A recent WordPress security update that ships several security fixes is also causing some sites to stop working, prompting one developer to say: “This is chaos!!”
The update removed a feature, shortcode support in block templates, and that removal caused many plugins to stop working on sites that use the WordPress block system.
Affected plugins range from forms to sliders to breadcrumbs.
WordPress 6.2.1 update
Sites with automatic background updates enabled received WordPress 6.2.1 automatically, since it was an official maintenance and security release.
According to the official WordPress release announcement, the update contains five security fixes:
- “Block themes parsing shortcodes in user-generated data; …
- CSRF issue updating attachment thumbnails; reported by John Blackburn of the WordPress security team
- A flaw allowing XSS via open embed auto discovery; reported independently by Jakub Żoczek of Securitum and during a third-party security audit
- Bypassing of KSES sanitization for low-privileged users; discovered during a third-party security audit.
- Path traversal via translation files; reported independently by Ramuel Gall and during a third-party security audit.”
The breakage stems from the first fix on that list, the one that changes how shortcodes are handled in block themes.
A shortcode is a short bracketed tag, such as the [smartslider3 slider=”6″] quoted later in this article, that stands in for content a plugin generates, such as a contact form.
Instead of configuring the contact form on every page it appears on, the site owner inserts the one-line shortcode, and the plugin expands it into the embedded form when the page renders.
The problem was that on block themes, shortcodes were also being expanded inside user-generated content such as blog comments, so an attacker could trigger shortcodes without having any account on the site.
Wordfence describes the vulnerability:
“WordPress Core enables shortcodes in user-generated content on block themes up to version 6.2.
This allows unauthenticated attackers to execute shortcodes by inserting comments or other content, which would allow them to exploit vulnerabilities that would normally require subscriber or contributor status.”
In other words, the flaw is a stepping stone: on its own it only lets an anonymous visitor run shortcodes, but any vulnerability in those shortcodes, which would normally require at least a subscriber or contributor account to reach, becomes reachable without logging in.
The fix for the shortcode vulnerability was to remove shortcode support from WordPress block templates entirely.
The official description of the fix says simply:
“Remove shortcode support from block templates.”
Someone in the WordPress.org support forum posted a workaround that restores shortcode support in block templates.
But, as the post with the workaround warns, it also brings back the vulnerability:
“For those who want to stay on 6.2.1 and restore support for shortcodes in templates, you can try this workaround.
Note, however, that support was removed to fix a security issue, and restoring shortcode support may restore the security issue.”
Removing shortcode support has left some sites partly broken or not working at all.
So applying the workaround until a permanent fix is available makes sense for many users, as long as they understand that it reopens the security issue.
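The following is an added example, not code from WordPress core, Wordfence, or the support thread (the article does not show the forum workaround's code). It models in plain PHP the pattern Wordfence describes, shortcodes being expanded after user-generated content has already become part of the rendered page, beside a scoped alternative that only expands shortcodes in text the template author wrote. The `toy_` functions are constructed stand-ins for `add_shortcode()`/`do_shortcode()`, and the block arrays, the `secret` shortcode and the visitor comment are all constructed sample input, so the file runs under a plain `php` binary with no WordPress install.

```php
<?php
// Added example, not WordPress core or plugin code. Functions prefixed
// "toy_" are stand-ins for the real add_shortcode()/do_shortcode() so the
// file runs under plain `php` with no WordPress install.
declare(strict_types=1);

$toy_shortcodes = []; // tag => handler, like WordPress's $shortcode_tags

function toy_add_shortcode(string $tag, callable $handler): void
{
    global $toy_shortcodes;
    $toy_shortcodes[$tag] = $handler;
}

// Minimal do_shortcode(): expands [tag attr="v" attr2=v] for registered tags
// and leaves unknown tags as literal text.
function toy_do_shortcode(string $content): string
{
    global $toy_shortcodes;
    $out = preg_replace_callback(
        '/\[([a-z0-9_-]+)([^\]]*)\]/i',
        function (array $m) use ($toy_shortcodes): string {
            $tag = strtolower($m[1]);
            if (!isset($toy_shortcodes[$tag])) {
                return $m[0];
            }
            $atts = [];
            preg_match_all('/([a-z0-9_]+)=(?:"([^"]*)"|([^\s\]]+))/i', $m[2], $pairs, PREG_SET_ORDER);
            foreach ($pairs as $p) {
                $atts[$p[1]] = ($p[2] !== '') ? $p[2] : ($p[3] ?? '');
            }
            return $toy_shortcodes[$tag]($atts);
        },
        $content
    );
    return $out ?? $content;
}

// Stand-in for a plugin shortcode. Here it only records that it ran; on a
// real site it could render a form or slider, or carry its own vulnerability
// that normally needs at least a subscriber or contributor account to reach.
toy_add_shortcode('secret', function (array $atts): string {
    $what = $atts['show'] ?? 'nothing';
    return "<!-- shortcode executed: show={$what} -->";
});

// Constructed sample input: a block template written by the site owner
// (trusted) and a comment posted by an anonymous visitor (untrusted).
$template_blocks = [
    ['blockName' => 'core/heading',         'innerHTML' => '<h1>Post title</h1>'],
    ['blockName' => 'core/shortcode',       'innerHTML' => '[secret show="sidebar"]'],
    ['blockName' => 'core/comment-content', 'innerHTML' => ''], // filled from the database at render time
];
$visitor_comment = 'Nice post! [secret show=admin-only-data]';

// Escaped comment HTML. HTML escaping does not neutralise a shortcode:
// "[" and "]" are not HTML metacharacters, so they survive untouched.
function render_comment(string $comment): string
{
    return '<p class="comment">' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Vulnerable pattern (simplified model of the pre-6.2.1 behaviour): render
// every block to HTML first, then run the shortcode parser over the whole
// page. By then the comment is part of the page, so the visitor's
// [secret ...] tag is expanded too.
function render_whole_page_then_shortcodes(array $blocks, string $comment): string
{
    $html = '';
    foreach ($blocks as $block) {
        $html .= ($block['blockName'] === 'core/comment-content')
            ? render_comment($comment)
            : $block['innerHTML'];
    }
    return toy_do_shortcode($html); // too late: user content is already inside $html
}

// Scoped pattern: expand shortcodes only while rendering the core/shortcode
// block, i.e. only on text the template author wrote. Comment text never
// reaches the shortcode parser.
function render_shortcodes_per_block(array $blocks, string $comment): string
{
    $html = '';
    foreach ($blocks as $block) {
        switch ($block['blockName']) {
            case 'core/shortcode':
                $html .= toy_do_shortcode($block['innerHTML']);
                break;
            case 'core/comment-content':
                $html .= render_comment($comment);
                break;
            default:
                $html .= $block['innerHTML'];
        }
    }
    return $html;
}

echo "--- whole page, then shortcodes (vulnerable pattern) ---\n";
echo render_whole_page_then_shortcodes($template_blocks, $visitor_comment), "\n";
echo "--- shortcodes scoped to core/shortcode blocks ---\n";
echo render_shortcodes_per_block($template_blocks, $visitor_comment), "\n";
```

Run it with `php example.php`. In the first output the commenter's `[secret show=admin-only-data]` is expanded, which is exactly the unauthenticated shortcode execution Wordfence describes; in the second it stays literal text while the template author's `[secret show="sidebar"]` still works. The same reasoning applies to any workaround that re-enables shortcodes on 6.2.1: it is only as safe as the scope it expands shortcodes in, and the hole returns the moment expansion touches output that contains comment text or content from low-privileged authors.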
WordPress developers call the patch “crazy” and “dumb”
WordPress developers voiced their frustration with the update in the support forums.
One person wrote:
“…it’s crazy to me that shortcodes were removed by design!! Each of our agency’s FSE websites uses a shortcode block as a template for everything: filters, search, ACF and plugin integrations. This is chaos!!
The workaround doesn’t seem to work for me. I hope to roll back to the previous version and see if there is a fix.”
Another person posted:
“Yeah, I don’t understand the Gutenberg hate, but at the least they shouldn’t have broken blocks like shortcodes in the full site editor.
That was dumb, WP devs.
Unless you tell them otherwise or lead them to something new, people are going to use the old ways.
But like I said, it might be better to build a bridge with an official PHP block – or really listen to what users and devs want.”
One of the popular plugins affected is Rank Math. After the 6.2.1 update, its breadcrumbs shortcode stopped working on block themes.
The Rank Math support page has a thread from a user asking for a fix to the Rank Math plugin.
Rank Math support recommended adding the workaround. Unfortunately, that workaround doesn’t just restore the shortcode’s functionality, it also restores the vulnerability.
The update also broke the Smart Slider 3 plugin.
A support thread opened on the Smart Slider 3 plugin page reads:
“It’s not entirely your fault, but Automattic decided to pull shortcodes from templates. …claiming a ‘security issue’, but essentially knocking out two plugins I use, yours included.
That means your plugin now shows [smartslider3 slider=”6″] when used in an FSE template. But it shows fine in the FSE editor!
Just letting you know, thinking that confused people might want to know before they start blaming you. Such things should not happen – it’s like the bad old days again.
Now I need to work out how to plug in some form of PHP code to put category lists into search boxes. Awesome.”
The Smart Slider 3 support team also recommended adding the workaround.
Others in the WordPress.org support thread came up with workarounds for the issue. If your site is affected, the discussion is worth reading.
Read the WordPress support thread about shortcodes:
WordPress v6.2.1 breaks shortcode support in templates
Featured image by Shutterstock/ViChizh