A recent WordPress security update that bundles multiple security fixes is causing some sites to stop working, prompting one developer to declare, “This is a mess!!”
The update removed a core piece of functionality, and as a result several plugins stopped working on sites that use the WordPress block system.
Affected components ranged from forms to sliders to breadcrumbs.
WordPress 6.2.1 update
Sites with automatic background updates enabled received WordPress 6.2.1 automatically because it was a security release (officially, a maintenance and security release).
According to the official WordPress release announcement, the update included five security fixes:
“- Block themes parsing shortcodes in user-generated data; …
- CSRF issue updating attachment thumbnails; reported by John Blackbourn of the WordPress Security Team
- A bug that allows XSS via open embed auto-discovery; reported independently by Jakub Żoczek of Securitum and during a third-party security audit
- A KSES sanitization bypass in block attributes for low-privileged users; discovered during a third-party security audit.
- A path traversal issue via subtitle files; reported independently by Ramuel Gall and during a third-party security audit.”
The trouble stems from the first of those fixes, the one concerning shortcodes in block attributes.
A shortcode is a single tag that stands in for a larger piece of code providing some functionality, such as a contact form.
Instead of building the contact form on every page where it appears, one simply inserts the shortcode and the form is included in its place.
Unfortunately, it was discovered that attackers could get shortcodes executed from user-generated content (such as blog comments), which can then lead to an exploit.
WordFence describes the vulnerability:
“WordPress Core handles shortcodes in user-generated content on block themes in versions up to 6.2.
This could allow unauthenticated attackers to execute shortcodes by sending comments or other content, allowing them to exploit vulnerabilities that would normally require subscriber or contributor level permissions.”
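The root cause WordFence describes is shortcode expansion being applied to text the site visitor controls. The following Python model is an added illustration written for this article, not WordPress's own PHP (WordPress implements this with add_shortcode(), do_shortcode() and strip_shortcodes()); the registry, the regular expression, the bracket-escaping in neutralise_shortcodes() and the two render functions are all constructed for the demonstration. It shows a contact-form shortcode being expanded when a template runs shortcode processing over everything it outputs, comments included, and the same template rendering safely when expansion is limited to editor-authored post content.

```python
import re
from typing import Callable, Dict

# Constructed toy registry modelled on WordPress's add_shortcode()/do_shortcode().
SHORTCODES: Dict[str, Callable[[dict], str]] = {}

# Matches [tag attr="value" ...] with double-quoted attribute values only (constructed, simplified).
SHORTCODE_RE = re.compile(r'\[(\w+)((?:\s+\w+="[^"]*")*)\s*\]')


def add_shortcode(tag: str, handler: Callable[[dict], str]) -> None:
    """Register a handler that turns a shortcode's attributes into output HTML."""
    SHORTCODES[tag] = handler


def parse_atts(raw: str) -> dict:
    """Turn ' id="sales"' into {'id': 'sales'}."""
    return dict(re.findall(r'(\w+)="([^"]*)"', raw))


def do_shortcode(text: str) -> str:
    """Expand every registered shortcode found in text; unknown tags are left untouched."""
    def expand(m: re.Match) -> str:
        handler = SHORTCODES.get(m.group(1))
        if handler is None:
            return m.group(0)
        return handler(parse_atts(m.group(2)))
    return SHORTCODE_RE.sub(expand, text)


def neutralise_shortcodes(text: str) -> str:
    """Escape the brackets of any registered shortcode so a later expansion pass cannot run it.
    Hypothetical mitigation for untrusted text; WordPress's strip_shortcodes() removes them instead."""
    def neutralise(m: re.Match) -> str:
        if m.group(1) in SHORTCODES:
            return "&#91;" + m.group(0)[1:-1] + "&#93;"
        return m.group(0)
    return SHORTCODE_RE.sub(neutralise, text)


def render_contact_form(atts: dict) -> str:
    """Handler for the [contact_form] shortcode (constructed stand-in for a form plugin)."""
    return '<form id="%s"><input name="email"></form>' % atts.get("id", "contact")


add_shortcode("contact_form", render_contact_form)


def render_template_unsafe(post_content: str, comment: str) -> str:
    """Models the behaviour the article describes: the block template is assembled first
    (post body plus visitor comment) and shortcode expansion then runs over all of it,
    so a shortcode typed into a comment is executed with the template's privileges."""
    return do_shortcode(post_content + "\n" + comment)


def render_template_safe(post_content: str, comment: str) -> str:
    """Expand shortcodes only in editor-authored post content; visitor-supplied comment text
    is neutralised before it is appended. (HTML-escaping of the comment is a separate step,
    omitted here to keep the shortcode behaviour visible.)"""
    return do_shortcode(post_content) + "\n" + neutralise_shortcodes(comment)


if __name__ == "__main__":
    # Constructed sample input: a post that legitimately uses the shortcode, and a comment that contains one.
    post = 'Contact us: [contact_form id="sales"]'
    comment = 'Nice post. [contact_form id="injected"]'
    print("UNSAFE:\n" + render_template_unsafe(post, comment))
    print("SAFE:\n" + render_template_safe(post, comment))
```

Running the block prints both renderings: in the unsafe one, both forms appear, the second coming from the comment; in the safe one, the post's form renders and the comment's shortcode survives only as escaped literal text. This is also why the workarounds discussed later in the article bring the issue back: they re-enable the expansion pass over template output without separating trusted from untrusted text.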
WordFence goes on to explain that the issue resembles a bug that can be chained into another, more serious vulnerability.
The fix for the shortcode vulnerability was to remove shortcode support from WordPress block templates entirely.
The official documentation of the vulnerability fix explained:
“Remove shortcode support from block templates.”
Someone published a workaround that restores shortcode support in block templates.
But the workaround also restores the vulnerability:
“For those who want to stay on 6.2.1 and need to restore shortcode support in themes, you can try this workaround.
…but be aware that support was removed to fix a security issue, and restoring shortcode support will likely bring back the security issue.”
Removing shortcode support has left some sites non-functional, unable to work at all.
So applying the workaround until a permanent fix is available makes sense for many users.
WordPress developers call fix ‘crazy’ and ‘stupid’
WordPress developers voiced their frustration with the update. One person wrote:
“…it’s absolutely insane that shortcodes have been removed by design!! Every one of our agency’s FSE sites uses the shortcode block in templates for everything: filters, search, ACF integration, and plugins. This is a mess!!
The workaround doesn’t seem to work for me. I will go back to the previous version and hopefully there will be a solution.”
Someone else posted:
“Yeah, I don’t understand the hatred of Gutenberg, but at the very least, they should have banned some blocks like Shortcode that they were phasing out in the full site editor.
This was stupid from the WP developers.
People will use the old ways unless you tell them otherwise or point them to new things.
But as I said, the best is to build a bridge across an official PHP block – or listen to what users and developers want.”
Rank Math was one notable plugin affected: its breadcrumb function failed when used in block attributes after the 6.2.1 update.
Rank Math’s support page carried a request for a fix from a Rank Math plugin user.
Rank Math support recommended applying a workaround. Unfortunately, that workaround restores not only the shortcode functionality but also the vulnerability.
The update also broke the Smart Slider 3 plugin.
A support thread opened on the Smart Slider 3 plugin page:
“Not entirely your fault, but Automattic decided to pull the shortcodes out of the block templates. … claims a ‘security issue’ but two additional components are being used nuclear, including yours.
This means that only your plugin appears as [smartslider3 slider="6"] when used in the FSE form. But it shows fine in the FSE editor!
Just thought you might want to know, before the confused people I should report to Automattic start blaming you. They shouldn’t just remove jobs like this – it’s like the bad old days all over again.
I also now have to figure out how to wire some PHP templates/code to put category lists into search boxes. Grr.”
The Smart Slider 3 support team has also recommended a workaround.
Others in the WordPress.org support thread on the issue have come up with solutions; if your site is affected, the discussion is worth reading.
Read the WordPress support page about the shortcode issue
WordPress v6.2.1 breaks shortcode block in templates
Featured image by Shutterstock / ViChizh