WordPress 4.2.3 Fixes a Security Problem but Breaks Sites with Shortcodes
The latest WordPress upgrade to 4.2.3 packed some last-minute changes related to a security hole in the shortcode parser. Unfortunately, these changes also break every shortcode that has HTML attributes. Many sites are affected by this change.
The changes were committed 12 to 36 hours ago, depending on the release branch, and an update was issued for all WordPress branches from 3.7 to 4.2.
One of the included changes, however, affects how some shortcodes are expanded. It seems that shortcodes used as HTML attributes are not expanded properly, and if they also carry any attributes of their own, the shortcode string is completely garbled. The result is that shortcodes used as link attributes or as background images, among others, are broken. Shortcodes used on their own seem to have no related problem.
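To gauge how exposed a site is before or after updating, post content can be scanned for the pattern described above. The following is an added example, not code from WordPress or from any plugin; the shortcode names and the sample post are constructed, and the regular expressions are a simplified approximation of HTML and shortcode syntax.

```python
import re
from typing import NamedTuple

# Opening HTML tags only; closing tags cannot carry attributes.
TAG_RE = re.compile(r"<[A-Za-z][^<>]*>")
# [name ...] with an optional attribute string; closing [/name] is ignored.
SHORTCODE_RE = re.compile(r"\[([A-Za-z_][\w-]*)([^\[\]]*)\]")
# Nearest HTML attribute whose value is still open just before the shortcode.
ATTR_BEFORE_RE = re.compile(r"""([\w:-]+)\s*=\s*["']?[^"'\[]*$""")


class Finding(NamedTuple):
    tag: str              # HTML element containing the shortcode
    attribute: str        # HTML attribute whose value holds the shortcode
    shortcode: str        # shortcode name
    has_attributes: bool  # True: the case the article describes as garbled


def find_attribute_shortcodes(content):
    """Return shortcodes that sit inside an HTML attribute value."""
    findings = []
    for tag in TAG_RE.finditer(content):
        text = tag.group(0)
        tag_name = re.match(r"<([A-Za-z][\w-]*)", text).group(1).lower()
        for sc in SHORTCODE_RE.finditer(text):
            attr = ATTR_BEFORE_RE.search(text[:sc.start()])
            if attr is None:  # inside the tag but not in an attribute value
                continue
            findings.append(Finding(tag_name, attr.group(1).lower(),
                                    sc.group(1), bool(sc.group(2).strip())))
    return findings


# Constructed sample post content (hypothetical shortcode names).
SAMPLE_POST = """
<p>[gallery_demo ids="1,2"]</p>
<a class="btn" href="[my_url id="5"]">Read more</a>
<div style="background-image:url([bg_image])"></div>
<img src='[thumb size=large]' alt="plain text">
"""

if __name__ == "__main__":
    for f in find_attribute_shortcodes(SAMPLE_POST):
        kind = "with attributes" if f.has_attributes else "no attributes"
        print(f"<{f.tag} {f.attribute}=...> contains [{f.shortcode}] ({kind})")
```

The standalone shortcode in the first line of the sample is not reported, matching the observation that shortcodes used on their own are unaffected.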
There are several reports from across the community of plugins using shortcodes:
So, what to do?
All of us are caught between the hammer and the anvil: either run WordPress with a known exploit or have your site broken.
If your site appears fine, stay on WordPress 4.2.3. If there are cosmetic display problems, I'd also stay with WP 4.2.3. If your site is completely broken, it may be better to go back temporarily to 4.2.2 (insecure) and hope to get a better security patch very soon.
If you have problems, get Views 1.9.1 and Types 1.7.8. See box below.
To expedite this fix, I suggest that you go to the announcement post on wptavern and make your voice heard. The more problem reports, the more priority this issue will receive.