21 Nov 2023

Information Disclosure Vulnerability Fixed in The Events Calendar

The changelog entry for the latest version of the 700,000+ install WordPress plugin The Events Calendar suggests that a security fix was made:

Security – Ensure all password protected posts have their settings respected. [TCMN-167]

As at least one of our customers uses that plugin, we reviewed the changes to confirm that a security issue had been addressed and that the fix was complete. We found that the changelog entry refers to the plugin no longer including schema.org event data (output as JSON-LD) in the source code of password protected frontend pages.

The change involved the following code added to the function get_data() in the file /common/src/Tribe/JSON_LD/Abstract.php:

// Double check that the user can read this post.
if ( ! current_user_can( 'read', $post->ID ) ) {
	return [];
}

// Ensure this post is not password protected.
if ( post_password_required( $post ) ) {
	return [];
}

Each check returns an empty array, so none of the rest of the function runs, when the visitor lacks the capability being checked or when the post requires a password that the visitor has not supplied. The rest of the function generates the schema.org event data that would otherwise be emitted in the page's source code. Two details of the checks are worth noting. post_password_required() returns false once the visitor has entered the correct password (WordPress records that in a wp-postpass_ cookie), so the data is withheld only from visitors who have not unlocked the post, not from everyone viewing a password protected post. And 'read' is a primitive capability rather than the read_post meta capability that takes a post ID; in WordPress core's capability handling a logged-out visitor has no capabilities at all, so as written the first check also returns an empty array for every anonymous request, whether or not the post is protected.
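A site owner who wants to confirm the leak is actually closed on their own site can fetch a password protected event page without the post password and look for Event JSON-LD in the HTML. The following script is an added example written for this post, not code from The Events Calendar or from the plugin's changelog. It assumes the plugin prints its schema.org data in script type="application/ld+json" blocks whose objects carry "@type":"Event", and that WordPress's password form contains an input named post_password; the two sample pages embedded in it are constructed to mimic a protected event page before and after the fix, not captured from a real site.

```python
"""Check whether a password protected WordPress page still embeds schema.org
Event JSON-LD in its HTML source when fetched without the post password."""
import json
import re
import sys
from urllib.request import Request, urlopen

# JSON-LD blocks are emitted as <script type="application/ld+json">...</script>;
# other attributes may appear before or after the type attribute.
_LD_JSON_RE = re.compile(
    r'<script\b[^>]*\btype=["\']application/ld\+json["\'][^>]*>(.*?)</script>',
    re.IGNORECASE | re.DOTALL,
)


def extract_jsonld(html):
    """Return every JSON-LD value found in the page, one entry per script block.

    Blocks that are not valid JSON are skipped rather than reported, so a
    broken block never counts as a finding.
    """
    found = []
    for raw in _LD_JSON_RE.findall(html):
        try:
            data = json.loads(raw.strip())
        except json.JSONDecodeError:
            continue
        found.extend(data if isinstance(data, list) else [data])
    return found


def _nodes_of_type(node, wanted):
    """Yield every dict whose @type includes `wanted`, descending into @graph and
    any nested dict or list (a Place inside an Event, an Event inside a graph)."""
    if isinstance(node, dict):
        declared = node.get("@type")
        if wanted in (declared if isinstance(declared, list) else [declared]):
            yield node
        for value in node.values():
            yield from _nodes_of_type(value, wanted)
    elif isinstance(node, list):
        for item in node:
            yield from _nodes_of_type(item, wanted)


def event_names(html):
    """Names of all schema.org Event objects present in the HTML source."""
    return [ev.get("name") for top in extract_jsonld(html)
            for ev in _nodes_of_type(top, "Event")]


def password_form_shown(html):
    """WordPress swaps protected content for a form that posts a post_password field."""
    return 'name="post_password"' in html


def leaks_event_data(html):
    """True when the page demands a password yet still embeds Event JSON-LD."""
    return password_form_shown(html) and bool(event_names(html))


def fetch_as_anonymous(url, timeout=15):
    """Fetch like a visitor who never entered the password: no cookies are sent,
    so a wp-postpass_ cookie cannot satisfy post_password_required()."""
    req = Request(url, headers={"User-Agent": "jsonld-leak-check/1.0"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample pages (not captured from a real site): the first mimics a
# protected event page before the fix, the second the same page after it.
_PASSWORD_FORM = (
    '<form class="post-password-form" method="post" action="/wp-login.php?action=postpass">'
    '<p>This content is password protected. To view it please enter your password below:</p>'
    '<label>Password: <input name="post_password" type="password"></label>'
    '<input type="submit" value="Enter"></form>'
)
_EVENT_JSONLD = (
    '<script type="application/ld+json">[{"@context":"http://schema.org",'
    '"@type":"Event","name":"Private board dinner",'
    '"startDate":"2023-12-01T19:00:00+00:00",'
    '"location":{"@type":"Place","name":"Unlisted venue","address":"1 Example Street"}}]'
    '</script>'
)
VULNERABLE_HTML = "<html><head>" + _EVENT_JSONLD + "</head><body>" + _PASSWORD_FORM + "</body></html>"
FIXED_HTML = "<html><head></head><body>" + _PASSWORD_FORM + "</body></html>"


if __name__ == "__main__":
    # Usage: python check_jsonld_leak.py https://example.com/event/protected-event/
    # With no URL the constructed vulnerable sample is checked instead.
    page = fetch_as_anonymous(sys.argv[1]) if len(sys.argv) > 1 else VULNERABLE_HTML
    names = event_names(page)
    if leaks_event_data(page):
        print("LEAK: password form shown but Event data present:", names)
    elif password_form_shown(page):
        print("OK: password form shown and no Event data in source")
    else:
        print("Not a protected page (or password already accepted); Events:", names)
```

Run it against the URL of a protected event while logged out of WordPress; the script deliberately sends no cookies, since a browser that has already unlocked the post would carry the wp-postpass_ cookie and make a still-vulnerable page look fixed. Because the fix gates on post_password_required() rather than on whether the post has a password at all, a leak shows up only in the unauthenticated request, which is why the check is built around that request and not around the post's settings.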
