A recent WordPress security update that bundles multiple security fixes is also breaking some sites, prompting one developer to exclaim, “This is chaos!!”
The update removed key functionality, which caused numerous plugins to stop working on sites that use the WordPress blocks system.
Affected plugins ranged from forms to sliders to breadcrumbs.
Update: WordPress Releases 6.2.2 To Fix Version 6.2.1
WordPress released an update late on Friday to address the flawed security patch introduced in version 6.2.1.
The announcement stated:
“WordPress 6.2.2 is a rapid response release to address a regression in 6.2.1 and further patch a vulnerability addressed in 6.2.1.”
WordPress publishers affected by the shortcodes bug introduced in the previous update may wish to consider updating to the latest version.
WordPress 6.2.1 Update
Sites that support automatic background updates received the WordPress 6.2.1 update automatically because it was a security release (officially, a maintenance and security release).
According to the official WordPress release announcement, the update contained five security fixes:
- “Block themes parsing shortcodes in user generated data;…
- A CSRF issue updating attachment thumbnails; reported by John Blackbourn of the WordPress security team
- A flaw allowing XSS via open embed auto discovery; reported independently by Jakub Żoczek of Securitum and during a third party security audit
- Bypassing of KSES sanitization in block attributes for low privileged users; discovered during a third party security audit.
- A path traversal issue via translation files; reported independently by Ramuel Gall and during a third party security audit.”
The problem arises from the first security fix, the one affecting shortcodes in block themes.
A shortcode is a single line of code that acts like a stand-in or placeholder for code that provides functionality like a contact form.
So instead of configuring a contact form on every page the form appears on, one can simply put a single line called a shortcode which will then embed a contact form.
Unfortunately, it was discovered that attackers could get shortcodes executed from within user-generated content (such as blog comments), which could then lead to an exploit.
WordFence describes the vulnerability:
“WordPress Core processes shortcodes in user-generated content on block themes in versions up to, and including, 6.2.
This could allow unauthenticated attackers to execute shortcodes via submitting comments or other content, allowing them to exploit vulnerabilities that typically require Subscriber or Contributor-level permissions.”
WordFence goes on to explain that the vulnerability acts as a stepping stone: on its own it is a flaw, but it lets an attacker reach other, more severe vulnerabilities that would normally require higher privileges.
The solution to the shortcode vulnerability was to entirely remove the shortcode functionality from WordPress block templates.
The official documentation for the vulnerability fix explained:
“Remove shortcode support from block templates.”
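To make the ordering problem concrete, here is an added illustration (not WordPress core code and not the workaround discussed on this page) of a minimal shortcode registry and expander modelled on the WordPress `[tag attr="value"]` syntax. The function names `register_shortcode`, `expand_shortcodes`, `render_vulnerable` and `render_safe`, the `contact_form` handler, and the sample template and comment are all constructed for this example and are assumptions, not WordPress APIs. It shows why running the expander over a fully assembled page, comments included, lets an anonymous visitor's text trigger a shortcode, whereas expanding only the trusted template and inserting the escaped comment afterwards leaves the visitor's brackets as literal text.

```php
<?php
// Added illustration, not WordPress core code. A tiny shortcode registry and
// expander modelled on the WordPress [tag attr="value"] syntax, used to show
// why shortcodes must be expanded only in trusted (author-written) content.
declare(strict_types=1);

/** @var array<string, callable> registered handlers keyed by tag (assumed name) */
$shortcodes = [];

// Hypothetical stand-in for WordPress's add_shortcode().
function register_shortcode(array &$registry, string $tag, callable $handler): void
{
    $registry[strtolower($tag)] = $handler;
}

// Hypothetical stand-in for WordPress's do_shortcode(): finds [tag key="value"]
// occurrences and replaces each one with its handler's output.
function expand_shortcodes(array $registry, string $content): string
{
    return preg_replace_callback(
        '/\[([a-z0-9_]+)((?:\s+[a-z0-9_]+="[^"]*")*)\s*\]/i',
        static function (array $m) use ($registry): string {
            $tag = strtolower($m[1]);
            if (!isset($registry[$tag])) {
                return $m[0]; // unknown tag: leave the literal text untouched
            }
            $attrs = [];
            if (preg_match_all('/([a-z0-9_]+)="([^"]*)"/i', $m[2], $pairs, PREG_SET_ORDER)) {
                foreach ($pairs as $p) {
                    $attrs[strtolower($p[1])] = $p[2];
                }
            }
            return ($registry[$tag])($attrs);
        },
        $content
    );
}

// A benign handler standing in for a form, slider or breadcrumb plugin.
register_shortcode($shortcodes, 'contact_form', static function (array $attrs): string {
    $id = htmlspecialchars($attrs['id'] ?? 'default', ENT_QUOTES);
    return '<form data-form-id="' . $id . '"><!-- form markup --></form>';
});

// Constructed sample data: a trusted block template and an untrusted comment.
$template = '<main>[contact_form id="7"]</main>' . "\n"
          . '<section class="comments">{{COMMENTS}}</section>';
$comment  = 'Nice post! [contact_form]';   // text submitted by an anonymous visitor

// Vulnerable ordering: assemble the whole page first, then run the expander
// over all of it, so the shortcode inside the comment fires too.
function render_vulnerable(array $registry, string $template, string $comment): string
{
    $page = str_replace('{{COMMENTS}}', htmlspecialchars($comment, ENT_QUOTES), $template);
    return expand_shortcodes($registry, $page);
}

// Safe ordering: expand shortcodes only in the trusted template, then insert
// the escaped comment, so the visitor's brackets are shown literally.
function render_safe(array $registry, string $template, string $comment): string
{
    $page = expand_shortcodes($registry, $template);
    return str_replace('{{COMMENTS}}', htmlspecialchars($comment, ENT_QUOTES), $page);
}

echo "VULNERABLE ORDERING:\n" . render_vulnerable($shortcodes, $template, $comment) . "\n\n";
echo "SAFE ORDERING:\n" . render_safe($shortcodes, $template, $comment) . "\n";
```

Run with `php example.php`: in the vulnerable ordering the comments section contains a second rendered form, while in the safe ordering it contains the literal text `[contact_form]`. The 6.2.1 fix took the blunt route of dropping shortcode expansion from block templates altogether, which is why any workaround that reintroduces expansion over the rendered page brings the original problem back.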
Someone created a workaround to restore the shortcode support in WordPress block templates.
But the workaround also restored the vulnerability:
“For those who want to stay on 6.2.1 and need to restore the support for shortcodes on templates, you can try this workaround.
…But be aware that support was removed for fixing a security issue, and by restoring shortcode support you are probably bringing back the security issue.”
Disabling shortcode support caused some sites to stop working altogether.
So adding the workaround until a more permanent solution was found made sense for many users.
WordPress Developers Call Fix “Insane” and “Dumb”
WordPress developers reported their frustration with the update.
One person wrote:
“…it’s absolutely insane to me that shortcodes have been removed by design!! Every single one of our agency’s FSE sites uses the shortcode block in templates for everything: filters, search, ACF & plugin integrations. This is chaos!!
The workaround doesn’t seem to work for me. Going to revert to a previous version and hope there is a fix.”
Another person posted:
“Yeah I don’t get the Gutenberg hate, but the very least they should have disallowed some blocks like Shortcode they were phasing out in the Full Site Editor.
That was dumb of the WP devs.
People are going to use the old ways unless you tell them otherwise or guide them to new stuff.
But as I said, what would have been better is to build a bridge via say, an official PHP block – or indeed listening to what users and devs want.”
One of the notable plugins affected was Rank Math. Its breadcrumb functionality failed on block themes after the 6.2.1 update.
A Rank Math support page contained a request for a fix from a Rank Math plugin user.
Rank Math support recommended adding a workaround fix. Unfortunately, that workaround fix not only restores shortcode functionality, it also restores the vulnerability.
The update also broke the Smart Slider 3 plugin.
A support thread was opened at the Smart Slider 3 plugin page:
“Not totally your fault, but Automattic has decided to pull shortcodes from block templates. …claiming a ‘security issue’ but basically nuking two plugins I use, yours included.
That means your plugin just shows [smartslider3 slider=”6″] when used in a FSE template. But it shows fine in the FSE editor!
Just thought you might want to know, before the confused people that Automattic SHOULD have informed start blaming you. They shouldn’t just remove functionality like that – it’s like the bad old days all over again.
I now have to also work out how to plug in some form/PHP code to put category lists into search boxes. Grr.”
The Smart Slider 3 support team recommended adding the workaround fix.
Others in the WordPress.org support thread about the issue came up with solutions. If your site is affected then it may be helpful to read the discussion.
Read the WordPress Support Page About the Shortcodes Issue
Featured image by Shutterstock/ViChizh