Security Fix in WordPress 6.2.1 breaks sites
Take action: A security fix which breaks too much of the application is the worst possible fix. People will either ignore the fix or will find a way to work around it, causing more vulnerabilities and risk.
Learn More
The recent WordPress security update 6.2.1 , which included multiple fixes, has caused some websites to malfunction, leading to frustration among developers.
The problem arose from a security fix to WordPress parsing shortcodes in user generated content.
A shortcode is a single line of code that acts like a stand-in or placeholder for a Wordpress functionality like a contact form. Instead of configuring a contact form on every page needed, the developer will put a single line called a shortcode which will then embed a contact form.
Unfortunately it was discovered that Wordpress also executes shortcodes within user generated content (like in blog comments), which could then lead to an exploit.
In the 6.2.1 version, WordPress decided to fix this by disabling shortcodes on entire types of WordPress themes, causing a huge amount of sites to break.
Developers expressed their massive dissatisfaction with the update, referring to it as "chaos" and criticizing the decision to remove shortcode support.
The update removed a key functionality related to shortcodes in block themes, causing various plugins, such as forms, sliders, and breadcrumbs, to stop working. Developers have found a workaround to restore shortcode support which also reintroduces the vulnerability. We are back at square one.
