|
James Murrin
|
July 15, 2021 at 5:40 am
Hello,
I’ve just received an email from WPEngine to say that my site is running a vulnerable version of the Event Espresso Core plugin.
Researching through the links given in that email, though, it seems that this vulnerability was fixed in version 4.10.7 (pls see https://wpscan.com/vulnerability/923e6ddc-163b-48b0-96e9-ee9180d2f856).
I am running version 4.10.10.p and I would prefer not to upgrade, if possible, because the website is live selling tickets at the moment.
Please could you advise whether I need to upgrade the core plugin, or can I leave it until after the live event finishes (10 days’ time).
Thank you for your help.
Dee
|
|
Tony
|
July 15, 2021 at 5:57 am
Hi Dee,
If you are running 4.10.10.p then this should already be fixed on your site and confirming this is fairly simple if you have FTP or File Manager access.
On the site go to /wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/
Do you see an ee_msg_admin_overview.template.php file there? (You shouldn’t) If not, the above is a false positive.
(I’ve already tested your site using the proof of concept provided and didn’t reproduce, so I think this is correct, but you should check all the same)
Without meaning for this to come across the wrong way, 4.10.10.p was released December 10th, 2020 and you’ve been running it on the site since at least then so I’d say 10 days is unlikely to change anything. I do, however, recommend you update when you can do so 🙂
|
|
James Murrin
|
July 15, 2021 at 11:59 am
Hi Tony, very helpful, thank you for checking & for your feedback.
Kind regards
Dee
|
