WordPress Update 6.2.1 Causing Site Issues

A recent WordPress security update bundling multiple security fixes left some sites malfunctioning, prompting one developer to exclaim, "This is chaos!!"

The update removed shortcode support from block templates, which broke numerous plugins that rely on shortcodes in block (full site editing) themes. Affected plugins ranged from forms to sliders to breadcrumbs.

WordPress released an update late on Friday to address the flawed security patch introduced in version 6.2.1.

The announcement stated:
"WordPress 6.2.2 is a rapid response release to address a regression in 6.2.1 and further patch a vulnerability addressed in 6.2.1."

WordPress publishers affected by the shortcodes bug introduced in the previous update may wish to consider updating to the latest version.

WordPress 6.2.1 Update

Sites with automatic background updates enabled received WordPress 6.2.1 automatically because it was classified as a security release (officially, a maintenance and security release).

According to the official WordPress release announcement, the update contained five security fixes:

  1. Block themes parsing shortcodes in user-generated data.
  2. A CSRF issue updating attachment thumbnails; reported by John Blackbourn of the WordPress security team.
  3. A flaw allowing XSS via open embed auto discovery; reported independently by Jakub Żoczek of Securitum and during a third party security audit.
  4. Bypassing of KSES sanitization in block attributes for low privileged users; discovered during a third party security audit.
  5. A path traversal issue via translation files; reported independently by Ramuel Gall and during a third party security audit.

The problem arises from the first security fix, the one affecting shortcodes in block themes. This fix has caused significant issues.

A shortcode is a short tag in square brackets that WordPress replaces at render time with the output of a PHP callback registered for that tag. It acts as a placeholder for functionality such as a contact form: instead of configuring the form on every page where it appears, one simply places the shortcode where the form should be embedded.

Unfortunately, it was discovered that on block themes, shortcodes placed in user-generated content (such as blog comments) were executed, which an attacker could use to trigger other vulnerable shortcodes.

WordFence describes the vulnerability:
"WordPress Core processes shortcodes in user-generated content on block themes in versions up to, and including, 6.2. This could allow unauthenticated attackers to execute shortcodes by submitting comments or other content, allowing them to exploit vulnerabilities that typically require Subscriber or Contributor-level permissions."

In other words, the flaw is not dangerous by itself but lowers the bar for other vulnerabilities: a plugin shortcode that was previously exploitable only by a logged-in Subscriber or Contributor became reachable by anyone who could submit a comment.

The solution to the shortcode vulnerability was to remove shortcode support from WordPress block templates entirely. The official documentation for the fix explained: "Remove shortcode support from block templates."

A workaround was posted in the WordPress.org support forums to restore shortcode support in block templates. However, as the accompanying warning notes, the workaround likely restores the vulnerability as well:

"For those who want to stay on 6.2.1 and need to restore the support for shortcodes on templates, you can try this workaround. But be aware that support was removed for fixing a security issue, and restoring shortcode support you are probably bringing back the security issue."

Because removing shortcode support left some sites non-functional, many users judged the workaround an acceptable stopgap until a permanent fix arrived.
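To make the difference between the two approaches concrete, here is an added example of my own (not the workaround from the support thread, and not the code WordPress core shipped in 6.2.2) of a must-use plugin that restores shortcode rendering for the Shortcode block only, rather than for the whole rendered page as WordFence describes. It illustrates both the vulnerability description above and the workaround discussion. The function and shortcode names prefixed sej_example_ are assumptions made for this example; the WordPress APIs used (the render_block filter, do_shortcode, add_shortcode, shortcode_atts, esc_html) are real core functions.

```php
<?php
/**
 * Plugin Name: Scoped shortcode rendering for block templates (illustrative)
 *
 * Added example, not the workaround from the WordPress.org thread and not
 * WordPress core's own 6.2.2 fix. Save it to wp-content/mu-plugins/ on a
 * 6.2.1 test site to compare the two strategies below.
 */

// Strategy A (do NOT hook this up): the shape of the problem WordFence
// describes. Running do_shortcode() over the fully rendered template output
// means every string that ended up in the page, including comment bodies
// rendered by blocks such as core/comment-content, is scanned for
// [shortcodes]. An unauthenticated commenter who posts "[some-plugin-tag]"
// gets that tag executed without needing a Subscriber or Contributor account.
function sej_example_unsafe_late_expansion( $rendered_page_html ) {
	return do_shortcode( $rendered_page_html ); // trusted and untrusted text alike
}
// Deliberately left unhooked; shown only as the pattern to avoid.

// Strategy B: expand shortcodes only inside the template's own core/shortcode
// blocks. The inner content of that block is written in the site editor by a
// user who may edit templates, so comment text never reaches do_shortcode()
// here, while Shortcode blocks in FSE templates render again.
function sej_example_render_shortcode_block( $block_content, $block ) {
	if ( 'core/shortcode' !== ( $block['blockName'] ?? '' ) ) {
		return $block_content;
	}
	// $block_content is the template author's text, not visitor input.
	return do_shortcode( $block_content );
}
add_filter( 'render_block', 'sej_example_render_shortcode_block', 10, 2 );

// A minimal shortcode so the effect is observable without a third-party
// plugin. Put [sej_example_hello name="template"] in a Shortcode block of a
// block template and the same tag in a test comment: with Strategy B only
// the template copy expands; the comment keeps the literal bracketed text.
add_shortcode( 'sej_example_hello', function ( $atts ) {
	$atts = shortcode_atts( array( 'name' => 'world' ), $atts, 'sej_example_hello' );
	return '<p>Hello, ' . esc_html( $atts['name'] ) . '</p>';
} );
```

Strategy B is narrower than re-enabling expansion over the whole page because the string it expands comes from the template, which only users with permission to edit templates can change, and comment text rendered by other blocks is never passed to do_shortcode(). It is still a stopgap for sites that cannot move off 6.2.1; the proper remedy is updating to 6.2.2.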

WordPress Developers Call Fix “Insane” and “Dumb”

WordPress developers reported their frustration with the WordPress update:

One person wrote:
"…it’s absolutely insane to me that shortcodes have been removed by design!! Every single one of our agency’s FSE sites uses the shortcode block in templates for everything: filters, search, ACF & plugin integrations. This is chaos!! The workaround doesn’t seem to work for me. Going to revert to a previous version and hope there is a fix."

Another person posted:
"Yeah I don’t get the Gutenberg hate, but the very least they should have disallowed some blocks like Shortcode they were phasing out in the Full Site Editor. That was dumb of the WP devs. People are going to use the old ways unless you tell them otherwise or guide them to new stuff. But as I said, what would have been better is to build a bridge via an official PHP block – or indeed listening to what users and devs want."

One notable plugin affected was Rank Math: its breadcrumb shortcode stopped rendering on block themes after the 6.2.1 update. A Rank Math support page contained a user's request for a fix, and Rank Math support recommended the workaround, which restores shortcode functionality but also restores the vulnerability. The update also broke the Smart Slider 3 plugin.

A support thread was opened at the Smart Slider 3 plugin page with users expressing their frustration:
"Not totally your fault, but Automattic has decided to pull shortcodes from block templates. …claiming a ‘security issue’ but basically nuking two plugins I use, yours included. That means your plugin just shows [smartslider3 slider="6"] when used in a FSE template. But it shows fine in the FSE editor! Just thought you might want to know, before the confused people that Automattic SHOULD have informed start blaming you. They shouldn’t just remove functionality like that – it’s like the bad old days all over again. I now have to also work out how to plug in some form/PHP code to put category lists into search boxes. Grr."

The Smart Slider 3 support team recommended adding the workaround fix. Others in the WordPress.org support thread about the issue came up with solutions. If your site is affected, it may be helpful to read the discussion.

Read the WordPress support thread about the shortcodes issue: WordPress v6.2.1 Breaks the Shortcode Block in Templates
