garethsprice
Forum Replies Created
Forum: Plugins
In reply to: [Custom Content Type Manager] Vulnerability on auto-update.php
Our ISP reports that this file was used to upload a malicious /wp-options.php file – it appears as though there is a serious vulnerability in the auto-update.php file, and a script that downloads an arbitrary file without doing any input validation is extremely dangerous.
This functionality should not be necessary – WordPress provides an update mechanism for plugins already?
We removed the file from our repository and recommend that anyone else using this plugin do so also.
@willem – this patch only excludes specific post types. To show one post type only, enter all the other post types into the exclude list.
The 678,6-679,10 numbers are because this is a patch for the existing plugin that you will need to apply using GNU diff from the command line. The numbers indicate which line numbers have been modified in the file.
Forum: Plugins
In reply to: [Redirection] htaccess referer output is incorrectly escaped
Noting that with the above workaround you need to leave “Regex” unchecked, as htaccess Regexes are passed straight through to the file.
This happened to me too. There’s a screencast at https://wp-events-plugin.com/news/upgrade-issues-screencast-walkthrough/ but that did not work for me – my event listing page still read “no events”.
Edit: Tried downgrading to 3.0.98, events displayed but could not save as it threw an error.
Investigated further, could create new events and they would show up.
Looked into the database and found that my v3 events did not have the blog_id column set. Ran “UPDATE wp_11_em_events SET blog_id=11” in MySQL to set the blog_id and events now show up.
Seems redundant to have the blog_id set as it can be determined from the table name or WordPress API??