A recent WordPress security update with several security fixes also causes some websites to stop working, prompting one developer to exclaim: “This is mayhem!!”
The update removed a key feature that caused numerous plugins to stop working on sites using the WordPress block system.
The affected plugins ranged from forms to sliders to breadcrumbs.
WordPress 6.2.1 update
Sites that support automatic background updates automatically received the WordPress 6.2.1 update since it was a security release (officially it was a maintenance and security release).
According to the official WordPress release announcement, the update included five security fixes:
- “Block topics parsing shortcodes in user-generated data;…
- A CSRF issue when updating attachment thumbnails; reported by John Blackbourn of the WordPress security team
- A bug that allows XSS via open-embed auto-detection; reported independently by Jakub Żoczek of Securitum and as part of a third-party security audit
- Bypass KSES sanitization in block attributes for low-privilege users; discovered during a third-party security check.
- A path traversal issue across translation files; independently of Ramuel Gall and reported as part of a third party security clearance.”
The problem arises from the first security update affecting shortcodes in block themes causing the problems.
A shortcode is a single line of code that acts as a replacement or placeholder for code that provides functionality like a contact form.
So instead of configuring a contact form on every page where the form appears, you can just add a single line called shortcode, which will then embed a contact form.
Unfortunately, it was found that hackers could run shortcodes in user-generated content (e.g. blog comments), which could then lead to an exploit.
WordFence describes the vulnerability:
“WordPress Core handles shortcodes in user-generated content on block themes in versions up to and including 6.2.
This could allow unauthenticated attackers to execute shortcodes by sending comments or other content, thereby exploiting vulnerabilities that typically require subscriber or contributor level permissions.”
WordFence goes on to explain that the vulnerability is a bug that can allow another more serious vulnerability.
The solution to the shortcode vulnerability was to completely remove the shortcode functionality from the WordPress block templates.
The official documentation for fixing the vulnerability states:
“Remove shortcode support from block templates.”
Someone created a workaround to restore shortcode support in WordPress block templates.
But the workaround also fixed the vulnerability:
“For those who want to stay with 6.2.1 and need to restore support for shortcodes in templates, you can try this workaround.
… Note, however, that support has been removed to fix a security issue, and restoring shortcode support will likely bring the security issue back.”
Disabling shortcode support actually caused some websites to stop working or stop working at all.
So it made sense for many users to add the workaround until a more permanent solution was found.
WordPress Developers Call Fix ‘Crazy’ and ‘Stupid’
WordPress developers reported their frustration with the WordPress update:
One person wrote:
“… it absolutely blows my mind that shortcodes were removed on purpose!! Every single FSE site of our agency uses the shortcode block in templates for everything: filters, search, ACF and plugin integrations. This is mayhem!!
The workaround doesn’t seem to work for me. I will revert to a previous version and hope there is a fix.”
Another person posted:
“Yeah, I don’t understand the Gutenberg hate, but at least they should have banned some blocks like shortcode that they phased out in the full site editor.
That was stupid of the WP developers.
People will use the old ways unless you tell them otherwise or lead them to new things.
But as I said, it would have been better to build a bridge, for example via an official PHP block – or actually listen to what users and developers want.”
One of the notable plugins that was affected was Rank Math. Breadcrumb functionality, if present on block themes, failed after the 6.2.1 update.
A Rank Math support page contained a request for a fix from a Rank Math plugin user.
Rank Math support recommended adding a workaround fix. Unfortunately, this workaround fix not only restores the shortcode functionality but also fixes the vulnerability.
The update also blocked the functionality of the Smart Slider 3 plugin.
A support thread has been opened on the Smart Slider 3 plugin page:
“It’s not entirely your fault, but Automattic decided to pull shortcodes from block templates. …claims a “security issue” but basically breaks two plugins I use, including yours.
This means that your plugin will only show (smartslider3 slider=”6″) when used in an FSE template. But in the FSE editor it is displayed fine!
Just thought you might want to know before the confused folks who should have informed Automattic start blaming you. You shouldn’t just remove such features – it’s just like the bad old days.
I also now need to figure out how to embed a form/PHP code to include category lists in search fields. Grr.”
The Smart Slider 3 support team recommended adding the workaround fix.
Others on the WordPress.org support thread on this issue have found solutions. If your site is affected, reading the discussion may help.
Read the WordPress support page on shortcodes
WordPress v6.2.1 breaks shortcode block in templates
Featured image from Shutterstock/ViChizh