WordPress automatic updates may be a convenient feature for some, but the recent 4.2.3 security release is being reported as having broken thousands of production sites. The sites reported as broken all have one thing in common: they use plugins or themes that create and use shortcodes in a non-standard way. One that has been getting mentioned regularly is Toolset Types and Views. One commenter on a WP Tavern article reports that he uses this plugin on 100 sites and all of them broke with the 4.2.3 WordPress release.
The Issue
WordPress 4.2.3 includes a relatively large security fix that affects the Shortcode API. WordPress core contributor Robert Chapin said in this blog post:
Due to the nature of the fix – as is often the case with security fixes – we were unable to alert plugin authors ahead of time, however we did make efforts to scan the plugin directory for plugins that may have been affected.
As unfortunate as it is that plugin developers weren't notified in advance, this is a security fix, and as such it shouldn't fall to the WordPress team to fix the problems that are now being reported. Specifically, the affected plugins appear to rely on shortcodes being expanded inside HTML tags, for example to provide inline styles, which is the part of the Shortcode API that 4.2.3 hardened. The WordPress shortcode API rules should have been followed by the plugin authors. If you invent your own rules for how core will process your markup, things are going to break when the core functionality you depend on is updated. So what can you do in the short term?
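To make the distinction concrete, here is an added illustration (not code from the page or from any of the plugins it names; the shortcode and function names are hypothetical) of a shortcode written to be expanded inside an HTML tag beside one that owns the whole element it emits. The exact pattern each broken plugin used is not described on the page; this only shows the general shape of the two approaches.

```php
<?php
// Added illustration; demo_style and demo_box are hypothetical shortcodes,
// not taken from any named plugin. Intended to be loaded as a WordPress plugin.

// Fragile pattern: the author expects post content such as
//   <div style="[demo_style color=red]">...</div>
// so core has to run the shortcode inside an HTML tag and splice raw output
// into an attribute value. Nothing here escapes anything, and the markup only
// works for as long as core keeps expanding shortcodes in that position.
function demo_style_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'color' => 'black' ), $atts, 'demo_style' );
    return 'color:' . $atts['color'] . ';';
}
add_shortcode( 'demo_style', 'demo_style_shortcode' );

// Robust pattern: the shortcode builds the complete element itself, so the
// post content is simply
//   [demo_box color=red]text[/demo_box]
// Core never has to expand it within a tag, the plugin controls every byte
// that lands in an attribute, and the value is validated and escaped.
function demo_box_shortcode( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'color' => 'black' ), $atts, 'demo_box' );

    // Only accept a plain colour keyword; anything else falls back to black.
    $color = preg_match( '/^[a-z]{1,20}$/i', $atts['color'] ) ? $atts['color'] : 'black';
    $style = 'color:' . $color . ';';

    return '<div style="' . esc_attr( $style ) . '">'
        . do_shortcode( $content )   // allow nested shortcodes in the body
        . '</div>';
}
add_shortcode( 'demo_box', 'demo_box_shortcode' );
```

The second form keeps working regardless of how core treats shortcodes that sit inside tags, because the only thing core ever sees in the post body is a self-contained `[demo_box]` tag.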
The Solution
Roll back to 4.2.2 and turn off auto-updates for now to fix the issue in the short term. Be aware of what that trade-off means: 4.2.2 does not contain the shortcode security fix, so you are choosing to run a known-vulnerable version until your plugin's author ships a fix. Keep the window short, and in the meantime be conservative about who holds accounts that can author or edit content. Once the plugin is fixed, update WordPress manually to 4.2.3 or a later version. WordPress 4.3 is scheduled for release in August. Afterward, you can turn auto-updates back on, if you choose to use the feature.
To completely disable all types of automatic updates, core or otherwise, add the following to your wp-config.php file:
define( 'AUTOMATIC_UPDATER_DISABLED', true );
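As an added example (this is not configuration from the page's author; the second constant is an alternative I am supplying, and the comments describe the standard WordPress behaviour of each setting), here is that line beside a narrower option. Note that after you roll a site back to 4.2.2, the updater will treat 4.2.3 as a pending minor release and re-apply it unless core auto-updates are switched off, so one of the two is required, not optional.

```php
<?php
// Added example for wp-config.php; place it above the
// "That's all, stop editing!" line. Use ONE of the two options.

// Option 1 (what the article describes): switch off every automatic update,
// core, plugin, theme and translation alike.
define( 'AUTOMATIC_UPDATER_DISABLED', true );

// Option 2 (narrower): leave the updater running for everything else, but
// stop core from re-applying the 4.2.3 minor release after the rollback.
//   false   = no automatic core updates at all
//   'minor' = minor/security releases only (WordPress's default)
//   true    = every core release, major ones included
// define( 'WP_AUTO_UPDATE_CORE', false );

// When the plugin fix has shipped and the site is back on 4.2.3 or later,
// remove the line you used (or set WP_AUTO_UPDATE_CORE back to 'minor') so
// future security releases are applied automatically again.
```

If you manage many sites with WP-CLI, `wp core update --version=4.2.2 --force` performs the downgrade on a site (`--force` is what permits moving to an older version); check the result with `wp core version` before you rely on it.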
Download WordPress 4.2.2 from here: https://wordpress.org/download/release-archive/