I’m releasing an update to My Calendar today as part of a coordinated security release affecting dozens of major plug-ins in the WordPress.org repository. If you’re currently running any version in the 2.3.x branch of My Calendar, your site is vulnerable. If you’re on an older version of My Calendar, you are not vulnerable to this security issue, but you may be vulnerable to a security issue I fixed in version 2.3.10.
My recommendation is that all users should upgrade as soon as possible.
The issue has been extensively documented by some of the other affected plug-ins, so I won’t go into those details here. What is specific to My Calendar is that these vulnerabilities only apply to authenticated users in the admin; there is no front-end vulnerability.
Because there is no front-end vulnerability, I have opted out of automated updates. An automated update would force all users on the 2.3.x branch onto the latest version. While I firmly believe that all users running any version of 2.3.x should be running the most recent version of My Calendar, there is a risk that upgrade routines won’t run during a forced automatic upgrade, which could cause problems for users on versions older than 2.3.15.
Read more about this vulnerability:
- Easy Digital Downloads Security Update
- Jetpack Security Update
- Yoast Coordinated Security Release
- Sucuri.net Article on XSS vulnerability
This security issue became so widespread due to ambiguous documentation, which included example implementations of the functions that were vulnerable. The documentation has been fixed, but this is a great example of the dangers of incomplete code examples.
Thanks to Joost de Valk for getting the coordination process started and the WordPress Security team for keeping all the balls in the air coordinating dozens of plug-in authors and a core update. Thank you!