This Month in WordPress: May Roundup


WordPress marked a huge milestone in May – its 20th anniversary! WordPress communities around the world arranged Meetup events for the celebration.

But that didn’t make everyone in the WordPress ecosystem sit back and relax. In fact, we had two maintenance and security releases plus the WordPress 6.3 planning roundup. In addition, many popular plugins received important updates to fix vulnerability issues.

WordPress 20th Anniversary

WordPress communities all around the world were celebrating 20 years of WordPress. From in-person parties to interactive workshops, every community had its own way of commemorating the milestone.

WordPress 20th Anniversary birthday cake

Hostinger gave tribute to this milestone too. We did a Podcast with Tammie Lister, a prolific core contributor, to talk about Gutenberg’s evolution and how experimentation and feedback power WordPress development.

Watch the full podcast on our YouTube channel or read the summary blog post.


Another tribute we gave is the special edition Customer Spotlight blog post. We interviewed four of our clients and discovered how they use WordPress to achieve online success:

  • Lotte Johansen – a web accessibility advocate.
  • Verônica Naka – the architect and CEO of Nakasa.
  • Phoebe Poon – the CEO and co-founder of Liker Land and Web3Press plugin.
  • Michelle Frechette – the marketer and podcaster of Audacity Marketing.

WordPress 20th Anniversary banner from Hostinger blog

WordPress Updates

Interestingly, the month WordPress celebrates its anniversary turned out to be one of the busiest months for the core project. We had two new releases in just a span of four days.

WordPress 6.2.1 and 6.2.2

WordPress 6.2.1 and 6.2.2 were released on May 16, 2023, and May 20, 2023, respectively. So, what happened?

WordPress 6.2.1 fixed 20 core and 10 editor bugs. But most importantly, it addressed five security issues, including Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities, a KSES sanitization bypass, and a path traversal vulnerability.

However, one security issue still needed attention: shortcode parsing of user-generated data in block themes. It meant attackers could use user-generated content, such as blog post comments, to execute shortcodes, creating a risk of exploitation.

The problem was that WordPress 6.2.1 fixed the issue simply by removing shortcode support from block templates. Unfortunately, this quick fix broke hundreds of websites that rely on block themes and shortcodes.

This is why WordPress 6.2.2 was released a few days later, with the sole purpose of resolving the shortcode vulnerability properly. In addition to restoring shortcode support in block templates, this release also prevents the parsing of shortcodes in user-generated content that led to the vulnerability in the first place.

Gutenberg Updates

All of those WordPress core maintenance updates and release planning didn’t interrupt the Gutenberg release cycle, with two new versions launched this month. If you’re a block theme user, we recommend installing this plugin to have extensive features for the block editor.

Here are some of the highlighted features from the two Gutenberg versions released this month – 15.7 and 15.8:

Pages Menu on the Navigation Sidebar

Suppose you’re customizing your site with the site editor and need to edit a page. Instead of returning to the dashboard and opening the Pages panel, you can do it immediately from the site editor, thanks to the Pages menu on the left sidebar. It will display the 10 most recently updated pages to choose from.

The Gutenberg editor, showing the sidebar that contains the new Pages menu

Global Styles Revision UI

Tracking revisions is one of the trickiest things to do in WordPress, but that’s improved with the revision UI for global styles. You can now revert to the past styles using the revision UI.

The revision tool is accessible through the ellipsis icon on the global styles panel. It will show you how many revisions are available, the time stamps, and the users who made the changes. To revert, select any of the versions and click Apply.

The revisions panel in Gutenberg editor, showing the styles changes available.

New Controls on the Block Settings Panel

Two blocks got new tools on their respective block settings panel to streamline the editing experience.

First, the site logo block now has the tool to add, replace, or reset the image. Although this functionality is the same as the block placeholder and the tool on the block toolbar, it still helps people who prefer to work on the block via the settings panel.

The site block settings panel, showing the media section to add an image

Second, the duotone control is now available on the block settings panel, specifically in the styles tab. Similar to the site logo block’s case, the functionality of this feature is the same as the duotone control on the toolbar. That said, having it on the block settings panel eliminates the need to go back and forth between those two areas to make the customization.

The post featured image settings panel, showing the duotone filter to customize the image color.

WordPress 6.3 Schedule

The next WordPress major release will be version 6.3, and the core team has finished the planning and schedule with the following dates:

  • First beta version: June 27, 2023
  • First release candidate: July 18, 2023
  • WordPress 6.3 release: August 8, 2023

Testing the beta or release candidate versions can give you a sneak peek of the new features and test how your website will work with the upcoming release. Or, if you’re interested in contributing, report all bugs you’ve discovered in the WordPress forum.

WordPress Security News

Plugin developers were busy in May, as plenty of vulnerabilities were discovered. We ran through the Patchstack database and highlighted some popular plugins exposed to security risks.

But don’t worry. The developers have fixed the issues with the updates. All you have to do is check whether you run the latest version of the plugin and update it if necessary.

Suggested Reading

Learn 22 methods to secure your WordPress website and prevent vulnerabilities from being exploited.

Easy Digital Downloads Privilege Escalation

CVSS Score: 9.8 (Critical Vulnerability)

In late April 2023, a privilege escalation vulnerability in the Easy Digital Downloads plugin was discovered that allows users – regardless of their roles – to run any function with the edd_ prefix.

Crucially, this prefix is used in the password reset function. Any malicious user can reset any user’s password, including the administrator’s, as long as they know the username, and thus take over the website.

Given that Easy Digital Downloads is one of the most popular eCommerce plugins for selling digital goods, such vulnerabilities can cause a lot of damage.

Luckily, the patch to fix this issue – version 3.1.1.4.2 – was released earlier this month. If you are still using an older version, we strongly advise updating it as soon as possible.

Essential Addons for Elementor Privilege Escalation

CVSS Score: 9.8 (Critical Vulnerability)

A similar privilege escalation vulnerability was also found in the Essential Addons for Elementor plugin. Due to the password reset function directly changing the user’s password instead of validating the reset key, it’s possible to reset any user’s password, given the attacker knows the username.

Like the Easy Digital Downloads vulnerability, an attacker can reset an administrator’s password and take over the website. The worst part is that over 1 million websites have this plugin installed, and the Patchstack database shows that attackers have exploited this vulnerability.

The vulnerability affects versions 5.4.0 to 5.7.1. The patch for this issue was released in version 5.7.2, so if you use this plugin, be sure to have this version or higher installed.
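Both of the password reset flaws above come down to the same two missing checks: an action handler that can be reached by name without an allowlist, and a reset routine that changes the password without first validating the reset key. The following is an added illustration written for this roundup; it is not code from Easy Digital Downloads, Essential Addons for Elementor, or WordPress core. The `example_` prefix, the action names, and the nonce name are hypothetical; the WordPress functions it calls (`check_password_reset_key`, `get_password_reset_key`, `reset_password`, `check_ajax_referer`, and the `wp_ajax_*` hooks) are real core APIs.

```php
<?php
// Added example (hypothetical plugin code): a password reset flow that
// only dispatches to allowlisted actions and only changes a password after
// WordPress core has validated the reset key.

// 1) Explicit allowlist. A request can name an action, but the name is looked
//    up here rather than being turned into a function call by prefix.
const EXAMPLE_ALLOWED_ACTIONS = array(
    'request_reset' => 'example_request_reset',
    'confirm_reset' => 'example_confirm_reset',
);

function example_dispatch() {
    $action = isset( $_POST['example_action'] )
        ? sanitize_key( wp_unslash( $_POST['example_action'] ) )
        : '';
    if ( ! isset( EXAMPLE_ALLOWED_ACTIONS[ $action ] ) ) {
        wp_send_json_error( 'Unknown action', 400 );
    }
    call_user_func( EXAMPLE_ALLOWED_ACTIONS[ $action ] );
}
add_action( 'wp_ajax_example_reset', 'example_dispatch' );
add_action( 'wp_ajax_nopriv_example_reset', 'example_dispatch' );

// 2) Knowing a username is never enough. The reset key is generated
//    server-side, delivered out of band (e-mail), and verified before
//    anything is changed.
function example_request_reset() {
    check_ajax_referer( 'example_reset', 'nonce' );
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $user  = get_user_by( 'login', $login );
    if ( $user ) {
        $key = get_password_reset_key( $user ); // core stores a hashed, expiring key
        if ( ! is_wp_error( $key ) ) {
            $url = network_site_url(
                'wp-login.php?action=rp&key=' . rawurlencode( $key )
                . '&login=' . rawurlencode( $user->user_login ),
                'login'
            );
            wp_mail( $user->user_email, 'Password reset', "Use this link: $url" );
        }
    }
    // Identical response whether or not the account exists, so the endpoint
    // cannot be used to confirm which usernames are valid.
    wp_send_json_success( 'If that account exists, a reset link has been sent.' );
}

function example_confirm_reset() {
    check_ajax_referer( 'example_reset', 'nonce' );
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $key   = sanitize_text_field( wp_unslash( $_POST['key'] ?? '' ) );
    $pass  = (string) wp_unslash( $_POST['new_password'] ?? '' );

    // The flaw described in the roundup is calling reset_password() at this
    // point with only the username. check_password_reset_key() compares the
    // submitted key against the stored hash and enforces its expiry, and
    // returns WP_Error unless both pass.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( 'Invalid or expired reset key', 403 );
    }
    if ( strlen( $pass ) < 12 ) {
        wp_send_json_error( 'Password too short', 400 );
    }
    reset_password( $user, $pass ); // also invalidates the used key
    wp_send_json_success( 'Password updated' );
}
```

When reviewing a plugin’s reset code, the two things to look for are exactly these: a dispatcher that maps request parameters to an explicit list of handlers, and a call to `check_password_reset_key()` (or equivalent key validation) on every path that ends in `reset_password()` or `wp_set_password()`.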

LearnDash SQL Injection Vulnerability

CVSS Score: 8.5 (High Severity)

The popular WordPress LMS plugin LearnDash was exposed to an SQL injection vulnerability. This type of security issue allows malicious users to access the database and sensitive information, including customer data.

Thus, such a vulnerability can be extremely harmful to businesses, especially since LearnDash is most likely used by online course websites.

This issue affected LearnDash version 4.5.3 or lower. If you use LearnDash on your site, update to version 4.5.3.1 or higher to eliminate the risk.

Advanced Custom Fields XSS Vulnerability

CVSS Score: 7.1 (High Severity)

Advanced Custom Fields (ACF) free and premium versions were exposed to a cross-site scripting (XSS) vulnerability. If you’re unfamiliar, XSS allows attackers to inject malicious code or scripts into pages other users view. It can result in a wide array of consequences.

The Patchstack report shows this vulnerability could lead to sensitive data theft and user privilege escalation. Although ACF is one of the most popular custom field plugins with over two million installations, Patchstack states that no exploitation has been detected.

The vulnerability affected version 6.1.5 or lower, and both free and premium users are advised to update to version 6.1.6.

Jetpack API Vulnerability

The Jetpack plugin’s team uncovered an API vulnerability during one of the internal security audits. The issue allows authors on the site to tweak any WordPress installation files – a privilege usually only available to administrators.

The API itself is available in Jetpack versions 2.0 to 12.1. As a result, the Jetpack team released a patch for every affected version to fix this vulnerability, with the latest version being 12.1.1.

Jetpack will force-update the plugin on most websites running a vulnerable version. That said, we recommend you check your website if you use Jetpack and update it immediately if necessary.

What’s Coming In June

As we’ve mentioned, the beta testing phase for the next WordPress major release will start in June, and it’s always exciting to see the new features coming to the WordPress core.

However, there’s one more event that will delight the WordPress community even more. WordCamp Europe 2023 will take place on June 8-10, 2023, in Athens, Greece! We proudly support this event as a Super Admin sponsor and are excited to see you there. If you haven’t got your ticket already, it’s still available on the official WordCamp Europe website.

Author

Leonardus Nugraha

Leo is a Content Specialist and WordPress contributor. Armed with his experience as a WordPress Release Co-Lead and Documentation Team Representative, he loves sharing his knowledge to help people build successful websites. Follow him on LinkedIn.