A recent WordPress security update that includes several security fixes is also causing some sites to stop working, prompting one developer to exclaim, “This is chaos!!”
The update removed a key piece of functionality, causing numerous plugins to stop working on sites that use WordPress block themes.
The affected plugins ranged from forms to sliders to breadcrumbs.
WordPress 6.2.1 Update
Sites that support automatic updates in the background automatically received the WordPress 6.2.1 update because it was a security release (officially it was a maintenance and security release).
According to the official WordPress release announcement, the update contained five security fixes:
“Block themes parsing shortcodes in user-generated data; …
A CSRF issue updating attachment thumbnails; reported by John Blackbourn of the WordPress Security Team.
A flaw that allows XSS via open embedding auto-detection, reported independently and during a third-party security audit by Jakub Żoczek of Securitum.
Bypassing KSES sanitization in block attributes for low-privileged users, discovered during a third-party security audit.
A path traversal issue using translation files; independently reported by Ramuel Gall and during a third-party security audit.”
The problem stems from the first security fix, the one affecting shortcodes in block themes.
A shortcode is a single line of code that acts as a placeholder for code that provides functionality such as a contact form.
So instead of building a contact form on every page where it appears, you place a single line, the shortcode, which then embeds the contact form.
Unfortunately, it was discovered that hackers could run shortcodes from within user-generated content (such as blog comments), which could lead to an exploit.
WordFence describes the vulnerability:
“WordPress Core processes shortcodes in user-generated content on block themes in versions up to and including 6.2.
This could allow unauthenticated attackers to execute shortcodes by submitting comments or other content, allowing them to exploit vulnerabilities that would normally require subscriber- or contributor-level permissions.”
WordFence goes on to explain that the vulnerability is essentially a flaw that can enable another, more serious vulnerability.
The solution to the shortcode vulnerability was to completely remove shortcode functionality from WordPress block templates.
The official documentation for the vulnerability patch explained:
“Remove shortcode support from block templates.”
Someone created a workaround to restore shortcode support in WordPress block templates.
But the workaround also restored the vulnerability:
“For those who want to stay on 6.2.1 and need to restore support for shortcodes in templates, you can try this workaround.
… But please note that support was removed to address a security issue, and to restore shortcode support, you’re probably restoring the security issue.”
Disabling shortcode support caused some sites to become partially or completely non-functional.
So adding the workaround until a more permanent fix was found made sense for many users.
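As an added example (not code from the article, from the WordPress 6.2.1 patch, or from the workaround the article mentions), here is a small WordPress plugin that narrows the exposure path the article describes: shortcode-like syntax arriving in comments is neutralised before it is stored and again when it is rendered, so a comment such as `[contact-form]` is shown as literal text instead of being expanded, even on a site whose owner has re-enabled shortcode processing in block templates. The plugin name, function names and constant are hypothetical; `add_filter`, the `pre_comment_content` and `comment_text` hooks, and `error_log` are existing WordPress/PHP APIs.

```php
<?php
/**
 * Plugin Name: Comment Shortcode Neutraliser (added example, hypothetical)
 *
 * Defense in depth only: it does not replace the 6.2.1 update, it just makes
 * sure that user-generated comment text can never be matched by the
 * shortcode parser, whatever a template later does with that text.
 */

// Matches "[tag" or "[/tag" for any tag name, registered or not. This is
// deliberately broader than WordPress's own get_shortcode_regex(), so that
// shortcodes registered by plugins later in the request are covered too.
const CSN_TAG_PATTERN = '/\[(\/?[A-Za-z0-9_-]+)/';

/**
 * Return $text with every shortcode-like opening bracket entity-encoded.
 * "&#91;" is displayed as "[" by the browser but is not a "[" byte, so
 * do_shortcode() will not recognise the tag.
 */
function csn_neutralise_shortcodes( $text ) {
    if ( ! is_string( $text ) || false === strpos( $text, '[' ) ) {
        return $text; // fast path: nothing that could be a shortcode
    }
    return preg_replace( CSN_TAG_PATTERN, '&#91;$1', $text );
}

/**
 * Storage-time hook: neutralise before the comment is written and leave a
 * trace in the PHP error log so the attempt is visible to the site owner.
 */
function csn_filter_new_comment( $content ) {
    $clean = csn_neutralise_shortcodes( $content );
    if ( $clean !== $content ) {
        error_log( 'csn: shortcode-like syntax neutralised in a new comment' );
    }
    return $clean;
}

// Guarded so the file also loads outside WordPress (e.g. for a quick test).
if ( function_exists( 'add_filter' ) ) {
    // Before the comment is saved, and again when an already-stored comment
    // is rendered, so comments submitted before activation are covered too.
    add_filter( 'pre_comment_content', 'csn_filter_new_comment', 5 );
    add_filter( 'comment_text', 'csn_neutralise_shortcodes', 5 );
}

// Constructed sample input: a comment carrying the slider shortcode quoted
// later in this article. Expected result: '&#91;smartslider3 slider="6"] hi'.
$csn_sample = csn_neutralise_shortcodes( '[smartslider3 slider="6"] hi' );
```

This only covers the comment path the article names; other user-generated content that a block template renders would need the same treatment at its own hooks.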
WordPress Developers Call the Fix ‘Insane’ and ‘Dumb’
WordPress developers reported their frustration with the WordPress update:
One person wrote:
“… It’s absolutely crazy to me that shortcodes have been removed by design!! All FSE sites in our agency use the shortcode block in templates for everything: filters, search, ACF and integration plugins. This is chaos!!
The solution doesn’t seem to work for me. I’ll roll back to an earlier version and hope there’s a fix.”
Another person posted:
“Yeah, I don’t understand the Gutenberg hate, but they should have at least deprecated some blocks like Shortcode that they were phasing out in the Full Site Editor.
That was dumb from the WP developers.
People will use the old ways unless you tell them otherwise or guide them to new things.
But like I said, what would have been better is to build a bridge through, say, an official PHP block, or actually listening to what users and developers want.”
One notable plugin that was affected was Rank Math: its breadcrumb functionality failed in block themes after the 6.2.1 update.
A Rank Math support page contained a fix request from a user of the Rank Math plugin.
Rank Math support recommended adding the workaround. Unfortunately, this workaround restores not only the shortcode functionality but also the vulnerability.
The update also broke the functionality of the Smart Slider 3 plugin.
A support thread was opened on the Smart Slider 3 plugin page:
“It’s not your fault, but Automattic has decided to remove shortcodes from block templates. …claiming a ‘security issue’, but essentially disabling two plugins I use, including yours.
This means that your plugin only displays [smartslider3 slider="6"] when used in an FSE template. But it looks fine in the FSE editor!
Just thought you might want to know, before the confused people that Automattic SHOULD have informed start blaming you. They shouldn’t just remove such functionality; it’s just like the bad old days again.
Now I also need to figure out how to hook up some PHP form/code to put category lists in the search boxes. Grr.”
The Smart Slider 3 support team recommended adding the workaround.
Others in the WordPress.org support thread about the problem found solutions. If your site is affected, it may be helpful to read the discussion.
Read the WordPress support page about the shortcode issue: WordPress v6.2.1 breaks the shortcode block in templates
Featured image by Shutterstock/ViChizh