+ <svg xmlns="http://www.w3.org/2000/svg" width="16" height="18" viewBox="0 0 16 18" fill="none">+ <path d="M7.65043 9.89632C9.02928 9.89632 10.1471 8.77855 10.1471 7.3997C10.1471 6.02085 9.02928 4.90308 7.65043 4.90308C6.27158 4.90308 5.15381 6.02085 5.15381 7.3997C5.15381 8.77855 6.27158 9.89632 7.65043 9.89632Z" stroke="#5D5DFF" stroke-width="1.5"/>+ <path d="M0.94523 5.9433C2.52162 -0.986432 12.7882 -0.97843 14.3566 5.9513C15.2768 10.0163 12.7482 13.4572 10.5316 15.5857C8.92322 17.1381 6.37859 17.1381 4.76218 15.5857C2.55363 13.4572 0.0249999 10.0083 0.94523 5.9433Z" stroke="#5D5DFF" stroke-width="1.5"/>+ </svg>+ </div>+ <div class="etn-venue-info-text"><?php echo esc_html($event_location); ?></div>+ </div>+ <?php endif; ?>++ <?php if (! empty($start_date) || ! 
empty($end_date)): ?>+ <div class="etn-venue-info-item">+ <div class="etn-venue-info-icon">+ <svg xmlns="http://www.w3.org/2000/svg" width="16" height="18" viewBox="0 0 16 18" fill="none">+ <path d="M4.6001 0.599976V2.99998" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M10.9985 0.599976V2.99998" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M0.998535 6.27197H14.5985" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M15.0001 5.79993V12.5999C15.0001 14.9999 13.8001 16.5999 11.0001 16.5999H4.6001C1.8001 16.5999 0.600098 14.9999 0.600098 12.5999V5.79993C0.600098 3.39993 1.8001 1.79993 4.6001 1.79993H11.0001C13.8001 1.79993 15.0001 3.39993 15.0001 5.79993Z" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M10.7535 9.95994H10.7607" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M10.7535 12.36H10.7607" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M7.79648 9.95994H7.80367" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M7.79648 12.36H7.80367" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M4.83555 9.95994H4.84273" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M4.83555 12.36H4.84273" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ </svg>+ </div>+ <div class="etn-venue-info-text">+ <?php+ if (! empty($start_date) && ! empty($end_date)) {+ echo esc_html($start_date) . ' - ' . esc_html($end_date);+ } elseif (! empty($start_date)) {+ echo esc_html($start_date);+ } elseif (! 
empty($end_date)) {+ echo esc_html($end_date);+ }+ ?>+ </div>+ </div>+ <?php endif; ?>++ <?php if (! empty($start_time) || ! empty($end_time)): ?>+ <div class="etn-venue-info-item">+ <div class="etn-venue-info-icon">+ <svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18" fill="none">+ <path d="M16.75 8.75C16.75 13.166 13.166 16.75 8.75 16.75C4.334 16.75 0.75 13.166 0.75 8.75C0.75 4.334 4.334 0.75 8.75 0.75C13.166 0.75 16.75 4.334 16.75 8.75Z" stroke="#5D5DFF" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M11.7171 11.294L9.23712 9.81396C8.80512 9.55796 8.45312 8.94196 8.45312 8.43796V5.15796" stroke="#5D5DFF" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>+ </svg>+ </div>+ <div class="etn-venue-info-text">+ <?php+ if (! empty($start_time) && ! empty($end_time)) {+ echo esc_html($start_time) . ' - ' . esc_html($end_time);+ } elseif (! empty($start_time)) {+ echo esc_html($start_time);+ } elseif (! empty($end_time)) {+ echo esc_html($end_time);+ }+ ?>+ </div>+ </div>+ <?php endif; ?>+ </div>++ <?php if (! empty($venue_latitude) && ! empty($venue_longitude)): ?>+ <a href="https://www.google.com/maps?q=<?php echo esc_attr($venue_latitude); ?>,<?php echo esc_attr($venue_longitude); ?>" target="_blank" class="etn-venue-get-direction">+ <?php echo esc_html__('Get Direction', 'eventin'); ?>+ <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16" fill="none">+ <path d="M6 12L10 8L6 4" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>+ </svg>+ </a>+ <?php endif; ?>+ </div>++ <?php if (! empty($venue_latitude) && ! empty($venue_longitude)):+ $google_api_key = function_exists('etn_get_option') ? etn_get_option('google_api_key') : '';+ $map_url = 'https://www.google.com/maps/embed/v1/place';+ if ($google_api_key) {+ $map_url .= '?key=' . esc_attr($google_api_key) . '&q=' . esc_attr($venue_latitude) . ',' . 
esc_attr($venue_longitude);+ } else {+ // Fallback to static map or basic embed+ $map_url = 'https://www.google.com/maps?q=' . esc_attr($venue_latitude) . ',' . esc_attr($venue_longitude) . '&output=embed';+ }+ ?>+ <div class="etn-venue-map-container">+ <iframe+ class="etn-venue-map"+ src="<?php echo esc_url($map_url); ?>"+ allowfullscreen+ loading="lazy"+ referrerpolicy="no-referrer-when-downgrade">+ </iframe>+ </div>+ <?php else: ?>+ <div class="etn-venue-map-container">+ <div style="display: flex; align-items: center; justify-content: center; height: 100%; color: #999; font-size: 14px;">+ <?php echo esc_html__('Map location not available', 'eventin'); ?>+ </div>+ </div>+ <?php endif; ?>+ </div>+ </div>+</div>
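Review bot: `$venue_latitude` and `$venue_longitude` are interpolated into two Google Maps URLs (the get-direction `href` and `$map_url` for the iframe) with `esc_attr()`, which is an HTML-attribute escaper, not a URL-component encoder. `esc_url()` on the iframe `src` drops non-whitelisted schemes and `esc_attr()` prevents attribute breakout, so this is not XSS, but a value such as `1,2&output=foo` reaches the browser as an extra query parameter: `esc_attr()` emits `&amp;`, `esc_url()` rewrites that to `&#038;`, and both decode back to `&` when the attribute is read. Validate once at the top of the template (`is_numeric()` plus a -90..90 / -180..180 range check, or a `(float)` cast) and build the query with `add_query_arg()` or `rawurlencode()`, escaping the finished URL with `esc_url()` at output. Two further points: the Maps Embed API requires the API key in the public iframe `src`, so the key read from `etn_get_option('google_api_key')` must be an HTTP-referrer-restricted key and the settings UI should say so; and the get-direction link uses `target="_blank"` without `rel="noopener noreferrer"`.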
**Vulnerability 1:**
Vulnerability Existed: no
Improper Neutralization of Input During Web Page Generation - CWE-79 - templates/event/parts/styles/venue/style-1.php Lines 1-111
Old Code: N/A (new file)
Fixed Code: The file uses proper escaping functions throughout:
- `esc_attr()` for HTML attributes (lines 1, 80, 84, 85)
- `esc_html()` for text content (lines 5, 20, 42-50, 57-65, 109)
- `esc_html__()` for translatable strings (lines 5, 83, 109)
- `esc_url()` for the iframe src attribute (line 99)
Explanation: This is a new file with no vulnerabilities. All user-controlled data (venue location, dates, times, coordinates) is escaped with the WordPress function matching its output context. The latitude/longitude values are escaped when used in HTML attributes and URLs, and the Google Maps iframe URL is passed through `esc_url()`, which drops any scheme not in `wp_allowed_protocols()`.
**Vulnerability 2:**
Vulnerability Existed: not sure
Improper Control of Resource Identifiers ('Resource Injection') - CWE-99 - templates/event/parts/styles/venue/style-1.php Line 80
Old Code: N/A (new file)
Fixed Code:
```php
<a href="https://www.google.com/maps?q=<?php echo esc_attr($venue_latitude); ?>,<?php echo esc_attr($venue_longitude); ?>" target="_blank" class="etn-venue-get-direction">
```
Explanation: The latitude and longitude are escaped with `esc_attr()`, which stops the value from breaking out of the `href` attribute, but nothing checks that they are numeric coordinates. `esc_attr()` is an HTML escaper, not a URL-component encoder: a value containing `&` is emitted as `&amp;`, which the browser decodes back to `&` when it reads the attribute, so a non-numeric value can append extra query parameters to the Google Maps request or point the map somewhere other than the venue. That is a data-integrity problem, not script execution. Without seeing where `$venue_latitude` and `$venue_longitude` originate, it is unclear whether this is reachable: if the values are validated as numbers at the source (post meta sanitization or the handler that stores them), this is not vulnerable; if they come from user input without validation, numeric validation should be added before use and the query built with `add_query_arg()` or `rawurlencode()`.
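The numeric-validation point in Vulnerability 2 above, as an added example that is not part of the plugin or of the diff: a plain-PHP version of the check a venue template could run before building the Google Maps URLs, with the query encoded per component and the HTML escaping applied last to the whole URL. The function names are this example's own, and `htmlspecialchars()` and `http_build_query()` stand in for WordPress's `esc_url()` and `add_query_arg()` so that the script runs without WordPress.

```php
<?php
declare(strict_types=1);

/**
 * Validate a latitude/longitude pair as read from post meta or a request.
 * Returns [float, float] on success or null; the caller treats null as "no map".
 * Added example, not plugin code: only plain decimal numbers within range pass.
 */
function etn_example_validate_coordinates($lat, $lng): ?array
{
    foreach ([$lat, $lng] as $value) {
        if (!is_string($value) && !is_int($value) && !is_float($value)) {
            return null;
        }
        // is_numeric() would also accept exponent forms ("1e3") and surrounding
        // whitespace; a strict decimal pattern keeps the value to what a map API expects.
        if (!preg_match('/^-?\d{1,3}(\.\d{1,10})?$/', (string) $value)) {
            return null;
        }
    }
    $lat = (float) $lat;
    $lng = (float) $lng;
    if ($lat < -90.0 || $lat > 90.0 || $lng < -180.0 || $lng > 180.0) {
        return null;
    }
    return [$lat, $lng];
}

/**
 * Build the two Google Maps URLs the venue template needs. Every query
 * component goes through http_build_query() with RFC 3986 encoding
 * (rawurlencode semantics) instead of an HTML escaper.
 */
function etn_example_map_urls(float $lat, float $lng, string $api_key = ''): array
{
    $q = sprintf('%.6F,%.6F', $lat, $lng); // %F is locale-independent

    $directions = 'https://www.google.com/maps?'
        . http_build_query(['q' => $q], '', '&', PHP_QUERY_RFC3986);

    if ($api_key !== '') {
        // Embed API: the key is necessarily public, so it must be referrer-restricted.
        $embed = 'https://www.google.com/maps/embed/v1/place?'
            . http_build_query(['key' => $api_key, 'q' => $q], '', '&', PHP_QUERY_RFC3986);
    } else {
        $embed = 'https://www.google.com/maps?'
            . http_build_query(['q' => $q, 'output' => 'embed'], '', '&', PHP_QUERY_RFC3986);
    }

    return ['directions' => $directions, 'embed' => $embed];
}

/** Attribute escaping is the last step and covers the whole URL (stand-in for esc_url()). */
function etn_example_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: a genuine pair, one that smuggles an extra query parameter,
// and one that is numeric but outside the valid latitude range.
$cases = [
    'good'  => ['23.8103', '90.4125'],
    'bad'   => ['23.8103', '90.4125&output=embed'],
    'range' => ['123.4', '90.4125'],
];

foreach ($cases as $label => [$lat, $lng]) {
    $coords = etn_example_validate_coordinates($lat, $lng);
    if ($coords === null) {
        echo "$label: rejected, render the 'Map location not available' block\n";
        continue;
    }
    $urls = etn_example_map_urls($coords[0], $coords[1]);
    echo "$label: href=\"" . etn_example_attr($urls['directions']) . "\"\n";
    echo "$label: src=\"" . etn_example_attr($urls['embed']) . "\"\n";
}
```

Only the `good` pair produces URLs; the `bad` pair is rejected by the decimal pattern before any URL is built, so the `&output=embed` suffix never reaches the query string, and the out-of-range pair is rejected by the bounds check even though it is numeric. In the template the rejection path maps onto the existing "Map location not available" block.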
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/venue/style-2.php@@ -0,0 +1,11 @@+<div class="<?php echo esc_attr($container_class); ?>">+ <div class="eventin-block-container">+ <div class="eventin-venue-value">+ <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 14 16" fill="none">+ <path fill-rule="evenodd" clip-rule="evenodd" d="M6.99789 5.35125C6.20678 5.35125 5.56546 5.99369 5.56546 6.78618C5.56546 7.57867 6.20678 8.22111 6.99789 8.22111C7.78899 8.22111 8.43031 7.57867 8.43031 6.78618C8.43031 5.99369 7.78899 5.35125 6.99789 5.35125ZM3.94995 6.78618C3.94995 5.09991 5.31456 3.73291 6.99789 3.73291C8.68122 3.73291 10.0458 5.09991 10.0458 6.78618C10.0458 8.47246 8.68122 9.83945 6.99789 9.83945C5.31456 9.83945 3.94995 8.47246 3.94995 6.78618Z" fill="#4E7FFD"/>+ <path fill-rule="evenodd" clip-rule="evenodd" d="M7.00215 1.61834C4.65012 1.61675 2.37917 2.97814 1.77083 5.65634C1.04534 8.86786 3.02722 11.6872 4.96797 13.5611C6.10654 14.6561 7.89457 14.654 9.02387 13.5621L9.02534 13.5607C10.9732 11.6868 12.9548 8.87437 12.2291 5.66304L12.2291 5.663C11.6239 2.98462 9.35438 1.61994 7.00215 1.61834ZM13.8047 5.30572C13.0025 1.75531 9.96246 0.0020054 7.00325 1.71953e-06C4.04393 -0.00200209 1.00172 1.7473 0.19548 5.2977L0.195292 5.29853C-0.730257 9.3942 1.82511 12.7744 3.84747 14.7269L3.84849 14.7279C5.61019 16.4228 8.38729 16.4252 10.1443 14.7279C12.1742 12.7753 14.7304 9.4021 13.8047 5.30572Z" fill="#4E7FFD"/>+ </svg>+ <?php echo esc_html($event_location); ?>+ </div>+ </div>+</div>
Vulnerability Existed: no
[No Vulnerability Identified]
File: templates/event/parts/styles/venue/style-2.php
Analysis: This is a new file addition containing a template partial for displaying event venue information. The code properly implements security best practices:
1. **Output Escaping**:
- `esc_attr($container_class)` - correctly escapes HTML attributes
- `esc_html($event_location)` - correctly escapes HTML content
2. **SVG Content**: The SVG is hardcoded with static content (no dynamic data embedded), making it safe from injection attacks.
3. **No User Input Directly Echoed**: All dynamic variables are properly escaped before output.
Explanation: This code does not contain security vulnerabilities. It follows WordPress security standards by properly escaping all dynamic output:
- Attribute values are escaped with `esc_attr()`
- HTML content is escaped with `esc_html()`
- Static SVG markup poses no security risk
- No unescaped user input is present in the output
The addition of this template file demonstrates proper security implementation rather than fixing a vulnerability.
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/venue/style-3.php@@ -0,0 +1,115 @@+<div class="<?php echo esc_attr($container_class); ?>">+ <div class="eventin-block-container">+ <div class="etn-venue-info-wrapper style-3">+ <div class="etn-venue-info-content">+ <div class="etn-venue-info-content-inner">+ <h3 class="etn-venue-info-title"><?php echo esc_html__('Venue Info', 'eventin'); ?></h3>+ <div class="etn-venue-info-list">+ <?php if (! empty($event_location)): ?>+ <div class="etn-venue-info-item">+ <div class="etn-venue-info-icon">+ <svg xmlns="http://www.w3.org/2000/svg" width="16" height="18" viewBox="0 0 16 18" fill="none">+ <path d="M7.65043 9.89632C9.02928 9.89632 10.1471 8.77855 10.1471 7.3997C10.1471 6.02085 9.02928 4.90308 7.65043 4.90308C6.27158 4.90308 5.15381 6.02085 5.15381 7.3997C5.15381 8.77855 6.27158 9.89632 7.65043 9.89632Z" stroke="#5D5DFF" stroke-width="1.5"/>+ <path d="M0.94523 5.9433C2.52162 -0.986432 12.7882 -0.97843 14.3566 5.9513C15.2768 10.0163 12.7482 13.4572 10.5316 15.5857C8.92322 17.1381 6.37859 17.1381 4.76218 15.5857C2.55363 13.4572 0.0249999 10.0083 0.94523 5.9433Z" stroke="#5D5DFF" stroke-width="1.5"/>+ </svg>+ </div>+ <div class="etn-venue-info-text"><?php echo esc_html($event_location); ?></div>+ </div>+ <?php endif; ?>++ <?php if (! empty($start_date) || ! 
empty($end_date)): ?>+ <div class="etn-venue-info-item">+ <div class="etn-venue-info-icon">+ <svg xmlns="http://www.w3.org/2000/svg" width="16" height="18" viewBox="0 0 16 18" fill="none">+ <path d="M4.6001 0.599976V2.99998" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M10.9985 0.599976V2.99998" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M0.998535 6.27197H14.5985" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M15.0001 5.79993V12.5999C15.0001 14.9999 13.8001 16.5999 11.0001 16.5999H4.6001C1.8001 16.5999 0.600098 14.9999 0.600098 12.5999V5.79993C0.600098 3.39993 1.8001 1.79993 4.6001 1.79993H11.0001C13.8001 1.79993 15.0001 3.39993 15.0001 5.79993Z" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M10.7535 9.95994H10.7607" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M10.7535 12.36H10.7607" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M7.79648 9.95994H7.80367" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M7.79648 12.36H7.80367" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M4.83555 9.95994H4.84273" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M4.83555 12.36H4.84273" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ </svg>+ </div>+ <div class="etn-venue-info-text">+ <?php+ if (! empty($start_date) && ! empty($end_date)) {+ echo esc_html($start_date) . ' - ' . esc_html($end_date);+ } elseif (! empty($start_date)) {+ echo esc_html($start_date);+ } elseif (! 
empty($end_date)) {+ echo esc_html($end_date);+ }+ ?>+ </div>+ </div>+ <?php endif; ?>++ <?php if (! empty($start_time) || ! empty($end_time)): ?>+ <div class="etn-venue-info-item">+ <div class="etn-venue-info-icon">+ <svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18" fill="none">+ <path d="M16.75 8.75C16.75 13.166 13.166 16.75 8.75 16.75C4.334 16.75 0.75 13.166 0.75 8.75C0.75 4.334 4.334 0.75 8.75 0.75C13.166 0.75 16.75 4.334 16.75 8.75Z" stroke="#5D5DFF" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M11.7171 11.294L9.23712 9.81396C8.80512 9.55796 8.45312 8.94196 8.45312 8.43796V5.15796" stroke="#5D5DFF" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>+ </svg>+ </div>+ <div class="etn-venue-info-text">+ <?php+ if (! empty($start_time) && ! empty($end_time)) {+ echo esc_html($start_time) . ' - ' . esc_html($end_time);+ } elseif (! empty($start_time)) {+ echo esc_html($start_time);+ } elseif (! empty($end_time)) {+ echo esc_html($end_time);+ }+ ?>+ </div>+ </div>+ <?php endif; ?>+ </div>+ </div>++ <div class="etn-venue-get-direction-container">+ <?php if (! empty($venue_latitude) && ! empty($venue_longitude)): ?>+ <a href="https://www.google.com/maps?q=<?php echo esc_attr($venue_latitude); ?>,<?php echo esc_attr($venue_longitude); ?>" target="_blank" class="etn-venue-get-direction">+ <?php echo esc_html__('Get Direction', 'eventin'); ?>+ <svg xmlns="http://www.w3.org/2000/svg" width="16" height="13" viewBox="0 0 16 13" fill="none">+ <path d="M5.24537e-07 6.22791L15 6.22791" stroke="#5D5DFF" stroke-width="2"/>+ <path d="M9.96338 0.309936C10.4242 1.72373 12.0371 4.90304 14.8021 6.30994" stroke="#5D5DFF" stroke-width="2"/>+ <path d="M9.96338 12.3099C10.4242 10.8961 12.0371 7.71683 14.8021 6.30994" stroke="#5D5DFF" stroke-width="2"/>+ </svg>+ </a>+ <?php endif; ?>+ </div>+ </div>++ <?php if (! empty($venue_latitude) && ! 
empty($venue_longitude)):+ $google_api_key = function_exists('etn_get_option') ? etn_get_option('google_api_key') : '';+ $map_url = 'https://www.google.com/maps/embed/v1/place';+ if ($google_api_key) {+ $map_url .= '?key=' . esc_attr($google_api_key) . '&q=' . esc_attr($venue_latitude) . ',' . esc_attr($venue_longitude);+ } else {+ // Fallback to static map or basic embed+ $map_url = 'https://www.google.com/maps?q=' . esc_attr($venue_latitude) . ',' . esc_attr($venue_longitude) . '&output=embed';+ }+ ?>+ <div class="etn-venue-map-container">+ <iframe+ class="etn-venue-map"+ src="<?php echo esc_url($map_url); ?>"+ allowfullscreen+ loading="lazy"+ referrerpolicy="no-referrer-when-downgrade">+ </iframe>+ </div> <?php else: ?>+ <div class="etn-venue-map-container">+ <div style="display: flex; align-items: center; justify-content: center; height: 100%; color: #999; font-size: 14px;">+ <?php echo esc_html__('Map location not available', 'eventin'); ?>+ </div>+ </div>+ <?php endif; ?>+ </div>+ </div>+</div>
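Review bot: in the `$map_url` construction, `esc_attr()` is the wrong escaper for the three values concatenated into the query string (`$google_api_key`, `$venue_latitude`, `$venue_longitude`): it produces HTML entities rather than percent-encoding, and the result is then escaped a second time by `esc_url()` at the `src` echo. Validate the two coordinates as numeric and in range before this block, build the query with `rawurlencode()` or `add_query_arg()`, and keep `esc_url()` only at output; the same unvalidated values also go into the `Get Direction` `href` above. Because the key is emitted into the iframe `src` it is visible to every visitor, so the `google_api_key` option should hold a key restricted to this site's referrer.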
Vulnerability Existed: no
Cross-Site Scripting (XSS) - CWE-79 - templates/event/parts/styles/venue/style-3.php Lines 1-115
Old Code:
N/A (new file)
Fixed Code:
The entire file uses proper output escaping functions throughout:
- `esc_attr()` for HTML attributes (lines 1, 82, 87, 88, 103)
- `esc_html()` for text content (lines 6, 22, 54, 57, 60, 63, 66, 106, 111)
- `esc_url()` for URLs (line 102)
- `esc_html__()` for translatable strings (lines 6, 83, 111)
Explanation:
This is a newly created template file that demonstrates secure coding practices. All dynamic user-controlled data is escaped before output:
- Location, dates, and times use `esc_html()` for safe text rendering
- Map coordinates and the API key use `esc_attr()` when placed in URL parameters
- The Google Maps embed URL uses `esc_url()` for safe href/src attributes
- All translatable strings use `esc_html__()`
There are no instances of unescaped variable output, concatenated user data, or unsafe HTML injection. The code follows WordPress security best practices and the OWASP principle of output encoding.
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/venue/style-4.php@@ -0,0 +1,118 @@+<div class="<?php echo esc_attr($container_class); ?>">+ <div class="eventin-block-container">+ <div class="etn-venue-info-wrapper style-4">++ <h3 class="etn-venue-info-title"><?php echo esc_html__('Venue Info', 'eventin'); ?></h3>++ <?php if (! empty($venue_latitude) && ! empty($venue_longitude)):+ $google_api_key = function_exists('etn_get_option') ? etn_get_option('google_api_key') : '';+ $map_url = 'https://www.google.com/maps/embed/v1/place';+ if ($google_api_key) {+ $map_url .= '?key=' . esc_attr($google_api_key) . '&q=' . esc_attr($venue_latitude) . ',' . esc_attr($venue_longitude);+ } else {+ // Fallback to static map or basic embed+ $map_url = 'https://www.google.com/maps?q=' . esc_attr($venue_latitude) . ',' . esc_attr($venue_longitude) . '&output=embed';+ }+ ?>+ <div class="etn-venue-map-container">+ <iframe+ class="etn-venue-map"+ src="<?php echo esc_url($map_url); ?>"+ allowfullscreen+ loading="lazy"+ referrerpolicy="no-referrer-when-downgrade">+ </iframe>+ </div> <?php else: ?>+ <div class="etn-venue-map-container">+ <div style="display: flex; align-items: center; justify-content: center; height: 100%; color: #999; font-size: 14px;">+ <?php echo esc_html__('Map location not available', 'eventin'); ?>+ </div>+ </div>+ <?php endif; ?>+++ <div class="etn-venue-info-content">+ <div class="etn-venue-info-content-inner">+ <div class="etn-venue-info-list">+ <?php if (! 
empty($event_location)): ?>+ <div class="etn-venue-info-item">+ <div class="etn-venue-info-icon">+ <svg xmlns="http://www.w3.org/2000/svg" width="16" height="18" viewBox="0 0 16 18" fill="none">+ <path d="M7.65043 9.89632C9.02928 9.89632 10.1471 8.77855 10.1471 7.3997C10.1471 6.02085 9.02928 4.90308 7.65043 4.90308C6.27158 4.90308 5.15381 6.02085 5.15381 7.3997C5.15381 8.77855 6.27158 9.89632 7.65043 9.89632Z" stroke="#5D5DFF" stroke-width="1.5"/>+ <path d="M0.94523 5.9433C2.52162 -0.986432 12.7882 -0.97843 14.3566 5.9513C15.2768 10.0163 12.7482 13.4572 10.5316 15.5857C8.92322 17.1381 6.37859 17.1381 4.76218 15.5857C2.55363 13.4572 0.0249999 10.0083 0.94523 5.9433Z" stroke="#5D5DFF" stroke-width="1.5"/>+ </svg>+ </div>+ <div class="etn-venue-info-text"><?php echo esc_html($event_location); ?></div>+ </div>+ <?php endif; ?>++ <?php if (! empty($start_date) || ! empty($end_date)): ?>+ <div class="etn-venue-info-item">+ <div class="etn-venue-info-icon">+ <svg xmlns="http://www.w3.org/2000/svg" width="16" height="18" viewBox="0 0 16 18" fill="none">+ <path d="M4.6001 0.599976V2.99998" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M10.9985 0.599976V2.99998" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M0.998535 6.27197H14.5985" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M15.0001 5.79993V12.5999C15.0001 14.9999 13.8001 16.5999 11.0001 16.5999H4.6001C1.8001 16.5999 0.600098 14.9999 0.600098 12.5999V5.79993C0.600098 3.39993 1.8001 1.79993 4.6001 1.79993H11.0001C13.8001 1.79993 15.0001 3.39993 15.0001 5.79993Z" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M10.7535 9.95994H10.7607" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M10.7535 
12.36H10.7607" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M7.79648 9.95994H7.80367" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M7.79648 12.36H7.80367" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M4.83555 9.95994H4.84273" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M4.83555 12.36H4.84273" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+ </svg>+ </div>+ <div class="etn-venue-info-text">+ <?php+ if (! empty($start_date) && ! empty($end_date)) {+ echo esc_html($start_date) . ' - ' . esc_html($end_date);+ } elseif (! empty($start_date)) {+ echo esc_html($start_date);+ } elseif (! empty($end_date)) {+ echo esc_html($end_date);+ }+ ?>+ </div>+ </div>+ <?php endif; ?>++ <?php if (! empty($start_time) || ! empty($end_time)): ?>+ <div class="etn-venue-info-item">+ <div class="etn-venue-info-icon">+ <svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18" fill="none">+ <path d="M16.75 8.75C16.75 13.166 13.166 16.75 8.75 16.75C4.334 16.75 0.75 13.166 0.75 8.75C0.75 4.334 4.334 0.75 8.75 0.75C13.166 0.75 16.75 4.334 16.75 8.75Z" stroke="#5D5DFF" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>+ <path d="M11.7171 11.294L9.23712 9.81396C8.80512 9.55796 8.45312 8.94196 8.45312 8.43796V5.15796" stroke="#5D5DFF" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>+ </svg>+ </div>+ <div class="etn-venue-info-text">+ <?php+ if (! empty($start_time) && ! empty($end_time)) {+ echo esc_html($start_time) . ' - ' . esc_html($end_time);+ } elseif (! empty($start_time)) {+ echo esc_html($start_time);+ } elseif (! empty($end_time)) {+ echo esc_html($end_time);+ }+ ?>+ </div>+ </div>+ <?php endif; ?>+ </div>+ </div>++ <div class="etn-venue-get-direction-container">+ <?php if (! 
empty($venue_latitude) && ! empty($venue_longitude)): ?>+ <a href="https://www.google.com/maps?q=<?php echo esc_attr($venue_latitude); ?>,<?php echo esc_attr($venue_longitude); ?>" target="_blank" class="etn-venue-get-direction">+ <?php echo esc_html__('Get Direction', 'eventin'); ?>+ <svg xmlns="http://www.w3.org/2000/svg" width="16" height="13" viewBox="0 0 16 13" fill="none">+ <path d="M5.24537e-07 6.22791L15 6.22791" stroke="#5D5DFF" stroke-width="2"/>+ <path d="M9.96338 0.309936C10.4242 1.72373 12.0371 4.90304 14.8021 6.30994" stroke="#5D5DFF" stroke-width="2"/>+ <path d="M9.96338 12.3099C10.4242 10.8961 12.0371 7.71683 14.8021 6.30994" stroke="#5D5DFF" stroke-width="2"/>+ </svg>+ </a>+ <?php endif; ?>+ </div>+ </div>+ </div>+ </div>+</div>
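Review bot: the whole map block (the `etn_get_option('google_api_key')` lookup, the two `$map_url` branches, the iframe and the 'Map location not available' fallback) and the `Get Direction` link are duplicated from style-3.php, and both copies carry the same weakness: `esc_attr()` is applied to `$google_api_key`, `$venue_latitude` and `$venue_longitude` as if they were HTML attribute values while they are being placed in a URL query string. Move the block into one shared helper that checks the coordinates with `is_numeric()` and the -90..90 / -180..180 ranges and builds the query with `rawurlencode()`, so the validation exists in exactly one place.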
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/event/parts/styles/venue/style-4.php Lines 10-12
Old Code:
N/A (new file, but vulnerability in implementation)
Fixed Code:
Lines 10-12 show the vulnerable implementation:
```php
$map_url .= '?key=' . esc_attr($google_api_key) . '&q=' . esc_attr($venue_latitude) . ',' . esc_attr($venue_longitude);
```
Explanation:
The code applies `esc_attr()` to the latitude and longitude values before inserting them into a URL query string. However, `esc_attr()` is designed for HTML attribute context, not URL query parameters: it converts quotes and ampersands to HTML entities but does not percent-encode the characters that are significant in a URL query string (&, =, +, spaces). This could allow XSS if an attacker controls the latitude/longitude values. The correct function for URL query parameters is `urlencode()` or `rawurlencode()`.
---
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - templates/event/parts/styles/venue/style-4.php Line 9
Old Code:
N/A (new file)
Fixed Code:
Line 9:
```php
$google_api_key = function_exists('etn_get_option') ? etn_get_option('google_api_key') : '';
```
Explanation:
The Google API key is read from the plugin options without validation or sanitization before being used in a URL. While `esc_attr()` is applied to it on line 11, that is insufficient for an API key. A malicious API key value or injection attack could compromise the embedded map functionality or expose sensitive information.
---
Vulnerability Existed: not sure
Open Redirect - CWE-601 - templates/event/parts/styles/venue/style-4.php Line 107
Old Code:
N/A (new file)
Fixed Code:
```php
<a href="https://www.google.com/maps?q=<?php echo esc_attr($venue_latitude); ?>,<?php echo esc_attr($venue_longitude); ?>" target="_blank"
```
Explanation:
While the href is hardcoded to Google Maps (which reduces the risk), the latitude and longitude values are user-controlled and embedded in the URL. Even with `esc_attr()` escaping, if these values are not validated as numeric coordinates, an attacker could potentially inject URL parameters or alter the link target. Validation should ensure latitude and longitude are numeric values within valid ranges (-90 to 90 for latitude, -180 to 180 for longitude).
--- cache/wp-event-solution_4.0.51/templates/event/purchase-form/recurring-event-ticket.php 2026-01-09 00:38:10.020547212 +0000+++ cache/wp-event-solution_4.0.52/templates/event/purchase-form/recurring-event-ticket.php 2026-01-09 00:43:17.459310578 +0000@@ -1,83 +1,83 @@ <?php-use Etn\Utils\Helper;+ use Etn\Utils\Helper; -$etn_left_tickets = !empty( $data['etn_left_tickets'] ) ? $data['etn_left_tickets'] : 0;-$etn_ticket_unlimited = ( isset( $data['etn_ticket_unlimited'] ) && $data['etn_ticket_unlimited'] == "no" ) ? true : false;-$etn_ticket_price = isset( $data['etn_ticket_price'] ) ? $data['etn_ticket_price'] : '';-$ticket_qty = get_post_meta( $single_event_id, "etn_sold_tickets", true );-$total_sold_ticket = isset( $ticket_qty ) ? intval( $ticket_qty ) : 0;-$is_zoom_event = get_post_meta( $single_event_id, 'etn_zoom_event', true );-$event_options = !empty( $data['event_options'] ) ? $data['event_options'] : [];-$event_title = get_the_title( $single_event_id );-$separate = (!empty($data['event_end_date'])) ? ' - ' : '';-$settings = Helper::get_settings();-$attendee_reg_enable = !empty( $settings["attendee_registration"] ) ? true : false;-$active_class = ($i===0) ? 'active' : '';-$active_item = ($i===0) ? 'style=display:block' : '';-$etn_min_ticket = !empty(get_post_meta( $single_event_id, 'etn_min_ticket', true )) ? get_post_meta( $single_event_id, 'etn_min_ticket', true ) : 1;-$etn_max_ticket = !empty(get_post_meta( $single_event_id, 'etn_max_ticket', true )) ? get_post_meta( $single_event_id, 'etn_max_ticket', true ) : $etn_left_tickets;-$etn_max_ticket = min($etn_left_tickets, $etn_max_ticket);-$disable_purchase_form = get_post_meta( $single_event_id, 'etn_disable_purchase_form', true );+ $etn_left_tickets = ! empty($data['etn_left_tickets']) ? $data['etn_left_tickets'] : 0;+ $etn_ticket_unlimited = (isset($data['etn_ticket_unlimited']) && $data['etn_ticket_unlimited'] == "no") ? true : false;+ $etn_ticket_price = isset($data['etn_ticket_price']) ? 
$data['etn_ticket_price'] : '';+ $ticket_qty = get_post_meta($single_event_id, "etn_sold_tickets", true);+ $total_sold_ticket = isset($ticket_qty) ? intval($ticket_qty) : 0;+ $is_zoom_event = get_post_meta($single_event_id, 'etn_zoom_event', true);+ $event_options = ! empty($data['event_options']) ? $data['event_options'] : [];+ $event_title = get_the_title($single_event_id);+ $separate = (! empty($data['event_end_date'])) ? ' - ' : '';+ $settings = Helper::get_settings();+ $attendee_reg_enable = ! empty($settings["attendee_registration"]) ? true : false;+ $active_class = ($i === 0) ? 'active' : '';+ $active_item = ($i === 0) ? 'style=display:block' : '';+ $etn_min_ticket = ! empty(get_post_meta($single_event_id, 'etn_min_ticket', true)) ? get_post_meta($single_event_id, 'etn_min_ticket', true) : 1;+ $etn_max_ticket = ! empty(get_post_meta($single_event_id, 'etn_max_ticket', true)) ? get_post_meta($single_event_id, 'etn_max_ticket', true) : $etn_left_tickets;+ $etn_max_ticket = min($etn_left_tickets, $etn_max_ticket);+ $disable_purchase_form = get_post_meta($single_event_id, 'etn_disable_purchase_form', true); ?> -<div class="etn-widget etn-recurring-widget <?php echo esc_attr($active_class); ?>">+<div class="etn-widget etn-recurring-widget <?php echo esc_attr($active_class); ?>"> <div class="etn-row"> <div class="etn-col-lg-3"> <div class="etn-left-datemeta"> <div class="etn-date-meta">- <?php echo date_i18n('d M', strtotime( str_replace('/', '-', $data['event_start_date'] ) )) ; ?>+ <?php echo esc_html(date_i18n('d M', strtotime(str_replace('/', '-', $data['event_start_date'])))); ?> <?php echo esc_attr($separate); ?>- <?php echo date_i18n('d M', strtotime( str_replace('/', '-', $data['event_end_date'] ) )) ; ?>+ <?php echo esc_html(date_i18n('d M', strtotime(str_replace('/', '-', $data['event_end_date'])))); ?> <span>- <?php echo date_i18n('j', strtotime( str_replace('/', '-', $data['event_start_date'] ) )); ?>+ <?php echo esc_html( date_i18n('j', strtotime( 
str_replace('/', '-', $data['event_start_date'] ) )) ); ?> <?php echo esc_attr($separate); ?>- <?php echo date_i18n('j', strtotime( str_replace('/', '-', $data['event_end_date'] ) )); ?>+ <?php echo esc_html( date_i18n('j', strtotime( str_replace('/', '-', $data['event_end_date'] ) )) ); ?> </span> </div> <?php- // show if this is a zoom event- if ( isset( $is_zoom_event ) && ("on" == $is_zoom_event || "yes" == $is_zoom_event ) ) {- ?>+ // show if this is a zoom event+ if (isset($is_zoom_event) && ("on" == $is_zoom_event || "yes" == $is_zoom_event)) {+ ?> <div class="etn-zoom-event-notice"> <img src="<?php echo esc_url(\Wpeventin::assets_url() . "images/zoom.svg"); ?>" alt="<?php echo esc_attr__('Zoom', 'eventin') ?>">- <?php echo esc_html__( "Zoom Event", "eventin" ); ?>+ <?php echo esc_html__("Zoom Event", "eventin"); ?> </div> <?php- }- ?>+ }+ ?> </div> </div> <div class="etn-col-lg-9">- <div class="recurring-content <?php echo esc_attr($active_class);?>">+ <div class="recurring-content <?php echo esc_attr($active_class); ?>"> <div class="etn-recurring-header"> <div class="etn-title-wrap"> <div class="etn-time-meta"> <?php- if ( !isset($event_options["etn_hide_time_from_details"]) ) {- $separate = (!empty($data['event_end_time'])) ? ' - ' : '';- ?>+ if (! isset($event_options["etn_hide_time_from_details"])) {+ $separate = (! empty($data['event_end_time'])) ? ' - ' : '';+ ?> <div> <i class="etn-icon etn-clock"></i> <?php echo esc_html($data['event_start_time'] . $separate . $data['event_end_time']); ?> <span class="etn-event-timezone"> <?php- if ( !empty( $data['event_timezone'] ) && !isset($event_options["etn_hide_timezone_from_details"]) ) {- ?>- (<?php echo esc_html( $data['event_timezone'] ); ?>)+ if (! empty($data['event_timezone']) && ! 
isset($event_options["etn_hide_timezone_from_details"])) {+ ?>+ (<?php echo esc_html($data['event_timezone']); ?>) <?php- }- ?>+ }+ ?> </span> </div> <?php- }- ?>+ }+ ?> </div> <h4 class="etn-title etn-post-title etn-accordion-heading">- <a href="<?php echo esc_url( get_permalink( $single_event_id ) ); ?>">- <?php echo esc_html( $event_title ); ?>+ <a href="<?php echo esc_url(get_permalink($single_event_id)); ?>">+ <?php echo esc_html($event_title); ?> </a> </h4> <p>@@ -89,29 +89,29 @@ </div> <i class="etn-icon etn-angle-down"></i> </div>- <div class="etn-form-wrap" <?php echo esc_attr($active_item ); ?>>+ <div class="etn-form-wrap" <?php echo esc_attr($active_item); ?>> <?php- if( $etn_left_tickets > 0 && $disable_purchase_form != 'yes' ) { ?>+ if ($etn_left_tickets > 0 && $disable_purchase_form != 'yes') {?> <form method="post" class="etn-event-form-parent">- <?php wp_nonce_field('ticket_purchase_next_step_two','ticket_purchase_next_step_two'); ?>+ <?php wp_nonce_field('ticket_purchase_next_step_two', 'ticket_purchase_next_step_two'); ?> <?php- if( $attendee_reg_enable ){- ?>+ if ($attendee_reg_enable) {+ ?> <input name="ticket_purchase_next_step" type="hidden" value="two" /> <input name="event_id" type="hidden" value="<?php echo intval($single_event_id); ?>" /> <input name="event_name" type="hidden" value="<?php echo esc_html($event_title); ?>" /> <?php- }else{- ?>+ } else {+ ?> <input name="add-to-cart" type="hidden" value="<?php echo intval($single_event_id); ?>" /> <input name="event_name" type="hidden" value="<?php echo esc_html($event_title); ?>" /> <?php- }- ?>+ }+ ?> <div class="etn-item-row"> <div class="etn-price-field"> <label for="etn_product_price">- <?php echo isset($event_options["etn_price_label"]) && ( "" != $event_options["etn_price_label"]) ? esc_html($event_options["etn_price_label"]) : esc_html__('Price', "eventin"); ?>+ <?php echo isset($event_options["etn_price_label"]) && ("" != $event_options["etn_price_label"]) ? 
esc_html($event_options["etn_price_label"]) : esc_html__('Price', "eventin"); ?> </label> <input id="etn_product_price" class="attr-form-control etn-event-form-price etn_product_price" readonly name="price" type="text" value="<?php echo esc_attr($etn_ticket_price); ?>" min="1" /> </div>@@ -120,7 +120,7 @@ <?php echo esc_html__('Quantity', "eventin"); ?> </label> <div class="etn-quantity">- <input id="etn_product_qty" class="attr-form-control etn-event-form-qty etn_product_qty" name="quantity" type="number" value="<?php echo esc_attr( $etn_min_ticket ); ?>" min="<?php echo esc_attr( $etn_min_ticket ); ?>" max="<?php echo esc_attr( $etn_max_ticket ); ?>" data-etn_min_ticket='<?php echo esc_attr( $etn_min_ticket ); ?>' data-etn_max_ticket='<?php echo esc_attr( $etn_max_ticket ); ?>' data-left_ticket="<?php echo esc_html($etn_left_tickets); ?>" data-invalid_qty_text="<?php echo esc_html__("Invalid Qty", "eventin");?>" />+ <input id="etn_product_qty" class="attr-form-control etn-event-form-qty etn_product_qty" name="quantity" type="number" value="<?php echo esc_attr($etn_min_ticket); ?>" min="<?php echo esc_attr($etn_min_ticket); ?>" max="<?php echo esc_attr($etn_max_ticket); ?>" data-etn_min_ticket='<?php echo esc_attr($etn_min_ticket); ?>' data-etn_max_ticket='<?php echo esc_attr($etn_max_ticket); ?>' data-left_ticket="<?php echo esc_html($etn_left_tickets); ?>" data-invalid_qty_text="<?php echo esc_html__("Invalid Qty", "eventin"); ?>" /> </div> </div> 
@@ -130,75 +130,76 @@ </label> <div class="etn-t-price"> <?php- if(function_exists("get_woocommerce_currency_symbol")){- echo esc_html(get_woocommerce_currency_symbol());- }- ?>+ if (function_exists("get_woocommerce_currency_symbol")) {+ echo esc_html(get_woocommerce_currency_symbol());+ }+ ?> <span id="etn_form_price" class="etn_form_price"> <?php echo esc_html($etn_ticket_price); ?> </span> </div> </div> <div class="etn-add-to-cart-btn">- <?php do_action( 'etn_before_add_to_cart_button'); ?>+ <?php do_action('etn_before_add_to_cart_button'); ?> <?php- $show_form_button = apply_filters("etn_form_submit_visibility", true, $single_event_id);+ $show_form_button = apply_filters("etn_form_submit_visibility", true, $single_event_id); - if ($show_form_button === false) {- ?>+ if ($show_form_button === false) {+ ?> <small><?php echo esc_html__('Event already expired!', "eventin"); ?></small> <?php- } else {- if (!isset($event_options["etn_purchase_login_required"]) || (isset($event_options["etn_purchase_login_required"]) && is_user_logged_in())) {- ?>- <input name="submit" class="etn-btn etn-primary etn-add-to-cart-block" type="submit" value="<?php $cart_button_text = apply_filters( 'etn_event_cart_button_text', esc_html__("Add to cart", "eventin") ); echo esc_html( $cart_button_text ); ?>" />+ } else {+ if (! 
isset($event_options["etn_purchase_login_required"]) || (isset($event_options["etn_purchase_login_required"]) && is_user_logged_in())) {+ ?>+ <input name="submit" class="etn-btn etn-primary etn-add-to-cart-block" type="submit" value="<?php $cart_button_text = apply_filters('etn_event_cart_button_text', esc_html__("Add to cart", "eventin"));+ echo esc_html($cart_button_text); ?>" /> <?php- } else {- ?>+ } else {+ ?> <small>- <?php echo esc_html__('Please', 'eventin'); ?> <a href="<?php echo wp_login_url( get_permalink( ) ); ?>"><?php echo esc_html__( "Login", "eventin" ); ?></a> <?php echo esc_html__(' to buy ticket!', "eventin"); ?>+ <?php echo esc_html__('Please', 'eventin'); ?> <a href="<?php echo esc_url(wp_login_url(get_permalink())); ?>"><?php echo esc_html__("Login", "eventin"); ?></a><?php echo esc_html__(' to buy ticket!', "eventin"); ?> </small> <?php- }- }- ?>- <?php do_action( 'etn_after_add_to_cart_button'); ?>+ }+ }+ ?>+ <?php do_action('etn_after_add_to_cart_button'); ?> </div> </div> </form> <!-- tikcet holder --> <div class="etn-single-page-ticket-count-text-holder"> <?php- if ( !isset($event_options["etn_hide_seats_from_details"]) ) {- ?>+ if (! isset($event_options["etn_hide_seats_from_details"])) {+ ?> <div class="etn-form-ticket-text"> <?php- if( $etn_ticket_unlimited ){- echo esc_html__( "This event offers unlimited tickets", "eventin" );- }else {- echo esc_html($etn_left_tickets) . esc_html__(' seats remaining', "eventin");- }- ?>+ if ($etn_ticket_unlimited) {+ echo esc_html__("This event offers unlimited tickets", "eventin");+ } else {+ echo esc_html($etn_left_tickets) . esc_html__(' seats remaining', "eventin");+ }+ ?> </div> <?php- } - if( !isset($event_options["etn_hide_attendee_count_from_details"]) ){- ?>+ }+ if (! isset($event_options["etn_hide_attendee_count_from_details"])) {+ ?> <div class="etn-form-ticket-text">- <?php echo esc_html( $total_sold_ticket ) . 
esc_html__(" attendees so far.", "eventin"); ?>+ <?php echo esc_html($total_sold_ticket) . esc_html__(" attendees so far.", "eventin"); ?> </div> <?php- }- ?>+ }+ ?> </div> <?php- } else {- ?>- <h6><?php echo esc_html__( 'No Tickets Available!!', "eventin" ); ?></h6>+ } else {+ ?>+ <h6><?php echo esc_html__('No Tickets Available!!', "eventin"); ?></h6> <?php- }- ?>+ }+ ?> </div> </div> </div>
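Review bot: in the first hunk the separator `$separate` is only non-empty when `$data['event_end_date']` is set, but both `date_i18n(..., strtotime(str_replace('/', '-', $data['event_end_date'])))` echoes that follow it run unconditionally, so an event without an end date still prints a second date (`strtotime` of an empty string returns false). Guard the two end-date echoes with the same `! empty($data['event_end_date'])` test; the added `esc_html()` wrappers themselves are the correct fix for the text context.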
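Review bot: in the `@@ -89,29` and `@@ -120,7` hunks the reindented lines keep `esc_html()` for attribute values, namely `value="<?php echo esc_html($event_title); ?>"` on both `event_name` hidden inputs and `data-left_ticket="<?php echo esc_html($etn_left_tickets); ?>"` on the quantity input; since this change is the escaping pass over the file, switch those to `esc_attr()` so the escaper matches the output context. In the same hunk, `<?php echo esc_attr($active_item); ?>` emits `style=display:block` as an unquoted attribute built from a PHP literal, which is better written as a quoted `style="display:block"` in the markup.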
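Review bot: wrapping `wp_login_url(get_permalink())` in `esc_url()` is the right fix for the `href`; the same line also removes the space between `</a>` and the following `<?php echo esc_html__(' to buy ticket!', "eventin"); ?>`, so the spacing now depends on every translation of that string keeping its leading space. Keep a literal space in the markup rather than relying on the translated string.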
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/event/purchase-form/recurring-event-ticket.php - Lines 26-28, 30-32
Old Code:
```php
<?php echo date_i18n('d M', strtotime( str_replace('/', '-', $data['event_start_date'] ) )) ; ?>
<?php echo date_i18n('d M', strtotime( str_replace('/', '-', $data['event_end_date'] ) )) ; ?>
<?php echo date_i18n('j', strtotime( str_replace('/', '-', $data['event_start_date'] ) )); ?>
<?php echo date_i18n('j', strtotime( str_replace('/', '-', $data['event_end_date'] ) )); ?>
```
Fixed Code:
```php
<?php echo esc_html(date_i18n('d M', strtotime(str_replace('/', '-', $data['event_start_date'])))); ?>
<?php echo esc_html(date_i18n('d M', strtotime(str_replace('/', '-', $data['event_end_date'])))); ?>
<?php echo esc_html( date_i18n('j', strtotime( str_replace('/', '-', $data['event_start_date'] ) )) ); ?>
<?php echo esc_html( date_i18n('j', strtotime( str_replace('/', '-', $data['event_end_date'] ) )) ); ?>
```
Explanation:
The original code directly echoed the output of `date_i18n()` without proper escaping. Although `date_i18n()` is unlikely to produce XSS payloads itself, the data passed through `$data['event_start_date']` and `$data['event_end_date']` are user-controlled values that could potentially be manipulated. The fix wraps the output with `esc_html()` to ensure any HTML special characters are properly escaped before display, preventing XSS attacks.
---
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/event/purchase-form/recurring-event-ticket.php - Line 155
Old Code:
```php
<?php echo wp_login_url( get_permalink( ) ); ?>
```
Fixed Code:
```php
<?php echo esc_url(wp_login_url(get_permalink())); ?>
```
Explanation:
The original code echoed the return value of `wp_login_url()` into an `href` attribute without escaping. `wp_login_url()` builds the URL from the site's login URL and urlencode()s the redirect target into `redirect_to`, and `get_permalink()` is derived from the home URL and the post's slug rather than from the request, so no attacker-controlled characters reach the attribute; that is why this is classed as a false positive. `esc_url()` is still the correct wrapper for a URL in attribute context: it entity-encodes `&` in the query string, strips characters that are not valid in a URL and returns an empty string for a scheme outside the allowed list such as `javascript:`, so the link stays safe if the redirect target ever becomes user-influenced.
---
Vulnerability Existed: not sure
Improper Escaping - CWE-116 - templates/event/purchase-form/recurring-event-ticket.php - Lines 25, 51
Old Code:
```php
<?php echo esc_attr($separate); ?>
```
Fixed Code:
```php
<?php echo esc_attr($separate); ?>
```
Explanation:
The variable `$separate` is set to either `' - '` (a hardcoded string) or an empty string at lines 12 and 56. Since this is a hardcoded literal value with no user input, using `esc_attr()` is technically correct but potentially over-cautious. However, this is not a vulnerability—it's a defensive coding practice. The escaping function choice is appropriate.
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
--- cache/wp-event-solution_4.0.51/templates/event/purchase-form/single-event-variable-ticket.php 2026-01-09 00:38:10.020547212 +0000+++ cache/wp-event-solution_4.0.52/templates/event/purchase-form/single-event-variable-ticket.php 2026-01-09 00:43:17.467311067 +0000@@ -4,7 +4,7 @@ use Etn\Utils\Helper; $tickets_variations = get_post_meta($single_event_id,'etn_ticket_variations', true); -$style = isset($style) ? $style : 'style-1';+$style = isset($style_variant) ? $style_variant : 'style-1'; if(!empty($tickets_variations)){ ?>
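Review bot: the variable the template reads changed from `$style` to `$style_variant`, but the variable it assigns is still `$style`, and the hunk shows neither a caller nor a later use, so please confirm the include site actually sets `$style_variant`; if it still passes `$style`, every render now silently falls back to `'style-1'`. The old line was a no-op when `$style` was unset (the `isset()` guards the read, so there was no notice either), which is why this reads as a wiring fix rather than a security change. If `$style` is later interpolated into a `class` attribute it should still go through `esc_attr()`; that use is not visible here.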
Vulnerability Existed: no
Variable Confusion / Logic Error - No CWE - templates/event/purchase-form/single-event-variable-ticket.php - Line 7
Old Code:
```php
$style = isset($style) ? $style : 'style-1';
```
Fixed Code:
```php
$style = isset($style_variant) ? $style_variant : 'style-1';
```
Explanation:
This is not a security fix. The old line checked whether `$style` was already set and otherwise defaulted it to `'style-1'`; because `isset()` guards the read there was no undefined-variable notice, but the line was a no-op whenever the including code passed the style under a different name. The new line reads `$style_variant`, evidently the name the caller uses, and assigns the result to `$style` for the rest of the template. Neither version introduces or removes an injection, authorization or data-exposure issue; this is a variable-wiring correction so that the caller's chosen style variant is actually honoured.
--- cache/wp-event-solution_4.0.51/templates/event/purchase-form/template/form-template.php 2026-01-09 00:38:10.020547212 +0000+++ cache/wp-event-solution_4.0.52/templates/event/purchase-form/template/form-template.php 2026-01-09 00:43:17.471311312 +0000@@ -100,7 +100,7 @@ } else { ?> <small>- <?php echo esc_html__('Please', 'eventin'); ?> <a href="<?php echo wp_login_url( get_permalink( ) ); ?>"><?php echo esc_html__( "Login", "eventin" ); ?></a> <?php echo esc_html__(' to buy ticket!', "eventin"); ?>+ <?php echo esc_html__('Please', 'eventin'); ?> <a href="<?php echo esc_url( wp_login_url( get_permalink( ) ) ); ?>"><?php echo esc_html__( "Login", "eventin" ); ?></a> <?php echo esc_html__(' to buy ticket!', "eventin"); ?> </small> <?php }
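Review bot: `get_permalink()` is called without a post ID, so the `redirect_to` target is whatever the global `$post` is when this template runs; when the purchase form is rendered by a shortcode or block inside another page, the user is sent back to that page rather than to the event. If the event ID is in scope here (the sibling template in this patch has `$single_event_id`), `get_permalink( $single_event_id )` makes the redirect deterministic. The `esc_url()` wrap itself is correct and consistent with the other purchase-form templates; since `wp_login_url()` already urlencode()s the redirect value, its practical effect is `&` becoming an entity inside the attribute and the scheme being checked against the allowed list.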
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/event/purchase-form/template/form-template.php - Line 103
Old Code:
```php
<a href="<?php echo wp_login_url( get_permalink( ) ); ?>">
```
Fixed Code:
```php
<a href="<?php echo esc_url( wp_login_url( get_permalink( ) ) ); ?>">
```
Explanation:
The URL returned by `wp_login_url( get_permalink( ) )` was written into an `href` attribute without escaping. The finding is a false positive because neither input is request-controlled: `get_permalink()` is built from the home URL and the post's slug or ID, not from the URL the visitor typed, and `wp_login_url()` urlencode()s that value into the `redirect_to` parameter, so there is no way to close the attribute or smuggle a `javascript:` scheme through it. The fix applies `esc_url()`, the right escaping function for URLs in attribute context: it encodes `&` as an entity, removes characters that are not valid in a URL and rejects schemes outside the allowed list (a `javascript:` URL becomes an empty string). It is a defence-in-depth change that keeps the template correct if the redirect target is later taken from user input.
--- cache/wp-event-solution_4.0.51/templates/event/purchase-form/template/variable-ticket-form-template.php 2026-01-09 00:38:10.020547212 +0000+++ cache/wp-event-solution_4.0.52/templates/event/purchase-form/template/variable-ticket-form-template.php 2026-01-09 00:43:17.475311557 +0000@@ -148,7 +148,7 @@ if ( ! isset( $event_options["etn_hide_seats_from_details"] ) ) { if ( ! etn_is_ticket_sale_start( $start_date_time, $time_zone ) ) { ?>- <span class="seat-remaining-text"><?php echo esc_html__( '(Sale start on ', 'eventin' ); echo $start_date->format( 'Y-m-d' ) .' ' . $start_time ;?> )</span>+ <span class="seat-remaining-text"><?php echo esc_html__( '(Sale start on ', 'eventin' ); echo esc_html( $start_date->format( 'Y-m-d' ) .' ' . $start_time ) ;?> )</span> <?php } 
@@ -172,7 +172,7 @@ <strong> <?php $price = number_format( (float) $value['etn_ticket_price'], $price_decimal, $price_decimal_separator, $thousand_separator );- echo \Etn\Core\Event\Helper::instance()->currency_with_position( $price );+ echo wp_kses_post( \Etn\Core\Event\Helper::instance()->currency_with_position( $price ) ); ?> </strong> </div>@@ -182,7 +182,7 @@ <button type="button" class="qt-btn qt-sub" data-multi="-1" data-key="<?php echo intval( $key ) ?>">- </button>- <input name="ticket_quantity[<?php echo $value['etn_ticket_name']?>]" type="number"+ <input name="ticket_quantity[<?php echo esc_attr( $value['etn_ticket_name'] ); ?>]" type="number" class="etn_ticket_variation ticket_<?php echo intval( $key ); ?>" value="0" id="ticket-input_<?php echo intval( $key ); ?>" data-price="<?php echo number_format( (float) $value['etn_ticket_price'], $price_decimal, '.', '' ); ?>"@@ -192,7 +192,7 @@ data-stock_out="<?php echo esc_attr__( "All ticket has has been sold", "eventin" ) ?>" data-cart_ticket_limit="<?php echo esc_attr__( "You have already added 5 tickets. You can't purchase more than $etn_max_ticket tickets", "eventin" ) ?>" data-stock_limit="<?php echo esc_attr__( "Stock limit $etn_current_stock. You can purchase within $etn_current_stock.", "eventin" ) ?>"- data-qty_message="<?php echo esc_attr__( "Total ticket quantity should be atleast ", "eventin" ) . $etn_min_ticket . esc_attr__( " and can not be higher than ", "eventin" ) . $etn_max_ticket; ?>"+ data-qty_message="<?php echo esc_attr__( "Total ticket quantity should be atleast ", "eventin" ) . absint( $etn_min_ticket ) . esc_attr__( " and can not be higher than ", "eventin" ) . absint( $etn_max_ticket ); ?>" data-etn_cart_limit="<?php echo absint( $etn_cart_limit ); ?>" data-etn_cart_limit_message="<?php echo esc_attr__( "You have already added $etn_cart_limit, Which is greater than maximum quantity $etn_max_ticket . You can add maximum $etn_max_ticket tickets. 
", "eventin" ); ?>"/> <button type="button" class="qt-btn qt-add" data-multi="1"@@ -208,7 +208,7 @@ <strong> <?php $price = '<span class="_sub_total_' . floatval( $key ) . '">0</span>';- echo \Etn\Core\Event\Helper::instance()->currency_with_position( $price );+ echo wp_kses_post( \Etn\Core\Event\Helper::instance()->currency_with_position( $price ) ); ?> </strong> </div>@@ -239,7 +239,7 @@ <strong> <?php $price = '<span class="variation_total_price">0</span>';- echo \Etn\Core\Event\Helper::instance()->currency_with_position( $price );+ echo wp_kses_post( \Etn\Core\Event\Helper::instance()->currency_with_position( $price ) ); ?> </strong> </div>@@ -272,7 +272,7 @@ ?> <small> <?php echo esc_html__( 'Please', 'eventin' ); ?> <a- href="<?php echo wp_login_url( get_permalink() ); ?>"><?php echo esc_html__( "Login", "eventin" ); ?></a> <?php echo esc_html__( ' to buy ticket!', "eventin" ); ?>+ href="<?php echo esc_url( wp_login_url( get_permalink() ) ); ?>"><?php echo esc_html__( "Login", "eventin" ); ?></a> <?php echo esc_html__( ' to buy ticket!', "eventin" ); ?> </small> <?php }
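Review bot: the `absint()` added to `data-qty_message` leaves the neighbouring attributes with the same pattern untouched: `data-cart_ticket_limit`, `data-stock_limit` and `data-etn_cart_limit_message` interpolate `$etn_max_ticket`, `$etn_current_stock` and `$etn_cart_limit` inside the string handed to `esc_attr__()`. Because PHP interpolates before the translation lookup, those strings can never match their `.po` entries (each numeric value yields a different source string), and the values are escaped only because `esc_attr__()` happens to run on the concatenated result. Use a placeholder and escape the assembled string, e.g. `esc_attr( sprintf( __( 'Stock limit %1$d. You can purchase within %1$d.', 'eventin' ), absint( $etn_current_stock ) ) )`. Two smaller points in the same patch: `data-price` echoes `number_format()` output unescaped (harmless for a float, but `esc_attr()` keeps the file uniform), and `wp_kses_post()` around `currency_with_position()` is the right choice because `$price` is deliberately an HTML `<span>` in the second and third hunks, so `esc_html()` would have broken the live-total markup.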
# Security Analysis Report

## Vulnerability 1
**Vulnerability Existed:** yes
**Cross-Site Scripting (XSS) - CWE-79** - variable-ticket-form-template.php - Line 151
**Old Code:**
```php
echo $start_date->format( 'Y-m-d' ) .' ' . $start_time ;
```
**Fixed Code:**
```php
echo esc_html( $start_date->format( 'Y-m-d' ) .' ' . $start_time ) ;
```
**Explanation:**
The formatted sale-start date and `$start_time` were concatenated and echoed into element text without escaping. `$start_date->format( 'Y-m-d' )` can only produce digits and dashes, so the exposure is `$start_time`, whose origin the diff does not show; if it is taken from event meta that a low-privileged user can edit, markup in it would be rendered as HTML. The fix applies `esc_html()` to the whole string.

---

## Vulnerability 2
**Vulnerability Existed:** yes
**Cross-Site Scripting (XSS) - CWE-79** - variable-ticket-form-template.php - Line 175
**Old Code:**
```php
echo \Etn\Core\Event\Helper::instance()->currency_with_position( $price );
```
**Fixed Code:**
```php
echo wp_kses_post( \Etn\Core\Event\Helper::instance()->currency_with_position( $price ) );
```
**Explanation:**
The return value of `currency_with_position()` was echoed unsanitised. `$price` is a `number_format()` result and cannot carry markup, but the helper wraps it in the configured currency symbol and position, which come from plugin settings and are not shown to be escaped inside the helper. `wp_kses_post()` keeps the markup the helper legitimately emits while removing script, event-handler attributes and other disallowed elements; an `esc_html()` wrap would have been stricter but would have broken the helper's HTML output.

---

## Vulnerability 3
**Vulnerability Existed:** yes
**Cross-Site Scripting (XSS) - CWE-79** - variable-ticket-form-template.php - Line 185
**Old Code:**
```php
echo $value['etn_ticket_name']
```
**Fixed Code:**
```php
echo esc_attr( $value['etn_ticket_name'] );
```
**Explanation:**
`etn_ticket_name` is interpolated into the `name="ticket_quantity[...]"` attribute without escaping. The ticket name is event data entered in the editor; a value containing a double quote closes the attribute, and anything after it is parsed as further attributes, including event handlers. The fix applies `esc_attr()`, the attribute-context escaping function.

---

## Vulnerability 4
**Vulnerability Existed:** yes
**Improper Encoding or Escaping of Output - CWE-116** - variable-ticket-form-template.php - Line 195
**Old Code:**
```php
echo esc_attr__( "Total ticket quantity should be atleast ", "eventin" ) . $etn_min_ticket . esc_attr__( " and can not be higher than ", "eventin" ) . $etn_max_ticket;
```
**Fixed Code:**
```php
echo esc_attr__( "Total ticket quantity should be atleast ", "eventin" ) . absint( $etn_min_ticket ) . esc_attr__( " and can not be higher than ", "eventin" ) . absint( $etn_max_ticket );
```
**Explanation:**
`$etn_min_ticket` and `$etn_max_ticket` were concatenated into the `data-qty_message` attribute without type enforcement or escaping; `esc_attr__()` escapes only the two translatable fragments, not the variables appended to them. The fix passes both values through `absint()`, which forces a non-negative integer and so removes any possibility of attribute breakout.

---

## Vulnerability 5
**Vulnerability Existed:** yes
**Cross-Site Scripting (XSS) - CWE-79** - variable-ticket-form-template.php - Line 211
**Old Code:**
```php
echo \Etn\Core\Event\Helper::instance()->currency_with_position( $price );
```
**Fixed Code:**
```php
echo wp_kses_post( \Etn\Core\Event\Helper::instance()->currency_with_position( $price ) );
```
**Explanation:**
Same pattern as Vulnerability 2. Here `$price` is the literal `<span class="_sub_total_...">0</span>` that the front-end script updates, so `wp_kses_post()` rather than `esc_html()` is the appropriate wrapper: `span` with a `class` attribute is on the post allowlist and survives sanitisation, while anything injected through the currency settings does not.

---

## Vulnerability 6
**Vulnerability Existed:** yes
**Cross-Site Scripting (XSS) - CWE-79** - variable-ticket-form-template.php - Line 242
**Old Code:**
```php
echo \Etn\Core\Event\Helper::instance()->currency_with_position( $price );
```
**Fixed Code:**
```php
echo wp_kses_post( \Etn\Core\Event\Helper::instance()->currency_with_position( $price ) );
```
**Explanation:**
Same as Vulnerabilities 2 and 5; this is the third occurrence of the unescaped `currency_with_position()` output, with `$price` being the `<span class="variation_total_price">0</span>` placeholder for the variation total.

---

## Vulnerability 7
**Vulnerability Existed:** yes
**Cross-Site Scripting (XSS) - CWE-79** - variable-ticket-form-template.php - Line 275
**Old Code:**
```php
href="<?php echo wp_login_url( get_permalink() ); ?>"
```
**Fixed Code:**
```php
href="<?php echo esc_url( wp_login_url( get_permalink() ) ); ?>"
```
**Explanation:**
The login URL is written into an `href` attribute without escaping; this is the same change as in the other purchase-form templates. It is not an open redirect (CWE-601): the redirect target is `get_permalink()`, not request input, so there is no attacker-chosen destination, and `esc_url()` would not be the control for one anyway. `esc_url()` encodes `&`, strips characters invalid in a URL and rejects disallowed schemes, so the attribute remains safe if the target is ever derived from user input.
--- cache/wp-event-solution_4.0.51/templates/event/related-events-free.php 2026-01-09 00:38:10.020547212 +0000+++ cache/wp-event-solution_4.0.52/templates/event/related-events-free.php 2026-01-09 00:43:17.479311801 +0000@@ -52,7 +52,7 @@ <div class="etn-event-thumb"> <a href="<?php echo esc_url( get_the_permalink( $value->ID ) ); ?>"- aria-label="<?php echo get_the_title(); ?>"+ aria-label="<?php echo esc_attr( get_the_title() ); ?>" > <?php echo get_the_post_thumbnail( $value->ID, 'medium' ); ?> </a>@@ -88,7 +88,7 @@ <div class="etn-atend-btn"> <a href="<?php echo esc_url( get_the_permalink( $value->ID ) ); ?>" class="etn-btn etn-btn-border"- title="<?php echo get_the_title( $value->ID ); ?>"><?php echo esc_html__( 'attend', "eventin" ) ?>+ title="<?php echo esc_attr( get_the_title( $value->ID ) ); ?>"><?php echo esc_html__( 'attend', "eventin" ) ?> <i class="etn-icon etn-arrow-right"></i></a> </div> </div>
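Review bot: the `aria-label` still uses `get_the_title()` with no argument while the `href` beside it uses `$value->ID`, so the label names whichever post is global at render time (on a single event page, the event being viewed) rather than the related event being linked; the second hunk at line 91 gets this right with `get_the_title( $value->ID )`. Change the first to `aria-label="<?php echo esc_attr( get_the_title( $value->ID ) ); ?>"`. The `esc_attr()` additions themselves are correct: core does not attribute-escape titles on output, and a title containing a double quote, which any user with edit rights can set, closes the attribute.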
Vulnerability Existed: yes
TRUE POSITIVE
[Cross-site Scripting (XSS)] - [CWE-79] - [templates/event/related-events-free.php] [Lines 55, 91]
Old Code:
```php
aria-label="<?php echo get_the_title(); ?>"
```
```php
title="<?php echo get_the_title( $value->ID ); ?>"
```
Fixed Code:
```php
aria-label="<?php echo esc_attr( get_the_title() ); ?>"
```
```php
title="<?php echo esc_attr( get_the_title( $value->ID ) ); ?>"
```
Explanation:
The original code outputs post titles directly into HTML attributes without proper escaping. The `get_the_title()` function returns unescaped content, which can contain special characters including quotes and angle brackets. When placed in HTML attributes, an attacker could inject malicious JavaScript by crafting a post title like `" onclick="alert('xss')`. The fix applies `esc_attr()` which is the correct WordPress escaping function for attribute context, converting special characters to HTML entities and preventing attribute injection attacks.
--- cache/wp-event-solution_4.0.51/templates/event/schedule-list.php 2026-01-09 00:38:10.024547455 +0000+++ cache/wp-event-solution_4.0.52/templates/event/schedule-list.php 2026-01-09 00:43:17.479311801 +0000@@ -86,7 +86,7 @@ if(!empty($etn_schedule_start_time) || !empty( $etn_schedule_end_time )){ ?> <span class='etn-schedule-time'>- <?php echo esc_html($etn_schedule_start_time) . $dash_sign . esc_html($etn_schedule_end_time); ?>+ <?php echo esc_html($etn_schedule_start_time) . esc_html($dash_sign) . esc_html($etn_schedule_end_time); ?> </span> <?php }
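Review bot: wrapping `$dash_sign` in `esc_html()` changes behaviour if that variable holds an HTML entity such as `&ndash;` or a markup fragment rather than a plain `-`: it would now be rendered literally. The hunk does not show where `$dash_sign` is assigned, so check its value in the template; if it is a literal dash the change is a no-op and fine, and if it is an entity, store the UTF-8 character instead so the escaped output still renders as a dash.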
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/event/schedule-list.php - Line 89
Old Code:
```php
<?php echo esc_html($etn_schedule_start_time) . $dash_sign . esc_html($etn_schedule_end_time); ?>
```
Fixed Code:
```php
<?php echo esc_html($etn_schedule_start_time) . esc_html($dash_sign) . esc_html($etn_schedule_end_time); ?>
```
Explanation:
`$dash_sign` was concatenated between two escaped values without being escaped itself, so the output of this line was only as safe as that variable. The diff does not show where `$dash_sign` is assigned; it is the separator between the schedule's start and end time, which in a template like this is a fixed string chosen by the code rather than user input, and that is why the finding is treated as a false positive. The context is element text, so the relevant risk would have been an injected element (`<script>`, or `<img>` with an `onerror` handler), not attribute breakout. The fix escapes all three parts with `esc_html()`, the correct function for this context.
--- cache/wp-event-solution_4.0.51/templates/layout/header.php 2026-01-09 00:38:10.024547455 +0000+++ cache/wp-event-solution_4.0.52/templates/layout/header.php 2026-01-09 00:43:17.487312291 +0000@@ -38,7 +38,7 @@ <div class="etn-logo-wrap"> <img src="<?php echo esc_url($wpc_main_logo); ?>" alt="<?php echo esc_attr__('logo', 'eventin'); ?>" /> <span class="etn-version">- <?php echo esc_html__('v','eventin') . \Wpeventin::version(); ?>+ <?php echo esc_html__('v','eventin') . esc_html( \Wpeventin::version() ); ?> </span> </div>
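Review bot: `esc_html__( 'v', 'eventin' )` translates a single letter, which gives translators no context and can collide with any other `'v'` string in the text domain. Prefer a placeholder and escape the assembled string: `echo esc_html( sprintf( __( 'v%s', 'eventin' ), \Wpeventin::version() ) );` with a `/* translators: %s: plugin version */` comment above it. The `esc_html()` added here is defensive only; the version string comes from the plugin's own code, not from input.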
Vulnerability Existed: yes
FALSE POSITIVE
[Cross-Site Scripting (XSS)] - [CWE-79] - [templates/layout/header.php] [Lines 41]
Old Code:
```php
<?php echo esc_html__('v','eventin') . \Wpeventin::version(); ?>
```
Fixed Code:
```php
<?php echo esc_html__('v','eventin') . esc_html( \Wpeventin::version() ); ?>
```
Explanation:
The return value of `\Wpeventin::version()` was concatenated onto the translated `'v'` and echoed without escaping; only the literal prefix went through `esc_html__()`. The version string comes from the plugin's own code rather than from any input, so there is no path by which an attacker could place markup in it, which is why the finding is a false positive. The fix wraps the version in `esc_html()`, which converts `<`, `>`, `&` and quotes to entities; it costs nothing and keeps the template consistent with the rule of escaping every dynamic value at output.
--- cache/wp-event-solution_4.0.51/templates/speaker/speaker-designation.php 2026-01-09 00:38:10.048548916 +0000+++ cache/wp-event-solution_4.0.52/templates/speaker/speaker-designation.php 2026-01-09 00:43:17.667323302 +0000@@ -5,4 +5,4 @@ $author_id = get_queried_object_id(); $etn_speaker_designation = get_user_meta( $author_id , 'etn_speaker_designation', true); ?>- <p class="etn-speaker-designation"><?php echo Helper::kses( $etn_speaker_designation ); ?></p> \ No newline at end of file+ <p class="etn-speaker-designation"><?php echo Helper::kses( $etn_speaker_designation ); ?></p>\ No newline at end of file
Vulnerability Existed: no
No Vulnerability - File: templates/speaker/speaker-designation.php [Line 8]
Old Code:
```php
<p class="etn-speaker-designation"><?php echo Helper::kses( $etn_speaker_designation ); ?></p>
```
Fixed Code:
```php
<p class="etn-speaker-designation"><?php echo Helper::kses( $etn_speaker_designation ); ?></p>
```
Explanation:
This diff only removes trailing whitespace at the end of line 8. The security implementation remains unchanged - the code continues to use `Helper::kses()` to sanitize the `$etn_speaker_designation` output before echoing it to the HTML. This is proper output escaping that prevents XSS vulnerabilities. The trailing whitespace removal is a code style/formatting improvement with no security implications.
--- cache/wp-event-solution_4.0.51/templates/speaker/speaker-objective.php 2026-01-09 00:38:10.048548916 +0000+++ cache/wp-event-solution_4.0.52/templates/speaker/speaker-objective.php 2026-01-09 00:43:17.675323792 +0000@@ -4,7 +4,7 @@ use \Etn\Utils\Helper; if ( !empty( $objective ) ) {- ?> - <p><?php echo Helper::render(trim( $objective )); ?></p>+ ?>+ <p><?php echo wp_kses_post( Helper::render(trim( $objective )) ); ?></p> <?php }\ No newline at end of file
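Review bot: `wp_kses_post()` is applied after `Helper::render()`, which is the right order (sanitise the final markup, not the renderer's input), but the post allowlist is broad for a one-line objective: it permits links, images, inline `style` attributes and block-level elements. If the field is meant to be plain text or light inline formatting, say so with an explicit allowlist, e.g. `wp_kses( Helper::render( trim( $objective ) ), array( 'strong' => array(), 'em' => array(), 'a' => array( 'href' => array() ) ) )`; if it really is rich text, `wp_kses_post()` is fine as committed.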
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/speaker/speaker-objective.php - Line 7
Old Code:
```php
<p><?php echo Helper::render(trim( $objective )); ?></p>
```
Fixed Code:
```php
<p><?php echo wp_kses_post( Helper::render(trim( $objective )) ); ?></p>
```
Explanation:
The original code echoed the result of `Helper::render(trim( $objective ))` directly. `Helper::render()` may process the value, but nothing in the diff shows it escaping or sanitising for HTML output, so untrusted content in `$objective` could carry markup or script that the browser would execute. The fix wraps the output in `wp_kses_post()`, which keeps the HTML allowed in post content and strips script elements, event-handler attributes and other disallowed markup, so malicious content in `$objective` is neutralised before it is rendered.
--- cache/wp-event-solution_4.0.51/templates/speaker/speaker-summary.php 2026-01-09 00:38:10.056549403 +0000+++ cache/wp-event-solution_4.0.52/templates/speaker/speaker-summary.php 2026-01-09 00:43:17.707325749 +0000@@ -4,6 +4,6 @@ $author_id = get_queried_object_id(); $etn_speaker_summary = get_user_meta( $author_id, 'etn_speaker_summery', true); ?>-<div class="etn-speaker-summery"> - <?php echo wpautop($etn_speaker_summary) ; ?>+<div class="etn-speaker-summery">+ <?php echo wp_kses_post( wpautop($etn_speaker_summary) ); ?> </div>
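Review bot: sanitising at output is the right fix, but the value is worth sanitising when it is written as well: `get_user_meta( $author_id, 'etn_speaker_summery', true )` is presumably profile text a speaker edits, and storing it through `wp_kses_post()` on save means any other template that echoes the same meta is covered too. Keep the misspelt key `etn_speaker_summery` as it is; renaming it would orphan existing data. `wpautop()` before `wp_kses_post()` is the correct order, since `p` and `br` are on the post allowlist and survive.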
Vulnerability Existed: yes
TRUE POSITIVE
Stored Cross-Site Scripting (XSS) - CWE-79 - templates/speaker/speaker-summary.php - Line 8
Old Code:
```php
<?php echo wpautop($etn_speaker_summary) ; ?>
```
Fixed Code:
```php
<?php echo wp_kses_post( wpautop($etn_speaker_summary) ); ?>
```
Explanation:
The speaker summary is read from user meta and was echoed after `wpautop()` only. `wpautop()` converts blank lines into `<p>` and line breaks into `<br />`; it does not remove or escape any HTML, so whatever the speaker stored is sent to the browser verbatim. A user who can edit a speaker profile could therefore store a summary containing script or event-handler attributes that runs for every visitor of the speaker page: a stored XSS. The fix passes the formatted text through `wp_kses_post()`, which:
1. Removes `<script>`, `<style>`, `<iframe>` and other elements outside the post allowlist, keeping only their text content
2. Strips event-handler (`on*`) attributes and `javascript:` URLs from the elements it keeps
3. Allows only the tags permitted in post content (`p`, `br`, `strong`, `em`, `a`, lists, headings and so on), so the paragraphs produced by `wpautop()` survive
This is a genuine stored XSS fix on user-generated content. The same sanitisation is worth applying when the meta is saved, so that any other template reading the value is covered as well.
--- cache/wp-event-solution_4.0.51/templates/template-parts/attendee/ticket-markup-block.php 2026-01-09 00:38:10.056549403 +0000+++ cache/wp-event-solution_4.0.52/templates/template-parts/attendee/ticket-markup-block.php 2026-01-09 00:43:17.839333824 +0000@@ -68,13 +68,13 @@ <div class="etn-ticket-wrapper"> <div class="etn-ticket-main-wrapper"> <div class="etn-ticket">- <?php + <?php if ( $post && $post->post_status === 'draft' ) { ?> <p><?php esc_html_e( 'The template is not published', 'eventin' ); ?></p> <?php } else {- echo $template_html;+ echo wp_kses_post( $template_html ); } ?> </div>
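Review bot: the status check guards only `'draft'`; a ticket template post in `pending`, `private` or `trash` falls through to the `else` branch and is rendered. Testing `'publish' !== $post->post_status` expresses the intent. Separately, `wp_kses_post()` strips `<style>` and `<script>` blocks and filters inline `style` attributes through `safecss_filter_attr()`, so if the ticket template relies on an embedded stylesheet its layout changes after this patch; check a rendered ticket, and if the markup is produced by the plugin itself, `wp_kses( $template_html, $allowed )` with an allowlist covering what the template needs is the way to keep both the layout and the sanitisation.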
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/template-parts/attendee/ticket-markup-block.php - Line 77
Old Code:
```php
echo $template_html;
```
Fixed Code:
```php
echo wp_kses_post( $template_html );
```
Explanation:
`$template_html` was echoed without any sanitisation or escaping. The variable holds the rendered ticket template (the `draft` check above refers to the template post it is built from); if any part of that content is user-controlled, script in it runs in the browser of whoever views the ticket block. The fix passes it through `wp_kses_post()`, which keeps the HTML permitted in post content and removes disallowed elements and attributes. This is the appropriate function for content that legitimately contains markup, where `esc_html()` would have destroyed the ticket layout.
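A regression check for the three escaping decisions the entries above turn on (attribute-context escaping of a post title as in related-events-free.php, `esc_url()` on a login link, and `wp_kses_post()` after `wpautop()` on stored rich text as in speaker-summary.php), written as an added example for this page; it is not code from the Eventin plugin. It assumes WordPress is loaded, e.g. run with `wp eval-file escaping-check.php` from a site root, so the real `esc_attr()`, `esc_url()`, `wpautop()` and `wp_kses_post()` are exercised. The malicious title, summary and URL are constructed inputs, `example.test` is a placeholder host, and `render_related_link()`, `render_summary()` and `dangerous_parts()` are hypothetical helpers standing in for the templates' own markup, not plugin functions.

```php
<?php
/**
 * Added example (not Eventin code): renders the page's vulnerable and
 * hardened snippets against constructed attacker input and inspects the
 * result with DOMDocument, so the check is on parsed HTML, not substrings.
 * Assumes WordPress is loaded: run with `wp eval-file escaping-check.php`.
 */

// Constructed inputs: a post title and a speaker summary as a low-privileged
// user could store them, and a link with a disallowed scheme.
const EVIL_TITLE   = 'Summit 2026" onclick="alert(document.cookie)';
const EVIL_SUMMARY = "Keynote speaker.\n\n<img src=x onerror=\"alert(1)\"><script>alert(2)</script>";
const EVIL_URL     = 'javascript:alert(3)';

// related-events-free.php, before and after the patch (hypothetical stand-in).
function render_related_link( string $title, string $href, bool $hardened ): string {
    $label = $hardened ? esc_attr( $title ) : $title;
    return '<a href="' . esc_url( $href ) . '" aria-label="' . $label . '">attend</a>';
}

// speaker-summary.php, before and after the patch (hypothetical stand-in).
function render_summary( string $summary, bool $hardened ): string {
    $html = wpautop( $summary );
    return '<div class="etn-speaker-summery">' . ( $hardened ? wp_kses_post( $html ) : $html ) . '</div>';
}

// Parse a fragment and list every attribute whose name starts with "on" plus
// any <script> element: the two things an XSS needs in these contexts.
function dangerous_parts( string $fragment ): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors( true );               // tolerate non-XHTML input
    $doc->loadHTML( '<?xml encoding="utf-8"?><body>' . $fragment . '</body>' );
    libxml_clear_errors();
    $found = [];
    foreach ( ( new DOMXPath( $doc ) )->query( '//@*' ) as $attr ) {
        if ( stripos( $attr->nodeName, 'on' ) === 0 ) {
            $found[] = $attr->ownerElement->nodeName . '@' . $attr->nodeName;
        }
    }
    foreach ( $doc->getElementsByTagName( 'script' ) as $script ) {
        $found[] = 'script';
    }
    return $found;
}

$results = [
    'title: vulnerable'   => dangerous_parts( render_related_link( EVIL_TITLE, 'https://example.test/ev/1', false ) ),
    'title: hardened'     => dangerous_parts( render_related_link( EVIL_TITLE, 'https://example.test/ev/1', true ) ),
    'summary: vulnerable' => dangerous_parts( render_summary( EVIL_SUMMARY, false ) ),
    'summary: hardened'   => dangerous_parts( render_summary( EVIL_SUMMARY, true ) ),
];

foreach ( $results as $case => $parts ) {
    printf( "%-20s %s\n", $case, $parts ? implode( ', ', $parts ) : '(clean)' );
}

// esc_url() returns '' for a scheme outside wp_allowed_protocols() and
// entity-encodes '&' so the query string is valid inside an attribute.
printf( "%-20s %s\n", 'esc_url javascript:', var_export( esc_url( EVIL_URL ), true ) );
printf( "%-20s %s\n", 'esc_url ampersand:', esc_url( 'https://example.test/?a=1&b=2' ) );

// The patch is only effective if the vulnerable renderings are dirty and the
// hardened ones are clean; treat anything else as a regression.
$ok = $results['title: hardened'] === [] && $results['summary: hardened'] === []
      && $results['title: vulnerable'] !== [] && $results['summary: vulnerable'] !== []
      && esc_url( EVIL_URL ) === '';
echo $ok ? "All escaping checks passed\n" : "ESCAPING REGRESSION\n";
```

Running this outside WordPress is deliberately not supported, because the point is to exercise the real escaping functions rather than a re-implementation; the `$results` comparisons at the end are the assertions to lift into a PHPUnit test if the plugin has one. Inspecting the parsed DOM rather than the raw string matters for the attribute case: the unescaped title produces a second `onclick` attribute on the anchor, which a substring search for the payload would report identically for the escaped output, where the text is still present but only as `&quot;`-delimited attribute content.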
--- cache/wp-event-solution_4.0.51/utils/font/unifont/ttfonts.php 2026-01-09 00:38:10.076550620 +0000+++ cache/wp-event-solution_4.0.52/utils/font/unifont/ttfonts.php 2026-01-09 00:43:18.419369306 +0000@@ -77,7 +77,7 @@ function getMetrics($file) { $this->filename = $file;- $this->fh = fopen($file,'rb') or die('Can\'t open file ' . $file);+ $this->fh = fopen($file,'rb') or die( esc_html( 'Can\'t open file ' . $file ) ); $this->_pos = 0; $this->charWidths = ''; $this->glyphPos = array();@@ -88,12 +88,12 @@ $this->descent = 0; $this->TTCFonts = array(); $this->version = $version = $this->read_ulong();- if ($version==0x4F54544F) - die("Postscript outlines are not supported");- if ($version==0x74746366) - die("ERROR - TrueType Fonts Collections not supported");+ if ($version==0x4F54544F)+ die( esc_html( "Postscript outlines are not supported" ) );+ if ($version==0x74746366)+ die( esc_html( "ERROR - TrueType Fonts Collections not supported" ) ); if (!in_array($version, array(0x00010000,0x74727565)))- die("Not a TrueType font: version=".$version);+ die( esc_html( "Not a TrueType font: version=".$version ) ); $this->readTableDirectory(); $this->extractInfo(); fclose($this->fh);@@ -250,7 +250,7 @@ function get_table($tag) { list($pos, $length) = $this->get_table_pos($tag);- if ($length == 0) { die('Truetype font ('.$this->filename.'): error reading table: '.$tag); }+ if ($length == 0) { die( esc_html( 'Truetype font ('.$this->filename.'): error reading table: '.$tag ) ); } fseek($this->fh,$pos); return (fread($this->fh,$length)); }@@ -279,7 +279,7 @@ $name_offset = $this->seek_table("name"); $format = $this->read_ushort(); if ($format != 0)- die("Unknown name table format ".$format);+ die( esc_html( "Unknown name table format ".$format ) ); $numRecords = $this->read_ushort(); $string_data_offset = $name_offset + $this->read_ushort(); $names = array(1=>'',2=>'',3=>'',4=>'',6=>'');@@ -355,7 +355,7 @@ $indexToLocFormat = $this->read_ushort(); $glyphDataFormat = 
$this->read_ushort(); if ($glyphDataFormat != 0)- die('Unknown glyph data format '.$glyphDataFormat);+ die( esc_html( 'Unknown glyph data format '.$glyphDataFormat ) ); /////////////////////////////////// // hhea metrics table@@ -381,7 +381,7 @@ $this->skip(2); $fsType = $this->read_ushort(); if ($fsType == 0x0002 || ($fsType & 0x0300) != 0) {- die('ERROR - Font file '.$this->filename.' cannot be embedded due to copyright restrictions.');+ die( esc_html( 'ERROR - Font file '.$this->filename.' cannot be embedded due to copyright restrictions.' ) ); $this->restrictedUse = true; } $this->skip(20);@@ -494,7 +494,7 @@ function makeSubset($file, &$subset) { $this->filename = $file;- $this->fh = fopen($file ,'rb') or die('Can\'t open file ' . $file);+ $this->fh = fopen($file ,'rb') or die( esc_html( 'Can\'t open file ' . $file ) ); $this->_pos = 0; $this->charWidths = ''; $this->glyphPos = array();
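Review bot: every `die()` in these hunks still terminates the WordPress request in the middle of PDF generation and prints the server-side font path (`$file`, `$this->filename`) to the client; `esc_html()` neutralises markup in that output but does not stop the path disclosure or the abort. Replace the `die()` calls with an exception that the PDF caller catches and maps to a generic message, logging the detail server-side. In the `fsType` hunk, `die( esc_html( 'ERROR - Font file ' ... ) );` is immediately followed by `$this->restrictedUse = true;`, which is unreachable; either drop the flag or make the restricted-use branch set it and continue instead of dying.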
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - utils/font/unifont/ttfonts.php [80, 91, 92, 94, 97, 253, 282, 358, 384, 497]
Old Code:
```php
die('Can\'t open file ' . $file);
die("Postscript outlines are not supported");
die("ERROR - TrueType Fonts Collections not supported");
die("Not a TrueType font: version=".$version);
die('Truetype font ('.$this->filename.'): error reading table: '.$tag);
die("Unknown name table format ".$format);
die('Unknown glyph data format '.$glyphDataFormat);
die('ERROR - Font file '.$this->filename.' cannot be embedded due to copyright restrictions.');
```
Fixed Code:
```php
die( esc_html( 'Can\'t open file ' . $file ) );
die( esc_html( "Postscript outlines are not supported" ) );
die( esc_html( "ERROR - TrueType Fonts Collections not supported" ) );
die( esc_html( "Not a TrueType font: version=".$version ) );
die( esc_html( 'Truetype font ('.$this->filename.'): error reading table: '.$tag ) );
die( esc_html( "Unknown name table format ".$format ) );
die( esc_html( 'Unknown glyph data format '.$glyphDataFormat ) );
die( esc_html( 'ERROR - Font file '.$this->filename.' cannot be embedded due to copyright restrictions.' ) );
```
Explanation:
The TrueType parser in `utils/font/unifont/ttfonts.php` (bundled with the plugin's PDF generator) aborts with `die()` and prints a message that embeds the font path (`$file`, `$this->filename`), a table tag, or numeric header fields read from the font file. `die()` writes that string straight into the HTTP response, so if the path or the font contents are attacker-influenced, any markup in them is rendered by the browser. Wrapping each message in `esc_html()`, WordPress's escaper for text in an HTML body, converts `<`, `>`, `&`, `"` and `'` to entities so the message is displayed as plain text. Two caveats a reviewer would add: the escaping only helps when the response is interpreted as HTML (a PDF download endpoint may not be), and `die()` still discloses the server-side font path and kills the request, so an exception caught by the PDF caller would be the more robust fix. Exploitability also depends on whether `$file` can be pointed at an attacker-supplied font; for the bundled fonts the change is defensive hardening.
--- cache/wp-event-solution_4.0.51/utils/functions.php 2026-01-09 00:38:10.080550864 +0000+++ cache/wp-event-solution_4.0.52/utils/functions.php 2026-01-09 00:43:18.439370530 +0000@@ -3,6 +3,7 @@ use Eventin\Settings; use Eventin\Validation\Validator; use Etn\Core\Event\Event_Model;+use Etn\Utils\Helper; use SureCart\Support\Currency; if ( ! function_exists( 'etn_array_csv_column' ) ) {@@ -1187,20 +1188,26 @@ * * @return bool | WP_Error */- function etn_validate_event_tickets( $event_id, $order_tickets ) {+ function etn_validate_event_tickets( $event_id, $order_tickets,$is_for_update = false ) { $event = new Event_Model( $event_id );+ $sold_tickets = (array)Helper::etn_get_sold_tickets_by_event( $event_id ); foreach( $order_tickets as $ticket ) { $event_ticket = $event->get_ticket( $ticket['ticket_slug'] ); $available = $event_ticket['etn_avaiilable_tickets'];- $sold = $event_ticket['etn_sold_tickets'];+ $sold = $sold_tickets[$ticket['ticket_slug']]??0;+ $pending = $event_ticket['pending']; // check if `etn_avaiilable_tickets` exists. if not means unlimited ticket if ( !isset($available) || !is_numeric($available) ) { return true; }- $ticket_left = intval($available) - intval($sold);+ if($is_for_update){+ $ticket_left = intval($available) - intval($sold) - intval($pending) + intval($ticket['ticket_quantity']);+ }else{+ $ticket_left = intval($available) - intval($sold) - intval($pending);+ } if ( $ticket['ticket_quantity'] > $ticket_left ) { return new WP_Error( 'ticket_limit', __( 'The ticket limit has been exceeded', 'eventin' ), ['status' => 422] );@@ -1211,7 +1218,36 @@ } } +if ( ! function_exists( 'etn_validate_seat_ids' ) ) {+ /**+ * Validate seat ids+ *+ * @param array $seat_ids Seat ids+ *+ * @return bool | WP_Error+ */+ function etn_validate_seat_ids( $event_id, $seat_ids ) {+ $booked_seats = maybe_unserialize( get_post_meta( $event_id, '_etn_seat_unique_id', true ));+ $already_booked_seats = $booked_seats ? 
explode(',', $booked_seats) : [];+ $pending_seats = maybe_unserialize( get_post_meta( $event_id, 'pending_seats', true ));+ if ( empty( $pending_seats ) ) {+ $pending_seats = [];+ }+ $is_enable_payment_timer = etn_get_option( 'ticket_purchase_timer_enable', 'off' );++ foreach ( $seat_ids as $seat_id ) {+ // need to handle the corner in rush condition + // if ( !in_array( $seat_id, $pending_seats ) && $is_enable_payment_timer == 'on') {+ // return new WP_Error( 'seat_limit', __( 'The requested seat is already booked, please select another seat', 'eventin' ), ['status' => 422] );+ // }+ if ( in_array( $seat_id, $already_booked_seats ) ) {+ return new WP_Error( 'seat_limit', __( 'The requested seat is already booked', 'eventin' ), ['status' => 422] );+ }+ } + return true;+ }+} if ( ! function_exists('etn_humanize_number') ) {
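Review bot: in the `$is_for_update` branch of `etn_validate_event_tickets()`, `$ticket_left = intval($available) - intval($sold) - intval($pending) + intval($ticket['ticket_quantity']);` adds the newly requested quantity back and the next line compares that same quantity against it, so the condition collapses to `available - sold - pending < 0` and an update can raise an order to any quantity as long as the event is not already oversold. Add back the quantity the order being updated currently holds (the amount already counted in `$pending` or `$sold`), not `$ticket['ticket_quantity']`. Two smaller points in the same hunk: `$pending = $event_ticket['pending'];` is read without `isset()`, so tickets created before this field existed will raise a notice (use `$event_ticket['pending'] ?? 0`), and `$ticket['ticket_quantity']` is never checked to be a positive integer, so `0` or a negative value passes the `>` test. In `etn_validate_seat_ids()`, the commented-out pending-seat check leaves exactly the race the comment describes: `$pending_seats` is loaded and never used, so a seat reserved by another in-flight checkout is still accepted until `_etn_seat_unique_id` is written; also pass `true` as the third argument to `in_array()` to avoid loose comparison.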
## Security Analysis
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79** - utils/functions.php, Lines 1230-1233
Old Code:
```php
function etn_validate_seat_ids( $event_id, $seat_ids ) {
$booked_seats = maybe_unserialize( get_post_meta( $event_id, '_etn_seat_unique_id', true ));
$already_booked_seats = $booked_seats ? explode(',', $booked_seats) : [];
```
Fixed Code:
```php
function etn_validate_seat_ids( $event_id, $seat_ids ) {
$booked_seats = maybe_unserialize( get_post_meta( $event_id, '_etn_seat_unique_id', true ));
$already_booked_seats = $booked_seats ? explode(',', $booked_seats) : [];
$pending_seats = maybe_unserialize( get_post_meta( $event_id, 'pending_seats', true ));
```
Explanation:
The new `etn_validate_seat_ids()` function takes `$seat_ids` from its caller (ultimately the booking request) and compares each entry with `in_array()` against seat identifiers stored in post meta. Nothing in the function renders `$seat_ids` into HTML, so it is not a cross-site scripting sink, which is why the CWE-79 finding is a false positive. What the function does lack is input validation: it never checks that `$seat_ids` is an array of well-formed seat identifiers, `in_array()` is called without the strict flag so loose comparison applies, and the commented-out block (marked "need to handle the corner in rush condition") means a seat that is pending but not yet written to `_etn_seat_unique_id` is still accepted, so two concurrent bookings can both pass. Those are robustness and race-condition concerns, not XSS.
---
**Vulnerability 2:**
Vulnerability Existed: not sure
**Insecure Deserialization of Untrusted Data - CWE-502** - CWE-502 - utils/functions.php, Lines 1230-1231
Old Code:
```php
$booked_seats = maybe_unserialize( get_post_meta( $event_id, '_etn_seat_unique_id', true ));
```
Fixed Code:
```php
$booked_seats = maybe_unserialize( get_post_meta( $event_id, '_etn_seat_unique_id', true ));
```
Explanation:
The code passes values read from post meta (`_etn_seat_unique_id`, `pending_seats`) through `maybe_unserialize()`, which in WordPress core is a plain `unserialize()` without an `allowed_classes` restriction. If an attacker can write arbitrary post meta for an event, for example through a separate privilege-escalation or meta-update flaw, a serialized object whose class has a `__wakeup()` or `__destruct()` gadget would be instantiated here. The diff neither introduces nor fixes this: the meta is written by the plugin itself, so this hunk alone offers no path to exploitation, but the pattern is worth replacing with a plain CSV or JSON string that never reaches `unserialize()`.
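An added example (not code from the page or from the plugin) of the two deserialization behaviours the finding depends on: `unserialize()` of a class-carrying payload with and without `allowed_classes => false`, plus a parser that keeps the booked-seat list as plain text so nothing is unserialized at all. The `EtnCacheHandle` class, the payload and the seat-identifier pattern are constructed for the illustration and are assumptions, not plugin code.

```php
<?php
// Added example, not Eventin code: shows why unserialize() of meta an attacker can
// write is dangerous and how to defuse it. EtnCacheHandle is a hypothetical class
// standing in for any autoloadable class with a magic method.
class EtnCacheHandle {
    public $path;
    public function __wakeup() {
        // A real gadget would unlink(), write a file or reach code execution here.
        echo "__wakeup() ran for path: {$this->path}\n";
    }
}

// Constructed payload: the string an attacker would store in post meta if they had
// a separate meta-write primitive. 14 = strlen("EtnCacheHandle"), 16 = strlen of the path.
$payload = 'O:14:"EtnCacheHandle":1:{s:4:"path";s:16:"/tmp/evil-output";}';

// 1. What maybe_unserialize() amounts to in WordPress core: a plain unserialize().
//    The object is instantiated and __wakeup() executes before the caller sees it.
function load_meta_unsafe(string $raw) {
    return unserialize($raw);
}

// 2. Hardened: refuse to instantiate any class. Objects in the payload become
//    __PHP_Incomplete_Class and no magic method runs; arrays and scalars are unaffected.
function load_meta_no_objects(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

// 3. Preferable for a seat list: keep it as a CSV string, never serialize it, and
//    accept only the identifier shape the plugin is assumed to generate.
function parse_booked_seats(string $csv): array {
    $seats = array_map('trim', explode(',', $csv));
    $seats = array_filter($seats, fn($s) => preg_match('/^[A-Za-z0-9-]{1,32}$/', $s) === 1);
    return array_values($seats);
}

$unsafe = load_meta_unsafe($payload);
$safe   = load_meta_no_objects($payload);
printf("unsafe is gadget object: %s\n", var_export($unsafe instanceof EtnCacheHandle, true));
printf("hardened is incomplete class: %s\n", var_export($safe instanceof __PHP_Incomplete_Class, true));
print_r(parse_booked_seats('A1, B2,<script>,C3'));
```

Run with `php example.php`: the first call echoes from `__wakeup()` before the script's own output, the second does not, and the CSV parser drops the malformed entry. `allowed_classes => false` is the cheapest mitigation when the stored format cannot change; removing `unserialize()` from the path is the durable one.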
---
**Vulnerability 3:**
Vulnerability Existed: no
**Improved Logic for Ticket Validation** - N/A - utils/functions.php, Lines 1190-1210
Old Code:
```php
$sold = $event_ticket['etn_sold_tickets'];
// ...
$ticket_left = intval($available) - intval($sold);
```
Fixed Code:
```php
$sold = $sold_tickets[$ticket['ticket_slug']]??0;
$pending = $event_ticket['pending'];
// ...
if($is_for_update){
$ticket_left = intval($available) - intval($sold) - intval($pending) + intval($ticket['ticket_quantity']);
}else{
$ticket_left = intval($available) - intval($sold) - intval($pending);
}
```
Explanation:
This is a correctness and anti-overselling improvement: availability is now computed from a fresh sold count (`Helper::etn_get_sold_tickets_by_event()`) and subtracts pending tickets (reserved but unpaid), so two customers cannot both claim the last seat while one order is still in checkout. One caveat on the new `$is_for_update` branch: it adds the *requested* `ticket_quantity` back into `$ticket_left` and then compares that same `ticket_quantity` against it, which reduces the check to `0 > available - sold - pending`; any new quantity passes as long as the event is not already oversold. Adding back the quantity the order previously held is what the update case needs. The comparison also does not reject zero or negative quantities.
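The update-branch behaviour, as an added example that is not part of the page or of the Eventin code base: the availability arithmetic from the patch is reproduced with plain integers and no WordPress calls, next to a corrected version that adds back what the order already holds. The function names, the `$held_by_order` argument and the sample numbers are assumptions made for the illustration.

```php
<?php
// Added example, not Eventin code: mirrors the ticket_left arithmetic from the
// etn_validate_event_tickets() patch and a corrected update path.

// Patched logic: on update the *requested* quantity is added back.
function ticket_left_patched(int $available, int $sold, int $pending, int $requested, bool $is_for_update): int {
    return $is_for_update
        ? $available - $sold - $pending + $requested
        : $available - $sold - $pending;
}

// Corrected: add back what this order already holds ($held_by_order is assumed to be
// the quantity already counted in sold/pending for the order being edited).
function ticket_left_fixed(int $available, int $sold, int $pending, int $held_by_order, bool $is_for_update): int {
    return $is_for_update
        ? $available - $sold - $pending + $held_by_order
        : $available - $sold - $pending;
}

function request_allowed(int $requested, int $left): bool {
    // Also reject zero and negative quantities; the patched code only checks the upper bound.
    return $requested >= 1 && $requested <= $left;
}

// Constructed scenario: 10 tickets, 6 sold, 2 pending (this order holds those 2),
// and the order is edited to ask for 50.
$available = 10; $sold = 6; $pending = 2; $held = 2; $requested = 50;

$left_patched = ticket_left_patched($available, $sold, $pending, $requested, true);
// requested > left_patched  <=>  0 > available - sold - pending, independent of requested
printf("patched: left=%d, request for 50 allowed? %s\n",
    $left_patched, $requested > $left_patched ? 'no' : 'yes');

$left_fixed = ticket_left_fixed($available, $sold, $pending, $held, true);
printf("fixed:   left=%d, request for 50 allowed? %s\n",
    $left_fixed, request_allowed($requested, $left_fixed) ? 'yes' : 'no');

// A negative quantity slips through the patched comparison because -3 > left is false.
printf("patched: request for -3 allowed? %s\n",
    -3 > ticket_left_patched($available, $sold, $pending, -3, false) ? 'no' : 'yes');
printf("fixed:   request for -3 allowed? %s\n",
    request_allowed(-3, ticket_left_fixed($available, $sold, $pending, 0, false)) ? 'yes' : 'no');
```

The point of the two runs is that the patched update check is independent of the requested quantity; the caller has to supply the quantity the order already holds for the subtraction to mean anything, and the lower bound has to be checked separately.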
--- cache/wp-event-solution_4.0.51/utils/helper.php 2026-01-09 00:38:10.080550864 +0000+++ cache/wp-event-solution_4.0.52/utils/helper.php 2026-01-09 00:43:18.447371019 +0000@@ -1,1784 +1,1799 @@ <?php+ namespace Etn\Utils; -namespace Etn\Utils;+ defined('ABSPATH') || exit; -defined( 'ABSPATH' ) || exit;+ /**+ * Global helper class.+ *+ * @since 1.0.0+ */++ use Etn\Core\Event\Event_Model;+ use Eventin\Speaker\Api\SpeakerController;+ use WP_Query;+ use WP_User_Query;++ class Helper+ {++ use \Etn\Traits\Singleton;++ private static $settings_key = 'etn_event_options';++ /**+ * Auto generate classname from path.+ */+ public static function make_classname($dirname)+ {+ $dirname = pathinfo($dirname, PATHINFO_FILENAME);+ $class_name = explode('-', $dirname);+ $class_name = array_map('ucfirst', $class_name);+ $class_name = implode('_', $class_name);++ return $class_name;+ }++ /**+ * Renders provided markup+ */+ public static function render($content)+ {+ return $content;+ }++ /**+ * Filters only accepted kses+ */+ public static function kses($raw)+ {+ $allowed_tags = [+ 'a' => [+ 'class' => [],+ 'href' => [],+ 'rel' => [],+ 'title' => [],+ 'target' => [],+ ],+ 'input' => [+ 'value' => [],+ 'type' => [],+ 'size' => [],+ 'name' => [],+ 'checked' => [],+ 'data-value' => [],+ 'data-default-color' => [],+ 'placeholder' => [],+ 'id' => [],+ 'class' => [],+ 'min' => [],+ 'step' => [],+ 'readonly' => 'readonly',+ ],+ 'button' => [+ 'type' => [],+ 'name' => [],+ 'id' => [],+ 'class' => [],+ 'onclick' => [],+ ],+ 'select' => [+ 'value' => [],+ 'type' => [],+ 'size' => [],+ 'name' => [],+ 'placeholder' => [],+ 'id' => [],+ 'class' => [],+ 'option' => [+ 'value' => [],+ 'checked' => [],+ ],+ ],+ 'textarea' => [+ 'value' => [],+ 'type' => [],+ 'size' => [],+ 'name' => [],+ 'rows' => [],+ 'cols' => [],+ 'placeholder' => [],+ 'id' => [],+ 'class' => [],+ ],+ 'abbr' => [+ 'title' => [],+ ],+ 'b' => [],+ 'blockquote' => [+ 'cite' => [],+ ],+ 'cite' => [+ 'title' => [],+ ],+ 'code' => [],+ 
'del' => [+ 'datetime' => [],+ 'title' => [],+ ],+ 'dd' => [],+ 'div' => [+ 'class' => [],+ 'title' => [],+ 'style' => [],+ ],+ 'dl' => [],+ 'dt' => [],+ 'em' => [],+ 'h1' => [+ 'class' => [],+ ],+ 'h2' => [+ 'class' => [],+ ],+ 'h3' => [+ 'class' => [],+ ],+ 'h4' => [+ 'class' => [],+ ],+ 'h5' => [+ 'class' => [],+ ],+ 'h6' => [+ 'class' => [],+ ],+ 'i' => [+ 'class' => [],+ ],+ 'img' => [+ 'alt' => [],+ 'class' => [],+ 'height' => [],+ 'src' => [],+ 'width' => [],+ ],+ 'li' => [+ 'class' => [],+ ],+ 'ol' => [+ 'class' => [],+ ],+ 'p' => [+ 'class' => [],+ ],+ 'q' => [+ 'cite' => [],+ 'title' => [],+ ],+ 'span' => [+ 'class' => [],+ 'title' => [],+ 'style' => [],+ ],+ 'iframe' => [+ 'width' => [],+ 'height' => [],+ 'scrolling' => [],+ 'frameborder' => [],+ 'allow' => [],+ 'src' => [],+ ],+ 'strike' => [],+ 'br' => [],+ 'strong' => [],+ 'data-wow-duration' => [],+ 'data-wow-delay' => [],+ 'data-wallpaper-options' => [],+ 'data-stellar-background-ratio' => [],+ 'ul' => [+ 'class' => [],+ ],+ 'label' => [+ 'class' => [],+ 'for' => [],+ 'data-left' => [],+ 'data-right' => [],+ ],+ 'form' => [+ 'class' => [],+ 'id' => [],+ 'role' => [],+ 'action' => [],+ 'method' => [],+ ],+ ];++ if (function_exists('wp_kses')) { // WP is here+ return wp_kses($raw, $allowed_tags);+ } else {+ return $raw;+ }+ }++ /**+ * internal+ *+ * @param [type] $text+ *+ * @return void+ */+ public static function kspan($text)+ {+ return str_replace(['{', '}'], ['<span>', '</span>'], self::kses($text));+ }++ /**+ * retuns trimmed word+ */+ public static function trim_words($text, $num_words)+ {+ return wp_trim_words($text, $num_words, '');+ }++ /**+ * Undocumented function+ *+ * @param [type] $id+ * */+ public static function img_meta($id)+ {+ $attachment = get_post($id);++ if ($attachment == null || $attachment->post_type != 'attachment') {+ return null;+ }++ return [+ 'alt' => get_post_meta($attachment->ID, '_wp_attachment_image_alt', true),+ 'caption' => $attachment->post_excerpt,+ 'description' 
=> $attachment->post_content,+ 'href' => get_permalink($attachment->ID),+ 'src' => $attachment->guid,+ 'title' => $attachment->post_title,+ ];+ }++ /**+ * Date format+ *+ */+ public static function get_date_formats()+ {+ return [+ 'Y-m-d',+ 'm/d/Y',+ 'd/m/Y',+ 'm-d-Y',+ 'd-m-Y',+ 'Y.m.d',+ 'm.d.Y',+ 'd.m.Y',+ 'd M Y',+ 'j F Y',+ ];+ }++ /**+ * Undocumented function+ *+ * @param [type] $path+ *+ * @return void+ */+ public static function safe_path($path)+ {+ $path = str_replace(['//', '\\\\'], ['/', '\\'], $path);++ return str_replace(['/', '\\'], DIRECTORY_SEPARATOR, $path);+ }++ /**+ * Convert a multi-dimensional array into a single-dimensional array.+ *+ * @param array $array The multi-dimensional array.+ *+ * @return array+ * @author Sean Cannon, LitmusBox.com | [email protected]+ */+ public static function array_flatten($array)+ {++ if (! is_array($array)) {+ return false;+ }++ $result = [];++ foreach ($array as $key => $value) {++ if (is_array($value)) {+ $result = array_merge($result, self::array_flatten($value));+ } else {+ $result = array_merge($result, [$key => $value]);+ }+ }++ return $result;+ }++ public static function show_parent_child($show_parent_event, $show_child_event)+ {+ if ('yes' === $show_parent_event) {+ return 'yes' === $show_child_event ? 'show_both' : 'parent';+ } else {+ return 'yes' === $show_child_event ? 'child' : 'hide_both';+ }+ }++ /**+ * User query to get data for widget and shortcode+ */+ public static function user_data_query($count = '-1', $order = 'DESC', $term_arr = null, $orderby = 'ID', $paged = 1)+ {++ $user_data = [];++ // Ensure $term_arr is a string before using explode+ if (is_array($term_arr)) {+ $term_arr = implode(',', $term_arr);+ }++ $term_arrr = explode(',', $term_arr);++ if (! 
empty($term_arrr)) {+ foreach ($term_arrr as $group_id) {+ $args = [+ 'number' => $count,+ 'role__in' => ['etn-speaker', 'etn-organizer'],+ 'order' => $order,+ 'orderby' => $orderby,+ 'paged' => $paged,+ 'meta_query' => [+ 'relation' => 'AND',+ [+ 'key' => 'etn_speaker_group',+ 'value' => strval($group_id),+ 'compare' => 'LIKE',+ ],+ ],+ ];++ // Check if the get_users() function returns an array+ if (is_array(get_users($args))) {+ $user_data = array_merge($user_data, get_users($args));+ }+ }+ }++ // Remove duplicates+ $unique_users = array_unique($user_data, SORT_REGULAR);++ // Sort the users by name if 'title' is passed as the orderby argument+ if ($orderby === 'title' || $orderby === 'display_name') {+ usort($unique_users, function ($a, $b) use ($order) {+ return $order === 'ASC' ? strcmp($a->display_name, $b->display_name) : strcmp($b->display_name, $a->display_name);+ });+ }++ return $unique_users;+ } -/**- * Global helper class.- *- * @since 1.0.0- */--use DateTime;-use Etn\Core\Event\Event_Model;-use Eventin\Speaker\Api\SpeakerController;-use WP_Query;-use WP_User_Query;--class Helper {-- use \Etn\Traits\Singleton;-- private static $settings_key = 'etn_event_options';-- /**- * Auto generate classname from path.- */- public static function make_classname( $dirname ) {- $dirname = pathinfo( $dirname, PATHINFO_FILENAME );- $class_name = explode( '-', $dirname );- $class_name = array_map( 'ucfirst', $class_name );- $class_name = implode( '_', $class_name );-- return $class_name;- }-- /**- * Renders provided markup- */- public static function render( $content ) {- return $content;- }-- /**- * Filters only accepted kses- */- public static function kses( $raw ) {- $allowed_tags = [- 'a' => [- 'class' => [],- 'href' => [],- 'rel' => [],- 'title' => [],- 'target' => [],- ],- 'input' => [- 'value' => [],- 'type' => [],- 'size' => [],- 'name' => [],- 'checked' => [],- 'data-value' => [],- 'data-default-color' => [],- 'placeholder' => [],- 'id' => [],- 'class' => [],- 
'min' => [],- 'step' => [],- 'readonly' => 'readonly',- ],- 'button' => [- 'type' => [],- 'name' => [],- 'id' => [],- 'class' => [],- 'onclick' => [],- ],- 'select' => [- 'value' => [],- 'type' => [],- 'size' => [],- 'name' => [],- 'placeholder' => [],- 'id' => [],- 'class' => [],- 'option' => [- 'value' => [],- 'checked' => [],- ],- ],- 'textarea' => [- 'value' => [],- 'type' => [],- 'size' => [],- 'name' => [],- 'rows' => [],- 'cols' => [],- 'placeholder' => [],- 'id' => [],- 'class' => [],- ],- 'abbr' => [- 'title' => [],- ],- 'b' => [],- 'blockquote' => [- 'cite' => [],- ],- 'cite' => [- 'title' => [],- ],- 'code' => [],- 'del' => [- 'datetime' => [],- 'title' => [],- ],- 'dd' => [],- 'div' => [- 'class' => [],- 'title' => [],- 'style' => [],- ],- 'dl' => [],- 'dt' => [],- 'em' => [],- 'h1' => [- 'class' => [],- ],- 'h2' => [- 'class' => [],- ],- 'h3' => [- 'class' => [],- ],- 'h4' => [- 'class' => [],- ],- 'h5' => [- 'class' => [],- ],- 'h6' => [- 'class' => [],- ],- 'i' => [- 'class' => [],- ],- 'img' => [- 'alt' => [],- 'class' => [],- 'height' => [],- 'src' => [],- 'width' => [],- ],- 'li' => [- 'class' => [],- ],- 'ol' => [- 'class' => [],- ],- 'p' => [- 'class' => [],- ],- 'q' => [- 'cite' => [],- 'title' => [],- ],- 'span' => [- 'class' => [],- 'title' => [],- 'style' => [],- ],- 'iframe' => [- 'width' => [],- 'height' => [],- 'scrolling' => [],- 'frameborder' => [],- 'allow' => [],- 'src' => [],- ],- 'strike' => [],- 'br' => [],- 'strong' => [],- 'data-wow-duration' => [],- 'data-wow-delay' => [],- 'data-wallpaper-options' => [],- 'data-stellar-background-ratio' => [],- 'ul' => [- 'class' => [],- ],- 'label' => [- 'class' => [],- 'for' => [],- 'data-left' => [],- 'data-right' => [],- ],- 'form' => [- 'class' => [],- 'id' => [],- 'role' => [],- 'action' => [],- 'method' => [],- ],- ];-- if ( function_exists( 'wp_kses' ) ) { // WP is here- return wp_kses( $raw, $allowed_tags );- } else {- return $raw;- }-- }-- /**- * internal- *- * @param [type] $text- *- 
* @return void- */- public static function kspan( $text ) {- return str_replace( [ '{', '}' ], [ '<span>', '</span>' ], self::kses( $text ) );- }-- /**- * retuns trimmed word- */- public static function trim_words( $text, $num_words ) {- return wp_trim_words( $text, $num_words, '' );- }-- /**- * Undocumented function- *- * @param [type] $id- * */- public static function img_meta( $id ) {- $attachment = get_post( $id );-- if ( $attachment == null || $attachment->post_type != 'attachment' ) {- return null;- }-- return [- 'alt' => get_post_meta( $attachment->ID, '_wp_attachment_image_alt', true ),- 'caption' => $attachment->post_excerpt,- 'description' => $attachment->post_content,- 'href' => get_permalink( $attachment->ID ),- 'src' => $attachment->guid,- 'title' => $attachment->post_title,- ];- }-- /**- * Date format- *- */- public static function get_date_formats() {- return [- 'Y-m-d',- 'm/d/Y',- 'd/m/Y',- 'm-d-Y',- 'd-m-Y',- 'Y.m.d',- 'm.d.Y',- 'd.m.Y',- 'd M Y',- 'j F Y',- ];- }-- /**- * Undocumented function- *- * @param [type] $path- *- * @return void- */- public static function safe_path( $path ) {- $path = str_replace( [ '//', '\\\\' ], [ '/', '\\' ], $path );-- return str_replace( [ '/', '\\' ], DIRECTORY_SEPARATOR, $path );- }-- /**- * Convert a multi-dimensional array into a single-dimensional array.- *- * @param array $array The multi-dimensional array.- *- * @return array- * @author Sean Cannon, LitmusBox.com | [email protected]- */- public static function array_flatten( $array ) {-- if ( ! is_array( $array ) ) {- return false;- }-- $result = [];-- foreach ( $array as $key => $value ) {-- if ( is_array( $value ) ) {- $result = array_merge( $result, self::array_flatten( $value ) );- } else {- $result = array_merge( $result, [ $key => $value ] );- }-- }-- return $result;- }-- public static function show_parent_child( $show_parent_event, $show_child_event ) {- if( 'yes' === $show_parent_event ) {- return 'yes' === $show_child_event ? 
'show_both' : 'parent';- } else {- return 'yes' === $show_child_event ? 'child' : 'hide_both';- }- }-- - /**- * User query to get data for widget and shortcode- */- public static function user_data_query( $count = '-1', $order = 'DESC', $term_arr = null, $orderby = 'ID', $paged = 1 ) {-- $user_data = [];-- // Ensure $term_arr is a string before using explode- if (is_array($term_arr)) {- $term_arr = implode(',', $term_arr);- }-- $term_arrr = explode(',', $term_arr);-- if( !empty( $term_arrr ) ) {- foreach( $term_arrr as $group_id ) {- $args = [- 'number' => $count,- 'role__in' => array( 'etn-speaker', 'etn-organizer' ),- 'order' => $order,- 'orderby' => $orderby,- 'paged' => $paged,- 'meta_query' => [- 'relation' => 'AND',- [- 'key' => 'etn_speaker_group',- 'value' => strval($group_id),- 'compare' => 'LIKE',- ],- ],- ];-- // Check if the get_users() function returns an array- if ( is_array( get_users( $args ) ) ) {- $user_data = array_merge( $user_data, get_users( $args ) );- }- }- }- - // Remove duplicates- $unique_users = array_unique($user_data, SORT_REGULAR);-- // Sort the users by name if 'title' is passed as the orderby argument- if ( $orderby === 'title' || $orderby === 'display_name' ) {- usort($unique_users, function($a, $b) use ($order) {- return $order === 'ASC' ? 
strcmp($a->display_name, $b->display_name) : strcmp($b->display_name, $a->display_name);- });- }-- return $unique_users;- }---- /**- * Post query to get data for widget and shortcode- */- public static function post_data_query( $post_type, $count = null, $order = 'DESC', $term_arr = null, $taxonomy_slug = null, $post__in = null, $post_not_in = null, $tag__in = null, $orderby_meta = null, $orderby = 'post_date', $filter_with_status = null, $post_parent = '0', $post_author = '', $paged = 1 ) {- $data = [];- $args = [- 'post_type' => $post_type,- 'post_status' => 'publish',- 'suppress_filters' => false,- 'tax_query' => [- 'relation' => 'AND',- ],- 'paged' => $paged,- ];-- if ( $post_author != '' ) {- $args['author'] = $post_author;- }-- if ( $order != null ) {-- if ( $orderby_meta == null ) {- $args['orderby'] = $orderby;- } else {- if ( in_array( $orderby, [ 'etn_start_date', 'etn_end_date' ] ) ) {- $args['meta_query'] = isset( $args['meta_query'] ) ? $args['meta_query'] : [ 'relation' => 'AND' ];- - // Add meta_query entries without overriding existing ones- $args['meta_query'][] = [- 'key' => $orderby,- 'type' => 'DATE',- ];- $args['meta_query'][] = [- 'key' => 'etn_start_time',- 'type' => 'TIME',- ];- - // Register both for ordering- $args['meta_key'] = $orderby;- $args['orderby'] = [- 'meta_value' => $order, // ordering by $orderby (etn_start_date or etn_end_date)- 'etn_start_time' => $order // secondary order by time- ];- - // Support for named keys- add_filter( 'posts_orderby', function ( $orderby_statement, $query ) {- global $wpdb;- if ( $query->get( 'orderby' ) && is_array( $query->get( 'orderby' ) ) ) {- return "+ /**+ * Post query to get data for widget and shortcode+ */+ public static function post_data_query($post_type, $count = null, $order = 'DESC', $term_arr = null, $taxonomy_slug = null, $post__in = null, $post_not_in = null, $tag__in = null, $orderby_meta = null, $orderby = 'post_date', $filter_with_status = null, $post_parent = '0', $post_author = 
'', $paged = 1)+ {+ $data = [];+ $args = [+ 'post_type' => $post_type,+ 'post_status' => 'publish',+ 'suppress_filters' => false,+ 'tax_query' => [+ 'relation' => 'AND',+ ],+ 'paged' => $paged,+ ];++ if ($post_author != '') {+ $args['author'] = $post_author;+ }++ if ($order != null) {++ if ($orderby_meta == null) {+ $args['orderby'] = $orderby;+ } else {+ if (in_array($orderby, ['etn_start_date', 'etn_end_date'])) {+ $args['meta_query'] = isset($args['meta_query']) ? $args['meta_query'] : ['relation' => 'AND'];++ // Add meta_query entries without overriding existing ones+ $args['meta_query'][] = [+ 'key' => $orderby,+ 'type' => 'DATE',+ ];+ $args['meta_query'][] = [+ 'key' => 'etn_start_time',+ 'type' => 'TIME',+ ];++ // Register both for ordering+ $args['meta_key'] = $orderby;+ $args['orderby'] = [+ 'meta_value' => $order, // ordering by $orderby (etn_start_date or etn_end_date)+ 'etn_start_time' => $order, // secondary order by time+ ];++ // Support for named keys+ add_filter('posts_orderby', function ($orderby_statement, $query) {+ global $wpdb;+ if ($query->get('orderby') && is_array($query->get('orderby'))) {+ return " (SELECT meta_value FROM {$wpdb->postmeta} WHERE post_id = {$wpdb->posts}.ID AND meta_key = 'etn_start_date') {$query->get('order')}, STR_TO_DATE((SELECT meta_value FROM {$wpdb->postmeta} WHERE post_id = {$wpdb->posts}.ID AND meta_key = 'etn_start_time'), '%h:%i %p') {$query->get('order')} ";- }- return $orderby_statement;- }, 10, 2 );- } else {- $args['meta_key'] = $orderby;- $args['orderby'] = $orderby_meta;- }- }-- $args['order'] = strtoupper( $order );- }-- if ( $post_not_in != null ) {- $args['post__not_in'] = $post_not_in;- }-- if ( $count != null ) {- $args['posts_per_page'] = $count;- }-- if ( $post__in != null ) {- $args['post__in'] = $post__in;- }-- // Elementor::If categories selected, add them to tax_query- if ( is_array( $term_arr ) && ! 
empty( $term_arr ) ) {- $categories = [- 'taxonomy' => $taxonomy_slug,- 'terms' => $term_arr,- 'field' => 'id',- 'include_children' => true,- 'operator' => 'IN',- ];- array_push( $args['tax_query'], $categories );- }-- // Elementor::If tags selected, add them to tax_query- if ( ! empty( $tag__in ) && is_array( $tag__in ) ) {- $tags = [- 'taxonomy' => 'etn_tags',- 'terms' => $tag__in,- 'field' => 'id',- 'include_children' => true,- 'operator' => 'IN',- ];- array_push( $args['tax_query'], $tags );- }-- // Elementor::If select upcoming event , filter out the upcoming events- if ( $post_type == "etn" ) {-- if ( $filter_with_status == 'upcoming' ) {-- $args['meta_query'] = [- [- 'key' => 'etn_start_date',- 'value' => date( 'Y-m-d' ),- 'compare' => '>=',- 'type' => 'DATE',- ],- ];- }-- if ( $filter_with_status == 'expire' ) {-- $args['meta_query'] = [- 'relation' => 'AND',- [- 'relation' => 'OR',- [- 'key' => 'etn_end_date',- 'value' => date( 'Y-m-d' ),- 'compare' => '<',- 'type' => 'DATE',-- ],- [- 'key' => 'etn_end_date',- 'value' => date( 'Y-m-d' ),- 'compare' => '=',- 'type' => 'DATE',- ],- [- 'key' => 'etn_end_date',- 'value' => '',- 'compare' => '=',- ],- ],- [- 'key' => 'etn_start_date',- 'value' => date( 'Y-m-d' ),- 'compare' => '<',- 'type' => 'DATE',- ],- ];- }- - if ( 'ongoing' === $filter_with_status ) {- $args['meta_query'] = [- 'relation' => 'AND',- [- 'key' => 'etn_start_date',- 'value' => date( 'Y-m-d H:i:s' ),- 'compare' => '<=',- 'type' => 'DATETIME'- ],- [- 'key' => 'etn_end_date',- 'value' => date( 'Y-m-d H:i:s' ),- 'compare' => '>=',- 'type' => 'DATETIME'- ],- ];- }- }-- if ( 'child' !== $post_parent || 'hide_both' == $post_parent ) {- $parent_id = ($post_parent == 'hide_both' || $post_parent == 'parent' ) ? 
'0' : $post_parent;- $args['post_parent'] = $parent_id;- }-- $data = get_posts( $args );- // adding recurring tag- $data = \Etn\Core\Event\Helper::instance()->recurring_tag( $data );-- if ( ( 'child' == $post_parent || 'hide_both' == $post_parent ) && ( is_array( $data ) && count( $data ) > 0 ) ) {- // Delete all the Parent recurring event- foreach ( $data as $index => $post ) {- $post_id = $post->ID;- $is_recurring_parent = Helper::get_child_events( $post_id );- if ( $is_recurring_parent ) {- unset( $data[ $index ] );- }- }- }-- return $data;- }-- /**- * returns list of all speaker- * returns single speaker if speaker id is provuded
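Review bot: this hunk reindents all 1,784 lines of `utils/helper.php` (tabs to four spaces, `array()` to `[]`, `use DateTime;` dropped) in the same release as a security fix, so every line shows as removed and re-added and any behavioural change in the file cannot be reviewed; land the reformat as its own commit, or review it with whitespace ignored. Two things the reformat carries over unchanged and worth flagging now: the `kses()` allowlist permits `button` with `onclick` and `iframe` with `src`, so `wp_kses()` with this list does not stop script execution in whatever it filters (drop `onclick`, and restrict or remove `iframe`); and `post_data_query()` calls `add_filter('posts_orderby', function (...) { ... }, 10, 2)` on every invocation that orders by `etn_start_date`/`etn_end_date` with no matching `remove_filter()`, so the closure accumulates and rewrites the ORDER BY of every later query in the request whose `orderby` is an array. Register it once, or remove it after `get_posts()` returns.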
Vulnerability Existed: no
[Code Style/Formatting Change] - No CWE - utils/helper.php [Lines 1-1799, whole file]
Old Code:
Tab-based indentation with inconsistent spacing; `array()` mixed with `[]`; inconsistent spacing around operators and function calls; `use DateTime;` imported.
Fixed Code:
Four-space indentation; `[]` throughout; consistent spacing around operators and function calls; unused `use DateTime;` removed.
Explanation:
This hunk is a whole-file reformat, not a security fix. The changes are:
1. Tab indentation converted to four spaces (PSR-12 style)
2. `array()` syntax replaced with `[]` throughout
3. Spacing around operators and calls made consistent
4. The unused `use DateTime;` import removed
No vulnerability is introduced or fixed; the functions keep their logic. Because every line is touched, a reviewer should diff the file with whitespace ignored to confirm that nothing other than formatting changed.
--- cache/wp-event-solution_4.0.51/utils/locale/vars.php 2026-01-09 00:38:10.080550864 +0000+++ cache/wp-event-solution_4.0.52/utils/locale/vars.php 2026-01-09 00:43:18.463371998 +0000@@ -42,6 +42,7 @@ 'currency_position' => etn_get_currency_position(), 'elementor_supported' => class_exists( '\Elementor\Plugin' ) && in_array( 'etn-template', $elementor_post_types ), 'selected_template_builder' => etn_get_selected_template_builder(),+ 'is_dokan_enabled' => ( \Etn\Core\Addons\Helper::instance()->check_active_module( 'dokan' ) ) ? true : false, ]; return apply_filters( 'etn_locale_vars', $data );\ No newline at end of file
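Review bot: `( ... ) ? true : false` on the new `is_dokan_enabled` line is a redundant ternary; `(bool) \Etn\Core\Addons\Helper::instance()->check_active_module( 'dokan' )` expresses the same cast more clearly. While touching the file, add the trailing newline that the `\ No newline at end of file` marker points at.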
Vulnerability Existed: no
No vulnerabilities identified in this diff.
Explanation:
This diff adds one entry to the `$data` array in `utils/locale/vars.php` (line 45 of the new file). The new line checks whether the 'dokan' module is active through a helper method and assigns the result to the `is_dokan_enabled` key as a boolean.
Security Analysis:
- The value comes from `\Etn\Core\Addons\Helper::instance()->check_active_module( 'dokan' )`, an internal plugin call
- The result is cast to a boolean by the ternary
- No user input is involved
- No database queries or external calls are made
- No sensitive data is exposed; the flag only says whether the Dokan addon is active
- The array is returned through `apply_filters( 'etn_locale_vars', ... )`, the standard WordPress way of letting other plugins adjust the data
This is a benign feature flag for the Dokan marketplace integration and introduces no vulnerability.
--- cache/wp-event-solution_4.0.51/utils/tfpdf.php 2026-01-09 00:38:10.088551351 +0000+++ cache/wp-event-solution_4.0.52/utils/tfpdf.php 2026-01-09 00:43:18.531376158 +0000@@ -279,7 +279,7 @@ function Error( $msg ) { // Fatal error- throw new \Exception( 'FPDF error: ' . $msg );+ throw new \Exception( 'FPDF error: ' . esc_html( $msg ) ); } function Close() {
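Review bot: `esc_html()` inside `Error()` escapes at the wrong layer. An exception message is data, not HTML: a consumer that logs it or prints it in a plain-text context will now see entities such as `&lt;`, a consumer that escapes on output (the correct place) will double-encode, and a consumer that echoes it raw is only protected for this one throw site. Keep the message unescaped here and apply `esc_html( $e->getMessage() )` where the exception is rendered into a page. Note also that `utils/tfpdf.php` is a vendored third-party library and `esc_html()` is a WordPress function, so this change silently makes the library depend on WordPress being loaded.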
I'll analyze this code diff for security vulnerabilities.
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - utils/tfpdf.php Line 282
Old Code:
```php
throw new \Exception( 'FPDF error: ' . $msg );
```
Fixed Code:
```php
throw new \Exception( 'FPDF error: ' . esc_html( $msg ) );
```
Explanation:
The original code concatenated an unsanitized `$msg` parameter directly into an exception message. If `$msg` contained user-controlled or untrusted input that was later displayed in HTML output (such as in error pages or logs viewed through a web interface), it could lead to Cross-Site Scripting (XSS) attacks. The fix applies `esc_html()`, a WordPress escaping function, to sanitize the message before inclusion in the exception. This prevents any HTML/JavaScript in the `$msg` parameter from being interpreted as code when the error message is subsequently displayed, effectively mitigating the XSS vulnerability.
--- cache/wp-event-solution_4.0.51/vendor/composer/autoload_classmap.php 2026-01-09 00:38:10.092551594 +0000+++ cache/wp-event-solution_4.0.52/vendor/composer/autoload_classmap.php 2026-01-09 00:43:18.543376892 +0000@@ -48,6 +48,7 @@ 'Etn\\Core\\Event\\Event_Model' => $baseDir . '/core/event/event-model.php', 'Etn\\Core\\Event\\Helper' => $baseDir . '/core/event/helper.php', 'Etn\\Core\\Event\\Hooks' => $baseDir . '/core/event/hooks.php',+ 'Etn\\Core\\Event\\Pages\\Event_single_post' => $baseDir . '/core/event/pages/event-single-post.php', 'Etn\\Core\\Event\\Tags' => $baseDir . '/core/event/tags.php', 'Etn\\Core\\Modules\\Eventin_Ai\\Admin\\Admin' => $baseDir . '/core/modules/eventin-ai/admin/admin.php', 'Etn\\Core\\Modules\\Eventin_Ai\\Eventin_AI' => $baseDir . '/core/modules/eventin-ai/eventin-ai.php',@@ -113,6 +114,7 @@ 'Eventin\\Blocks\\BlockTypes\\CustomImage' => $baseDir . '/core/Blocks/BlockTypes/CustomImage.php', 'Eventin\\Blocks\\BlockTypes\\DiamondSeparator' => $baseDir . '/core/Blocks/BlockTypes/DiamondSeparator.php', 'Eventin\\Blocks\\BlockTypes\\EventAddToCalender' => $baseDir . '/core/Blocks/BlockTypes/EventAddToCalender.php',+ 'Eventin\\Blocks\\BlockTypes\\EventAttendee' => $baseDir . '/core/Blocks/BlockTypes/EventAttendee.php', 'Eventin\\Blocks\\BlockTypes\\EventBanner' => $baseDir . '/core/Blocks/BlockTypes/EventBanner.php', 'Eventin\\Blocks\\BlockTypes\\EventCalendar' => $baseDir . '/core/Blocks/BlockTypes/EventCalendar.php', 'Eventin\\Blocks\\BlockTypes\\EventCategory' => $baseDir . '/core/Blocks/BlockTypes/EventCategory.php',
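Review bot: `vendor/composer/autoload_classmap.php` is generated output; these two entries should be produced by `composer dump-autoload` rather than edited by hand, and `autoload_static.php` has to be regenerated in the same commit (it is in this patch set) or the optimized loader and the classmap will disagree. A minor naming point visible in the first hunk: class `Etn\Core\Event\Pages\Event_single_post` lives in `core/event/pages/event-single-post.php`, which does not follow the file-name convention of its neighbours (`Etn\Core\Event\Hooks` in `hooks.php` is the existing lowercase pattern, but the class name itself mixes styles); keeping class and file names aligned with the PSR-4 section avoids depending on the classmap alone to find the class.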
# Security Analysis Report
After analyzing the provided diff for `vendor/composer/autoload_classmap.php`, I have completed the security assessment.
---
## Analysis Result
**Vulnerability Existed: no**
This diff contains **no security vulnerabilities**.
### Explanation
The changes shown in this diff are **autoloader class mappings** - they simply register the locations of PHP classes for Composer's autoloading mechanism. Specifically:
1. **Line 51**: Adds mapping for `'Etn\\Core\\Event\\Pages\\Event_single_post'`
2. **Line 117**: Adds mapping for `'Eventin\\Blocks\\BlockTypes\\EventAttendee'`
These are purely **configuration entries** that map fully-qualified class names to their file paths. They do not:
- Execute any code
- Introduce input validation issues
- Handle sensitive data
- Modify security boundaries
- Create injection vectors
- Affect access controls
Autoloader class mappings are declarative configuration and pose no security risk by themselves. The actual security of the codebase depends on the implementation of the classes being referenced (`event-single-post.php` and `EventAttendee.php`), which are not included in this diff.
---
**No further analysis required.**
--- cache/wp-event-solution_4.0.51/vendor/composer/autoload_static.php 2026-01-09 00:38:10.096551838 +0000+++ cache/wp-event-solution_4.0.52/vendor/composer/autoload_static.php 2026-01-09 00:43:18.559377871 +0000@@ -81,6 +81,7 @@ 'Etn\\Core\\Event\\Event_Model' => __DIR__ . '/../..' . '/core/event/event-model.php', 'Etn\\Core\\Event\\Helper' => __DIR__ . '/../..' . '/core/event/helper.php', 'Etn\\Core\\Event\\Hooks' => __DIR__ . '/../..' . '/core/event/hooks.php',+ 'Etn\\Core\\Event\\Pages\\Event_single_post' => __DIR__ . '/../..' . '/core/event/pages/event-single-post.php', 'Etn\\Core\\Event\\Tags' => __DIR__ . '/../..' . '/core/event/tags.php', 'Etn\\Core\\Modules\\Eventin_Ai\\Admin\\Admin' => __DIR__ . '/../..' . '/core/modules/eventin-ai/admin/admin.php', 'Etn\\Core\\Modules\\Eventin_Ai\\Eventin_AI' => __DIR__ . '/../..' . '/core/modules/eventin-ai/eventin-ai.php',@@ -146,6 +147,7 @@ 'Eventin\\Blocks\\BlockTypes\\CustomImage' => __DIR__ . '/../..' . '/core/Blocks/BlockTypes/CustomImage.php', 'Eventin\\Blocks\\BlockTypes\\DiamondSeparator' => __DIR__ . '/../..' . '/core/Blocks/BlockTypes/DiamondSeparator.php', 'Eventin\\Blocks\\BlockTypes\\EventAddToCalender' => __DIR__ . '/../..' . '/core/Blocks/BlockTypes/EventAddToCalender.php',+ 'Eventin\\Blocks\\BlockTypes\\EventAttendee' => __DIR__ . '/../..' . '/core/Blocks/BlockTypes/EventAttendee.php', 'Eventin\\Blocks\\BlockTypes\\EventBanner' => __DIR__ . '/../..' . '/core/Blocks/BlockTypes/EventBanner.php', 'Eventin\\Blocks\\BlockTypes\\EventCalendar' => __DIR__ . '/../..' . '/core/Blocks/BlockTypes/EventCalendar.php', 'Eventin\\Blocks\\BlockTypes\\EventCategory' => __DIR__ . '/../..' . '/core/Blocks/BlockTypes/EventCategory.php',
I'll analyze this diff for security vulnerabilities.
Vulnerability Existed: no
No Vulnerabilities Identified - vendor/composer/autoload_static.php
Old Code:
```php
'Etn\\Core\\Event\\Hooks' => __DIR__ . '/../..' . '/core/event/hooks.php',
'Etn\\Core\\Event\\Tags' => __DIR__ . '/../..' . '/core/event/tags.php',
```
Fixed Code:
```php
'Etn\\Core\\Event\\Hooks' => __DIR__ . '/../..' . '/core/event/hooks.php',
'Etn\\Core\\Event\\Pages\\Event_single_post' => __DIR__ . '/../..' . '/core/event/pages/event-single-post.php',
'Etn\\Core\\Event\\Tags' => __DIR__ . '/../..' . '/core/event/tags.php',
```
Explanation:
This diff adds two new class autoload mappings to the Composer autoloader. These are purely structural changes that register new classes for autoloading. The changes do not introduce any security vulnerabilities:
1. The autoload mappings use `__DIR__` which is a compile-time constant and is safe from path traversal attacks
2. The paths use relative path concatenation with hardcoded strings, not user input
3. No new code with potential vulnerabilities is being executed in this file
4. The additions follow the existing pattern and maintain the same security posture as the rest of the autoloader
This is a routine maintenance update to register new plugin classes.
--- cache/wp-event-solution_4.0.51/vendor/composer/installed.php 2026-01-09 00:38:10.096551838 +0000+++ cache/wp-event-solution_4.0.52/vendor/composer/installed.php 2026-01-09 00:43:18.567378360 +0000@@ -3,7 +3,7 @@ 'name' => 'arraytics/eventin', 'pretty_version' => 'dev-develop', 'version' => 'dev-develop',- 'reference' => '7b7262062db40ed6f773895f7faf7ec6f1038183',+ 'reference' => '56a2291df2b964ce2ddd8b98b86355145c565083', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(),@@ -13,7 +13,7 @@ 'arraytics/eventin' => array( 'pretty_version' => 'dev-develop', 'version' => 'dev-develop',- 'reference' => '7b7262062db40ed6f773895f7faf7ec6f1038183',+ 'reference' => '56a2291df2b964ce2ddd8b98b86355145c565083', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(),@@ -22,7 +22,7 @@ 'themewinter/email-notification-sdk' => array( 'pretty_version' => 'dev-emarat/update-flow-calculation-logic', 'version' => 'dev-emarat/update-flow-calculation-logic',- 'reference' => '1272bc49b67e7e983f0aa10989a9eae8b8a0b890',+ 'reference' => 'ef5db6e2bd7a33354ed3b591171a34f557449e8e', 'type' => 'library', 'install_path' => __DIR__ . '/../themewinter/email-notification-sdk', 'aliases' => array(),
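Review bot: the third hunk shows `themewinter/email-notification-sdk` installed from a feature branch (`'pretty_version' => 'dev-emarat/update-flow-calculation-logic'`) rather than a tagged release, so the `reference` hash is the only thing pinning the shipped code; a rewrite of that branch would change what a fresh `composer install` pulls without any version bump appearing here. Pin the SDK to a tagged version (or at minimum a release branch) before this goes out, and record in the PR what changed between `1272bc49...` and `ef5db6e2...`, since `installed.php` itself says nothing about the content of those commits. The same applies to `arraytics/eventin` at `dev-develop`, although that one is the plugin's own tree.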
Vulnerability Existed: no
No Vulnerabilities Detected - Composer Lock File Update
This diff shows updates to `vendor/composer/installed.php`, which is an auto-generated Composer dependency manifest file. The changes are:
1. **arraytics/eventin** package reference updated from `7b7262062db40ed6f773895f7faf7ec6f1038183` to `56a2291df2b964ce2ddd8b98b86355145c565083` (appears twice in the file)
2. **themewinter/email-notification-sdk** package reference updated from `1272bc49b67e7e983f0aa10989a9eae8b8a0b890` to `ef5db6e2bd7a33354ed3b591171a34f557449e8e`
Explanation:
This is a routine dependency version update. The `installed.php` file contains commit hashes (Git references) that point to specific versions of dependencies. These changes represent:
- **Not a code modification**: This file is auto-generated by Composer and should not be manually edited. It documents which versions of dependencies are installed.
- **No direct security fix visible**: The diff alone does not indicate what changed in the actual dependency code. To determine if these are security fixes, one would need to review the actual commits in those packages (commits `56a2291...` and `ef5db6e...`).
- **No vulnerability in this file itself**: The file contains only metadata about installed packages, not executable code that could contain vulnerabilities.
If you need to verify whether these dependency updates include security patches, you should examine the commit logs and release notes for the `arraytics/eventin` and `themewinter/email-notification-sdk` packages.
--- cache/wp-event-solution_4.0.51/vendor/themewinter/email-notification-sdk/src/Flow/FlowManager.php 2026-01-09 00:38:10.108552568 +0000+++ cache/wp-event-solution_4.0.52/vendor/themewinter/email-notification-sdk/src/Flow/FlowManager.php 2026-01-09 00:43:18.667384478 +0000@@ -183,7 +183,7 @@ } $is_true = $this->compare_values( $field_value, $operator, $value );- $lebel = $is_true ? 'True' : 'false';+ $lebel = $is_true ? 'true' : 'false'; $current_node_id = $this->get_next_node_id( $edges, $node['id'],
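Review bot: the value assigned here is a string that the following `get_next_node_id( $edges, $node['id'], ...)` call presumably matches against stored edge labels, so changing `'True'` to `'true'` is a compatibility change, not just a cosmetic one: any flow saved while the old code was live would have been matched against `True`, and if the stored labels are compared case-sensitively those flows will now take no branch. Either make the comparison in `get_next_node_id()` case-insensitive (`strtolower()` on both sides) or ship a migration for existing flow definitions, and say which in the commit message. Separately, the variable is misspelled (`$lebel`); renaming it to `$label` would make the intent obvious to the next reader.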
I understand you want me to analyze the security implications of this code diff. Let me examine it directly.
---
**Vulnerability Existed:** no
**No Security Vulnerability Identified**
**File:** vendor/themewinter/email-notification-sdk/src/Flow/FlowManager.php (Line 186)
**Old Code:**
```php
$lebel = $is_true ? 'True' : 'false';
```
**Fixed Code:**
```php
$lebel = $is_true ? 'true' : 'false';
```
**Explanation:**
This change corrects a logic inconsistency by making the ternary operator return consistent boolean string representations ('true' vs 'false' in lowercase).
From a security perspective:
- This is **not a security vulnerability fix**. The change addresses a **code quality/logic bug** rather than a security issue.
- The inconsistent casing ('True' vs 'false') could cause logic errors if the returned string is compared with strict equality checks, but this doesn't directly expose the application to security risks like injection attacks, authentication bypass, or data exposure.
- There is no evidence of user input sanitization issues, authentication flaws, authorization problems, or any OWASP Top 10 vulnerabilities being fixed here.
**Classification:** Code Quality / Logic Bug (not a security vulnerability)
--- cache/wp-event-solution_4.0.51/widgets/events-calendar/style/event-2.php 2026-01-09 00:38:10.120553298 +0000+++ cache/wp-event-solution_4.0.52/widgets/events-calendar/style/event-2.php 2026-01-09 00:43:18.807393042 +0000@@ -26,16 +26,16 @@ <!-- thumbnail --> <div class="etn-event-thumb"> <?php if ( get_the_post_thumbnail_url($value->ID) ): ?>- <a - href="<?php echo esc_url(get_the_permalink($value->ID)); ?>" - aria-label="<?php echo get_the_title(); ?>"+ <a+ href="<?php echo esc_url(get_the_permalink($value->ID)); ?>"+ aria-label="<?php echo esc_attr(get_the_title()); ?>" > <?php echo get_the_post_thumbnail($value->ID, 'large'); ?> </a> <?php elseif( $banner_image_url ): ?>- <a - href="<?php echo esc_url(get_the_permalink($value->ID)); ?>" - aria-label="<?php echo get_the_title(); ?>"+ <a+ href="<?php echo esc_url(get_the_permalink($value->ID)); ?>"+ aria-label="<?php echo esc_attr(get_the_title()); ?>" > <img src="<?php echo esc_url($banner_image_url); ?>" alt="Image"> </a>@@ -58,7 +58,7 @@ <?php if (!empty($etn_ticket_price) && class_exists('woocommerce')){ ?> <div class='etn-ticket-price'> <i class="etn-icon etn-money-bill"></i>- <?php echo get_woocommerce_currency_symbol(); ?><?php echo esc_html($etn_ticket_price); ?>+ <?php echo esc_html(get_woocommerce_currency_symbol()); ?><?php echo esc_html($etn_ticket_price); ?> </div> <?php } ?> </div>@@ -79,7 +79,7 @@ <?php } else { ?>- <a href="<?php echo esc_url(get_the_permalink($value->ID)); ?>" class="etn-btn etn-btn-border" title="<?php echo get_the_title($value->ID); ?>"><?php echo esc_html__('Attend', 'eventin') ?> <i class="etn-icon etn-arrow-right"></i></a>+ <a href="<?php echo esc_url(get_the_permalink($value->ID)); ?>" class="etn-btn etn-btn-border" title="<?php echo esc_attr(get_the_title($value->ID)); ?>"><?php echo esc_html__('Attend', 'eventin') ?> <i class="etn-icon etn-arrow-right"></i></a> <?php } ?>
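Review bot: in both thumbnail hunks the `aria-label` calls `get_the_title()` with no argument, so it reads the title of the global `$post`, while the `href` on the line above uses `$value->ID`; inside a loop over `$value` the label can describe a different event than the link. Pass the id explicitly, `aria-label="<?php echo esc_attr( get_the_title( $value->ID ) ); ?>"`, as the `title` attribute in the last hunk already does. The `esc_attr()` additions are the right function for attribute context. Wrapping `get_woocommerce_currency_symbol()` in `esc_html()` is harmless: WooCommerce returns the symbol already entity-encoded and `esc_html()` does not double-encode existing entities, so the rendered output is unchanged.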
Analyzing the provided diff for security vulnerabilities...
---
**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - widgets/events-calendar/style/event-2.php [31, 37]
Old Code:
```php
aria-label="<?php echo get_the_title(); ?>"
```
Fixed Code:
```php
aria-label="<?php echo esc_attr(get_the_title()); ?>"
```
Explanation: The `get_the_title()` function returns unescaped HTML content. When output directly into an HTML attribute without escaping, it can allow XSS attacks if the post title contains malicious JavaScript. The fix applies `esc_attr()` to properly escape the value for safe use in HTML attributes.
---
**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - widgets/events-calendar/style/event-2.php [61]
Old Code:
```php
<?php echo get_woocommerce_currency_symbol(); ?><?php echo esc_html($etn_ticket_price); ?>
```
Fixed Code:
```php
<?php echo esc_html(get_woocommerce_currency_symbol()); ?><?php echo esc_html($etn_ticket_price); ?>
```
Explanation: The `get_woocommerce_currency_symbol()` function returns unescaped HTML content. When output directly into HTML context without escaping, it could allow XSS if the symbol data is compromised or manipulated. The fix applies `esc_html()` to properly escape the currency symbol for safe display.
---
**Vulnerability 3:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - widgets/events-calendar/style/event-2.php [82]
Old Code:
```php
title="<?php echo get_the_title($value->ID); ?>"
```
Fixed Code:
```php
title="<?php echo esc_attr(get_the_title($value->ID)); ?>"
```
Explanation: The `get_the_title()` function returns unescaped HTML content. When output directly into the `title` HTML attribute without escaping, it can allow XSS attacks if the post title contains malicious JavaScript or special characters. The fix applies `esc_attr()` to properly escape the value for safe use in HTML attributes.
--- cache/wp-event-solution_4.0.51/widgets/events-tab/style/tab-1.php 2026-01-09 00:38:10.128553785 +0000+++ cache/wp-event-solution_4.0.52/widgets/events-tab/style/tab-1.php 2026-01-09 00:43:18.851395734 +0000@@ -16,9 +16,9 @@ $active_class = ($i===1) ? 'etn-active' : ''; ?> <li>- <a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($widget_id) . "-" . $i; ?>'>+ <a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($widget_id) . "-" . esc_attr($i); ?>'> <?php- echo esc_html($category_name); + echo esc_html($category_name); ?> </a> </li>@@ -37,7 +37,7 @@ $event_cat = [$event_cat]; $active_class = (($j == 1) ? 'tab-active' : ''); ?>- <div class="etn-tab <?php echo esc_attr($active_class); ?>" data-id='tab<?php echo esc_attr($widget_id) . "-" . $j; ?>'>+ <div class="etn-tab <?php echo esc_attr($active_class); ?>" data-id='tab<?php echo esc_attr($widget_id) . "-" . esc_attr($j); ?>'> <?php include \Wpeventin::plugin_dir() . "widgets/events/style/{$style}.php"; ?>
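Review bot: `$i` and `$j` are integer loop counters (`$i===1` and `$j == 1` in the context lines), so `esc_attr( $i )` on its own adds nothing; if the aim is to satisfy a linter, escape the whole attribute value once instead of piecemeal: `data-id='<?php echo esc_attr( "tab{$widget_id}-{$i}" ); ?>'`. The line in the second hunk that actually deserves review attention is the unchanged `include \Wpeventin::plugin_dir() . "widgets/events/style/{$style}.php";`: `$style` is interpolated into an include path, so the caller that sets it must constrain it to the fixed set of shipped style names (an allowlist or `basename()` plus a file-exists check) before this template runs. That is outside this diff but worth confirming while the file is open.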
## Security Analysis Results
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
**Cross-Site Scripting (XSS) - CWE-79 - widgets/events-tab/style/tab-1.php - Line 19**
Old Code:
```php
<a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($widget_id) . "-" . $i; ?>'>
```
Fixed Code:
```php
<a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($widget_id) . "-" . esc_attr($i); ?>'>
```
Explanation: The variable `$i` is a loop counter that gets concatenated into an HTML attribute value without proper escaping. While `$i` is a numeric value incremented in a loop and unlikely to contain malicious input in practice, it should still be escaped using `esc_attr()` for defense-in-depth and to follow WordPress security best practices. An attacker with the ability to manipulate the loop behavior or variable reassignment could potentially inject malicious HTML/JavaScript into the data-id attribute.
---
**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
**Cross-Site Scripting (XSS) - CWE-79 - widgets/events-tab/style/tab-1.php - Line 40**
Old Code:
```php
<div class="etn-tab <?php echo esc_attr($active_class); ?>" data-id='tab<?php echo esc_attr($widget_id) . "-" . $j; ?>'>
```
Fixed Code:
```php
<div class="etn-tab <?php echo esc_attr($active_class); ?>" data-id='tab<?php echo esc_attr($widget_id) . "-" . esc_attr($j); ?>'>
```
Explanation: The variable `$j` is a loop counter concatenated into an HTML attribute without proper escaping. Similar to the first vulnerability, while `$j` is a numeric loop counter, it should be escaped with `esc_attr()` to prevent potential XSS attacks and to maintain secure coding practices. If the loop variable can be manipulated or affected by user input, this could become an attack vector.
---
**Additional Note:** There is also a minor whitespace cleanup at line 21 (trailing space removal), which is not a security issue.
--- cache/wp-event-solution_4.0.51/widgets/events/parts/child-event.php 2026-01-09 00:38:10.124553542 +0000+++ cache/wp-event-solution_4.0.52/widgets/events/parts/child-event.php 2026-01-09 00:43:18.827394266 +0000@@ -13,9 +13,9 @@ <!-- thumbnail --> <?php if ( get_the_post_thumbnail_url( $item->ID ) ) : ?> <div class="etn-event-thumb">- <a - href="<?php echo esc_url(get_the_permalink($item->ID)); ?>" - aria-label="<?php echo get_the_title(); ?>"+ <a+ href="<?php echo esc_url(get_the_permalink($item->ID)); ?>"+ aria-label="<?php echo esc_attr(get_the_title()); ?>" > <?php echo get_the_post_thumbnail( $item->ID, 'large' ); ?> </a>@@ -51,7 +51,7 @@ <?php } else { ?>- <a href="<?php echo esc_url(get_the_permalink($item->ID)); ?>" class="etn-btn etn-btn-border" title="<?php echo get_the_title($item->ID); ?>"><?php echo esc_html__('Attend', 'eventin') ?> <i class="etn-icon etn-arrow-right"></i></a>+ <a href="<?php echo esc_url(get_the_permalink($item->ID)); ?>" class="etn-btn etn-btn-border" title="<?php echo esc_attr(get_the_title($item->ID)); ?>"><?php echo esc_html__('Attend', 'eventin') ?> <i class="etn-icon etn-arrow-right"></i></a> <?php } ?>
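Review bot: the first hunk fixes the escaping but keeps an argument mismatch: `aria-label` uses `get_the_title()` (the global post) while the `href` two lines up uses `$item->ID`, so in a loop over child events the accessible label may name the wrong event. Use `esc_attr( get_the_title( $item->ID ) )`, matching the `title` attribute in the second hunk. The `esc_attr()` additions themselves are correct for attribute context; `get_the_post_thumbnail()` returns pre-built `<img>` markup and is intentionally left unescaped.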
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - widgets/events/parts/child-event.php [16, 54]
Old Code:
Line 16: `aria-label="<?php echo get_the_title(); ?>"`
Line 54: `title="<?php echo get_the_title($item->ID); ?>"`
Fixed Code:
Line 16: `aria-label="<?php echo esc_attr(get_the_title()); ?>"`
Line 54: `title="<?php echo esc_attr(get_the_title($item->ID)); ?>"`
Explanation: The vulnerability existed because `get_the_title()` output was not properly escaped when used in HTML attributes. While `esc_url()` was correctly applied to the `href` attribute on both lines, the `aria-label` and `title` attributes contained unescaped post titles. These attributes accept user-controlled content (post titles) that could contain malicious characters or JavaScript. By using `esc_attr()`, the fix properly escapes the output for safe use in HTML attributes, preventing XSS attacks through specially crafted post titles. The `esc_attr()` function escapes quotes, angle brackets, and ampersands to prevent attribute injection and script execution.
--- cache/wp-event-solution_4.0.51/widgets/events/style/event-1.php 2026-01-09 00:38:10.124553542 +0000+++ cache/wp-event-solution_4.0.52/widgets/events/style/event-1.php 2026-01-09 00:43:18.835394756 +0000@@ -4,8 +4,10 @@ use \Etn\Utils\Helper as Helper; // Ensure variables are defined with defaults+$posts_to_show = isset($posts_to_show) ? $posts_to_show : -1; $etn_paged = isset($etn_paged) ? $etn_paged : 1; $enable_pagination = isset($enable_pagination) ? $enable_pagination : 'no';+$post_parent = isset($post_parent) ? $post_parent : 0; // Use posts_to_show and paged for pagination $data = Helper::post_data_query('etn', $posts_to_show, $order, $event_cat, 'etn_category',@@ -35,16 +37,16 @@ <!-- thumbnail --> <div class="etn-event-thumb"> <?php if ( $banner_image_url ): ?>- <a - href="<?php echo esc_url(get_the_permalink($value->ID)); ?>" - aria-label="<?php echo get_the_title(); ?>"+ <a+ href="<?php echo esc_url(get_the_permalink($value->ID)); ?>"+ aria-label="<?php echo esc_attr(get_the_title()); ?>" > <img src="<?php echo esc_url($banner_image_url); ?>" alt="Image"> </a> <?php elseif ( get_the_post_thumbnail_url($value->ID) ): ?>- <a - href="<?php echo esc_url(get_the_permalink($value->ID)); ?>" - aria-label="<?php echo get_the_title(); ?>"+ <a+ href="<?php echo esc_url(get_the_permalink($value->ID)); ?>"+ aria-label="<?php echo esc_attr(get_the_title()); ?>" > <?php echo get_the_post_thumbnail($value->ID, 'large'); ?> </a>@@ -99,7 +101,7 @@ } else { ?> <a href="<?php echo esc_url(get_the_permalink($value->ID)); ?>" class="etn-btn etn-btn-border"- title="<?php echo get_the_title($value->ID); ?>"><?php echo esc_html__('Attend', 'eventin') ?>+ title="<?php echo esc_attr(get_the_title($value->ID)); ?>"><?php echo esc_html__('Attend', 'eventin') ?> <i class="etn-icon etm-arrow-right"></i></a> <?php }@@ -111,7 +113,7 @@ if( isset( $show_remaining_tickets ) && $show_remaining_tickets =='yes'): ?> <div class="etn-mt-1 etn-remaining-tickets">- <small class="<?php echo 
$total_tickets > 5 ? 'etn-ticket-count-lot' : 'etn-ticket-count-few' ;?>"><?php echo etn_humanize_number($total_tickets); ?> ticket<?php echo $total_tickets > 1 ? "s" : ""; ?> remaining</small>+ <small class="<?php echo $total_tickets > 5 ? 'etn-ticket-count-lot' : 'etn-ticket-count-few' ;?>"><?php echo esc_html(etn_humanize_number($total_tickets)); ?> ticket<?php echo $total_tickets > 1 ? "s" : ""; ?> remaining</small> </div> <?php endif; ?> <!-- content end-->@@ -144,6 +146,7 @@ 'posts_per_page' => -1, // Get all posts to count 'meta_query' => [], 'tax_query' => [],+ 'post_parent' => $post_parent ]; // Add category filter@@ -164,11 +167,6 @@ ]; } - // Add parent/child filter- if (!empty($post_parent)) {- $args['post_parent'] = $post_parent;- }- // Add status filter if (!empty($filter_with_status)) { if ($filter_with_status === 'upcoming') {@@ -189,6 +187,7 @@ } $count_query = new WP_Query($args);+ $total_posts = $count_query->found_posts; $posts_per_page_int = max(1, intval($posts_per_page)); // Ensure it's an integer and at least 1 $total_pages = ceil($total_posts / $posts_per_page_int);
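Review bot: defaulting `$post_parent` to `0` at the top and then always setting `'post_parent' => $post_parent` in the count query is not equivalent to the removed `if (!empty($post_parent))` guard: `WP_Query` treats `post_parent => 0` as "top-level posts only", whereas omitting the key applies no parent filter at all. If the main listing still comes from `Helper::post_data_query(...)` with the old "empty means no filter" semantics, the pagination total (`$total_posts = $count_query->found_posts`) will now be computed over a different set than the events being displayed, giving wrong page counts for sites with child events. Either keep the guard or make both queries follow the same rule. The added `$total_posts` assignment also implies the previous code computed `$total_pages = ceil($total_posts / ...)` from a variable not set in this block; confirm the old behaviour before treating this as a pure refactor. The `esc_attr()` and `esc_html()` changes in the template hunks are correct; as elsewhere, `aria-label` would be better served by `get_the_title($value->ID)` so the label and the `href` refer to the same post.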
I'll analyze this code diff for security vulnerabilities.
Vulnerability 1: Cross-Site Scripting (XSS) - aria-label attribute
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - widgets/events/style/event-1.php Lines 41, 48
[Old Code]
aria-label="<?php echo get_the_title(); ?>"
[Fixed Code]
aria-label="<?php echo esc_attr(get_the_title()); ?>"
Explanation:
The aria-label attribute was outputting unescaped data. While aria-label is an HTML attribute, it can still be exploited with XSS if the title contains quotes or special characters (e.g., `" onclick="alert('xss')`). The fix properly escapes the output using `esc_attr()`, which is the correct WordPress function for escaping HTML attributes.
Vulnerability 2: Cross-Site Scripting (XSS) - title attribute
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - widgets/events/style/event-1.php Line 104
[Old Code]
title="<?php echo get_the_title($value->ID); ?>"
[Fixed Code]
title="<?php echo esc_attr(get_the_title($value->ID)); ?>"
Explanation:
Similar to the aria-label vulnerability, the title attribute was unescaped. HTML attributes like title are susceptible to attribute-based XSS attacks where special characters or quotes in the title could break out of the attribute context. The fix applies `esc_attr()` to properly escape the attribute value.
Vulnerability 3: Cross-Site Scripting (XSS) - etn_humanize_number output
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - widgets/events/style/event-1.php Line 116
[Old Code]
<?php echo etn_humanize_number($total_tickets); ?>
[Fixed Code]
<?php echo esc_html(etn_humanize_number($total_tickets)); ?>
Explanation:
The `etn_humanize_number()` function's output was being directly echoed without escaping. If this function returns user-influenced data or if the function itself doesn't properly escape, it could allow XSS attacks. The fix wraps the output with `esc_html()` to ensure HTML special characters are properly escaped before display.
Vulnerability 4: Uninitialized Variables - Logic Improvement (Not a security fix)
Vulnerability Existed: no
This change initializes `$posts_to_show` and `$post_parent` variables at the top of the file. While this improves code robustness and follows best practices, it's not fixing an existing vulnerability. These were likely already conditionally used, so the fix prevents undefined variable notices rather than fixing a security issue.
Vulnerability 5: Code Reorganization - post_parent parameter
Vulnerability Existed: not sure
Potential Logic Issue - widgets/events/style/event-1.php Lines 149, 170-174
[Old Code]
$args = [...];
// Later:
if (!empty($post_parent)) {
$args['post_parent'] = $post_parent;
}
[Fixed Code]
$args = [
...
'post_parent' => $post_parent
];
// Conditional removed
Explanation:
The original code conditionally set `post_parent` only if it was not empty. The new code always includes it in the args (initialized to 0 at the top). This could be a subtle behavioral change: setting `'post_parent' => 0` in WP_Query args may not be equivalent to omitting the parameter entirely, depending on WordPress's query handling. However, since `$post_parent` is initialized to 0 and only set to other values when intentionally provided, this is likely safe. The change improves code clarity but may warrant verification against the original conditional behavior.
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
--- cache/wp-event-solution_4.0.51/widgets/events/style/event-2.php 2026-01-09 00:38:10.124553542 +0000+++ cache/wp-event-solution_4.0.52/widgets/events/style/event-2.php 2026-01-09 00:43:18.839395000 +0000@@ -3,6 +3,11 @@ use \Etn\Utils\Helper as Helper; +// Ensure variables are defined with defaults+$posts_to_show = isset($posts_to_show) ? $posts_to_show : -1;+$paged = isset($etn_paged) ? $etn_paged : 1;+$enable_pagination = isset($enable_pagination) ? $enable_pagination : 'no';+ $data = Helper::post_data_query('etn', $posts_to_show, $order, $event_cat, 'etn_category', null, null, $event_tag, $orderby_meta, $orderby, $filter_with_status, $post_parent, '', $paged); ?>@@ -37,16 +42,16 @@ <!-- thumbnail --> <div class="etn-event-thumb"> <?php if ( $banner_image_url ): ?>- <a - href="<?php echo esc_url(get_the_permalink($value->ID)); ?>" - aria-label="<?php echo get_the_title(); ?>"+ <a+ href="<?php echo esc_url(get_the_permalink($value->ID)); ?>"+ aria-label="<?php echo esc_attr(get_the_title()); ?>" > <img src="<?php echo esc_url($banner_image_url); ?>" alt="Image"> </a> <?php elseif ( get_the_post_thumbnail_url($value->ID) ): ?>- <a - href="<?php echo esc_url(get_the_permalink($value->ID)); ?>" - aria-label="<?php echo get_the_title(); ?>"+ <a+ href="<?php echo esc_url(get_the_permalink($value->ID)); ?>"+ aria-label="<?php echo esc_attr(get_the_title()); ?>" > <?php echo get_the_post_thumbnail($value->ID, 'large'); ?> </a>@@ -115,7 +120,7 @@ <?php } else { ?>- <a href="<?php echo esc_url(get_the_permalink($value->ID)); ?>" class="etn-btn etn-btn-border" title="<?php echo get_the_title($value->ID); ?>"><?php echo esc_html__('Attend', 'eventin') ?> <i class="etn-icon etn-arrow-right"></i></a>+ <a href="<?php echo esc_url(get_the_permalink($value->ID)); ?>" class="etn-btn etn-btn-border" title="<?php echo esc_attr(get_the_title($value->ID)); ?>"><?php echo esc_html__('Attend', 'eventin') ?> <i class="etn-icon etn-arrow-right"></i></a> <?php } ?>@@ -126,7 +131,7 @@ 
if( isset( $show_remaining_tickets ) && $show_remaining_tickets =='yes'): ?> <div class="etn-mt-1 etn-remaining-tickets">- <small class="<?php echo $total_tickets > 5 ? 'etn-ticket-count-lot' : 'etn-ticket-count-few' ;?>"><?php echo etn_humanize_number($total_tickets); ?> ticket<?php echo $total_tickets > 1 ? "s" : ""; ?> remaining</small>+ <small class="<?php echo $total_tickets > 5 ? 'etn-ticket-count-lot' : 'etn-ticket-count-few' ;?>"><?php echo esc_html(etn_humanize_number($total_tickets)); ?> ticket<?php echo $total_tickets > 1 ? "s" : ""; ?> remaining</small> </div> <?php endif; ?>
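Review bot: in the new defaults block at the top of the file, `$paged = isset($etn_paged) ? $etn_paged : 1;` passes `$etn_paged` through unchanged, whereas speaker-2.php in this same patch normalizes its page number with `max(1, intval($speaker_paged))`. If `$etn_paged` can come from a request parameter, apply the same normalization here, e.g. `$paged = isset($etn_paged) ? max(1, intval($etn_paged)) : 1;`, so a non-numeric or zero value never reaches `Helper::post_data_query()`. `$enable_pagination` is also given a default here but is not referenced in any visible line of this file's hunks; confirm it is used further down or drop the default.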
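Review bot: both `aria-label` values in the thumbnail hunk call `get_the_title()` with no post ID while the adjacent `href` uses `get_the_permalink($value->ID)`; inside a loop over query results the global post is not necessarily the item being rendered, so the label can name the wrong event. Pass the ID explicitly, as the later `title` hunk already does: `aria-label="<?php echo esc_attr(get_the_title($value->ID)); ?>"`. The `esc_attr()` additions themselves are the right escaping helper for a double-quoted attribute.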
I'll analyze this code diff for security vulnerabilities.
```
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - widgets/events/style/event-2.php Lines 47, 52, 123, 134
Old Code:
Line 47: aria-label="<?php echo get_the_title(); ?>"
Line 52: aria-label="<?php echo get_the_title(); ?>"
Line 123: title="<?php echo get_the_title($value->ID); ?>"
Line 134: <?php echo etn_humanize_number($total_tickets); ?>
Fixed Code:
Line 47: aria-label="<?php echo esc_attr(get_the_title()); ?>"
Line 52: aria-label="<?php echo esc_attr(get_the_title()); ?>"
Line 123: title="<?php echo esc_attr(get_the_title($value->ID)); ?>"
Line 134: <?php echo esc_html(etn_humanize_number($total_tickets)); ?>
Explanation:
The original code used unescaped output of `get_the_title()` and `etn_humanize_number()` in HTML attribute and content contexts. This is a classic reflected XSS vulnerability where malicious characters in post titles or ticket numbers could break out of the HTML attribute/element and execute arbitrary JavaScript. The fix applies appropriate escaping functions: `esc_attr()` for HTML attributes (lines 47, 52, 123) and `esc_html()` for HTML content (line 134), preventing XSS attacks.
```
```
Vulnerability Existed: not sure
Variable Initialization/Undefined Variable - CWE-456 - widgets/events/style/event-2.php Lines 6-8
Old Code:
[Variables $posts_to_show, $paged, $enable_pagination used without explicit initialization]
Fixed Code:
$posts_to_show = isset($posts_to_show) ? $posts_to_show : -1;
$paged = isset($etn_paged) ? $etn_paged : 1;
$enable_pagination = isset($enable_pagination) ? $enable_pagination : 'no';
Explanation:
The added code initializes variables with default values before use. However, the vulnerability classification is uncertain because: (1) these variables may be set elsewhere in the include chain before this file is processed, (2) PHP doesn't prevent undefined variable access in template files, but this could cause notices/warnings, (3) the fix is defensive and improves robustness, but without seeing the complete call context, it's unclear if undefined variables were actually occurring. The fix represents good defensive programming practice to prevent undefined variable warnings/errors.
```
--- cache/wp-event-solution_4.0.51/widgets/events/style/parts/child-event.php 2026-01-09 00:38:10.124553542 +0000+++ cache/wp-event-solution_4.0.52/widgets/events/style/parts/child-event.php 2026-01-09 00:43:18.843395245 +0000@@ -13,9 +13,9 @@ <!-- thumbnail --> <?php if ( get_the_post_thumbnail_url( $item->ID ) ) : ?> <div class="etn-event-thumb">- <a + <a href="<?php echo esc_url(get_the_permalink($item->ID)); ?>"- aria-label="<?php echo get_the_title(); ?>"+ aria-label="<?php echo esc_attr(get_the_title()); ?>" > <?php echo get_the_post_thumbnail( $item->ID, 'large' ); ?> </a>@@ -51,7 +51,7 @@ <?php } else { ?>- <a href="<?php echo esc_url(get_the_permalink($item->ID)); ?>" class="etn-btn etn-btn-border" title="<?php echo get_the_title($item->ID); ?>"><?php echo esc_html__('Attend', 'eventin') ?> <i class="etn-icon etm-arrow-right"></i></a>+ <a href="<?php echo esc_url(get_the_permalink($item->ID)); ?>" class="etn-btn etn-btn-border" title="<?php echo esc_attr(get_the_title($item->ID)); ?>"><?php echo esc_html__('Attend', 'eventin') ?> <i class="etn-icon etm-arrow-right"></i></a> <?php } ?>
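Review bot: in the thumbnail hunk, `aria-label="<?php echo esc_attr(get_the_title()); ?>"` omits the post ID while the `href` on the previous line uses `get_the_permalink($item->ID)`; since this partial renders a child event rather than the global post, pass the ID so the label matches the link: `esc_attr(get_the_title($item->ID))`. The escaping change itself is correct for the attribute context.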
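Review bot: the "Attend" link hunk leaves `<i class="etn-icon etm-arrow-right">` unchanged on both sides, while the equivalent line in event-2.php uses `etn-icon etn-arrow-right`; the `etm-` prefix looks like a typo that will leave the icon unstyled, so fix it while this line is being touched. Adding `esc_attr()` around `get_the_title($item->ID)` in the `title` attribute is the right change.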
```
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - widgets/events/style/parts/child-event.php [Line 18]
[Old Code]
aria-label="<?php echo get_the_title(); ?>"
[Fixed Code]
aria-label="<?php echo esc_attr(get_the_title()); ?>"
Explanation:
The original code output get_the_title() directly into an HTML attribute without escaping. The esc_attr() function escapes data for safe use in HTML attributes, preventing XSS attacks where malicious JavaScript could be injected through the title attribute. An event title containing quotes or other special characters could break out of the attribute context and inject malicious code.
---
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - widgets/events/style/parts/child-event.php [Line 54]
[Old Code]
title="<?php echo get_the_title($item->ID); ?>"
[Fixed Code]
title="<?php echo esc_attr(get_the_title($item->ID)); ?>"
Explanation:
Similar to the first vulnerability, the title attribute was not properly escaped for HTML context. Using esc_attr() ensures that any special characters in the title are properly encoded, preventing attribute-based XSS attacks. Without escaping, an event title with malicious content could execute arbitrary JavaScript.
```
--- cache/wp-event-solution_4.0.51/widgets/schedule-list/style/schedule-list-1.php 2026-01-09 00:38:10.128553785 +0000+++ cache/wp-event-solution_4.0.52/widgets/schedule-list/style/schedule-list-1.php 2026-01-09 00:43:18.867396713 +0000@@ -1,23 +1,24 @@ <?php+ use \Etn\Utils\Helper as Helper; $post_perpage = 3; //$data = Helper::post_data_query( 'etn-schedule' , $post_perpage, $order, null , null , $etn_schedule_id );-$data = Helper::post_data_query( 'etn-schedule' , null, null, null, null, (array) $etn_schedule_id);+$data = Helper::post_data_query('etn-schedule', null, null, null, null, (array) $etn_schedule_id); date_default_timezone_set('UTC'); -if ( is_array( $data ) && !empty( $data ) ) {+if (is_array($data) && !empty($data)) { $schedule_data = $data[0]; $schedule_meta = get_post_meta($schedule_data->ID); $schedule_date = strtotime($schedule_meta['etn_schedule_date'][0]);- $schedule_date = date_i18n(get_option( "date_format" ), $schedule_date);+ $schedule_date = date_i18n(get_option("date_format"), $schedule_date); $schedule_topics = unserialize($schedule_meta['etn_schedule_topics'][0]); $time_format = Helper::get_option("time_format");- $time_format = !empty( $time_format ) ? $time_format : '12';- $etn_sched_time_format = ( $time_format == '24') ? "H:i": get_option( 'time_format');- ?>+ $time_format = !empty($time_format) ? $time_format : '12';+ $etn_sched_time_format = ($time_format == '24') ? "H:i" : get_option('time_format');+?> <div class="schedule-list-wrapper"> <div class="container"> <!-- row end-->@@ -25,7 +26,7 @@ <div class="col-lg-12"> <div class=""> <?php- if( is_array( $schedule_topics ) && !empty( $schedule_topics )){+ if (is_array($schedule_topics) && !empty($schedule_topics)) { foreach ($schedule_topics as $topic) { $etn_schedule_topic = (isset($topic['etn_schedule_topic']) ? $topic['etn_schedule_topic'] : ''); $etn_schedule_start_time = !empty($topic['etn_shedule_start_time']) ? 
date_i18n($etn_sched_time_format, strtotime($topic['etn_shedule_start_time'])) : '';@@ -33,16 +34,16 @@ $etn_schedule_room = (isset($topic['etn_shedule_room']) ? $topic['etn_shedule_room'] : ''); $etn_schedule_objective = (isset($topic['etn_shedule_objective']) ? $topic['etn_shedule_objective'] : ''); $etn_schedule_speaker = (isset($topic['speakers']) ? $topic['speakers'] : []);- ?>+ ?> <div class="schedule-listing multi-schedule-list"> <div class="schedule-slot-time"> <?php- if(!empty($etn_schedule_start_time) || !empty( $etn_schedule_end_time )){- ?>+ if (!empty($etn_schedule_start_time) || !empty($etn_schedule_end_time)) {+ ?> <span> <?php echo esc_attr($etn_schedule_start_time); ?> - <?php echo esc_attr($etn_schedule_end_time); ?> </span>- <?php+ <?php }- echo esc_attr($etn_schedule_room); + echo esc_attr($etn_schedule_room); ?> </div> <div class="schedule-slot-info">@@ -54,27 +55,27 @@ <div class="multi-speaker"> <?php $speaker_avatar = apply_filters("etn/speakers/avatar", \Wpeventin::assets_url() . 
"images/avatar.jpg");- if ( is_array( $etn_schedule_speaker ) && !empty($etn_schedule_speaker) ) {+ if (is_array($etn_schedule_speaker) && !empty($etn_schedule_speaker)) { foreach ($etn_schedule_speaker as $key => $value) { $etn_speaker_permalink = Helper::get_author_page_url_by_id($value);- $etn_speaker_image = get_user_meta( $value, 'image', true);- $speaker_title = get_the_author_meta( 'display_name', $value );- ?>+ $etn_speaker_image = get_user_meta($value, 'image', true);+ $speaker_title = get_the_author_meta('display_name', $value);+ ?> <div class="speaker-content"> - <a href='<?php echo esc_url($etn_speaker_permalink); ?>' target="_blank" rel="noopener" aria-label='<?php echo esc_attr($speaker_title);?>'>- <?php if($etn_speaker_image): ?>- <img src="<?php echo esc_url($etn_speaker_image); ?>" alt="<?php echo esc_attr($speaker_title);?>">+ <a href='<?php echo esc_url($etn_speaker_permalink); ?>' target="_blank" rel="noopener" aria-label='<?php echo esc_attr($speaker_title); ?>'>+ <?php if ($etn_speaker_image): ?>+ <img src="<?php echo esc_url($etn_speaker_image); ?>" alt="<?php echo esc_attr($speaker_title); ?>"> <?php else: ?>- <img src='<?php echo esc_url( $speaker_avatar);?>' class="schedule-slot-speakers" alt='<?php echo esc_attr($speaker_title);?>'>+ <img src='<?php echo esc_url($speaker_avatar); ?>' class="schedule-slot-speakers" alt='<?php echo esc_attr($speaker_title); ?>'> <?php endif; ?> </a> <p class="schedule-speaker <?php echo esc_attr("speaker-" . $key); ?>">- <?php echo esc_html( $speaker_title );?>+ <?php echo esc_html($speaker_title); ?> </p> </div>- <?php+ <?php } } ?>@@ -85,7 +86,7 @@ </div> <!-- Slot info end --> </div>- <?php+ <?php } } ?>@@ -96,7 +97,7 @@ <!-- container end--> </div> <!-- schedule tab end -->-<?php }else{ ?>+<?php } else { ?> <p class="etn-not-found-post"><?php echo esc_html__('No Schedule Found', 'eventin'); ?></p>- <?php-}\ No newline at end of file+<?php+}
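Review bot: the first hunk reindents `$schedule_topics = unserialize($schedule_meta['etn_schedule_topics'][0]);` and `$schedule_date = strtotime($schedule_meta['etn_schedule_date'][0]);` without touching their logic, but both index `[0]` on a `get_post_meta($schedule_data->ID)` result with no `isset()` guard, so a schedule missing either key emits a notice and feeds `null` into the date and topic handling. While the lines are being reformatted, guard the keys and call `unserialize($value, ['allowed_classes' => false])` so a stored string can never instantiate objects. `date_default_timezone_set('UTC')` on the following context line also changes process-wide state from inside a widget template; WordPress already runs with UTC as the default, so the call is redundant at best.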
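Review bot: in the slot-time hunk, `<?php echo esc_attr($etn_schedule_start_time); ?>` and `esc_attr($etn_schedule_end_time)` are echoed as text inside a `<span>`, and `echo esc_attr($etn_schedule_room);` writes into the `<div>` body; those are text-node contexts, for which `esc_html()` is the matching helper. `esc_attr()` encodes the same characters, so this is not a hole, but using the context-appropriate function makes later review easier. The rest of the hunk is whitespace only.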
I'll analyze this code diff for security vulnerabilities.
After reviewing the diff, this appears to be a **code formatting/style change only** with no security-related modifications. The changes are entirely whitespace and formatting adjustments (spacing around parentheses, line breaks, indentation consistency).
**Analysis Result:**
Vulnerability Existed: **no**
There are no security vulnerabilities introduced or fixed in this diff. The changes are purely cosmetic/style-related:
- Spacing around function calls and control structures
- Indentation consistency
- Line break formatting
- Parenthesis spacing
All the actual security-relevant functions remain unchanged:
- `esc_attr()` - still being used for output escaping
- `esc_url()` - still being used for URL escaping
- `esc_html()` - still being used for HTML escaping
- `get_post_meta()` - still being called the same way
- `unserialize()` - still present (though this could be a concern in general, it's not a change in this diff)
The `unserialize()` function on line 16 could potentially be a vulnerability if the data comes from untrusted sources, but since this diff doesn't modify that code, it's not a security fix being analyzed here.
**Conclusion:** This is a code style/formatting update with no security implications.
--- cache/wp-event-solution_4.0.51/widgets/schedule/style/schedule-1.php 2026-01-09 00:38:10.128553785 +0000+++ cache/wp-event-solution_4.0.52/widgets/schedule/style/schedule-1.php 2026-01-09 00:43:18.875397202 +0000@@ -27,7 +27,7 @@ $active_class = (($i == 0) ? 'etn-active' : ' '); ?> <li>- <a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr( $value->ID ) . "-" . $i; ?>'>+ <a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr( $value->ID ) . "-" . esc_attr($i); ?>'> <span class='etn-date'><?php echo esc_html($schedule_date); ?></span> <span class=etn-day><?php echo esc_html( get_the_title( $value->ID ) ); ?></span> </a>@@ -51,7 +51,7 @@ $active_class = (($j == 0) ? 'tab-active' : ' '); ?> <!-- start repeatable item -->- <div class='etn-tab <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($post->ID) . "-" . $j; ?>'>+ <div class='etn-tab <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($post->ID) . "-" . esc_attr($j); ?>'> <?php if( is_array( $schedule_topics ) && !empty( $schedule_topics )){ foreach ($schedule_topics as $topic) {
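Review bot: the tab-list hunk leaves `<span class=etn-day>` with an unquoted attribute value on a context line directly below the changed `<a>`; quote it (`class="etn-day"`) while the block is being edited. On the changed line, `esc_attr($i)` on a loop counter is harmless, but `(int) $i` or `absint($i)` states the intent (an integer suffix for `data-id`) more precisely than an HTML-attribute escaper applied to a number.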
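Review bot: the tab-panel hunk applies the same `esc_attr($j)` change to the `data-id` of the `<div class='etn-tab ...'>`; as with `$i` above, casting with `(int) $j` would make the contract explicit and keep the `tab<ID>-<index>` value in sync with the `data-id` emitted in the first hunk, which is what the tab JavaScript must match on.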
```
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - widgets/schedule/style/schedule-1.php [30]
Old Code:
<a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr( $value->ID ) . "-" . $i; ?>'>
Fixed Code:
<a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr( $value->ID ) . "-" . esc_attr($i); ?>'>
Explanation:
The variable $i is a loop counter that was being concatenated directly into the data-id attribute without sanitization. While $i is typically an integer controlled by the application, it was not explicitly escaped. The fix applies esc_attr() to $i, ensuring proper output escaping for HTML attributes. This prevents potential XSS vulnerabilities if the loop counter or related logic were ever modified to accept user-controlled input.
```
```
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - widgets/schedule/style/schedule-1.php [54]
Old Code:
<div class='etn-tab <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($post->ID) . "-" . $j; ?>'>
Fixed Code:
<div class='etn-tab <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($post->ID) . "-" . esc_attr($j); ?>'>
Explanation:
Similarly, the variable $j is a loop counter being concatenated into the data-id attribute without escaping. The fix applies esc_attr() to $j, ensuring proper output escaping for HTML attributes. This follows WordPress security best practices by sanitizing all dynamic content used in HTML attributes, preventing potential XSS attacks even though $j is internally controlled.
```
--- cache/wp-event-solution_4.0.51/widgets/schedule/style/schedule-2.php 2026-01-09 00:38:10.128553785 +0000+++ cache/wp-event-solution_4.0.52/widgets/schedule/style/schedule-2.php 2026-01-09 00:43:18.879397447 +0000@@ -27,7 +27,7 @@ $active_class = (($i == 0) ? 'etn-active' : ' '); ?> <li>- <a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr( $value->ID ) . "-" . $i; ?>'>+ <a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr( $value->ID ) . "-" . esc_attr($i); ?>'> <span class=etn-day><?php echo esc_html( get_the_title( $value->ID ) ); ?></span> <span class='etn-date'><?php echo esc_html($schedule_date); ?></span> </a>@@ -51,7 +51,7 @@ $active_class = (($j == 0) ? 'tab-active' : ' '); ?> <!-- start repeatable item -->- <div class='etn-tab <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($post->ID) . "-" . $j; ?>'>+ <div class='etn-tab <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($post->ID) . "-" . esc_attr($j); ?>'> <div class='etn-schedule-grid-container'> <?php if( is_array( $schedule_topics ) && !empty( $schedule_topics )){
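Review bot: as in schedule-1.php, the tab-list hunk leaves `<span class=etn-day>` unquoted on the context line just below the changed `<a>`; quote it while the block is open. `esc_attr($i)` on the loop counter is harmless; `(int) $i` or `absint($i)` would express the integer intent more directly.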
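Review bot: the tab-panel hunk mirrors the first change for `$j` in the `<div class='etn-tab ...'>` `data-id`; the same `(int)` cast suggestion applies, and the two `data-id` values must stay in lockstep since the tab switcher pairs them by string equality.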
```
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - widgets/schedule/style/schedule-2.php [Lines 30, 54]
Old Code:
Line 30: data-id='tab<?php echo esc_attr( $value->ID ) . "-" . $i; ?>'
Line 54: data-id='tab<?php echo esc_attr($post->ID) . "-" . $j; ?>'
Fixed Code:
Line 30: data-id='tab<?php echo esc_attr( $value->ID ) . "-" . esc_attr($i); ?>'
Line 54: data-id='tab<?php echo esc_attr($post->ID) . "-" . esc_attr($j); ?>'
Explanation:
The variables `$i` and `$j` are loop counter integers that were being concatenated directly into HTML attributes without proper escaping. While integers are inherently safe from XSS, the fix applies `esc_attr()` to these values for consistency and defensive programming. This ensures that if the variable types change in the future or if there's any unexpected data transformation, the output will still be properly escaped. The vulnerability was a potential risk due to incomplete output escaping of all user-influenced data within HTML attributes, even though the current context (loop counters) is low-risk.
```
--- cache/wp-event-solution_4.0.51/widgets/speakers/style/speaker-2.php 2026-01-09 00:38:10.132554028 +0000+++ cache/wp-event-solution_4.0.52/widgets/speakers/style/speaker-2.php 2026-01-09 00:43:18.891398181 +0000@@ -1,113 +1,111 @@ <?php -use \Etn\Utils\Helper as Helper;+ use \Etn\Utils\Helper as Helper; -// Ensure variables are defined with defaults-$speakers_to_show = isset($speakers_to_show) ? $speakers_to_show : 6;-$enable_pagination = isset($enable_pagination) ? $enable_pagination : 'no';--// Get current page number, default to 1 if not set-$current_page = !empty($speaker_paged) ? max(1, intval($speaker_paged)) : 1;--// Get speakers for current page-$data = Helper::user_data_query( - $speakers_to_show, - $etn_speaker_order, - $speakers_category, - $orderby, - $current_page-);+ // Ensure variables are defined with defaults+ $speakers_to_show = isset($speakers_to_show) ? $speakers_to_show : 6;+ $enable_pagination = isset($enable_pagination) ? $enable_pagination : 'no';++ // Get current page number, default to 1 if not set+ $current_page = ! empty($speaker_paged) ? max(1, intval($speaker_paged)) : 1;++ // Get speakers for current page+ $data = Helper::user_data_query(+ $speakers_to_show,+ $etn_speaker_order,+ $speakers_category,+ $orderby,+ $current_page+ ); -if ( !empty( $data ) ) { + if (! 
empty($data)) { ?> <div class='etn-row etn-speaker-wrapper'> <?php- foreach( $data as $value ) {- $etn_speaker_designation = get_user_meta( $value->data->ID , 'etn_speaker_designation', true);- $etn_speaker_image = get_user_meta( $value->data->ID, 'image', true);- $social = get_user_meta( $value->data->ID, 'etn_speaker_social', true);- $author_id = get_the_author_meta($value->data->ID);- ?>+ foreach ($data as $value) {+ $etn_speaker_designation = get_user_meta($value->data->ID, 'etn_speaker_designation', true);+ $etn_speaker_image = get_user_meta($value->data->ID, 'image', true);+ $social = get_user_meta($value->data->ID, 'etn_speaker_social', true);+ $author_id = get_the_author_meta($value->data->ID);+ ?> <div class="etn-col-lg-<?php echo esc_attr($etn_speaker_col); ?> etn-col-md-6"> <div class="etn-speaker-item"> <div class="etn-speaker-thumb">- <a href="<?php echo esc_url( get_the_permalink( $value->data->ID ) ); ?>" class="etn-img-link" aria-label="<?php echo esc_html($value->data->display_name); ?>">- <img src="<?php echo esc_url($etn_speaker_image); ?>" alt="">- </a>+ <a href="<?php echo esc_url(get_the_permalink($value->data->ID)); ?>" class="etn-img-link" aria-label="<?php echo esc_html($value->data->display_name); ?>">+ <img src="<?php echo esc_url($etn_speaker_image); ?>" alt="">+ </a> <div class="etn-speakers-social">- <?php - if (is_array($social) & !empty( $social )) { - ?>- <?php - foreach ($social as $social_value) { - if(!empty($social_value)){- ?>- <a href="<?php echo esc_url($social_value['etn_social_url']); ?>" title="<?php echo !empty($social_value['etn_social_title']) ? esc_attr($social_value['etn_social_title']) : ''; ?>">- <i class="etn-icon <?php echo esc_attr($social_value["icon"]); ?>"></i>+ <?php+ if (is_array($social) && ! empty($social)) {+ foreach ($social as $social_value) {+ if (! empty($social_value)) {+ ?>+ <a href="<?php echo esc_url($social_value['etn_social_url']); ?>" title="<?php echo ! 
empty($social_value['etn_social_title']) ? esc_attr($social_value['etn_social_title']) : ''; ?>">+ <i class="etn-icon <?php echo esc_attr($social_value["icon"]); ?>"></i> </a>- <?php - }- }- } - ?>+ <?php+ }+ }+ }+ ?> </div> </div> <div class="etn-speaker-content">- <h3 class="etn-title etn-speaker-title"><a href="<?php echo Helper::get_author_page_url_by_id($value->data->ID); ?>"> <?php echo esc_html($value->data->display_name); ?></a> </h3>+ <h3 class="etn-title etn-speaker-title"><a href="<?php echo Helper::get_author_page_url_by_id($value->data->ID); ?>"><?php echo esc_html($value->data->display_name); ?></a> </h3> <p> <?php echo Helper::kses($etn_speaker_designation); ?> </p> </div> </div> </div>- <?php- }- ?>+ <?php+ }+ ?> </div>- <?php -} else { +<?php+ } else { ?> <p class="etn-not-found-post"><?php echo esc_html__('No Post Found', 'eventin'); ?></p> <?php-}-?>+ }+ ?> <?php-// Add pagination if enabled-if ($enable_pagination === 'yes' && !empty($data)) {- // Get the total number of speakers- $total_speakers = count(get_users([- 'role__in' => ['etn-speaker', 'etn-organizer'],- 'fields' => 'ID',- 'count_total' => true- ]));- - // Get posts per page setting or use default 6- $posts_per_page = !empty($speakers_to_show) ? intval($speakers_to_show) : 6;- - // Calculate total pages- $total_pages = ceil($total_speakers / $posts_per_page);- - // Only show pagination if there are multiple pages- if ($total_pages > 1) {- // Get current URL and remove existing pagination parameter- $current_url = remove_query_arg('speaker_paged');- - // Include the pagination template- $args = [- 'paged' => max(1, intval($speaker_paged)),- 'total_pages' => $total_pages,- 'prev_text' => esc_html__('Previous', 'eventin'),- 'next_text' => esc_html__('Next', 'eventin'),- 'base_class' => 'etn',- 'current_class' => 'etn-pagination-current',- 'param' => 'speaker_paged',- ];- - // Include the template- include \Wpeventin::plugin_dir() . 
'templates/parts/pagination.php';+ // Add pagination if enabled+ if ($enable_pagination === 'yes' && ! empty($data)) {+ // Get the total number of speakers+ $total_speakers = count(get_users([+ 'role__in' => ['etn-speaker', 'etn-organizer'],+ 'fields' => 'ID',+ 'count_total' => true,+ ]));++ // Get posts per page setting or use default 6+ $posts_per_page = ! empty($speakers_to_show) ? intval($speakers_to_show) : 6;++ // Calculate total pages+ $total_pages = ceil($total_speakers / $posts_per_page);++ // Only show pagination if there are multiple pages+ if ($total_pages > 1) {+ // Get current URL and remove existing pagination parameter+ $current_url = remove_query_arg('speaker_paged');++ // Include the pagination template+ $args = [+ 'paged' => max(1, intval($speaker_paged)),+ 'total_pages' => $total_pages,+ 'prev_text' => esc_html__('Previous', 'eventin'),+ 'next_text' => esc_html__('Next', 'eventin'),+ 'base_class' => 'etn',+ 'current_class' => 'etn-pagination-current',+ 'param' => 'speaker_paged',+ ];++ // Include the template+ include \Wpeventin::plugin_dir() . 'templates/parts/pagination.php';+ }++ wp_reset_postdata(); }- - wp_reset_postdata();-}-?>\ No newline at end of file+?>
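Review bot: the `<h3 class="etn-title etn-speaker-title">` link echoes `Helper::get_author_page_url_by_id($value->data->ID)` straight into `href` with no `esc_url()`, on a line this reindent only trims whitespace from, while the thumbnail link a few lines above wraps its URL in `esc_url()`; wrap this one the same way. In the same block, `aria-label="<?php echo esc_html($value->data->display_name); ?>"` uses `esc_html()` inside an attribute where `esc_attr()` is the matching helper. The `&` to `&&` change in `if (is_array($social) && ! empty($social))` is correct: with `&` both operands were always evaluated and combined bitwise. Two further points in the pagination section: `$total_speakers` counts every user in `role__in => ['etn-speaker', 'etn-organizer']` while the page query also filters by `$speakers_category`, so `$total_pages` can overstate the real page count whenever a category is selected; and `$current_url = remove_query_arg('speaker_paged');` is assigned but not passed into `$args`, so it is dead unless the included template reads it from scope.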
I'll analyze this diff for security vulnerabilities.
```
Vulnerability Existed: no
Bitwise AND operator used instead of logical AND - CWE-480 - widgets/speakers/style/speaker-2.php - Line 42
[Old Code]
if (is_array($social) & !empty( $social )) {
[Fixed Code]
if (is_array($social) && ! empty($social)) {
Explanation:
The old code used the bitwise AND operator (&) instead of the logical AND operator (&&). While this is primarily a logic bug rather than a security vulnerability, it could potentially cause unexpected behavior. The fix corrects this to use the proper logical AND operator (&&), which is the intended behavior for this conditional check. This is not a security vulnerability per se, but rather a code quality issue that has been corrected.
```
**Summary:**
The diff primarily contains **code formatting and style improvements** (indentation, spacing, alignment) with one **logic correction**. The bitwise AND operator (&) was replaced with the logical AND operator (&&) on line 42, which is a best practice correction rather than a security vulnerability fix.
**No security vulnerabilities were found** in this diff. The changes are focused on code quality and maintainability through:
- Proper indentation and spacing
- Correcting logical operators
- Improving code readability
- Keeping the escaping functions that were already present (esc_url, esc_html, esc_attr)
--- cache/wp-event-solution_4.0.51/widgets/speakers/style/speaker-3.php 2026-01-09 00:38:10.132554028 +0000+++ cache/wp-event-solution_4.0.52/widgets/speakers/style/speaker-3.php 2026-01-09 00:43:18.903398916 +0000@@ -1,21 +1,23 @@ <?php+ use \Etn\Utils\Helper as Helper;-$data = Helper::user_data_query( $etn_speaker_count, $etn_speaker_order, $speakers_category, $orderby ); -if ( !empty( $data ) ) { - ?>+$data = Helper::user_data_query($etn_speaker_count, $etn_speaker_order, $speakers_category, $orderby);++if (!empty($data)) {+?> <div class='etn-row etn-speaker-wrapper'> <?php- foreach( $data as $value ) {- $etn_speaker_designation = get_user_meta( $value->data->ID , 'etn_speaker_designation', true);- $etn_speaker_image = get_user_meta( $value->data->ID, 'image', true);- $social = get_user_meta( $value->data->ID, 'etn_speaker_social', true);+ foreach ($data as $value) {+ $etn_speaker_designation = get_user_meta($value->data->ID, 'etn_speaker_designation', true);+ $etn_speaker_image = get_user_meta($value->data->ID, 'image', true);+ $social = get_user_meta($value->data->ID, 'etn_speaker_social', true); $author_id = get_the_author_meta($value->data->ID);- ?>+ ?> <div class="etn-col-lg-<?php echo esc_attr($etn_speaker_col); ?> etn-col-md-6"> <div class="etn-speaker-item style-3"> <div class="etn-speaker-thumb">- <a href="<?php echo esc_url( get_the_permalink( $value->data->ID ) ); ?>" class="etn-img-link" aria-label="<?php echo esc_html($value->data->display_name); ?>">+ <a href="<?php echo esc_url(get_the_permalink($value->data->ID)); ?>" class="etn-img-link" aria-label="<?php echo esc_html($value->data->display_name); ?>"> <img src="<?php echo esc_url($etn_speaker_image); ?>" alt=""> </a> </div>@@ -28,15 +30,15 @@ </p> <div class="etn-speakers-social"> <?php- if (is_array($social) & !empty( $social )) {- ?>+ if (is_array($social) & !empty($social)) {+ ?> <?php if(!empty($social_value)){ ?> <a href="<?php echo esc_url($social_value['etn_social_url']); ?>" 
title="<?php echo !empty($social_value['etn_social_title']) ? esc_attr($social_value['etn_social_title']) : ''; ?>"> <i class="etn-icon <?php echo esc_attr($social_value["icon"]); ?>"></i> </a>- <?php + <?php } } ?>@@ -44,13 +46,13 @@ </div> </div> </div>- <?php+ <?php } ?> </div>- <?php -} else { - ?>+<?php+} else {+?> <p class="etn-not-found-post"><?php echo esc_html__('No Post Found', 'eventin'); ?></p>- <?php-}\ No newline at end of file+<?php+}
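Review bot: in the first hunk, `$author_id = get_the_author_meta($value->data->ID);` passes a user ID where the function expects a field name (the signature is `get_the_author_meta( $field, $user_id )`), so `$author_id` comes back empty, and `get_the_permalink($value->data->ID)` hands a user ID to a function that takes a post ID; since the reformat rewrites these lines anyway, confirm what the speaker link should resolve to (for a user, `get_author_posts_url( $value->data->ID )`). On the same lines, `aria-label="<?php echo esc_html($value->data->display_name); ?>"` is an attribute context, where the context-correct escaper is `esc_attr()`.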
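Review bot: the second hunk reformats `if (is_array($social) & !empty($social)) {` but keeps the single `&` (bitwise AND). With two boolean operands it yields an int 0 or 1, so the branch behaves the same here, but it does not short-circuit and reads as a typo; suggest `if ( is_array( $social ) && ! empty( $social ) ) {` so the intent is explicit. The `foreach` that defines `$social_value` lies outside the visible context, so the inner `if(!empty($social_value))` cannot be checked from this hunk.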
Vulnerability Existed: not sure
Logical Operator Error (Bitwise AND instead of Logical AND) - CWE-480 - widgets/speakers/style/speaker-3.php - Line 33
[Old Code]
```php
if (is_array($social) & !empty( $social )) {
```
[Fixed Code]
```php
if (is_array($social) & !empty($social)) {
```
Explanation:
The diff does not change the operator: both the old and the fixed version use `&` (bitwise AND), and the only change on this line is the spacing around `!empty()`. The condition should use `&&` (logical AND). The bitwise operator combines the two boolean operands as integers instead of short-circuit evaluating them, which can lead to unexpected behaviour. Because the diff leaves the operator in place, the issue persists in the fixed version, hence "not sure" whether anything was actually fixed.
Additional Details:
- The primary changes in this diff are formatting/code style improvements (spacing, indentation)
- No obvious security vulnerabilities are being introduced or fixed
- The bitwise AND operator (`&`) on line 33 should likely be a logical AND operator (`&&`) for proper conditional logic, but this issue persists in both versions
--- cache/wp-event-solution_4.0.51/widgets/upcoming-event-tab/style/tab-1.php 2026-01-09 00:38:10.132554028 +0000+++ cache/wp-event-solution_4.0.52/widgets/upcoming-event-tab/style/tab-1.php 2026-01-09 00:43:18.911399405 +0000@@ -14,7 +14,7 @@ $active_class = ($i===1) ? 'etn-active' : ''; ?> <li>- <a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($widget_id) . "-" . $i; ?>'>+ <a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($widget_id) . "-" . esc_attr($i); ?>'> <?php echo esc_html($cat_id['tab_title']); ?>@@ -37,7 +37,7 @@ $active_class = (($j == 1) ? 'tab-active' : ''); ?>- <div class="etn-tab <?php echo esc_attr($active_class); ?>" data-id='tab<?php echo esc_attr($widget_id) . "-" . $j; ?>'>+ <div class="etn-tab <?php echo esc_attr($active_class); ?>" data-id='tab<?php echo esc_attr($widget_id) . "-" . esc_attr($j); ?>'> <?php $event_cat = $event_cats['etn_event_cat']; $event_tag = $event_cats["etn_event_tag"];
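Review bot: wrapping the loop counters `$i` and `$j` in `esc_attr()` in both hunks is harmless but changes nothing security-wise: they are integers the template increments itself, and `$widget_id` was already escaped on these lines. If the aim is consistency with output-escaping rules, escaping the assembled value once, `esc_attr( $widget_id . '-' . $i )`, reads more clearly than escaping the pieces separately; `esc_attr()` encodes both quote types, so the single-quoted attribute delimiter used here is safe either way.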
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - widgets/upcoming-event-tab/style/tab-1.php [17, 40]
Old Code:
Line 17: data-id='tab<?php echo esc_attr($widget_id) . "-" . $i; ?>'
Line 40: data-id='tab<?php echo esc_attr($widget_id) . "-" . $j; ?>'
Fixed Code:
Line 17: data-id='tab<?php echo esc_attr($widget_id) . "-" . esc_attr($i); ?>'
Line 40: data-id='tab<?php echo esc_attr($widget_id) . "-" . esc_attr($j); ?>'
Explanation:
The vulnerability existed in both locations where loop counter variables ($i and $j) were being concatenated into HTML attributes without proper escaping. While loop counters are typically integers and low-risk, they were not explicitly escaped with esc_attr(). The fix applies esc_attr() to both $i and $j variables, ensuring all user-controlled or dynamically generated content in HTML attributes is properly escaped to prevent potential XSS attacks. This follows WordPress security best practices of escaping all dynamic content at the point of output, regardless of perceived risk level. The fix is conservative and correct: it ensures that any value interpolated into an HTML attribute is properly neutralized.