Hey folks! We’ve found a particularly nasty bug within Event Tickets but have patched it up and are eager to get this latest update in your hands.
We discovered that it was possible for a malicious formula (payload) to be injected into the data when completing the Full Name section of the ticket purchase form. Essentially, this opens up a potential scenario where downloading the attendee data CSV file from the WordPress admin and opening the file could trigger malicious code to run on a computer. Even though there were no reports of this actually happening and Excel will indeed warn you before running any of the code, we saw the possibility and decided to patch it up before it could become a thing.
In most cases, you will be able to take advantage of automated updates directly in WordPress to get this latest release, but if that’s unavailable for any reason, you can download Event Tickets 22.214.171.124 from the downloads page in your account and then update manually.
Event Tickets 126.96.36.199
- Fix – Exclude formulas when exporting attendee reports to CSV.
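
One way to keep exported cells from being evaluated as formulas, shown as an added example that is not Event Tickets' own code or its actual patch. The function names and sample rows are hypothetical, and the mitigation (an apostrophe prefixed to any cell that starts with `=`, `+`, `-`, `@`, tab or carriage return, as OWASP describes for CSV injection) is an assumption about how such a fix can be done.

```php
<?php
// Added example: hypothetical helpers, not code from the Event Tickets plugin.

/**
 * Return the cell unchanged unless a spreadsheet would treat it as a formula,
 * in which case prefix an apostrophe so it is read as plain text.
 */
function neutralize_csv_cell($value): string
{
    $value = (string) $value;
    // Leading characters that Excel, LibreOffice or Google Sheets evaluate.
    $triggers = ['=', '+', '-', '@', "\t", "\r"];

    if ($value !== '' && in_array($value[0], $triggers, true)) {
        // Trade-off: legitimate values such as "-5" are prefixed too.
        return "'" . $value;
    }
    return $value;
}

/**
 * Build the CSV in memory, neutralizing every cell before it is written.
 * fputcsv() still handles quoting of commas, quotes and newlines.
 */
function export_attendees_csv(array $rows): string
{
    $out = fopen('php://temp', 'r+');
    foreach ($rows as $row) {
        fputcsv($out, array_map('neutralize_csv_cell', $row), ',', '"', '\\');
    }
    rewind($out);
    $csv = stream_get_contents($out);
    fclose($out);
    return $csv;
}

// Constructed sample data: the third row carries a harmless formula
// in the Full Name field, standing in for an injected one.
$attendees = [
    ['Full Name', 'Email', 'Ticket'],
    ['Jane Doe', 'jane@example.com', 'General Admission'],
    ['=1+1', 'attendee@example.com', 'General Admission'],
    ['O"Neil, Pat', 'pat@example.com', 'VIP'],
];

echo export_attendees_csv($attendees);
```

Opened in a spreadsheet, the third row's name column shows the literal text `=1+1` rather than the computed value `2`.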
Not Updated This Release
The following plugins have not been updated this release and will remain at the version numbers specified here: