WordPress may soon be getting a Command Center, which would function as a quick search component for navigating to other areas of the admin, and would also be capable of running commands. The feature was introduced in Gutenberg 15.6 under the Experimental flag and currently has limited use in the Site Editor context while navigating and editing templates. The Command …
WordPress 6.2.1 Update Breaks Shortcode Support in Block Templates
WordPress 6.2.1 was released yesterday and rolled out to sites with automatic background updates enabled. The update included five important security fixes. Ordinarily, a maintenance and security release can be trusted not to break a website, but many users are struggling after 6.2.1 removed shortcode support from block templates. A support forum thread tracking the broken shortcodes issue shows that …
WordPress 6.2.1 Released with Fixes for 5 Security Vulnerabilities
WordPress 6.2.1 was released today. Those with automatic background updates enabled should see a notice in their email, as updates rolled out earlier today. This is a maintenance and security release that includes important fixes for five security vulnerabilities outlined by core contributor and release co-lead Jb Audras: block themes parsing shortcodes in user generated data; a CSRF issue updating …
ACF Plugin’s Reflected XSS Vulnerability Attracts Exploit Attempts Within 24 Hours of Public Announcement
On May 5, Patchstack published a security advisory about a high severity reflected cross-site scripting (XSS) vulnerability in ACF (Advanced Custom Fields), potentially affecting more than 4.5 million users. WP Engine patched the vulnerability on May 4, but the Akamai Security Intelligence Group (SIG) is reporting that attackers began attempting to exploit it within 24 hours of Patchstack’s publication. “Once …
Themeum Acquires Kirki Customizer Framework Plugin
Themeum, a WordPress theme and plugin company founded in 2013, has acquired the Kirki Customizer Framework plugin from its former developer, David Vongries. In April 2023, Vongries announced he was sunsetting the product and discontinuing development. He put the plugin up for sale for $30K and sold it for just under the asking price. “I met the Themeum team at WordCamp Europe …
Essential Addons for Elementor Patches Critical Privilege Escalation Vulnerability
Essential Addons for Elementor, a plugin with more than a million active installs, has patched an unauthenticated privilege escalation vulnerability in version 5.7.2. The vulnerability was discovered on May 8, 2023, and reported by Patchstack researcher Rafie Muhammad. It was given a 9.8 (Critical severity) CVSS 3.1 score and is not yet known to have been exploited. Muhammad outlined the vulnerability …
WP Engine Releases Frost, A Free Block Theme for Website Builders
The WordPress Themes Directory is now hosting more than 300 block themes, a milestone for the dedicated theme developers who have persevered through the growing pains and evolution of block theming. WP Engine is one of the newest theme authors who helped put the directory over the 300 mark with its submission of Frost. With its clean, minimal design, 36 …
WordPress Community Team Evolves WordCamp Format to Promote Adoption, Training, and Networking for Professionals
WordPress’ Community Team hailed a new era of WordCamps in its recent announcement outlining a significant shift in the purpose for the events. In the past, WordCamps have had a mostly predictable format of presenting inspirational talks on exciting things people are doing with WordPress, business topics, and the latest trends, with short networking opportunities and a contributor day appended …
WordPress Contributors Discuss How Core Can Better Enable AI Innovation
As AI-powered technology is rapidly evolving to exponentially extend human capabilities, WordPress contributors do not want the platform to get left behind. AI-powered website creation could even become a threat to its existence, more than a competing CMS, if WordPress doesn’t ensure the platform is easily pluggable for AI-powered extensions. A new discussion on the Core developer’s blog asks what …
Advanced Custom Fields Plugin Patches Reflected XSS Vulnerability
Advanced Custom Fields (ACF) has patched a reflected XSS vulnerability that affects versions 6.1.5 and below of ACF and ACF Pro, potentially impacting more than 2 million users. It was discovered by Patchstack researcher Rafie Muhammad on May 2, 2023, and patched by ACF developers in version 6.1.6 on May 5, 2023. Patchstack published a security bulletin and Muhammad described the …


