pretix

Security release 1.0.6 of our WordPress plugin

Oct. 9, 2024

We have received a report about a security issue in our WordPress plugin pretix-widget. We therefore just released version 1.0.6 of the plugin that fixes this problem. It is strongly recommended that you update your installation as soon as possible.

#1: Local File Inclusion [HIGH]

CVE ID: CVE-2024-9575

By manually crafting an invalid internal state of the plugin's block element (e.g. through the browser developer tools), an attacker can cause arbitrary .php files on the system to be included on the page, including via directory traversal. However, we have only been able to reproduce this problem on WordPress installations running on a Windows machine, since on Linux the directory traversal fails due to the way paths with non-existent components are handled.

Severity rating: Since this theoretically allows for a privilege escalation within the WordPress application, we assess the severity of this issue as high.

Affected versions: Plugin versions 1.0.0 through 1.0.5 are affected.

This issue has been found by João Pedro Soares de Alcântara (Kinorth) and reported through Patchstack.
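To illustrate the class of fix involved, here is an added example of how a block render callback can map untrusted block state to a PHP partial without ever including a caller-chosen path. This is not the pretix-widget code and does not show the actual fix; the attribute name `template`, the allowlist entries and the `templates` directory are assumptions for the illustration. The important property is that the value is matched against a fixed allowlist before any filesystem call, so the OS-specific path semantics that made this issue Windows-only never come into play.

```php
<?php
// Added example, not pretix-widget code. Shows a safe way for a block render
// callback to turn an attribute (assumed name: "template") into a PHP partial,
// so that a crafted block state cannot reach arbitrary .php files.

// Allowlist of partials the block may render (hypothetical names).
const PRETIX_EXAMPLE_TEMPLATES = array(
    'button' => 'button.php',
    'widget' => 'widget.php',
);

/**
 * Resolve a block attribute to a file inside the plugin's templates directory.
 * Returns the absolute path, or null if the value is not allowed.
 */
function pretix_example_resolve_template( $template_attr, $templates_dir ) {
    // 1. Exact match against the allowlist. Anything else (including "../",
    //    drive letters or absolute paths) is rejected before touching the disk.
    if ( ! is_string( $template_attr ) || ! isset( PRETIX_EXAMPLE_TEMPLATES[ $template_attr ] ) ) {
        return null;
    }
    $candidate = $templates_dir . DIRECTORY_SEPARATOR . PRETIX_EXAMPLE_TEMPLATES[ $template_attr ];

    // 2. Defense in depth: the resolved path must still sit below the templates
    //    directory. realpath() returns false for missing files, which fails
    //    the check as well; comparing with a trailing separator also rules out
    //    sibling directories that merely share the prefix.
    $base = realpath( $templates_dir );
    $real = realpath( $candidate );
    if ( false === $base || false === $real ) {
        return null;
    }
    if ( strpos( $real, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $real;
}

/**
 * Render callback as a block would register it. Attributes come from block
 * state stored in post content and must be treated as untrusted input.
 */
function pretix_example_render_block( $attributes ) {
    $templates_dir = __DIR__ . '/templates'; // assumed layout
    $file = pretix_example_resolve_template( $attributes['template'] ?? '', $templates_dir );
    if ( null === $file ) {
        return ''; // Render nothing rather than include an unexpected file.
    }
    ob_start();
    include $file;
    return ob_get_clean();
}
```

Note that the allowlist check alone already closes the hole; the `realpath()` comparison is a second, independent guard that does not rely on how the operating system handles non-existent path components.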

If you want to keep updated about bugfix and security releases, you should follow this blog closely. An RSS feed is available and we also announce every blog post on Mastodon.

We take the security of our products very seriously and always go the extra mile to make sure you stay safe. As we are humans, security issues unfortunately still might occur from time to time. We do everything we can to find and fix them as quickly as we can. If you notice any security problems or have any questions on this topic, please contact us in private at security@pretix.eu. We will always treat your message with the appropriate priority.

Raphael Michel

Raphael is the founder and main developer of pretix. He is passionate about user-friendly, elegant software, and when he's not busy building software for conference organizers, he enjoys co-organizing conferences himself.
