Analysis Report · Folder Analysis cache/wp-event-solution_4.0.51 → cache/wp-event-solution_4.0.52 — CVE-2025-14657

Shared security patch analysis results

Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.

CVE-2025-14657 NVD
base/Enqueue/register.php · AI: 1 vulnerability, 1 false positive · CVE-2025-14657
--- cache/wp-event-solution_4.0.51/base/Enqueue/register.php	2026-01-09 00:38:09.556518971 +0000+++ cache/wp-event-solution_4.0.52/base/Enqueue/register.php	2026-01-09 00:43:13.323057564 +0000@@ -225,14 +225,21 @@ 		$primary_color   = '#5D78FF'; 		$secondary_color = ''; -		// cart bg color.+		// SECURITY: Sanitize color values to prevent XSS 		if ( ! empty( $settings['etn_primary_color'] ) ) {-			$primary_color = $settings['etn_primary_color'];+			$primary_color = sanitize_hex_color( $settings['etn_primary_color'] );+			// Fallback to default if sanitization fails+			if ( empty( $primary_color ) ) {+				$primary_color = '#5D78FF';+			} 		} -		// cart icon color. 		if ( ! empty( $settings['etn_secondary_color'] ) ) {-			$secondary_color = $settings['etn_secondary_color'];+			$secondary_color = sanitize_hex_color( $settings['etn_secondary_color'] );+			// Fallback to empty if sanitization fails+			if ( empty( $secondary_color ) && ! empty( $settings['etn_secondary_color'] ) ) {+				$secondary_color = '';+			} 		}  		$etn_custom_css .= "
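Review bot: the secondary-colour fallback added at the end of the hunk is dead code. `sanitize_hex_color()` returns `''` or `null` whenever the value is not a `#`-prefixed 3- or 6-digit hex string, so by the time `if ( empty( $secondary_color ) && ! empty( $settings['etn_secondary_color'] ) )` runs, `$secondary_color` is already empty and the second clause is always true inside the enclosing `if`; assigning `''` changes nothing. Either drop the inner block or, if a visible default is wanted, mirror the primary branch and assign a literal colour. Two follow-ups: any saved values in other notations (`rgb()`, 8-digit hex with alpha) will now silently fall back to the default, which deserves a changelog line, and the hunk does not show how `$etn_custom_css` is emitted, so the output side should be checked in the same review rather than relying on source-side validation alone. Also confirm the plugin's minimum supported WordPress version defines `sanitize_hex_color()` on front-end requests, since this code runs outside the Customizer.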
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - base/Enqueue/register.php - Lines 229, 236

Old Code:
```php
if ( ! empty( $settings['etn_primary_color'] ) ) {
    $primary_color = $settings['etn_primary_color'];
}

if ( ! empty( $settings['etn_secondary_color'] ) ) {
    $secondary_color = $settings['etn_secondary_color'];
}
```

Fixed Code:
```php
if ( ! empty( $settings['etn_primary_color'] ) ) {
    $primary_color = sanitize_hex_color( $settings['etn_primary_color'] );
    // Fallback to default if sanitization fails
    if ( empty( $primary_color ) ) {
        $primary_color = '#5D78FF';
    }
}

if ( ! empty( $settings['etn_secondary_color'] ) ) {
    $secondary_color = sanitize_hex_color( $settings['etn_secondary_color'] );
    // Fallback to empty if sanitization fails
    if ( empty( $secondary_color ) && ! empty( $settings['etn_secondary_color'] ) ) {
        $secondary_color = '';
    }
}
```

Explanation:
The original code directly assigned user-controlled color settings ($settings['etn_primary_color'] and $settings['etn_secondary_color']) to variables that are later used in CSS generation without any validation or sanitization. This creates a Stored/Reflected XSS vulnerability - an attacker could inject malicious JavaScript code through color input fields, which would then be rendered in CSS and potentially execute in users' browsers. The fix properly uses WordPress's sanitize_hex_color() function to validate that values are legitimate hexadecimal color codes, with fallback values ensuring the CSS remains functional even if sanitization fails. This prevents injection of arbitrary code through the color input fields.
CVE Analysis Results:
CVE-2025-14657: Yes
CVE Description:
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
core/Blocks/BlockTypes/EventAttendee.php · AI: 1 vulnerability, 1 true positive · CVE-2025-14657
--- /dev/null+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventAttendee.php@@ -0,0 +1,91 @@+<?php+    namespace Eventin\Blocks\BlockTypes;++    use Etn\Core\Event\Event_Model;+    use Eventin\Blocks\BlockTypes\AbstractBlock;+    use Wpeventin;++    /**+     * Event Attendee Gutenberg block+     */+    class EventAttendee extends AbstractBlock+    {+        /**+         * Block namespace.+         *+         * @var string+         */+        protected $namespace = 'eventin-pro';++        /**+         * Block name.+         *+         * @var string+         */+        protected $block_name = 'event-attendee';++        /**+         * Include and render the block+         *+         * @param   array  $attributes  Block attributes. Default empty array+         * @param   string  $content     Block content. Default empty string+         * @param   WP_Block  $block       Block instance+         *+         * @return  string Rendered block type output+         */+        protected function render($attributes, $content, $block)+        {+            $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';+            $items_per_row   = ! empty($attributes['itemsPerRow']) ? intval($attributes['itemsPerRow']) : 3;+            $styles          = ! empty($attributes['styles']) ? $attributes['styles'] : [];++            if ($this->is_editor()) {+                $event_id = ! empty($attributes['eventId']) ? 
intval($attributes['eventId']) : 0;++                if ($event_id == 0) {+                    $template = new \Eventin\Template\TemplateModel(get_the_ID());+                    $event_id = $template->get_preview_event_id();+                }+            } else if ('etn-template' == get_post_type(get_the_ID())) {+                $template = new \Eventin\Template\TemplateModel(get_the_ID());+                $event_id = $template->get_preview_event_id();+            } else {+                $event_id = get_the_ID();+            }++            $event           = new Event_Model($event_id);+            $event_attendees = $event->get_attendees();++            $attendee_page_url = get_post_meta($event_id, 'attende_page_link', true);+            ob_start();+        ?>+        <?php+            // Generate CSS with !important for attendee block to override SCSS+                    $frontend_css = $this->generate_frontend_css($styles, $container_class);+                    if (! empty($frontend_css)) {+                        // Add !important to common properties that need to override SCSS+                        $important_properties = ['width', 'height', 'font-size', 'color', 'font-weight', 'line-height', 'margin', 'padding', 'border-radius'];+                        foreach ($important_properties as $prop) {+                            $frontend_css = preg_replace(+                                "/({$prop}):\s*([^;!]+?)(?!\s*!important)\s*;/im",+                                "$1: $2 !important;",+                                $frontend_css+                            );+                        }+                        +                        // Ensure img always uses 100% width/height to fill container, overriding any saved styles+                        $avatar_img_selector = ".{$container_class} .etn-attendee-item .etn-attendee-avatar img";+                        $frontend_css .= "\n{$avatar_img_selector} {\n";+                        $frontend_css .= "  
width: 100% !important;\n";+                        $frontend_css .= "  height: 100% !important;\n";+                        $frontend_css .= "}\n";+                        +                        echo '<style>' . $frontend_css . '</style>';+                    }+                ?>+        <?php+            $items_per_row = $items_per_row; // Make available to template+                    require_once Wpeventin::templates_dir() . 'event/parts/event-attendee.php';+                    return ob_get_clean();+                }+        }
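Review bot: `$container_class` (read from `$attributes['containerClassName']`) is interpolated raw into `$avatar_img_selector` and then echoed inside `<style>`, with no `esc_attr()` or `sanitize_html_class()`, even though the other block files in this same patch wrap the class in `esc_attr()` before it reaches the CSS. Validate it once at the top of `render()` (for example with `sanitize_html_class()`, or by rejecting anything that does not look like a class name) so that both `generate_frontend_css()` and the selector string receive a safe value; `generate_frontend_css()` itself is not in this diff, so its handling of `$styles` cannot be reviewed here. Two smaller points: the `!important` rewrite `"/({$prop}):\s*([^;!]+?)(?!\s*!important)\s*;/im"` is not anchored at the property start, so `color:` also matches inside `background-color:` and `width:` inside `max-width:`, and unrelated properties get `!important` as a side effect (a `(?<![\w-])` before the group fixes that, and the negative lookahead is redundant because `[^;!]` already excludes `!`); and `$items_per_row = $items_per_row;` is a self-assignment, the template sees the local through `require_once` anyway.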
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/EventAttendee.php - Lines 75-82

[Old Code]
```php
$avatar_img_selector = ".{$container_class} .etn-attendee-item .etn-attendee-avatar img";
$frontend_css .= "\n{$avatar_img_selector} {\n";
$frontend_css .= "  width: 100% !important;\n";
$frontend_css .= "  height: 100% !important;\n";
$frontend_css .= "}\n";

echo '<style>' . $frontend_css . '</style>';
```

[Fixed Code]
(No fix present in this diff - this is a new file)

Explanation:
The `$container_class` variable is directly interpolated into a CSS selector without sanitization or escaping. This variable comes from block attributes (`$attributes['containerClassName']`) which are user-controlled. An attacker could inject malicious CSS or break out of the style tag by providing a specially crafted `containerClassName` value. For example, `containerClassName: "test</style><script>alert('xss')</script><style>"` would execute arbitrary JavaScript. The variable should be sanitized using `sanitize_html_class()` before being used in the CSS selector.

---

Vulnerability Existed: not sure
Unvalidated Output - CWE-94 - core/Blocks/BlockTypes/EventAttendee.php - Line 83

[Old Code]
```php
echo '<style>' . $frontend_css . '</style>';
```

[Fixed Code]
(No fix present in this diff - this is a new file)

Explanation:
While `preg_replace()` is used to manipulate the CSS string, the source of `$frontend_css` comes from `$this->generate_frontend_css($styles, $container_class)`, which is not shown in this diff. Without seeing the implementation of `generate_frontend_css()`, it's uncertain whether the styles parameter is properly validated/escaped. If the styles come from unsanitized user input (from block attributes), this could allow CSS injection. The output should ideally be passed through `wp_kses_post()` or similar sanitization before echoing if it contains user-controlled content.
CVE Analysis Results:
CVE-2025-14657: Yes
core/Blocks/BlockTypes/EventCountDownTimer.php · AI: 1 vulnerability, 1 true positive · CVE-2025-14657
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventCountDownTimer.php	2026-01-09 00:38:09.776532361 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventCountDownTimer.php	2026-01-09 00:43:15.995221018 +0000@@ -74,7 +74,7 @@          ob_start();         ?>-        <?php echo $this->render_frontend_css( $styles, $container_class ); ?>+        <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>         <?php         require_once Wpeventin::templates_dir() . 'event/parts/event-count-down-timer.php';         ?>
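Review bot: `esc_attr( $container_class )` closes the `<`, `>` and quote route out of the style block, but it encodes rather than validates. A class name is an identifier, and `render_frontend_css()` (not in this diff) presumably builds a CSS selector from it, a context where HTML entities are the wrong vocabulary and characters such as `{`, `}`, `;` and `(` still pass through untouched. `sanitize_html_class()` at the point where `$container_class` is read from `$attributes['containerClassName']` would cover both the selector and any `class=""` attribute with one call. If escaping at output is kept instead, it belongs inside `render_frontend_css()` so that callers cannot forget it, which is exactly what happened in the new EventAttendee.php in this same patch.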
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/EventCountDownTimer.php - Line 77

Old Code:
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```

Fixed Code:
```php
<?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
```

Explanation:
The vulnerability was a reflected Cross-Site Scripting (XSS) flaw. The `$container_class` variable was being passed directly to the `render_frontend_css()` method without proper sanitization or escaping. If `$container_class` contains user-controlled input that wasn't properly validated upstream, an attacker could inject malicious JavaScript code that would execute in the context of the page. The fix applies `esc_attr()`, a WordPress escaping function designed to safely escape data for use within HTML attributes, preventing XSS attacks by converting special characters to their HTML entity equivalents.
CVE Analysis Results:
CVE-2025-14657: Yes
core/Blocks/BlockTypes/EventDescription.php · AI: No vulnerabilities · CVE-2025-14657
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventDescription.php	2026-01-09 00:38:09.776532361 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventDescription.php	2026-01-09 00:43:16.007221752 +0000@@ -1,66 +1,67 @@ <?php-namespace Eventin\Blocks\BlockTypes;+    namespace Eventin\Blocks\BlockTypes; -use Etn\Core\Event\Event_Model;-use Eventin\Blocks\BlockTypes\AbstractBlock;-use Wpeventin;--/**- * Event Description Gutenberg block- */-class EventDescription extends AbstractBlock {-    /**-     * Namespace for the block-     * -     * @var string-     */-    protected $namespace = 'eventin-pro';--    /**-     * Block name.-     *-     * @var string-     */-    protected $block_name = 'event-description';+    use Etn\Core\Event\Event_Model;+    use Eventin\Blocks\BlockTypes\AbstractBlock;+    use Wpeventin;      /**-     * Include and render the block-     *-     * @param   array  $attributes  Block attributes. Default empty array-     * @param   string  $content     Block content. Default empty string-     * @param   WP_Block  $block       Block instance-     *-     * @return  string Rendered block type output+     * Event Description Gutenberg block      */-    protected function render( $attributes, $content, $block ) {-        $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';-        $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];--        if ( $this->is_editor() ) {-            $event_id = ! empty( $attributes['eventId'] ) ? 
intval( $attributes['eventId'] ) : 0;--            if ( $event_id == 0 ) {-                $template = new \Eventin\Template\TemplateModel( get_the_ID() );+    class EventDescription extends AbstractBlock+    {+        /**+         * Namespace for the block+         *+         * @var string+         */+        protected $namespace = 'eventin-pro';++        /**+         * Block name.+         *+         * @var string+         */+        protected $block_name = 'event-description';++        /**+         * Include and render the block+         *+         * @param   array  $attributes  Block attributes. Default empty array+         * @param   string  $content     Block content. Default empty string+         * @param   WP_Block  $block       Block instance+         *+         * @return  string Rendered block type output+         */+        protected function render($attributes, $content, $block)+        {+            $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';+            $styles          = ! empty($attributes['styles']) ? $attributes['styles'] : [];++            if ($this->is_editor()) {+                $event_id = ! empty($attributes['eventId']) ? 
intval($attributes['eventId']) : 0;++                if ($event_id == 0) {+                    $template = new \Eventin\Template\TemplateModel(get_the_ID());+                    $event_id = $template->get_preview_event_id();+                }+            } else if ('etn-template' == get_post_type(get_the_ID())) {+                $template = new \Eventin\Template\TemplateModel(get_the_ID());                 $event_id = $template->get_preview_event_id();+            } else {+                $event_id = get_the_ID();             }-        } else if ( 'etn-template' == get_post_type( get_the_ID() ) ) {-            $template = new \Eventin\Template\TemplateModel( get_the_ID() );-            $event_id = $template->get_preview_event_id();-        } else {-            $event_id = get_the_ID();-        } -        $event = new Event_Model( $event_id );+            $event = new Event_Model($event_id); -        ob_start();+            ob_start();         ?>-        <?php echo $this->render_frontend_css( $styles, $container_class ); ?>+        <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>         <?php-        require_once Wpeventin::templates_dir() . 'event/parts/event-description.php';-        ?>+            require Wpeventin::templates_dir() . 'event/parts/event-description.php';+                ?>          <?php-        return ob_get_clean();-    }-}-+            return ob_get_clean();+                }+            }
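Review bot: the only behavioural changes in this 66-line hunk are `esc_attr( $container_class )` on the `render_frontend_css()` call and `require_once` becoming `require` (which lets the template be included again when the block appears more than once on a page); everything else is a re-indentation of the namespace, `use` statements, docblocks and class body. Shipping formatting and a security fix in one hunk makes the fix hard to audit and hides regressions, so please split them, and note the closing braces at the end of the hunk (`+                }` / `+            }`) no longer line up with the constructs they close. On the fix itself, the same remark as for the sibling blocks applies: `esc_attr()` encodes for an HTML attribute, while a class name that ends up in a CSS selector is better validated with `sanitize_html_class()` where `$attributes['containerClassName']` is read.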
AI Analysis
Based on my analysis of the provided code diff for `core/Blocks/BlockTypes/EventDescription.php`, here are the security findings:

---

**Vulnerability 1:**

Vulnerability Existed: **yes**

**Cross-Site Scripting (XSS) - CWE-79** - EventDescription.php - Line 52

**Old Code:**
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```

**Fixed Code:**
```php
<?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
```

**Explanation:**
The `$container_class` variable is derived from user-supplied block attributes (`$attributes['containerClassName']`) without sanitization. By directly echoing it within an HTML context without escaping, an attacker could inject malicious JavaScript code through the block attributes. The fix applies `esc_attr()` to properly escape the value for safe use in HTML attributes, preventing XSS attacks.

---

**Vulnerability 2:**

Vulnerability Existed: **no**

**Potential Code Injection via file inclusion - CWE-98** - EventDescription.php - Lines 61-62

**Old Code:**
```php
require_once Wpeventin::templates_dir() . 'event/parts/event-description.php';
```

**Fixed Code:**
```php
require Wpeventin::templates_dir() . 'event/parts/event-description.php';
```

**Explanation:**
While the change from `require_once` to `require` appears minor, this is not a security fix. The included path is constructed from a controlled internal constant (`Wpeventin::templates_dir()`) with a hardcoded filename, so there is no injection risk. The change is a code style/refactoring decision, not a security mitigation.
CVE Analysis Results:
CVE-2025-14657: Yes
core/Blocks/BlockTypes/EventSocial.php · AI: 2 vulnerabilities, 2 true positives · CVE-2025-14657
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/EventSocial.php	2026-01-09 00:38:09.780532605 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/EventSocial.php	2026-01-09 00:43:16.131229338 +0000@@ -1,53 +1,61 @@ <?php-namespace Eventin\Blocks\BlockTypes;+    namespace Eventin\Blocks\BlockTypes; -use Etn\Core\Event\Event_Model;-use Eventin\Blocks\BlockTypes\AbstractBlock;-use Wpeventin;--/**- * Event Social Gutenberg block- */-class EventSocial extends AbstractBlock {-    /**-     * Block name.-     *-     * @var string-     */-    protected $block_name = 'event-social';+    use Etn\Core\Event\Event_Model;+    use Eventin\Blocks\BlockTypes\AbstractBlock;+    use Wpeventin;      /**-     * Include and render the block-     *-     * @param   array  $attributes  Block attributes. Default empty array-     * @param   string  $content     Block content. Default empty string-     * @param   WP_Block  $block       Block instance-     *-     * @return  string Rendered block type output+     * Event Social Gutenberg block      */-    protected function render( $attributes, $content, $block ) {-        $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';-        $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];--        if ( $this->is_editor() ) {-            $event_id = ! empty( $attributes['eventId'] ) ? intval( $attributes['eventId'] ) : 0;-        } else {-            $event_id = get_the_ID();-        }+    class EventSocial extends AbstractBlock+    {+        /**+         * Block name.+         *+         * @var string+         */+        protected $block_name = 'event-social';++        /**+         * Include and render the block+         *+         * @param   array  $attributes  Block attributes. Default empty array+         * @param   string  $content     Block content. 
Default empty string+         * @param   WP_Block  $block       Block instance+         *+         * @return  string Rendered block type output+         */+        protected function render($attributes, $content, $block)+        {+            $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';+            $styles          = ! empty($attributes['styles']) ? $attributes['styles'] : [];+            $style_variant   = ! empty($attributes['styleVariant']) ? sanitize_key($attributes['styleVariant']) : 'style-1';++            $allowed_variants = ['style-1'];+            if (! in_array($style_variant, $allowed_variants, true)) {+                $style_variant = 'style-1';+            }++            if ($this->is_editor()) {+                $event_id = ! empty($attributes['eventId']) ? intval($attributes['eventId']) : 0;+            } else {+                $event_id = get_the_ID();+            } -        $event = new Event_Model( $event_id );+            $event = new Event_Model($event_id); -        $event_socials = $event->get_social();+            $event_socials = $event->get_social(); -        ob_start();+            ob_start();         ?>-        <?php echo $this->render_frontend_css( $styles, $container_class ); ?>+        <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>         <?php-        require_once Wpeventin::templates_dir() . 'event/parts/event-social.php';-        ?>+            $style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-social/' . $style_variant . '.php';+                    require $style_template;+                ?>          <?php-        return ob_get_clean();-    }-}-+            return ob_get_clean();+                }+            }
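Review bot: the `$style_variant` handling has the right shape: `sanitize_key()` followed by `in_array( $style_variant, $allowed_variants, true )` with a hard fallback, so the attribute can only ever select a name from the allowlist and the `require $style_template` path is effectively constant. Two remarks. With `$allowed_variants = ['style-1']` the attribute currently has no effect, so either this is scaffolding for further variants (say so in a comment) or the path could stay a literal. When variants are added, keep the allowlist as the single source of truth rather than relaxing to a pattern check, because it is the allowlist, not `sanitize_key()`, that makes the concatenation safe (`sanitize_key()` still permits letters, digits, `-` and `_`, which is enough to name any sibling file in that directory). As in the other block files, `esc_attr()` on `$container_class` encodes for HTML; validating the class name with `sanitize_html_class()` where it is read from `$attributes['containerClassName']` would be the tighter fix.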
AI Analysis
---

**Vulnerability 1:**

Vulnerability Existed: yes
TRUE POSITIVE

Path Traversal / Local File Inclusion (LFI) - CWE-22 - EventSocial.php - Lines 54-55

**Old Code:**
```php
require_once Wpeventin::templates_dir() . 'event/parts/event-social.php';
```

**Fixed Code:**
```php
$style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-social/' . $style_variant . '.php';
require $style_template;
```

**Explanation:**
The old code had a critical path traversal vulnerability where `$style_variant` was directly concatenated into a file path without proper validation. Although `sanitize_key()` was applied to `$style_variant` on line 33 in the fixed version, the original code did not have this sanitization step. In the fixed code, the vulnerability is mitigated by: (1) applying `sanitize_key()` to user input, (2) creating a whitelist of allowed variants, and (3) resetting to a safe default if the value is not in the allowlist. This prevents an attacker from using directory traversal sequences like `../` to include arbitrary files.

---

**Vulnerability 2:**

Vulnerability Existed: yes
TRUE POSITIVE

Cross-Site Scripting (XSS) - CWE-79 - EventSocial.php - Line 44/52

**Old Code:**
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```

**Fixed Code:**
```php
<?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
```

**Explanation:**
The `$container_class` variable was passed to `render_frontend_css()` without escaping. Since it derives from user-controlled block attributes (`$attributes['containerClassName']`), it could contain malicious HTML/JavaScript. The fix applies `esc_attr()` to properly escape the value for HTML attribute context, preventing XSS injection.
CVE Analysis Results:
CVE-2025-14657: Yes
core/Blocks/BlockTypes/RecurringEvent.php · AI: 1 vulnerability, 1 true positive · CVE-2025-14657
--- cache/wp-event-solution_4.0.51/core/Blocks/BlockTypes/RecurringEvent.php	2026-01-09 00:38:09.784532848 +0000+++ cache/wp-event-solution_4.0.52/core/Blocks/BlockTypes/RecurringEvent.php	2026-01-09 00:43:16.155230806 +0000@@ -42,9 +42,9 @@          ob_start(); -        +         ?>-        <?php echo $this->render_frontend_css( $styles, $container_class ); ?>+        <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>         <?php         require_once Wpeventin::templates_dir() . 'event/parts/recurring-event.php';         ?>
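Review bot: same pattern as the other block files in this patch, `esc_attr()` applied at the call site of `render_frontend_css()`. Four callers now carry the identical wrapper and the new EventAttendee.php does not, which is the usual failure mode of call-site escaping; moving the escaping (or, better, a `sanitize_html_class()` validation) into `render_frontend_css()` or into the attribute read in the shared `AbstractBlock` base would make the guarantee hold for every block, present and future. The hunk also drops a whitespace-only line (`-        +`), which is fine.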
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Blocks/BlockTypes/RecurringEvent.php - Line 47

Old Code:
```php
<?php echo $this->render_frontend_css( $styles, $container_class ); ?>
```

Fixed Code:
```php
<?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
```

Explanation:
The `$container_class` variable is being passed directly to the `render_frontend_css()` method without sanitization or escaping. If this variable contains user-controlled data (from block attributes, query parameters, or other external sources), an attacker could inject malicious JavaScript or HTML through a crafted class name. The fix applies `esc_attr()`, which is WordPress's standard function for escaping HTML attribute values, preventing XSS attacks by encoding special characters that could break out of the attribute context.
CVE Analysis Results:
CVE-2025-14657: Yes
core/Template/Api/TemplateController.php · AI: 1 vulnerability, 1 true positive · CVE-2025-14657
--- cache/wp-event-solution_4.0.51/core/Template/Api/TemplateController.php	2026-01-09 00:38:09.908540395 +0000+++ cache/wp-event-solution_4.0.52/core/Template/Api/TemplateController.php	2026-01-09 00:43:16.967280480 +0000@@ -256,13 +256,18 @@     public function prepare_item_for_response( $item, $request ) {         $is_static = $item instanceof StaticTemplate; +        // Get thumbnail: WordPress featured image if available, otherwise use item thumbnail+        $post_id = $is_static ? $item->get_id() : $item->id;+        $featured_image = ! $is_static ? get_the_post_thumbnail_url( $post_id, 'full' ) : false;+        $thumbnail = $featured_image ? $featured_image : $item->thumbnail;+         $response = [             'id'            => $is_static ? $item->get_id() : $item->id,             'name'          => $item->get_name(),             'status'        => $item->get_status(),             'type'          => $item->get_type(),             'orientation'   => $item->get_orientation(),-            'thumbnail'     => $item->thumbnail,+            'thumbnail'     => $thumbnail,             'content'       => $item->get_content(),             'is_clone'      => $item->is_clone,             'is_pro'        => $item->is_pro,@@ -352,8 +357,7 @@      * @return  WP_Rest_Response | WP_Error      */     public function get_item_permissions_check( $request ) {-        return current_user_can( 'etn_manage_template' ) -                || current_user_can( 'etn_manage_event' );+        return true;     }      /**
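Review bot: in the thumbnail hunk, `$post_id` is computed for both branches but only used when `! $is_static`, and it duplicates the `'id'` expression a few lines below; compute it once and reuse it for `'id'`. `get_the_post_thumbnail_url()` returns `false` when no featured image is set, so the `$featured_image ? $featured_image : $item->thumbnail` fallback is correct, but the response field now mixes two sources (a WordPress attachment URL and whatever `$item->thumbnail` holds); if the latter is user-supplied, any client rendering the response must treat both values as untrusted URLs.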
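Review bot: `get_item_permissions_check()` now returns `true` unconditionally, which removes the `etn_manage_template` / `etn_manage_event` capability gate from the single-item read endpoint, so any REST client, authenticated or not, passes this check. The `prepare_item_for_response()` hunk above shows the response includes `'content' => $item->get_content()` along with the template metadata, so template content becomes readable without a capability. If public access is intended (for example for previews), say so in the docblock, expose only the fields that use case needs on the public path, and keep the capability test for everything else; otherwise restore the original check. A bare `return true;` in a permissions callback should not land without a comment explaining why.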
AI Analysis
I'll analyze this code diff for security vulnerabilities.

---

**Vulnerability 1:**

Vulnerability Existed: yes
TRUE POSITIVE

**Improper Access Control - CWE-639** - core/Template/Api/TemplateController.php - Line 360

Old Code:
```php
return current_user_can( 'etn_manage_template' ) 
        || current_user_can( 'etn_manage_event' );
```

Fixed Code:
```php
return true;
```

Explanation:
This is a critical security vulnerability. The permission check for `get_item_permissions_check()` was replaced with an unconditional `return true;`. This removes all access control, allowing any user (including unauthenticated users) to access template API endpoints. Previously, the code properly checked if the user had either 'etn_manage_template' or 'etn_manage_event' capabilities. Now, there are no capability checks whatsoever, creating an authorization bypass vulnerability.

---

**Vulnerability 2:**

Vulnerability Existed: not sure

**Cross-Site Scripting (XSS) - CWE-79** - core/Template/Api/TemplateController.php - Lines 259-262

Old Code:
```php
'thumbnail'     => $item->thumbnail,
```

Fixed Code:
```php
// Get thumbnail: WordPress featured image if available, otherwise use item thumbnail
$post_id = $is_static ? $item->get_id() : $item->id;
$featured_image = ! $is_static ? get_the_post_thumbnail_url( $post_id, 'full' ) : false;
$thumbnail = $featured_image ? $featured_image : $item->thumbnail;
```

Explanation:
Uncertain about XSS vulnerability. The change adds `get_the_post_thumbnail_url()` which is a WordPress core function that should return a sanitized URL. However, without seeing how `$item->thumbnail` is stored/generated and how the API response is escaped when output, it's difficult to confirm if XSS protection exists. If `$item->thumbnail` is user-controlled and not properly escaped in the API response output, this could be vulnerable. The use of WordPress's core function is positive, but the fallback to `$item->thumbnail` needs proper output escaping when rendered.
CVE Analysis Results:
CVE-2025-14657: Yes
View CVE Description
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
core/Template/TemplatePreview.php AI: 1 vulnerabilities 1 true positive CVE-2025-14657
--- cache/wp-event-solution_4.0.51/core/Template/TemplatePreview.php	2026-01-09 00:38:09.936542099 +0000+++ cache/wp-event-solution_4.0.52/core/Template/TemplatePreview.php	2026-01-09 00:43:17.027284150 +0000@@ -39,7 +39,7 @@     $template_id = ! empty( $_GET['template_id'] ) ? intval( $_GET['template_id'] ) : 0;      if ( ! $template_id ) {-        printf( '<p>%s</p>', __( 'No template found. Please select one first.', 'eventin' ) );+        printf( '<p>%s</p>', esc_html__( 'No template found. Please select one first.', 'eventin' ) );         return;     } @@ -56,7 +56,7 @@       <div class="etn-ticket-wrapper">             <div class="etn-ticket-main-wrapper">                 <div class="etn-ticket">-                    <?php echo $template_html; ?>+                    <?php echo wp_kses_post( $template_html ); ?>                 </div>                 <!-- <div class="etn-ticket-action"></div> -->             </div>
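Review bot: in the @@ -56 hunk `wp_kses_post()` drops `<script>`, `<style>`, `<svg>` and similar tags (inline `style` attributes are kept but filtered), so if the rendered ticket template legitimately contains any of those, an inline SVG QR code for instance, the preview will now diverge from the ticket that is actually generated. Verify with a real template and, where needed, extend the allow-list through the `wp_kses_allowed_html` filter rather than removing the call. The `intval()` on `template_id` in the @@ -39 hunk is fine as is.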
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/Template/TemplatePreview.php Line 59
[Old Code]
<?php echo $template_html; ?>
[Fixed Code]
<?php echo wp_kses_post( $template_html ); ?>
Explanation:
The original line echoes `$template_html` unescaped. Judging by the surrounding lines, `$template_html` is the rendered ticket template selected via `$_GET['template_id']` (cast with `intval()` a few lines earlier), so the exposure is stored XSS: anyone who can put markup into a saved template gets it executed in the browser of whoever opens the preview. The fix wraps the output in `wp_kses_post()`, which keeps the tags and attributes WordPress allows in post content (`<p>`, `<a>`, `<strong>`, filtered inline `style`, and so on) and removes `<script>`, event-handler attributes and `javascript:` URLs. Who is allowed to edit templates bounds the real-world impact.

---

Vulnerability Existed: not sure
Unescaped translated string in HTML output (hardening) - CWE-80 - core/Template/TemplatePreview.php Line 42
[Old Code]
printf( '<p>%s</p>', __( 'No template found. Please select one first.', 'eventin' ) );
[Fixed Code]
printf( '<p>%s</p>', esc_html__( 'No template found. Please select one first.', 'eventin' ) );
Explanation:
The literal string is fixed in the source, so this was not exploitable as shipped. What `__()` actually returns, however, is whatever the active translation catalogue supplies at runtime, and `.mo` files live under the writable `wp-content/languages` tree; `esc_html__()` escapes that returned string, which is why the WordPress coding standards require it (or `esc_html_e()`) whenever a translated string is printed into HTML. Treat this as defense in depth, not as a fix for a vulnerability in 4.0.51.
CVE Analysis Results:
CVE-2025-14657: Yes
core/event/api.php AI: 3 vulnerabilities 2 true positives, 1 false positive CVE-2025-14657
--- cache/wp-event-solution_4.0.51/core/event/api.php	2026-01-09 00:38:09.800533822 +0000+++ cache/wp-event-solution_4.0.52/core/event/api.php	2026-01-09 00:43:16.499251850 +0000@@ -195,16 +195,14 @@ 		$request     = $this->request; 		$settings    = etn_get_option(); -		if ( ! is_admin() && ! current_user_can( 'manage_options' ) ) {-			if ( ! wp_verify_nonce( $this->request->get_header( 'X-WP-Nonce' ), 'wp_rest' ) ) {-				$messages[] = esc_html__( 'Nonce is not valid! Please try again.', 'eventin' );-			} else {-				if ( ! empty( $settings ) ) {-					$content['settings'] = $settings;-				}-			}+		// Require proper capability - permission callback handles this but double-check+		if ( ! current_user_can( 'manage_options' ) ) {+			$messages[] = esc_html__( 'You haven\'t authorization permission to view settings.', 'eventin' ); 		} else {-			$messages[] = esc_html__( 'You haven\'t authorization permission to update settings.', 'eventin' );+			if ( ! empty( $settings ) ) {+				$status_code         = 1;+				$content['settings'] = $settings;+			} 		}  		$sample_date      = strtotime( date( 'd' ) . " " . date( 'M' ) . " " . date( 'Y' ) );@@ -235,27 +233,29 @@ 		$messages    = $content    = []; 		$request     = json_decode( $this->request->get_body(), true ); -		if ( ! is_admin() && ! current_user_can( 'manage_options' ) ) {+		// Require proper capability - permission callback handles this but double-check+		if ( ! current_user_can( 'manage_options' ) ) {+			$messages[] = esc_html__( 'You haven\'t authorization permission to update settings.', 'eventin' );+		} else {+			if ( isset( $request ) && ! empty( $request ) ) {+				$status_code  = 1;+				$all_settings = get_option( 'etn_event_options', [] );+				$settings     = $request;++				// Sanitize all inputs to prevent XSS and other attacks+				$all_settings['events_per_page']       = isset( $settings['events_per_page'] ) ? 
absint( $settings['events_per_page'] ) : 10;+				$all_settings['date_format']           = isset( $settings['date_format'] ) ? sanitize_text_field( $settings['date_format'] ) : "";+				$all_settings['time_format']           = isset( $settings['time_format'] ) ? sanitize_text_field( $settings['time_format'] ) : "";++				// CRITICAL: Sanitize color fields to prevent XSS+				$all_settings['etn_primary_color']     = isset( $settings['etn_primary_color'] ) ? sanitize_hex_color( $settings['etn_primary_color'] ) : "";+				$all_settings['etn_secondary_color']   = isset( $settings['etn_secondary_color'] ) ? sanitize_hex_color( $settings['etn_secondary_color'] ) : "";++				$all_settings['attendee_registration'] = isset( $settings['attendee_registration'] ) ? sanitize_text_field( $settings['attendee_registration'] ) : "";+				$all_settings['sell_tickets']          = isset( $settings['sell_tickets'] ) ? sanitize_text_field( $settings['sell_tickets'] ) : ""; -			if ( ! wp_verify_nonce( $this->request->get_header( 'X-WP-Nonce' ), 'wp_rest' ) ) {-				$messages[] = esc_html__( 'Nonce is not valid! Please try again.', 'eventin' );-			} else {-				if ( isset( $request ) && ! empty( $request ) ) {-					$status_code                           = 1;-					$all_settings                          = get_option( 'etn_event_options', [] );-					$settings                              = $request;-					$all_settings['events_per_page']       = isset( $settings['events_per_page'] ) ? absint( $settings['events_per_page'] ) : 10;-					$all_settings['date_format']           = isset( $settings['date_format'] ) ? $settings['date_format'] : "";-					$all_settings['time_format']           = isset( $settings['time_format'] ) ? $settings['time_format'] : "";-					$all_settings['etn_primary_color']     = isset( $settings['etn_primary_color'] ) ? $settings['etn_primary_color'] : "";-					$all_settings['etn_secondary_color']   = isset( $settings['etn_secondary_color'] ) ? 
$settings['etn_secondary_color'] : "";-					$all_settings['attendee_registration'] = isset( $settings['attendee_registration'] ) ? $settings['attendee_registration'] : "";-					$all_settings['sell_tickets']          = isset( $settings['sell_tickets'] ) ? $settings['sell_tickets'] : "";-					update_option( 'etn_event_options', $all_settings );-				}+				update_option( 'etn_event_options', $all_settings ); 			}-		} else {-			$messages[] = esc_html__( 'You haven\'t authorization permission to update settings.', 'eventin' ); 		}  		return [@@ -606,6 +606,7 @@ 		$event_id           = ! empty( $request['event_id'] ) ? intval( $request['event_id'] ) : 0; 		$seat_plan          = ! empty( $request['seat_plan'] ) ?  $request['seat_plan']  : []; 		$seat_plan_settings = ! empty( $request['seat_plan_settings'] ) ? $request['seat_plan_settings']  : [];+		error_log(print_r($seat_plan,true)); 		if ( ! empty( $seat_plan ) ) { 			$chair_id = 1; 			foreach ($seat_plan as $key => &$seat) {@@ -615,8 +616,9 @@ 						$chair_id++; 					} 				}-				-				$seat['id'] = $key;+				// Set the seat id to the seat number+				$seat['id'] = $seat['number'];+			 			} 		} 
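Review bot: in the @@ -195 and @@ -235 hunks the only authorization gate visible is the inline `current_user_can( 'manage_options' )`; the comment "permission callback handles this but double-check" refers to a route `permission_callback` that is not part of this diff. Confirm the settings route is not registered with `'permission_callback' => '__return_true'`, because if it is, this inline check is the whole defence, and note that the unauthorized branch still returns a normal array (HTTP 200 with a message) rather than a `WP_Error` with a 403.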
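Review bot: `sanitize_hex_color()` in the @@ -235 hunk returns `null`, not `''`, for anything other than `#` plus three or six hex digits, so an invalid submission now persists `null` under `etn_primary_color` / `etn_secondary_color` in `etn_event_options`; that is safe for the CSS sink but every reader of the option must tolerate a null. Also check that the function is defined in this request context: core has historically defined `sanitize_hex_color()` in wp-includes/class-wp-customize-manager.php, which is loaded only when the Customizer is active, and plugins normally ship a `function_exists()` polyfill to avoid a fatal error from REST or front-end requests.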
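Review bot: the `error_log(print_r($seat_plan,true));` added in the @@ -606 hunk is a leftover debug statement: it dumps the request-supplied seat plan to the PHP error log on every call, and with `WP_DEBUG_LOG` enabled the default destination is wp-content/debug.log, which is frequently reachable over HTTP. Remove it before release.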
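Review bot: `$seat['id'] = $seat['number'];` in the @@ -615 hunk replaces an array key the loop controls with a value taken straight from `$request['seat_plan']`, and nothing in the hunk checks `isset( $seat['number'] )` or sanitizes it before it becomes the seat id. Suggest `$seat['id'] = isset( $seat['number'] ) ? sanitize_text_field( $seat['number'] ) : $key;` (or `absint()` if ids are numeric) so a missing field does not raise a notice and a crafted value cannot travel downstream as an unsanitized identifier.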
AI Analysis

---

**Vulnerability 1:**

Vulnerability Existed: yes
TRUE POSITIVE

**Cross-Site Scripting (XSS) - CWE-79** - core/event/api.php - Lines 248-251

Old Code:
```php
$all_settings['date_format']           = isset( $settings['date_format'] ) ? $settings['date_format'] : "";
$all_settings['time_format']           = isset( $settings['time_format'] ) ? $settings['time_format'] : "";
$all_settings['etn_primary_color']     = isset( $settings['etn_primary_color'] ) ? $settings['etn_primary_color'] : "";
$all_settings['etn_secondary_color']   = isset( $settings['etn_secondary_color'] ) ? $settings['etn_secondary_color'] : "";
$all_settings['attendee_registration'] = isset( $settings['attendee_registration'] ) ? $settings['attendee_registration'] : "";
$all_settings['sell_tickets']          = isset( $settings['sell_tickets'] ) ? $settings['sell_tickets'] : "";
```

Fixed Code:
```php
$all_settings['date_format']           = isset( $settings['date_format'] ) ? sanitize_text_field( $settings['date_format'] ) : "";
$all_settings['time_format']           = isset( $settings['time_format'] ) ? sanitize_text_field( $settings['time_format'] ) : "";
$all_settings['etn_primary_color']     = isset( $settings['etn_primary_color'] ) ? sanitize_hex_color( $settings['etn_primary_color'] ) : "";
$all_settings['etn_secondary_color']   = isset( $settings['etn_secondary_color'] ) ? sanitize_hex_color( $settings['etn_secondary_color'] ) : "";
$all_settings['attendee_registration'] = isset( $settings['attendee_registration'] ) ? sanitize_text_field( $settings['attendee_registration'] ) : "";
$all_settings['sell_tickets']          = isset( $settings['sell_tickets'] ) ? sanitize_text_field( $settings['sell_tickets'] ) : "";
```

Explanation:
4.0.51 copied the request values into `etn_event_options` verbatim. The two colour settings are not rendered as text: the plugin interpolates them into the inline CSS it enqueues, which is why the CVE text says the injected script runs "whenever a user accesses a page where Eventin styles are loaded". A value such as `#fff;}</style><script>...</script>` therefore closes the style block and lands in HTML context on every front-end page. `sanitize_hex_color()` accepts only `#` followed by three or six hex digits and returns `null` for anything else, so no such value can be persisted any more; `sanitize_text_field()` strips tags, NUL bytes and stray whitespace from the remaining free-text settings. Validation on write is the right fix here because a CSS sink cannot be protected with `esc_html()` or `esc_attr()` at output time; the code that assembles the style block was hardened in the same release as a second layer.
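To make the stored-setting-to-CSS path concrete, the following is an added example written for this report, not Eventin code. It models the 4.0.51 and 4.0.52 shapes of `post_settings` with plain PHP functions: `post_settings_vulnerable()` and `post_settings_fixed()` stand in for the handler, the `$has_manage_options` flag stands in for `current_user_can( 'manage_options' )`, and `build_inline_style()` stands in for the style block the plugin enqueues. `sanitize_hex_color()` is reproduced with the same regular expression WordPress core uses so the script runs without WordPress, and the payload is constructed.

```php
<?php
// Added example for this report, not Eventin code. Models CVE-2025-14657's second half:
// a setting written without validation and later interpolated into inline CSS.

// Same body as WordPress core's sanitize_hex_color(); the guard is the polyfill pattern plugins
// use because core only defines the function when the Customizer is loaded.
if ( ! function_exists( 'sanitize_hex_color' ) ) {
    function sanitize_hex_color( $color ) {
        if ( '' === $color ) {
            return '';
        }
        // '#' followed by exactly 3 or 6 hex digits; anything else is rejected with null.
        if ( preg_match( '|^#([A-Fa-f0-9]{3}){1,2}$|', $color ) ) {
            return $color;
        }
        return null;
    }
}

const ETN_DEFAULT_PRIMARY = '#5D78FF';

// 4.0.51 shape: no capability gate worth the name, value stored verbatim.
function post_settings_vulnerable( array $request, array $stored ): array {
    $stored['etn_primary_color'] = isset( $request['etn_primary_color'] ) ? $request['etn_primary_color'] : '';
    return $stored;
}

// 4.0.52 shape: capability first ($has_manage_options stands in for current_user_can('manage_options')),
// then validation on write. Invalid colours fall back to the default instead of being stored as null.
function post_settings_fixed( bool $has_manage_options, array $request, array $stored ): array {
    if ( ! $has_manage_options ) {
        return $stored; // unauthorized: leave the options untouched
    }
    $color = isset( $request['etn_primary_color'] ) ? sanitize_hex_color( (string) $request['etn_primary_color'] ) : '';
    $stored['etn_primary_color'] = empty( $color ) ? ETN_DEFAULT_PRIMARY : $color;
    return $stored;
}

// The sink: the inline style block printed on every page that loads the plugin's styles.
function build_inline_style( array $stored ): string {
    $primary = ! empty( $stored['etn_primary_color'] ) ? $stored['etn_primary_color'] : ETN_DEFAULT_PRIMARY;
    return '<style id="etn-custom">.etn-btn{background:' . $primary . ';}</style>';
}

// More than one </style> in the output means the stored value escaped the CSS context.
function style_breakout( string $html ): bool {
    return preg_match_all( '#</style>#i', $html ) > 1;
}

// Constructed payload: closes the style block and opens a script in HTML context.
$payload = [ 'etn_primary_color' => '#fff;}</style><script>alert(document.domain)</script><style>' ];
$options = [ 'etn_primary_color' => ETN_DEFAULT_PRIMARY ];

$vulnerable = build_inline_style( post_settings_vulnerable( $payload, $options ) );
$fixed      = build_inline_style( post_settings_fixed( true, $payload, $options ) );
$unauth     = build_inline_style( post_settings_fixed( false, $payload, $options ) );

echo 'vulnerable breakout: ' . var_export( style_breakout( $vulnerable ), true ) . PHP_EOL;
echo 'fixed breakout:      ' . var_export( style_breakout( $fixed ), true ) . PHP_EOL;
echo 'unauthorized write:  ' . var_export( $unauth !== build_inline_style( $options ), true ) . PHP_EOL;
```

Run it with `php example.php`. One deliberate difference from the 4.0.52 handler: the example replaces a rejected colour with the default at write time, whereas the patched `post_settings` stores the `null` that `sanitize_hex_color()` returns and relies on the output side to fall back. Both are safe for the CSS sink; normalising on write just spares every other reader of the option from handling a null.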

---

**Vulnerability 2:**

Vulnerability Existed: yes
TRUE POSITIVE

**Missing Authorization - CWE-862** - core/event/api.php - Lines 197-211 and Lines 235-245

Old Code:
```php
if ( ! is_admin() && ! current_user_can( 'manage_options' ) ) {
    if ( ! wp_verify_nonce( $this->request->get_header( 'X-WP-Nonce' ), 'wp_rest' ) ) {
        $messages[] = esc_html__( 'Nonce is not valid! Please try again.', 'eventin' );
    } else {
        // allow access
    }
} else {
    $messages[] = esc_html__( 'You haven\'t authorization permission to update settings.', 'eventin' );
}
```

Fixed Code:
```php
if ( ! current_user_can( 'manage_options' ) ) {
    $messages[] = esc_html__( 'You haven\'t authorization permission to view settings.', 'eventin' );
} else {
    // allow access
}
```

Explanation:
The 4.0.51 condition was inverted. The outer `if` fires for requesters who are not in an admin context and lack `manage_options`; those requesters were admitted as soon as they presented a valid `wp_rest` nonce, while administrators fell into the `else` branch and received the "no permission" message. A REST nonce proves that a request originated from a page WordPress rendered, not that the requester holds any capability, so the only real gate on reading and writing `etn_event_options` was the nonce. This is the missing capability check on `post_settings` that CVE-2025-14657 describes, and together with the unsanitized colour fields it is what let the stored XSS be planted. The fix requires `manage_options` outright and drops the explicit nonce check. That is acceptable for a REST route because WordPress already treats a cookie-authenticated REST request without a valid `X-WP-Nonce` header as logged out, so `current_user_can()` fails for it and the capability check subsumes the nonce. The route's own `permission_callback`, which the new comment defers to, is not in the diff and should be verified separately.

---

**Vulnerability 3:**

Vulnerability Existed: yes
FALSE POSITIVE

**Debug Information Disclosure - CWE-215** - core/event/api.php - Line 609

Old Code:
```php
// (no debug output)
```

Fixed Code:
```php
error_log(print_r($seat_plan,true));
```

Explanation:
The `error_log( print_r( $seat_plan, true ) )` call added by this release writes the entire request-supplied seat plan to the PHP error log on every invocation. Nothing is returned to the caller, so this is not a direct disclosure, but with `WP_DEBUG_LOG` enabled the default destination is `wp-content/debug.log`, which is often reachable over HTTP, and the log fills with attacker-chosen content. It reads as a debugging statement that was left in and should be removed (or gated behind `WP_DEBUG` with a bounded message) rather than shipped.
CVE Analysis Results:
CVE-2025-14657: Yes
core/event/template-functions.php AI: 1 vulnerabilities 1 true positive CVE-2025-14657
--- cache/wp-event-solution_4.0.51/core/event/template-functions.php	2026-01-09 00:38:09.804534065 +0000+++ cache/wp-event-solution_4.0.52/core/event/template-functions.php	2026-01-09 00:43:16.643260659 +0000@@ -214,7 +214,7 @@ 	function etn_after_single_event_meta_ticket_form( $single_event_id ) { 		$single_event_id = ! empty( $single_event_id ) ? $single_event_id : get_the_ID(); 		$disable_purchase_form = get_post_meta( $single_event_id, 'etn_disable_purchase_form', true );-	+		 		$rsv_settings = get_post_meta( get_the_ID(), 'rsvp_settings', true ); 		$recurring_enabled = get_post_meta( get_the_ID(), 'recurring_enabled', true ); 	@@ -227,12 +227,12 @@ 	 		// Whether to show ticket selector and sell tickets, are controlled in frontend now. 		?>-<div class="etn-single-event-ticket-wrap">-    <?php if ($recurring_enabled !== 'yes') { -				Helper::eventin_ticket_widget( $single_event_id );-			} ?>-</div>-<?php+			<div class="etn-single-event-ticket-wrap">+				<?php if ($recurring_enabled !== 'yes') { +							Helper::eventin_ticket_widget( $single_event_id, "", "", "style-1" );+						} ?>+			</div>+		 <?php 	} }  @@ -772,6 +772,6 @@ 		];  		// Convert schema array into ld+json file and add into the DOM-		echo '<script type="application/ld+json">' . wp_unslash( json_encode( $event_data ) ) . '</script>';+		echo '<script type="application/ld+json">' . wp_json_encode( $event_data ) . '</script>'; 	} }\ No newline at end of file
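Review bot: the @@ -772 hunk correctly stops un-escaping the JSON, but the `<script>` tag is still assembled by hand; WordPress 5.7 and later provide `wp_print_inline_script_tag( wp_json_encode( $event_data ), [ 'type' => 'application/ld+json' ] )`, which emits the same markup and also runs the `wp_inline_script_attributes` filter so a CSP nonce can be attached. The @@ -227 hunk passes two empty-string positional arguments plus `"style-1"` to `Helper::eventin_ticket_widget()`; a comment naming those parameters would help the next reader.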
AI Analysis
```
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - core/event/template-functions.php Line 775
[Old Code]
echo '<script type="application/ld+json">' . wp_unslash( json_encode( $event_data ) ) . '</script>';
[Fixed Code]
echo '<script type="application/ld+json">' . wp_json_encode( $event_data ) . '</script>';
Explanation:
`json_encode()` escapes the solidus by default, so a `</script>` inside any event field comes out as `<\/script>` and cannot terminate the JSON-LD block. `wp_unslash()` (a recursive `stripslashes()`) then removed exactly those backslashes, together with the `\"` escapes that keep quotes inside strings, so a title, description or venue containing `</script><script>...` was written into the page as a real closing tag followed by executable script, and any field containing a double quote corrupted the JSON outright. `wp_json_encode()` is `json_encode()` with UTF-8 repair on failure; it adds no HTML-specific escaping, so the fix is simply that the backslashes are no longer stripped. Impact is bounded by who can edit event fields: it is stored XSS against every visitor of the event page, planted by anyone with edit rights on the event.
```
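The mechanism behind this finding, as an added example written for this report and not Eventin code: `stripslashes()` stands in for `wp_unslash()` (identical for a string argument) and plain `json_encode()` for `wp_json_encode()` (which wraps it without changing the escaping), so the script runs without WordPress. The event data and the injected title are constructed.

```php
<?php
// Added example for this report, not Eventin code. Shows why wp_unslash( json_encode( ... ) )
// lets stored event data terminate a <script> block, and why the 4.0.52 line does not.
// stripslashes() stands in for wp_unslash() (identical for a string), json_encode() for wp_json_encode().

function render_jsonld_4051( array $event ): string {
    // json_encode() writes "/" as "\/", so "</script>" becomes "<\/script>"; stripslashes()
    // removes that backslash again (and every other JSON escape, including \" before quotes).
    return '<script type="application/ld+json">' . stripslashes( json_encode( $event ) ) . '</script>';
}

function render_jsonld_4052( array $event ): string {
    // The escaped solidus survives, so the HTML tokenizer never sees a closing script tag.
    return '<script type="application/ld+json">' . json_encode( $event ) . '</script>';
}

// Extracts the text between the opening tag and the final closing tag.
function script_body( string $html ): string {
    $open  = strpos( $html, '>' ) + 1;
    $close = strrpos( $html, '</script>' );
    return substr( $html, $open, $close - $open );
}

// True if the script body contains an early </script> that would end the block
// (the HTML parser ends script data at "</script" regardless of the type attribute).
function script_breakout( string $html ): bool {
    return stripos( script_body( $html ), '</script' ) !== false;
}

// True if the script body still parses as JSON (stripslashes also destroys \" escapes).
function jsonld_is_valid( string $html ): bool {
    json_decode( script_body( $html ) );
    return json_last_error() === JSON_ERROR_NONE;
}

// Constructed event: a title an editor could type into the event form.
$event = [
    '@context'  => 'https://schema.org',
    '@type'     => 'Event',
    'name'      => 'Launch "party" </script><script>alert(document.domain)</script>',
    'startDate' => '2026-03-01T19:00:00+00:00',
];

foreach ( [ '4.0.51' => render_jsonld_4051( $event ), '4.0.52' => render_jsonld_4052( $event ) ] as $version => $html ) {
    printf(
        "%s: breakout=%s valid_json=%s\n",
        $version,
        var_export( script_breakout( $html ), true ),
        var_export( jsonld_is_valid( $html ), true )
    );
}
```

The 4.0.51 rendering both breaks out of the script block and produces invalid JSON (the quotes around `party` lose their escapes), while the 4.0.52 rendering does neither. The check is the same one a browser makes: script data ends at the first literal `</script`, and the `type` attribute does not change that.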
CVE Analysis Results:
CVE-2025-14657: Yes
core/woocommerce/hooks.php AI: 3 vulnerabilities 3 true positives CVE-2025-14657
--- cache/wp-event-solution_4.0.51/core/woocommerce/hooks.php	2026-01-09 00:38:09.964543803 +0000+++ cache/wp-event-solution_4.0.52/core/woocommerce/hooks.php	2026-01-09 00:43:17.091288065 +0000@@ -328,7 +328,7 @@                     <tr>                         <td><?php echo esc_html($attendee['etn_name']); ?></td>                         <td><?php echo esc_html($attendee['ticket_name']); ?></td>-                        <td><?php echo $event_display; ?></td>+                        <td><?php echo wp_kses_post( $event_display ); ?></td>                         <td>                             <?php                                  $url = add_query_arg(@@ -663,7 +663,7 @@ 		$thankyou_redirect   = isset( $thankyou_redirect ) ? $thankyou_redirect : '';            $eventin_order           = new OrderModel($order_id);-        $validate_ticket         = $eventin_order->validate_ticket();+        $validate_ticket         = $eventin_order->validate_ticket(true);          if ( is_wp_error( $validate_ticket ) ) {             wp_redirect( site_url( 'eventin-purchase/checkout/#/failed?action=ticket-limit-exit' ) );@@ -700,17 +700,7 @@                 $eventin_order->send_email(); 		    }         }-		-        -        // deducing coupon discount from Order($post_type = 'etn-order')-        -//        $eventin_order->update_meta([-//	        "total_price" => $wc_order->order-//        ]);-		-		//dd($wc_order->get_data()); -   		// Redirect to Eventin  thank you page 		$url = ''; 		
@@ -750,7 +740,7 @@                         <ul class="single-ticket-seats__list">                             <?php                                 if (!empty($single_variation['selected_seats'])) {-                                    echo "<li>". $single_variation['selected_seats']. "</li>";+                                    echo "<li>". esc_html( $single_variation['selected_seats'] ). "</li>";                                 }                             ?>                         </ul>@@ -1031,6 +1021,7 @@         foreach ( $order->get_items() as $item_id => $item ) {             $event_id       = \Etn\Core\Event\Helper::instance()->order_event_id($item);             $event_object   = get_post( $event_id );+            $sold_tickets   = $event_id ? (array)Helper::etn_get_sold_tickets_by_event( $event_id ) : [];             if ( !empty( $event_object ) ) {                 $ticket_variations  = !empty( get_post_meta( $event_id, "etn_ticket_variations", true ) ) ? get_post_meta( $event_id, "etn_ticket_variations", true ) : []; 
@@ -1063,7 +1054,7 @@                             $ticket_index = $this->search_array_by_value( $ticket_variations, $item_variation['etn_ticket_slug'] );                             if ( isset( $ticket_variations[ $ticket_index ] ) ) {                                 $variation_picked_qty   = absint( $item_variation[ 'etn_ticket_qty' ] );-                                $etn_sold_tickets       = absint( $ticket_variations[ $ticket_index ]['etn_sold_tickets'] );+                                $etn_sold_tickets       = $sold_tickets[$item_variation['etn_ticket_slug']] ?? 0;                                 $total_tickets          = absint( $ticket_variations[ $ticket_index ]['etn_avaiilable_tickets'] );                                  if ( $decrease_time ) {@@ -1508,6 +1499,7 @@             $error_messages = $ticket_qty_errors = $cart_picked_data = [];              $event_id   = $product_id;+            $sold_tickets   = $event_id ? (array)Helper::etn_get_sold_tickets_by_event( $event_id ) : [];             $event_name = get_the_title( $event_id );             $ticket_variations = !empty( get_post_meta( $event_id, "etn_ticket_variations", true ) ) ? get_post_meta( $event_id, "etn_ticket_variations", true ) : []; 
@@ -1544,7 +1536,7 @@                             $error_cat = [];                              $total_tickets      = absint( $ticket_variations[ $ticket_index ]['etn_avaiilable_tickets'] );-                            $etn_sold_tickets   = absint( $ticket_variations[ $ticket_index ]['etn_sold_tickets'] );+                            $etn_sold_tickets   = $sold_tickets[$post_contents['ticket_slug'][ $quantity_index ]] ?? 0;                             $remaining_ticket   = $total_tickets - $etn_sold_tickets;                              $etn_min_ticket     = absint( $ticket_variations[ $ticket_index ]['etn_min_ticket'] );@@ -2222,8 +2214,8 @@             }                      $table_content .= "</div>";-        -            echo $table_content;++            echo wp_kses_post( $table_content );         } else {             echo esc_html__('No Attendee Found', 'eventin');         }
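Review bot: in the @@ -1063 and @@ -1544 hunks the sold count now comes from `$sold_tickets[<slug>] ?? 0`, so a slug that is absent from what `Helper::etn_get_sold_tickets_by_event()` returns counts as zero tickets sold, and the `absint()` the old lines applied is gone. If the helper keys its result differently from `etn_ticket_slug` / `ticket_slug`, or returns something other than a slug-keyed array (the `(array)` cast in the @@ -1031 and @@ -1508 hunks would hide that), `$remaining_ticket` equals `$total_tickets` and the purchase limit is silently bypassed. Suggest failing closed when the slug is missing and keeping `absint()` on the looked-up value.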
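Review bot: `validate_ticket(true)` in the @@ -663 hunk adds a bare boolean whose meaning is not visible in this diff; a named constant or a one-line comment at the call site would tell the next reader what changed in the validation path, since this runs on the WooCommerce thank-you flow where ticket limits are enforced.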
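Review bot: `echo wp_kses_post( $table_content );` in the @@ -2222 hunk is the right default, but the attendee table is assembled across the whole function and anything outside the "post" allow-list (`form`, `input`, `select`, `iframe`) is stripped at output; confirm the rendered table does not rely on such tags, and escape each cell value with `esc_html()` where it is concatenated so the fix does not rest on a single sanitizer at the end.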
AI Analysis

---

**Vulnerability 1:**

Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - core/woocommerce/hooks.php Line 331
Old Code:
```php
<td><?php echo $event_display; ?></td>
```
Fixed Code:
```php
<td><?php echo wp_kses_post( $event_display ); ?></td>
```
Explanation:
The variable `$event_display` was being output directly without any sanitization. This is a stored XSS vulnerability because if `$event_display` contains user-controlled HTML/JavaScript, it will be executed in the browser. The fix uses `wp_kses_post()` which safely strips dangerous HTML tags while preserving safe formatting tags like `<p>`, `<br>`, etc. This is appropriate for WordPress post content.

---

**Vulnerability 2:**

Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - core/woocommerce/hooks.php Line 743
Old Code:
```php
echo "<li>". $single_variation['selected_seats']. "</li>";
```
Fixed Code:
```php
echo "<li>". esc_html( $single_variation['selected_seats'] ). "</li>";
```
Explanation:
The `$single_variation['selected_seats']` variable was being concatenated into HTML output without escaping. This is a stored XSS vulnerability because user-controlled data in the `selected_seats` field could contain malicious scripts. The fix uses `esc_html()` which converts HTML special characters to entities, preventing script execution.

---

**Vulnerability 3:**

Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - core/woocommerce/hooks.php Line 2217
Old Code:
```php
echo $table_content;
```
Fixed Code:
```php
echo wp_kses_post( $table_content );
```
Explanation:
`$table_content` is accumulated across the function and echoed in one go without escaping. Only the final `.= "</div>"` is visible in this hunk, so the exact data sources cannot be confirmed here; the attendee table is built from stored order and attendee data, which is supplied by customers at purchase time. Wrapping the whole string in `wp_kses_post()` strips script tags and event-handler attributes while leaving the table markup intact. Per-cell `esc_html()` at the point each value is concatenated would be the stronger pattern, because one sanitizer at the end relies on kses handling everything the function produced.

---

**Additional Changes (Non-Security):**

The other changes in the diff are not escaping fixes, but they are not all cosmetic either. `validate_ticket(true)` passes a new boolean whose meaning is not visible here. The four `$sold_tickets` hunks change where the sold count comes from: instead of the `etn_sold_tickets` value stored on each ticket variation (wrapped in `absint()`), it is now looked up by slug in the array returned by `Helper::etn_get_sold_tickets_by_event()`, and `?? 0` treats a missing slug as zero tickets sold. That avoids an undefined-index notice but is fail-open for the purchase-limit check: a slug the helper does not return yields `$remaining_ticket = $total_tickets`. The removal of commented-out code is housekeeping.
CVE Analysis Results:
CVE-2025-14657: Yes
templates/attendee/attendee-details.php AI: 1 vulnerabilities 1 true positive CVE-2025-14657
--- cache/wp-event-solution_4.0.51/templates/attendee/attendee-details.php	2026-01-09 00:38:09.976544534 +0000+++ cache/wp-event-solution_4.0.52/templates/attendee/attendee-details.php	2026-01-09 00:43:17.147291491 +0000@@ -70,7 +70,7 @@                 <?php if ( $include_phone ) { ?>                     <td><?php echo esc_html( $etn_phone ); ?></td>                 <?php } ?>-                <td><?php echo $event_display; ?></td>+                <td><?php echo wp_kses_post( $event_display ); ?></td>                 <td><?php echo esc_html( $ticket_status_arr[$ticket_status] ); ?></td>                 <td>                     <div class=''>
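Review bot: `$event_display` in the @@ -70 hunk is the same variable hooks.php now passes through `wp_kses_post()`; if it only ever holds an event title or a single link, `esc_html()` / `esc_url()` applied where it is built would be the tighter choice, since kses still permits a broad set of tags and attributes. The neighbouring cells already use `esc_html()`, so this at least brings the column in line with the rest of the row.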
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/attendee/attendee-details.php [73]

Old Code:
```php
<td><?php echo $event_display; ?></td>
```

Fixed Code:
```php
<td><?php echo wp_kses_post( $event_display ); ?></td>
```

Explanation:
The original code directly echoed the `$event_display` variable without any sanitization or escaping. This is a stored/reflected XSS vulnerability (CWE-79) because if `$event_display` contains user-controlled or unsanitized data with HTML/JavaScript content, it would be executed in the browser context. The fix applies `wp_kses_post()`, which is a WordPress function that sanitizes content by allowing only safe HTML tags and removing potentially malicious scripts. This prevents XSS attacks by ensuring any dangerous markup is stripped or escaped before output.
CVE Analysis Results:
CVE-2025-14657: Yes
templates/attendee/ticket-markup.php AI: 1 vulnerabilities 1 true positive CVE-2025-14657
--- cache/wp-event-solution_4.0.51/templates/attendee/ticket-markup.php	2026-01-09 00:38:09.976544534 +0000+++ cache/wp-event-solution_4.0.52/templates/attendee/ticket-markup.php	2026-01-09 00:43:17.179293449 +0000@@ -83,8 +83,8 @@                                         <li class="etn-ticket-body-top-li">                                             <?php echo esc_html__( "PRICE :", "eventin" ); ?>                                              <p>-                                                <?php -                                                    printf( '%s %s', etn_currency_symbol(), $ticket_price );+                                                <?php+                                                    printf( '%s %s', esc_html( etn_currency_symbol() ), esc_html( $ticket_price ) );                                                 ?>                                             </p>                                         </li>
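Review bot: in the @@ -83 hunk `esc_html( etn_currency_symbol() )` will double-encode if that helper returns an HTML entity the way WooCommerce's `get_woocommerce_currency_symbol()` does (`&#36;`, `&euro;`), so the ticket would print the entity text literally instead of the symbol. Check what `etn_currency_symbol()` returns and, if it is an entity, decode it first or restrict escaping to `$ticket_price`.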
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/attendee/ticket-markup.php [86-87]

Old Code:
```php
printf( '%s %s', etn_currency_symbol(), $ticket_price );
```

Fixed Code:
```php
printf( '%s %s', esc_html( etn_currency_symbol() ), esc_html( $ticket_price ) );
```

Explanation:
The original code directly output the results of `etn_currency_symbol()` and `$ticket_price` without any sanitization or escaping. If either of these values contained user-controlled or untrusted data (such as HTML or JavaScript code), it would be rendered directly in the browser, enabling a Stored or Reflected XSS attack. The fix applies `esc_html()` to both values before output, which properly escapes HTML special characters and prevents any injected scripts from executing. This is the correct WordPress escaping function for displaying data in HTML context.
CVE Analysis Results:
CVE-2025-14657: Yes
templates/emails/attendee-event-reminder-email-template.php AI: 1 vulnerabilities 1 true positive CVE-2025-14657
--- cache/wp-event-solution_4.0.51/templates/emails/attendee-event-reminder-email-template.php	2026-01-09 00:38:09.992545507 +0000+++ cache/wp-event-solution_4.0.52/templates/emails/attendee-event-reminder-email-template.php	2026-01-09 00:43:17.231296629 +0000@@ -52,9 +52,9 @@                 <?php                  if ($event->etn_start_date == $event->etn_end_date) {-                    printf('%s from %s - %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('h:i A'), $event->get_timezone());+                    printf('%s from %s - %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ));                 } else {-                    printf('%s at %s - %s at %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('l, F d, Y'), $event->get_end_datetime('h:i A'), $event->get_timezone());+                    printf('%s at %s - %s at %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('l, F d, Y') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ));                 }                 ?>             </p>@@ -86,9 +86,9 @@                     echo esc_html($event->get_address());                 } elseif ($event->event_type == 'hybrid') {                     echo esc_html($event->get_address());-                    printf('Online meeting link: %s', $event->meeting_link);+                    printf('Online meeting link: %s', esc_html( $event->meeting_link ));                 } elseif ($event->event_type == 'online') {-                    printf('Online meeting link: %s', $event->meeting_link);+                    printf('Online meeting link: %s', esc_html( $event->meeting_link ));                 }      
           ?>             </p>
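Review bot: `esc_html()` is the right escaper for the date, time and timezone strings, which are printed in text context, but `$event->meeting_link` is a URL that the template prints inline after 'Online meeting link: '; if the intent is a clickable link in the HTML email, wrap it in an anchor and escape the href with `esc_url()`, which also drops disallowed schemes, whereas `esc_html()` only entity-encodes whatever is stored. Separately, the format strings ('%s from %s - %s %s', 'Online meeting link: %s') are hard-coded English rather than going through `esc_html__()` with the 'eventin' text domain, as `esc_html__( 'Date :', "eventin" )` does in event-details-parts.php; since these lines are being touched anyway, both could be fixed together.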
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/emails/attendee-event-reminder-email-template.php - Lines 55, 57, 89, 91

Old Code:
```php
printf('%s from %s - %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('h:i A'), $event->get_timezone());
printf('%s at %s - %s at %s %s', $event->get_start_datetime('l, F d, Y'), $event->get_start_datetime('h:i A'), $event->get_end_datetime('l, F d, Y'), $event->get_end_datetime('h:i A'), $event->get_timezone());
printf('Online meeting link: %s', $event->meeting_link);
printf('Online meeting link: %s', $event->meeting_link);
```

Fixed Code:
```php
printf('%s from %s - %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ));
printf('%s at %s - %s at %s %s', esc_html( $event->get_start_datetime('l, F d, Y') ), esc_html( $event->get_start_datetime('h:i A') ), esc_html( $event->get_end_datetime('l, F d, Y') ), esc_html( $event->get_end_datetime('h:i A') ), esc_html( $event->get_timezone() ));
printf('Online meeting link: %s', esc_html( $event->meeting_link ));
printf('Online meeting link: %s', esc_html( $event->meeting_link ));
```

Explanation:
The vulnerability existed because user-controlled or potentially untrusted data (event properties like start/end datetimes, timezone, and meeting_link) were being output directly into an email template via `printf()` without HTML escaping. If any of these values contained malicious HTML or JavaScript, it could be rendered in the email client. The fix applies `esc_html()` to all dynamic values before output, which properly escapes HTML special characters and prevents XSS attacks. This is particularly critical in email templates where arbitrary input could be injected through event data.
CVE Analysis Results:
CVE-2025-14657: Yes
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
templates/event-one.php AI: 1 vulnerabilities 1 true positive CVE-2025-14657
--- cache/wp-event-solution_4.0.51/templates/event-one.php	2026-01-09 00:38:10.004546238 +0000+++ cache/wp-event-solution_4.0.52/templates/event-one.php	2026-01-09 00:43:17.287300056 +0000@@ -48,7 +48,7 @@                     <?php do_action("etn_before_single_event_content_body", $single_event_id); ?>                      <div class="etn-event-content-body">-                        <?php echo apply_filters( 'etn_single_event_content_body', the_content() ); ?>+                        <?php echo wp_kses_post( apply_filters( 'etn_single_event_content_body', get_the_content() ) ); ?>                     </div>                      <?php do_action("etn_after_single_event_content_body", $single_event_id); ?>	
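Review bot: Replacing `the_content()` with `get_the_content()` changes behaviour beyond escaping: `get_the_content()` returns the raw post content without the 'the_content' filter, so the wpautop paragraphs, shortcodes and oEmbeds that `the_content()` applied are no longer processed, and `wp_kses_post()` then also strips any markup outside the post allow-list (iframes, for example). The conventional form is `echo wp_kses_post( apply_filters( 'etn_single_event_content_body', apply_filters( 'the_content', get_the_content() ) ) );`. It is also worth recording in the commit message that the old line was doubly odd: `the_content()` echoes and returns nothing, so the outer `echo apply_filters( ... )` printed the filter's result for a null input, and the content itself reached the page unfiltered through `the_content()`.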
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/event-one.php - Line 51

Old Code:
```php
<?php echo apply_filters( 'etn_single_event_content_body', the_content() ); ?>
```

Fixed Code:
```php
<?php echo wp_kses_post( apply_filters( 'etn_single_event_content_body', get_the_content() ) ); ?>
```

Explanation:
The original code was vulnerable to Stored XSS because it echoed the output of `apply_filters()` without proper sanitization. The `the_content()` function outputs formatted post content that may contain user-controlled data and HTML. While `apply_filters()` allows plugins to modify the content, there was no guarantee that the filtered output was safe for display.

The fix addresses this vulnerability in two ways:

1. **Replaced `the_content()` with `get_the_content()`**: The original `the_content()` function applies its own filters and formatting. Using `get_the_content()` instead provides the raw content without automatic formatting, giving more explicit control over the output processing.

2. **Added `wp_kses_post()` sanitization**: This WordPress function sanitizes the output by removing any HTML tags and attributes that are not in the whitelist of allowed post content tags. This prevents arbitrary scripts and dangerous HTML from being displayed, effectively mitigating the XSS vulnerability while preserving safe formatting like paragraphs, links, and other standard post content markup.

The combination of these changes ensures that only safe, whitelisted HTML is rendered to the user, preventing malicious scripts from being executed.
CVE Analysis Results:
CVE-2025-14657: Yes
templates/event/archive/thumbnail-content.php AI: 1 vulnerabilities 1 true positive CVE-2025-14657
--- cache/wp-event-solution_4.0.51/templates/event/archive/thumbnail-content.php	2026-01-09 00:38:10.000545994 +0000+++ cache/wp-event-solution_4.0.52/templates/event/archive/thumbnail-content.php	2026-01-09 00:43:17.267298832 +0000@@ -9,7 +9,7 @@              <?php do_action( 'etn_before_event_archive_thumbnail' ); ?> -        <a href="<?php the_permalink(); ?>" aria-label="<?php the_title(); ?>">+        <a href="<?php the_permalink(); ?>" aria-label="<?php echo esc_attr( get_the_title() ); ?>">             <?php the_post_thumbnail(); ?>         </a> 
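Review bot: `esc_attr( get_the_title() )` is the correct escaper for the attribute context. One refinement: `get_the_title()` runs the 'the_title' filter, which other plugins may use to add markup, and `esc_attr()` turns that markup into literal text inside the accessible name; `esc_attr( wp_strip_all_tags( get_the_title() ) )` gives screen readers a clean label. The `href` on the same line needs no change, since `the_permalink()` escapes its output with `esc_url()` internally.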
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/event/archive/thumbnail-content.php - Line 12

Old Code:
```php
<a href="<?php the_permalink(); ?>" aria-label="<?php the_title(); ?>">
```

Fixed Code:
```php
<a href="<?php the_permalink(); ?>" aria-label="<?php echo esc_attr( get_the_title() ); ?>">
```

Explanation:
The original code used `the_title()` directly in the `aria-label` attribute without proper escaping. The `the_title()` function outputs the post title directly to the page without any sanitization, which could allow stored XSS attacks if the post title contains malicious HTML or JavaScript. An attacker could craft a post title containing malicious script tags or event handlers that would execute in the browser when the page is rendered.

The fix uses `esc_attr( get_the_title() )`, which properly escapes the title for use as an HTML attribute. The `get_the_title()` function retrieves the title without outputting it, and `esc_attr()` applies proper HTML attribute escaping to neutralize any potentially malicious content. This prevents XSS attacks by ensuring that special characters are converted to HTML entities.
CVE Analysis Results:
CVE-2025-14657: Yes
templates/event/parts/buy-ticket.php AI: 1 vulnerabilities 1 true positive CVE-2025-14657
--- cache/wp-event-solution_4.0.51/templates/event/parts/buy-ticket.php	2026-01-09 00:38:10.008546481 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/buy-ticket.php	2026-01-09 00:43:17.287300056 +0000@@ -1,7 +1,7 @@ <?php    //echo do_shortcode("[etn_pro_ticket_form id='" . $event_id . "' show_title='no']");  ?>-<div class="etn-single-event-ticket-wrap" data-preview=<?php echo is_preview()?> >+<div class="etn-single-event-ticket-wrap" data-preview="<?php echo esc_attr( is_preview() ); ?>" >     <?php if ( isset( $show_title ) && $show_title === "yes" ) : ?>     <h3 class="etn-event-form-widget-title" ?>>         <?php echo esc_html( get_the_title( $event_id ) ); ?>@@ -9,6 +9,6 @@     <?php endif; ?>      <?php-    \Etn\Utils\Helper::eventin_ticket_widget( $event_id, $styles );  +    \Etn\Utils\Helper::eventin_ticket_widget( $event_id, $styles, null, $style_variant );       ?> </div>
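Review bot: In the first hunk, `is_preview()` returns a boolean, so `esc_attr( is_preview() )` emits "1" or ""; the real defect in the old line was the unquoted attribute (`data-preview=<?php echo is_preview()?> >`), which produced `data-preview= >` when not previewing, and the fix restores well-formed HTML rather than closing a realistic script injection. Any JavaScript that reads `data-preview` should expect "" and "1", not "true"/"false". In the unchanged context two lines below, `<h3 class="etn-event-form-widget-title" ?>>` contains a stray `?>` inside the tag that is printed literally into the page; it should read `<h3 class="etn-event-form-widget-title">`.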
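Review bot: In the second hunk, `$style_variant` is passed as a new fourth argument to `Helper::eventin_ticket_widget()` but nothing in this template defines it; the same file already guards `$show_title` with `isset( $show_title )`, so the matching pattern (`isset( $style_variant ) ? $style_variant : ''`, or a default assigned at the top of the part) would avoid an undefined-variable notice when the part is included without that variable. The third positional argument is passed as a bare `null`; a short comment naming that parameter would help the next reader.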
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/event/parts/buy-ticket.php - Line 4

Old Code:
```php
<div class="etn-single-event-ticket-wrap" data-preview=<?php echo is_preview()?> >
```

Fixed Code:
```php
<div class="etn-single-event-ticket-wrap" data-preview="<?php echo esc_attr( is_preview() ); ?>" >
```

Explanation:
The original code had an XSS vulnerability in the `data-preview` attribute. The output of `is_preview()` was not properly escaped and was not wrapped in quotes, making it vulnerable to attribute injection. An attacker could potentially inject malicious JavaScript through the attribute value. The fix properly escapes the output using `esc_attr()` (the WordPress escaping function for HTML attributes) and wraps the value in quotes to prevent attribute injection attacks. This follows WordPress security best practices for sanitizing user-controlled or dynamic content in HTML attributes.

---

Vulnerability Existed: no
Information Disclosure - N/A - templates/event/parts/buy-ticket.php - Line 12

Old Code:
```php
\Etn\Utils\Helper::eventin_ticket_widget( $event_id, $styles );
```

Fixed Code:
```php
\Etn\Utils\Helper::eventin_ticket_widget( $event_id, $styles, null, $style_variant );
```

Explanation:
This change adds an additional parameter (`$style_variant`) to a function call. This is not a security fix but rather a functionality enhancement or parameter addition. There is no vulnerability present in either version—this is simply extending the function call with an additional argument, which does not represent a security issue.
CVE Analysis Results:
CVE-2025-14657: Yes
templates/event/parts/event-details-parts-pro.php AI: 2 vulnerabilities 2 true positives CVE-2025-14657
--- cache/wp-event-solution_4.0.51/templates/event/parts/event-details-parts-pro.php	2026-01-09 00:38:10.012546725 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/event-details-parts-pro.php	2026-01-09 00:43:17.319302013 +0000@@ -179,7 +179,7 @@ 																						if(!empty($etn_schedule_start_time) || !empty( $etn_schedule_end_time )){ 																								?>                     <span class='etn-schedule-time'>-                        <?php echo esc_html($etn_schedule_start_time) . $dash_sign . esc_html($etn_schedule_end_time); ?>+                        <?php echo esc_html($etn_schedule_start_time) . esc_html($dash_sign) . esc_html($etn_schedule_end_time); ?>                     </span>                      <?php@@ -204,7 +204,7 @@                                 <i class="etn-icon etn-plus"></i>                                 <?php endif; ?>                             </h4>-                            <?php echo Helper::render(trim( $etn_schedule_objective )); ?>+                            <?php echo wp_kses_post( Helper::render(trim( $etn_schedule_objective )) ); ?>                             <?php  if($etn_show_speaker_with_schedule === 'schedule_with_speaker') : ?>                             <div class="etn-acccordion-contents">                                 <div class='etn-schedule-content'>
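Review bot: For the first hunk, `$dash_sign` is assigned only the literals " - " or " " where it is defined in the sibling template event-schedule-one.php (`$dash_sign = ( !empty( $etn_schedule_start_time ) && !empty( $etn_schedule_end_time ) ) ? " - " : " "`), and if it is built the same way here, wrapping it in `esc_html()` is harmless but not the closing of an XSS; the commit message should not overstate it. Escaping the concatenation once, `esc_html( $etn_schedule_start_time . $dash_sign . $etn_schedule_end_time )`, is also easier to read than three calls.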
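Review bot: For the second hunk, `wp_kses_post()` around `Helper::render()` is the right late-escaping step, but `Helper::render()` is not in the diff; if it emits markup outside the post allow-list (iframes, inline event handlers, `style` or `script` blocks), that output is now silently dropped, so a schedule objective with rich content should be checked in the rendered page before release. The same `Helper::render()` line is changed identically in event-schedule-one.php; if the helper's output is trusted-format HTML for both callers, moving the `wp_kses_post()` call inside `Helper::render()` would fix every caller at once.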
AI Analysis
I'll analyze this code diff for security vulnerabilities.

---

**Vulnerability 1:**

Vulnerability Existed: yes
TRUE POSITIVE

Cross-Site Scripting (XSS) - CWE-79 - templates/event/parts/event-details-parts-pro.php - Line 182

Old Code:
```php
<?php echo esc_html($etn_schedule_start_time) . $dash_sign . esc_html($etn_schedule_end_time); ?>
```

Fixed Code:
```php
<?php echo esc_html($etn_schedule_start_time) . esc_html($dash_sign) . esc_html($etn_schedule_end_time); ?>
```

Explanation:
The `$dash_sign` variable was not being escaped before output. While it appears to be a literal dash character, the lack of escaping means any malicious content injected into this variable would be rendered unescaped in the HTML, allowing XSS attacks. The fix applies `esc_html()` to ensure the variable is properly escaped before output.

---

**Vulnerability 2:**

Vulnerability Existed: yes
TRUE POSITIVE

Cross-Site Scripting (XSS) - CWE-79 - templates/event/parts/event-details-parts-pro.php - Line 207

Old Code:
```php
<?php echo Helper::render(trim( $etn_schedule_objective )); ?>
```

Fixed Code:
```php
<?php echo wp_kses_post( Helper::render(trim( $etn_schedule_objective )) ); ?>
```

Explanation:
The output from `Helper::render()` was being echoed directly without sanitization. The `Helper::render()` function likely processes HTML content (possibly Markdown or other markup), but the result was not being sanitized before output. The fix wraps the output with `wp_kses_post()`, which sanitizes HTML while allowing safe tags, preventing XSS attacks from malicious content within `$etn_schedule_objective`. This is the appropriate WordPress function for sanitizing HTML content that should preserve some markup.
CVE Analysis Results:
CVE-2025-14657: Yes
templates/event/parts/event-details-parts.php AI: 2 vulnerabilities 2 true positives CVE-2025-14657
--- cache/wp-event-solution_4.0.51/templates/event/parts/event-details-parts.php	2026-01-09 00:38:10.008546481 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/event-details-parts.php	2026-01-09 00:43:17.315301769 +0000@@ -239,7 +239,7 @@                         <li> 							<?php if ( $data['event_start_date'] !== $data['event_end_date']): ?>                             <span> <?php echo esc_html__( 'Date :', "eventin" ); ?></span>-							<?php echo $start_date . $separate . $end_date; ?>+							<?php echo esc_html( $start_date . $separate . $end_date ); ?> 							  							<?php else: ?>@@ -335,9 +335,9 @@ 									?> 								</h4> 								<p class="etn-acccordion-contents <?php echo esc_attr( $acc_class ); ?>">-									<?php +									<?php 										if ( has_blocks( $faq["etn_faq_content"] ) ) {-											echo do_blocks( $faq["etn_faq_content"] );+											echo wp_kses_post( do_blocks( $faq["etn_faq_content"] ) ); 										} else { 											echo esc_html( $faq["etn_faq_content"] ); 										}
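Review bot: In the first hunk, `esc_html( $start_date . $separate . $end_date )` is correct for text context, but the `<?php else: ?>` branch that prints the single-date case lies just outside the hunk, so confirm it received the same treatment. The second hunk's change to `<?php ` removes only trailing whitespace, which adds noise around the security change; whitespace-only cleanups are better kept in a separate commit.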
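Review bot: In the second hunk, the two branches now escape differently: `wp_kses_post( do_blocks( ... ) )` for block content and `esc_html( $faq["etn_faq_content"] )` for non-block content, so an FAQ written as classic HTML loses all markup while the same FAQ written as blocks keeps it. If that asymmetry is not intended, `wp_kses_post()` in both branches is consistent. Note also that `wp_kses_post()` does not allow iframes, so an embed block inside an FAQ will render without its embed.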
AI Analysis
I'll analyze the provided code diff for security vulnerabilities.

**Vulnerability 1: Output Escaping**

Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Output During Web Page Generation ('Cross-site Scripting') - CWE-79 - templates/event/parts/event-details-parts.php - Line 242

Old Code:
```php
<?php echo $start_date . $separate . $end_date; ?>
```

Fixed Code:
```php
<?php echo esc_html( $start_date . $separate . $end_date ); ?>
```

Explanation:
The original code directly echoed concatenated variables (`$start_date`, `$separate`, `$end_date`) without any escaping. If any of these variables contain user-controlled data or untrusted content, this could lead to Stored or Reflected XSS attacks. The fix properly escapes the output using `esc_html()`, which is appropriate for plain text content, preventing malicious scripts from being injected into the HTML.

**Vulnerability 2: Unsafe Block Rendering**

Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Output During Web Page Generation ('Cross-site Scripting') - CWE-79 - templates/event/parts/event-details-parts.php - Line 340

Old Code:
```php
echo do_blocks( $faq["etn_faq_content"] );
```

Fixed Code:
```php
echo wp_kses_post( do_blocks( $faq["etn_faq_content"] ) );
```

Explanation:
The original code used `do_blocks()` to render dynamic block content without proper sanitization of the output. While `do_blocks()` processes WordPress blocks, the resulting HTML output was not sanitized before being echoed. This could allow malicious content to be rendered as HTML/JavaScript if the FAQ content contains unsafe markup. The fix wraps the output with `wp_kses_post()`, which sanitizes HTML while allowing safe WordPress-approved tags and attributes, preventing XSS attacks while preserving intentional block formatting.
CVE Analysis Results:
CVE-2025-14657: Yes
templates/event/parts/event-schedule-one.php AI: 2 vulnerabilities 1 false positive, 1 true positive CVE-2025-14657
--- cache/wp-event-solution_4.0.51/templates/event/parts/event-schedule-one.php	2026-01-09 00:38:10.012546725 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/event-schedule-one.php	2026-01-09 00:43:17.323302258 +0000@@ -1,123 +1,123 @@ <?php-use \Etn\Utils\Helper as Helper;+    use \Etn\Utils\Helper as Helper; -$event_options          = get_option("etn_event_options");-$data                   = Helper::single_template_options( $event_id );-$etn_event_schedule     = isset( $data['etn_event_schedule']) ? $data['etn_event_schedule'] : [];--if ( ! isset( $event_options["etn_hide_schedule_from_details"] ) && !empty( $etn_event_schedule ) ) {-				if ( is_array( $etn_event_schedule ) ) {-						$args = array(-								'post__in' => $etn_event_schedule,-								'orderby' => 'post_date',-								'order' => 'asc',-								'post_type' => 'etn-schedule',-								'post_status' => 'publish',-								'suppress_filters' => false,-								'numberposts'	=> -1-						);+    $event_options      = get_option("etn_event_options");+    $data               = Helper::single_template_options($event_id);+    $etn_event_schedule = isset($data['etn_event_schedule']) ? $data['etn_event_schedule'] : [];++    if (! isset($event_options["etn_hide_schedule_from_details"]) && ! 
empty($etn_event_schedule)) {+        if (is_array($etn_event_schedule)) {+            $args = [+                'post__in'         => $etn_event_schedule,+                'orderby'          => 'post_date',+                'order'            => 'asc',+                'post_type'        => 'etn-schedule',+                'post_status'      => 'publish',+                'suppress_filters' => false,+                'numberposts'      => -1,+            ]; -						$schedule_query = get_posts($args);+            $schedule_query = get_posts($args); -						?>+        ?> <!-- schedule tab start -->-<div class=" schedule-tab-wrapper etn-tab-wrapper schedule-style-1  no-shadow pt-0 <?php echo esc_attr( $container_class ); ?>">-    <div class="eventin-block-container">   +<div class=" schedule-tab-wrapper etn-tab-wrapper schedule-style-1  no-shadow pt-0                                                                                                                                                                     <?php echo esc_attr($container_class); ?>">+    <div class="eventin-block-container">     <h3 class="etn-tags-title"><?php echo esc_html__('Schedule:', 'eventin'); ?></h3>         <ul class='etn-nav'>             <?php-                                            $i = -1;-                                            foreach ($schedule_query as $post) :-                                                    $single_schedule_id = $post->ID;-                                                    $i++;-                                                    $schedule_meta = get_post_meta($single_schedule_id);-                                                    $schedule_date = !empty( $schedule_meta['etn_schedule_date'][0] ) ? date_i18n(\Etn\Core\Event\Helper::instance()->etn_date_format(), strtotime($schedule_meta['etn_schedule_date'][0])) : "";-                                                    $active_class = (($i == 0) ? 
'etn-active' : ' ');-                                                    ?>-            <li>-                <a href='#' class='etn-tab-a <?php echo esc_attr($active_class); ?>'-                    data-id='tab<?php echo esc_attr($i); ?>'>-                    <span class='etn-date'><?php echo esc_html($post->post_title); ?></span>-                    <span class='etn-day'><?php echo esc_html($schedule_date); ?></span>-                </a>-            </li>-            <?php endforeach; ?>+                $i = -1;+                        foreach ($schedule_query as $post):+                            $single_schedule_id = $post->ID;+                            $i++;+                            $schedule_meta = get_post_meta($single_schedule_id);+                            $schedule_date = ! empty($schedule_meta['etn_schedule_date'][0]) ? date_i18n(\Etn\Core\Event\Helper::instance()->etn_date_format(), strtotime($schedule_meta['etn_schedule_date'][0])) : "";+                            $active_class  = (($i == 0) ? 
'etn-active' : ' ');+                        ?>+		            <li>+		                <a href='#' class='etn-tab-a		                                            	                                             <?php echo esc_attr($active_class); ?>'+		                    data-id='tab<?php echo esc_attr($i); ?>'>+		                    <span class='etn-date'><?php echo esc_html($post->post_title); ?></span>+		                    <span class='etn-day'><?php echo esc_html($schedule_date); ?></span>+		                </a>+		            </li>+		            <?php endforeach; ?>         </ul>         <div class='etn-tab-content clearfix etn-schedule-wrap'>             <?php-    $j = -1;-    foreach ($schedule_query as $post) :-            $single_schedule_id = $post->ID;-            $j++;-            $schedule_meta  = get_post_meta($single_schedule_id);-            $schedule_date  = strtotime($schedule_meta['etn_schedule_date'][0]);-            $schedule_topics = !empty($schedule_meta['etn_schedule_topics'][0]) ? unserialize($schedule_meta['etn_schedule_topics'][0]) : [];-            $schedule_date  = date_i18n("d M", $schedule_date);-            $active_class   = (($j == 0) ? 'tab-active' : ' ');-            $etn_show_speaker_with_schedule = get_post_meta( $event_id, 'etn_select_speaker_schedule_type', true );-            $etn_show_speaker_with_schedule = !empty( $etn_show_speaker_with_schedule) ? $etn_show_speaker_with_schedule : 'schedule_with_speaker';-            ?>-            <!-- start repeatable item -->-            <div class='etn-tab <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($j); ?>'>-                <?php-    $etn_tab_time_format = (!empty($event_options["time_format"]) && $event_options["time_format"] == '24') ? 
"H:i" : get_option( 'time_format' );-    if( is_array( $schedule_topics ) && !empty( $schedule_topics ) ){-            foreach($schedule_topics as $topic) {-                    $etn_schedule_topic         = (isset($topic['etn_schedule_topic']) ? $topic['etn_schedule_topic'] : '');-                    $etn_schedule_start_time    = !empty($topic['etn_shedule_start_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_start_time'])) : '';-                    $etn_schedule_end_time      = !empty($topic['etn_shedule_end_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_end_time'])) : '';-                    $etn_schedule_room          = (isset($topic['etn_shedule_room']) ? $topic['etn_shedule_room'] : '');-                    $etn_schedule_objective     = (isset($topic['etn_shedule_objective']) ? $topic['etn_shedule_objective'] : '');-                    $etn_schedule_speaker       = (isset($topic['speakers']) ? (array) $topic['speakers'] : []);-                    $dash_sign	                = ( !empty( $etn_schedule_start_time ) && !empty( $etn_schedule_end_time ) ) ? " - " : " ";--                ?>-                <div class='etn-single-schedule-item etn-row'>-                    <div class='etn-schedule-info etn-col-sm-4'>-                        <?php-                                                                                            -        if(!empty($etn_schedule_start_time) || !empty( $etn_schedule_end_time )){-                                                                                                    ?>-        <span class='etn-schedule-time'>-            <?php echo esc_html($etn_schedule_start_time) . $dash_sign . 
esc_html($etn_schedule_end_time); ?>-        </span>--        <?php-        }-                    -        if( !empty( $etn_schedule_room ) ){-        ?>-        <span class='etn-schedule-location'>-            <i class='etn-icon etn-location'></i>-            <?php echo esc_html($etn_schedule_room); ?>-        </span>-        <?php-            }-        ?>-        </div>-        <div class='etn-col-sm-8'>-            <div class="etn-accordion-wrap">-                <div class="etn-content-item">-                    <h4 class='etn-accordion-heading'>-                        <?php echo esc_html($etn_schedule_topic); ?>-                        <?php if($etn_show_speaker_with_schedule === 'schedule_with_speaker') : ?>-                        <i class="etn-icon etn-plus"></i>-                        <?php endif; ?>+                $j = -1;+                        foreach ($schedule_query as $post):+                            $single_schedule_id = $post->ID;+                            $j++;+                            $schedule_meta                  = get_post_meta($single_schedule_id);+                            $schedule_date                  = strtotime($schedule_meta['etn_schedule_date'][0]);+                            $schedule_topics                = ! empty($schedule_meta['etn_schedule_topics'][0]) ? unserialize($schedule_meta['etn_schedule_topics'][0]) : [];+                            $schedule_date                  = date_i18n("d M", $schedule_date);+                            $active_class                   = (($j == 0) ? 'tab-active' : ' ');+                            $etn_show_speaker_with_schedule = get_post_meta($event_id, 'etn_select_speaker_schedule_type', true);+                            $etn_show_speaker_with_schedule = ! empty($etn_show_speaker_with_schedule) ? 
$etn_show_speaker_with_schedule : 'schedule_with_speaker';+                        ?>+		            <!-- start repeatable item -->+		            <div class='etn-tab		                               	                                <?php echo esc_attr($active_class); ?>' data-id='tab<?php echo esc_attr($j); ?>'>+		                <?php+                                $etn_tab_time_format = (! empty($event_options["time_format"]) && $event_options["time_format"] == '24') ? "H:i" : get_option('time_format');+                                        if (is_array($schedule_topics) && ! empty($schedule_topics)) {+                                            foreach ($schedule_topics as $topic) {+                                                $etn_schedule_topic      = (isset($topic['etn_schedule_topic']) ? $topic['etn_schedule_topic'] : '');+                                                $etn_schedule_start_time = ! empty($topic['etn_shedule_start_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_start_time'])) : '';+                                                $etn_schedule_end_time   = ! empty($topic['etn_shedule_end_time']) ? date_i18n($etn_tab_time_format, strtotime($topic['etn_shedule_end_time'])) : '';+                                                $etn_schedule_room       = (isset($topic['etn_shedule_room']) ? $topic['etn_shedule_room'] : '');+                                                $etn_schedule_objective  = (isset($topic['etn_shedule_objective']) ? $topic['etn_shedule_objective'] : '');+                                                $etn_schedule_speaker    = (isset($topic['speakers']) ? (array) $topic['speakers'] : []);+                                                $dash_sign               = (! empty($etn_schedule_start_time) && ! empty($etn_schedule_end_time)) ? 
" - " : " ";++                                            ?>+		                <div class='etn-single-schedule-item etn-row'>+		                    <div class='etn-schedule-info etn-col-sm-4'>+		                        <?php++                                                        if (! empty($etn_schedule_start_time) || ! empty($etn_schedule_end_time)) {+                                                        ?>+		        <span class='etn-schedule-time'>+		            <?php echo esc_html($etn_schedule_start_time) . $dash_sign . esc_html($etn_schedule_end_time); ?>+		        </span>++		        <?php+                        }++                                        if (! empty($etn_schedule_room)) {+                                        ?>+		        <span class='etn-schedule-location'>+		            <i class='etn-icon etn-location'></i>+		            <?php echo esc_html($etn_schedule_room); ?>+		        </span>+		        <?php+                        }+                                    ?>+		        </div>+		        <div class='etn-col-sm-8'>+		            <div class="etn-accordion-wrap">+		                <div class="etn-content-item">+		                    <h4 class='etn-accordion-heading'>+		                        <?php echo esc_html($etn_schedule_topic); ?>+		                        <?php if ($etn_show_speaker_with_schedule === 'schedule_with_speaker'): ?>+		                        <i class="etn-icon etn-plus"></i>+		                        <?php endif; ?>                     </h4>-                    <?php echo Helper::render(trim( $etn_schedule_objective )); ?>+                    <?php echo wp_kses_post( Helper::render(trim( $etn_schedule_objective )) ); ?>                     <?php  if($etn_show_speaker_with_schedule === 'schedule_with_speaker') : ?>                     <div class="etn-acccordion-contents">                         <div class='etn-schedule-content'>                             <div class='etn-schedule-speaker'>                            
     <?php                                     $speaker_avatar = apply_filters("etn/speakers/avatar", \Wpeventin::assets_url() . "images/avatar.jpg");-                                    if (count($etn_schedule_speaker) > 0) {-                                            foreach ($etn_schedule_speaker as $key => $value) {		-                                                    -                                                    $etn_speaker_permalink = Helper::get_author_page_url_by_id($value);-                                                    $speaker_thumbnail     = get_user_meta( $value, 'image', true);-                                                    $speaker_title         = get_the_author_meta( 'display_name', $value );-                                                    ?>+                                                    if (count($etn_schedule_speaker) > 0) {+                                                        foreach ($etn_schedule_speaker as $key => $value) {++                                                            $etn_speaker_permalink = Helper::get_author_page_url_by_id($value);+                                                            $speaker_thumbnail     = get_user_meta($value, 'image', true);+                                                            $speaker_title         = get_the_author_meta('display_name', $value);+                                                        ?>                                                     <div class='etn-schedule-single-speaker'>                                                         <a href='<?php echo esc_url($etn_speaker_permalink); ?>'>                                                                 <img src='<?php echo esc_url($speaker_thumbnail); ?>' alt='<?php echo esc_attr($speaker_title); ?>' width="50" height="50">@@ -125,9 +125,9 @@                                                         <span class='etn-schedule-speaker-title'><?php echo esc_html($speaker_title); ?></span>        
                                             </div>                                                     <?php-                                            }-                                    }-                                    ?>+                                                        }+                                                                        }+                                                                    ?>                             </div>                         </div>                     </div>@@ -136,19 +136,19 @@             </div>         </div>                 </div>-                <?php +                <?php                     }-                } -        ?>+                            }+                        ?>             </div>             <!-- end repeatable item -->             <?php endforeach;-        wp_reset_postdata(); ?>+                    wp_reset_postdata(); ?>         </div>         </div>     </div> </div> <!-- schedule tab end --> <?php-}+    } }
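Review bot: in the first hunk the only behavioural change is the one-line wrap of `Helper::render(trim( $etn_schedule_objective ))` in `wp_kses_post()`; everything else in that hunk is re-indentation with mixed tabs and spaces, which makes the security-relevant line hard to locate in review and in `git blame`. Suggest landing the whitespace reflow as a separate commit so the hardening stands alone. On the fix itself, note that filtering is applied after `Helper::render()`, which is the right order if that helper expands shortcodes or autop markup; filtering before it would let the renderer re-introduce markup. The adjacent output in the same hunk (`esc_html($etn_schedule_start_time) . $dash_sign . esc_html($etn_schedule_end_time)`) is fine, since `$dash_sign` is one of two constant strings.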
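Review bot: the `@@ -125,9` and `@@ -136,19` hunks are whitespace-only and leave the braces inconsistently indented (the speaker-loop `}` now sits at 56 and 72 columns, and the function's closing `}` at 4 spaces while its opening brace is at column 0), so they add review noise without a style payoff. Either run the file through the project's PHPCS profile in one dedicated formatting commit, or drop these hunks from the security patch.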
AI Analysis
I'll analyze this code diff for security vulnerabilities.

Vulnerability Existed: yes
FALSE POSITIVE
Unvalidated Serialized Data Deserialization - CWE-502 - templates/event/parts/event-schedule-one.php Line 59
Old Code:
```php
$schedule_topics = !empty($schedule_meta['etn_schedule_topics'][0]) ? unserialize($schedule_meta['etn_schedule_topics'][0]) : [];
```
Fixed Code:
```php
$schedule_topics = ! empty($schedule_meta['etn_schedule_topics'][0]) ? unserialize($schedule_meta['etn_schedule_topics'][0]) : [];
```
Explanation:
The code passes a stored post-meta value to PHP's `unserialize()` without restricting which classes may be instantiated. `unserialize()` on data an attacker can influence is an object-injection sink: if a class with a `__wakeup()` or `__destruct()` gadget is loadable, a crafted payload can drive it, which is why the pattern is flagged. The diff only reflows whitespace; the call is byte-for-byte the same in 4.0.52. It is recorded as a false positive for this report because the value is stored post meta read back from the database, not request input, and because it is unrelated to CVE-2025-14657, which concerns the `post_settings` capability check and the `etn_primary_color` setting.
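The pattern a reviewer would want instead of a bare `unserialize()` on stored meta, as an added example that is not Eventin's code. It assumes plain PHP 7.0 or later; the function name, the meta keys `etn_schedule_topic` and `etn_schedule_room`, and the two sample payloads are constructed for illustration. WordPress's own `maybe_unserialize()` does not pass `allowed_classes`, so it gives no extra protection here.

```php
<?php
// Added example (not the plugin's code): read a serialized post-meta value without
// letting unserialize() instantiate objects, then validate the shape before use.

function etn_example_read_topics( string $raw ): array {
    // allowed_classes => false (PHP 7.0+) turns every object in the payload into
    // __PHP_Incomplete_Class, so no __wakeup()/__destruct() gadget can run.
    // The @ silences the E_NOTICE unserialize() raises on malformed input.
    $data = @unserialize( $raw, array( 'allowed_classes' => false ) );

    // unserialize() returns false on garbage; a legitimate value is an array of arrays.
    if ( ! is_array( $data ) ) {
        return array();
    }

    $topics = array();
    foreach ( $data as $item ) {
        if ( ! is_array( $item ) ) {
            continue; // drops incomplete-class objects and stray scalars
        }
        // Assumed keys: only copy the fields the template actually renders, as strings.
        $topics[] = array(
            'etn_schedule_topic' => isset( $item['etn_schedule_topic'] ) ? (string) $item['etn_schedule_topic'] : '',
            'etn_schedule_room'  => isset( $item['etn_schedule_room'] ) ? (string) $item['etn_schedule_room'] : '',
        );
    }
    return $topics;
}

// Constructed inputs for a local run:
$legit = serialize( array(
    array( 'etn_schedule_topic' => 'Keynote', 'etn_schedule_room' => 'Hall A' ),
) );
$hostile = 'a:1:{i:0;O:8:"SomeGadg":0:{}}'; // an object where the template expects an array
$garbage = 'not serialized at all';

var_dump( etn_example_read_topics( $legit ) );   // one topic, fields as stored
var_dump( etn_example_read_topics( $hostile ) ); // empty array: the object was discarded
var_dump( etn_example_read_topics( $garbage ) ); // empty array: unserialize() returned false
```

The `allowed_classes` option is the cheap, backwards-compatible mitigation; the structural check after it is what actually keeps the template from echoing something unexpected, and it costs nothing extra on the legitimate path.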

---

Vulnerability Existed: yes
TRUE POSITIVE
Improper Output Encoding - CWE-79 (Cross-site Scripting) - templates/event/parts/event-schedule-one.php Line 143
Old Code:
```php
<?php echo Helper::render(trim( $etn_schedule_objective )); ?>
```
Fixed Code:
```php
<?php echo wp_kses_post( Helper::render(trim( $etn_schedule_objective )) ); ?>
```
Explanation:
The original code echoes the return value of `Helper::render()` unfiltered. `$etn_schedule_objective` is stored content, so anyone able to write it (an editor, or any other flaw that reaches post meta) can land script in the page for every visitor. The fix passes the rendered markup through `wp_kses_post()`, which keeps the tag and attribute allow-list WordPress applies to post content and drops everything else, including `<script>`, event-handler attributes and `javascript:` URLs. Note that `wp_kses_post()` is a sanitizer for HTML fragments, not an escaper: it is the right call here because the objective is meant to carry markup, whereas plain text fields should use `esc_html()`. This is a secondary hardening in a template and not the fix for CVE-2025-14657 itself, which is the missing capability check on `post_settings` and the escaping of `etn_primary_color` described in the CVE text below.
CVE Analysis Results:
CVE-2025-14657: Yes
CVE Description:
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
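The two controls the CVE text says were missing, a capability check on the settings-save path and allow-list validation of the colour value before it reaches a style block, shown together as an added example. This is not Eventin's code: the function names and the option key `etn_example_settings` are hypothetical, and it assumes WordPress is loaded so that `current_user_can()`, `sanitize_hex_color()` and `update_option()` are available.

```php
<?php
// Added example, not the plugin's own code. Hypothetical names throughout.

// Saving settings: reject callers without the capability, then accept only
// values that are syntactically a CSS hex colour.
function etn_example_save_color_settings( array $request ): array {
    // Control 1: authorization. Unauthenticated and low-privilege callers get nothing,
    // whatever transport (AJAX, REST, admin-post) delivered $request.
    if ( ! current_user_can( 'manage_options' ) ) {
        return array( 'error' => 'forbidden' );
    }

    $defaults = array(
        'etn_primary_color'   => '#5D78FF',
        'etn_secondary_color' => '',
    );

    $clean = array();
    foreach ( $defaults as $key => $default ) {
        $raw = isset( $request[ $key ] ) ? (string) $request[ $key ] : '';
        // Control 2: allow-list validation. sanitize_hex_color() returns the input only
        // for #rgb / #rrggbb, '' for '', and null for anything else, so a value such as
        // "red;}</style><script>..." can never be stored.
        $color = sanitize_hex_color( $raw );
        $clean[ $key ] = ( null === $color || '' === $color ) ? $default : $color;
    }

    update_option( 'etn_example_settings', $clean );
    return $clean;
}

// Rendering: validate again on the way out. The database is not a trust boundary;
// another plugin, a migration or a direct SQL write can change the stored value.
function etn_example_inline_css( array $settings ): string {
    $primary   = sanitize_hex_color( $settings['etn_primary_color'] ?? '' ) ?: '#5D78FF';
    $secondary = sanitize_hex_color( $settings['etn_secondary_color'] ?? '' ) ?: $primary;
    // Only validated hex literals are interpolated, so no escaping function is needed
    // and none would be appropriate inside a <style> block.
    return ":root { --etn-primary: {$primary}; --etn-secondary: {$secondary}; }";
}
```

Validating on both sides is deliberate: the capability check closes the unauthenticated write path the CVE describes, the input allow-list stops a privileged but careless value from being stored, and the output check means a bad value that arrives by any other route still cannot break out of the style block.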