New WordPress Update Causes Various Websites To Break


Waqar Hassan


WordPress recently released a security update containing a number of security fixes. However, things did not go according to plan.

Shortly after the update that was meant to fix things, various websites stopped functioning. One developer was quite upset with what happened and called out WordPress for being chaotic.

The new update removed a key piece of functionality. This caused a number of plugins to stop working on websites, particularly those that use the blocks system of WordPress.

It has been revealed that the affected plugins ranged from breadcrumbs and sliders to forms.

New Update From WordPress

This new update, 6.2.2, was released late on Friday to address the issues people were facing in version 6.2.1.

According to the announcement, it was meant to be a rapid response, as various businesses were facing a regression caused by the security patch.

All the WordPress publishers who had been affected by the shortcodes bug did not waste a single moment updating to the recent version. However, they were disappointed after the update.

Back when 6.2.1 was released, websites with automatic background updates enabled switched to it automatically.

This change was primarily due to the fact that 6.2.1 was an official security and maintenance release.

According to the WordPress announcement made at the time, this update was supposed to solve a total of five security-related issues.

One of those issues was that of block themes parsing shortcodes in data entered by users. Another problem that various websites faced was that of CSRF.

Due to this problem, people reported that they were unable to attach thumbnails. This issue was directly escalated to the security team at WordPress.

Another concern that developers had was that XSS was permitted through an open embed. However, this issue only came to light when the security team started a security audit and hired a third party to do it.

The fourth issue that 6.2.1 addressed was that of users with low privileges circumventing KSES sanitization in block attributes. This problem was also discovered during the external audit.

Lastly, WordPress tried to solve the concern of path traversal, which was caused by translation files.

To an extent, 6.2.1 managed to solve various issues. However, the problem arose from its first security fix, which was supposed to affect shortcodes set in block themes.

A shortcode is a single line of code used as a placeholder for the actual code that provides some functionality, for example a contact form.

This allows developers to embed any form, such as a contact form, on all of their pages with only one line of shortcode. They do not have to write the code repeatedly.

An announcement from WordPress, later on, warned people about unauthenticated attackers, who could execute shortcodes with the help of comments and other kinds of content.

Thus, developers were warned to ensure that they did not leave room that could allow hackers to exploit their vulnerabilities.
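To make the shortcode mechanism and the comment risk described above concrete, here is an added example (not from the announcement or from WordPress core, and not the 6.2.1 patch itself): a small plugin that registers a hypothetical `[example_contact_form]` shortcode and strips registered shortcodes from comment text, so visitor-supplied content never reaches the shortcode parser. The plugin name, function names and shortcode tag are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Shortcode Trust Boundary (illustrative example)
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

// Hypothetical shortcode: [example_contact_form to="sales"] in a post or page
// is replaced by the form markup returned here.
function example_contact_form_shortcode( $atts ) {
    // Merge supplied attributes with defaults; unknown attributes are dropped.
    $atts = shortcode_atts( array( 'to' => 'general' ), $atts, 'example_contact_form' );

    // Attribute values come from content, so escape them before output.
    return sprintf(
        '<form method="post" action="%s">'
        . '<input type="hidden" name="to" value="%s">'
        . '<textarea name="message"></textarea>'
        . '<button type="submit">Send</button></form>',
        esc_url( admin_url( 'admin-post.php' ) ),
        esc_attr( $atts['to'] )
    );
}
add_shortcode( 'example_contact_form', 'example_contact_form_shortcode' );

// Comments are written by visitors, including unauthenticated ones.
// strip_shortcodes() removes every registered shortcode tag, so the text
// cannot trigger a handler if something later runs do_shortcode() on it.
function example_strip_comment_shortcodes( $comment_text ) {
    return strip_shortcodes( (string) $comment_text );
}

// Strip when the comment is saved ...
add_filter( 'pre_comment_content', 'example_strip_comment_shortcodes', 1 );
// ... and again when it is displayed, which also covers comments stored
// earlier and shortcodes registered by plugins installed later.
add_filter( 'comment_text', 'example_strip_comment_shortcodes', 1 );
```

The same rule applies to any other field a visitor can fill in: pass it through `strip_shortcodes()` or keep it away from `do_shortcode()` entirely.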