My site is using the events calendar plugin and recently had a security scan. The scan noted 2 issues: Directory Traversal & XML Injection vulnerabilities. Please note that there has been no customization to the events calendar on our site. Also, I update WP Core and the plugins monthly. This is a very normal instance of the events calendar plugin.
Directory Traversal:
It noted that the following path was affected:
- /events/ with parameter tribe-events-views[tribe-bar-search]
I checked Events Calendar documentation and could not find any issues pertaining to security, nor remediations for this. As of writing, the plugins are up to date and are always updated each month.
XML Injection:
It noted that the following paths were affected:
- /events/ical
- /events/category/national/list/ical
Again, no documentation or remediations around XML Injection concerns with events calendar.
Perhaps these are false positives? Or perhaps there is a solution out there I haven’t found?