WordPress 4.2.3 Fixes a Security Problem but Breaks Sites with Shortcodes

   Amir

July 23, 2015

The latest WordPress upgrade, 4.2.3, packed some last-minute changes related to a cross-site scripting (XSS) hole in the shortcode parser. Unfortunately, these changes also break every shortcode that is placed inside an HTML attribute. Many sites are affected by this change.

The changes were committed between 12 and 36 hours ago, depending on the release branch, and updates were issued for every WordPress branch from 3.7 through 4.2.

One of the changes, however, affects how some shortcodes are expanded. Shortcodes placed inside HTML attributes are no longer expanded properly, and if the shortcode itself carries attributes of its own, the resulting string is mangled completely. The result is that shortcodes used as link targets, as background images, and so on are broken. Shortcodes used on their own, outside of HTML tags, appear to be unaffected.

There are several reports across the community from users of plugins that rely on shortcodes:
https://wordpress.org/support/topic/wordpress-423-broke-my-code
https://wordpress.org/support/topic/no-buttons-to-see-after-update-wp-423
https://wordpress.org/support/topic/shortcodes-is-not-working-used-inside-tags-between

So, what to do?

All of us are caught between the hammer and the anvil. It's either run WordPress with a known, publicly disclosed vulnerability, or have your site broken.

If your site appears fine, stay on WordPress 4.2.3. If there are only cosmetic display problems, I'd also stay with 4.2.3. If your site is completely broken, it may be better to go temporarily back to 4.2.2 (insecure, since it reverts the XSS fix) and hope for a better security patch very soon. If you do roll back, treat it as a short-lived stopgap: the hole is now public, so move forward again as soon as a fixed plugin version is available. If you have problems, get Views 1.9.1 and Types 1.7.8. See box below.

To expedite this fix, I suggest that you go to the announcement post on WP Tavern and make your voice heard. The more problem reports there are, the more priority this issue will receive.

Fix Available to Download

A fix is available. Please go to your Toolset account and click on Downloads. You will see Types 1.7.8 and Views 1.9.1 (or later versions). Download and install them. Those updates should resolve everything related to the changes in WordPress 4.2.3.


Comments (26 Responses)

  1. Hi Types. As much as I love you, I gotta admit this has given me a very bad reputation with my clients. I really hope this will be fixed ASAP as my clients are very mad at me and emails keep incoming…

    • Yes, this is a very inconvenient situation for us to be in. We were not involved in this security patch for WordPress and it came completely out of the blue. Normally, this is not how WordPress updates are released. We already started working with the WordPress core team on this, but it's not entirely in our hands.

      Again, to expedite this, any vote in that wptavern post will help. The more reports there, the more attention this problem will have.

      BTW, this bug in WordPress affects ALL plugins and themes that have anything to do with custom shortcodes. Basically, this includes all other plugins for managing custom fields and many many themes.

      http://wptavern.com/wordpress-4-2-3-is-a-critical-security-release-fixes-an-xss-vulnerability

    • It’s worth noting that Types is NOT responsible for this breaking – WordPress changed how their core functionality works altogether, and it hit everyone with no warning. Lots and lots of themes and plugins are rushing to get this fixed ASAP but it’s kind of a big job to refactor code, particularly if it’s a complex shortcode integration.
      It may be worth explaining this to your clients, perhaps they will be more understanding knowing you are doing everything you can to take care of it quickly. 🙂

      • Jamie, thank you for your support.

        We have been blessed by having nice and understanding clients, like yourself. This situation causes a lot of stress to a lot of people. I’m sure that it was also stressful for the WordPress core team, who had to make tough decisions in short time.

        We appreciate the hard work of the WordPress development team and we remember that most are doing it as volunteers. Of course, we had our concerns with the communication coming from the WordPress dev team. I hope that the next updates will come with better communication to theme and plugin authors.

        Right now, most issues are resolved with the last betas for Types and Views. We’re in the final run to handle a few last corner cases (and cases involving other plugins and themes). I hope that this episode will be behind us soon and we can get back to more joyful development. We have a lot of things planned for Views and we’re eager to get back to them.

    • It looks like we can patch this on our side, in Views only. Views developers are working right now and it looks doable. Essentially, we will resolve all our shortcodes before passing the content to WordPress. Then, WordPress will see the final output of all shortcodes and not the shortcodes themselves.

      This can bring several other stability improvements to using shortcodes, so we’re doing this change gladly.

      We should have a beta version today, which people can use on sites that show problems. Depending on the size of the edit, we’ll see if we can push an update for everyone today, or wait for early next week. In any case, a beta version should be ready.

      Please note that this solution will only cover shortcodes parsed by Views. We also heard of problems for people using Types shortcodes in different ways (not in Views). Unfortunately, there is nothing that we can do to patch these issues, because we are not rendering the content.

      • Thank you Amir, really appreciated. In terms of release, the sooner the better. I have many websites affected and would gladly test a beta as soon as it was available (middle of the night on Sunday, no problem 😉).

      • Hi Amir

        Can you let us know where to post feedback when the Views beta update is released, please. Probably better to have a sticky support ticket which everyone who wants to test the update can post to. My own site has lost much of its functionality, so I'm up for doing the testing as soon as the beta update is available.
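The approach Amir describes in the comment above (resolve the plugin's own shortcodes before the content reaches WordPress, so core never meets a shortcode inside an attribute) also matches the breakage described in the post body: shortcodes inside href, background-image and similar attribute values. As an added, stand-alone PHP sketch that is not Toolset or WordPress code, the block below pre-renders shortcodes found inside HTML attribute values and shows the one point a practitioner must not skip: whatever pre-renders a shortcode into an attribute must escape the output for that attribute context (and refuse unsafe URL schemes), otherwise the workaround reintroduces attribute-breakout XSS, which a change of this kind is meant to prevent. The shortcode names (demo-url, demo-field), handlers, field store and sample content are hypothetical and constructed; the regex parser is a deliberately simplified stand-in for core's shortcode parsing, not a copy of it.

```php
<?php
// Added example (not Toolset or WordPress code): pre-render a plugin's own
// shortcodes that sit inside HTML attribute values before the content reaches
// the core parser, escaping the result for attribute context. Shortcode names,
// handlers and sample content are hypothetical/constructed. Requires PHP 7.4+.
declare(strict_types=1);

// Parse `a="x" b='y' c=z` into an array; a simplified stand-in for core's parser.
function parse_shortcode_atts(string $raw): array
{
    $atts = [];
    preg_match_all('/([a-z0-9_-]+)=(?:"([^"]*)"|\'([^\']*)\'|([^\s\]\'"]+))/i', $raw, $m, PREG_SET_ORDER);
    foreach ($m as $x) {
        // Exactly one of groups 2-4 matched; unmatched groups are '' or absent.
        $atts[strtolower($x[1])] = ($x[2] ?? '') . ($x[3] ?? '') . ($x[4] ?? '');
    }
    return $atts;
}

// Escape a rendered value for the attribute it is going into. URL-bearing
// attributes additionally refuse non-http(s) schemes such as javascript:.
function escape_for_attribute(string $attr, string $value): string
{
    if (in_array(strtolower($attr), ['href', 'src', 'action', 'formaction', 'poster'], true)) {
        $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
        if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
            $value = '';
        }
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Expand shortcodes found inside double-quoted attribute values. Shortcodes in
// text nodes are left alone (core still expands those correctly); shortcodes
// inside event-handler attributes (on*) are never expanded, since no escaping
// makes untrusted output safe in a script context. $escape=false exists only
// to show the breakout; never use it in real code.
function prerender_attribute_shortcodes(string $html, array $handlers, bool $escape = true): string
{
    $attr_re = '/([a-zA-Z_:][\w:.-]*)\s*=\s*"([^"]*\[[^"]*)"/';
    $sc_re   = '/\[([a-z0-9_-]+)((?:\s+[a-z0-9_-]+=(?:"[^"]*"|\'[^\']*\'|[^\s\]\'"]+))*)\s*\]/i';

    $out = preg_replace_callback($attr_re, function (array $m) use ($handlers, $escape, $sc_re): string {
        $attr = $m[1];
        if (stripos($attr, 'on') === 0) {
            return $m[0];
        }
        $value = preg_replace_callback($sc_re, function (array $s) use ($handlers, $attr, $escape): string {
            $tag = strtolower($s[1]);
            if (!isset($handlers[$tag])) {
                return $s[0];                       // not ours: leave it for core
            }
            $rendered = (string) $handlers[$tag](parse_shortcode_atts($s[2]));
            return $escape ? escape_for_attribute($attr, $rendered) : $rendered;
        }, $m[2]);
        return $attr . '="' . $value . '"';
    }, $html);

    return $out ?? $html;
}

// Constructed sample: one benign shortcode and one that echoes a stored field
// whose value an attacker controls (e.g. submitted through a front-end form).
function demo(): array
{
    $fields = [
        'title' => 'Offers" onmouseover="alert(1)',
        'link'  => 'javascript:alert(1)',
    ];
    $handlers = [
        'demo-url'   => fn(array $a): string => 'https://example.com/search?q=' . rawurlencode($a['q'] ?? ''),
        'demo-field' => fn(array $a): string => $fields[$a['name'] ?? ''] ?? '',
    ];
    // Note the quote alternation: the shortcode's own attributes use single quotes
    // because they sit inside a double-quoted HTML attribute.
    $content = "<a href=\"[demo-url q='red shoes']\">shop</a> "
             . "<a href=\"[demo-field name='link']\" title=\"[demo-field name='title']\">[demo-field name='title']</a>";
    return [
        'unsafe' => prerender_attribute_shortcodes($content, $handlers, false),
        'safe'   => prerender_attribute_shortcodes($content, $handlers),
    ];
}

foreach (demo() as $label => $html) {
    echo $label, ': ', $html, "\n";
}
```

Run it with `php` on the command line. The `unsafe` line shows the stored field value closing the title attribute and adding an event handler, and the javascript: URL landing in href unchanged; the `safe` line shows the same content with the quotes entity-encoded and the javascript: link reduced to an empty href, while the shortcode in the link text is untouched and left for core to expand. A real plugin would hook this in before core's shortcode handling runs on the content, and would treat style attributes (CSS context) with their own rules rather than plain attribute escaping.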

  2. @thomasS-11

    As @Amir said – this is a WordPress core fix, it’s not something that’s been done incorrectly in Toolset.

    Must admit I’m concerned that the core WordPress developers managed to let this one slip through.

    @Amir – thanks for pushing through this blog post as it’s an easy issue to miss.

    • The examples that you included in the comment got deleted (automatically by WordPress). If you want to share working examples, best to include links to the forum.

      In any case, we are releasing an update to Views which will make existing sites work, without any content changes. We realize that many of our clients run a lot of sites and nobody will be interested in updating content on all of them.

      We hope to have a beta version ready today and a final release early next week.

    • Shortcodes with Bad Quotes
      The following example is also no longer allowed:

      Workaround
      Instead, either of the following examples would be appropriate:

      Example 1:
      Example 2:

  3. I concur with all those who expressed their thanks for the quick response on this. Thanks Amir for being on top of things.

  4. Also getting a Javascript error, maybe this is related to the shortcode problem?

    Error: Syntax error, unrecognized expression: [name=Job+Type], [name=Job+Type\[\]]

    • If your JS is generated with PHP shortcodes, it may have errors, because the output is not what you would expect. I suggest waiting until tomorrow (Monday) afternoon. We should have another beta that addresses the remaining issues. Then, if errors still exist, best to report in our technical forum and include a link to that thread here. We'll handle everything.

  5. Thanks for the quick fix. Latest beta fixed our site that caused errors with embedded tags in form checkboxes. We were on the verge of releasing the new site when it broke with the new WP upgrade so happy to have you guys on our side.

    • I’m very happy to hear this. Thanks for letting us know that it’s working for you.

  6. If a client’s subscription has expired, they can update Types, but not Views. Which doesn’t actually solve the issue. Is this a case where the client must re-purchase Toolset?

    • In order to receive updates for Toolset plugins, we require a valid account on wp-types.com. The Types plugin is an exception, as it comes from wordpress.org and is the free component in Toolset. For all other Toolset plugins, downloads are available only to people with valid accounts.

      You probably realize that maintaining plugins and providing support has a cost. The renewal fee for Toolset accounts allows us to provide this ongoing support and maintenance.