WordPress celebrated its 20th anniversary in May, and WordPress communities around the world organized meetup events to celebrate.
But that didn’t mean everyone in the WordPress ecosystem could sit back and relax. In fact, there were two maintenance releases and a security release, plus a wrap-up of the WordPress 6.3 plans. Additionally, many popular plugins received critical updates to fix vulnerabilities.
WordPress 20th Anniversary
The WordPress community around the world celebrated the 20th anniversary of WordPress. From face-to-face parties to interactive workshops, each community commemorated the milestone in its own way.
Hostinger also paid tribute to this milestone. We recorded a podcast with prolific core contributor Tammie Lister to talk about the evolution of Gutenberg and how experimentation and feedback are shaping WordPress development.
Watch the full podcast on our YouTube channel or read the overview blog post.
Another tribute was a special edition Customer Spotlight blog post. We interviewed four of our customers to discover how they use WordPress to achieve online success.
Interestingly, the month we celebrate WordPress’ anniversary turned out to be one of the busiest months for the core project. It shipped two new releases in just four days.
WordPress 6.2.1 and 6.2.2
WordPress 6.2.1 was released on May 16, 2023 and 6.2.2 followed on May 20, 2023. What happened?
WordPress 6.2.1 fixed 20 core and 10 editor bugs. Most importantly, it addressed five security issues, including Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities, a KSES sanitization bypass, and a path traversal vulnerability.
However, one security issue remained: shortcode parsing of user-generated data in block themes. This meant that an attacker could use user-generated content, such as blog post comments, to run shortcodes, which posed a risk of exploitation.
The problem was that WordPress 6.2.1 addressed this by simply removing shortcode support from block templates. Unfortunately, this blunt fix broke hundreds of websites that depended on block themes and shortcodes.
That is why WordPress 6.2.2 was released a few days later with the sole purpose of resolving the shortcode vulnerability. This release restores support for shortcodes in block templates while still preventing the parsing of shortcodes in user-generated content, which caused the vulnerability in the first place.
Amid all of these core maintenance updates and release plans, Gutenberg kept to its release cycle and shipped two new versions this month. For block theme users, we recommend installing the Gutenberg plugin so that you can take advantage of the extensive functionality of the block editor.
Page menu in the navigation sidebar
Let’s say you’ve customized your site using the site editor and need to edit a page. Instead of going back to your dashboard and opening the Pages panel, you can do it right from the site editor via the Pages menu in the left sidebar. The 10 most recently updated pages are listed for you to choose from.
Global Styles revision UI
Tracking revisions is one of the most difficult tasks in WordPress, but it has improved with the Global Styles revision UI. You can now revert to a previous style using the Revisions UI.
The revision tools are accessed from the ellipsis icon in the Global Styles panel. The panel shows the number of revisions available, the timestamp of each, and the user who made the change. To revert, select any version and click Apply.
New controls in block settings panel
Two blocks now have new tools in their respective block settings panels to streamline the editing experience.
First, the Site Logo block now has tools to add, replace, or reset images. This functionality is the same as the block placeholder and block toolbar tools, but it is still useful for users who prefer to work with blocks from the settings panel.
Second, duotone controls have been added to the block settings panel, specifically the Styles tab. As with the Site Logo block, this feature works the same as the duotone control on the toolbar. That said, having it in the block settings panel means you don’t have to switch back and forth between these two areas to make your customizations.
WordPress 6.3 schedule
The next major WordPress release is version 6.3, and the core team has completed planning and scheduling with the following dates:
- First beta: June 27, 2023
- First release candidate: July 18, 2023
- WordPress 6.3 release: August 8, 2023
Testing a beta or release candidate gives you an overview of the new features and lets you check how your website will behave in the next release. Or, if you’re interested in contributing, report any bugs you find on the WordPress forum.
WordPress security news
May was a busy month for plugin developers, as many vulnerabilities were discovered. We examined the Patchstack database and highlight below some popular plugins that were exposed to security risks.
But don’t worry: the developers have released fixes. Simply check whether you are running the latest version of each plugin and update if necessary.
Easy Digital Downloads Privilege Escalation
CVSS Score: 9.8 (Critical Vulnerability)
In late April 2023, a privilege escalation vulnerability was discovered in the Easy Digital Downloads plugin that allowed users to call any function with the edd_ prefix, regardless of their role.
Importantly, this prefix is used by the password reset feature. A malicious user who knows a username can reset that user’s password, including an administrator’s, and take over the website.
Given that Easy Digital Downloads is one of the most popular e-commerce plugins for selling digital goods, a vulnerability like this can cause a lot of damage.
Fortunately, a patch (version 220.127.116.11.2) was released earlier this month to fix this issue. If you are still using an older version, we strongly recommend updating as soon as possible.
Essential Addons for Elementor Privilege Escalation
CVSS Score: 9.8 (Critical Vulnerability)
A similar privilege escalation vulnerability was also found in the Essential Addons for Elementor plugin. Because its password reset feature changed the user’s password directly rather than validating the reset key, an attacker could reset the password of any user whose username they knew.
As with the Easy Digital Downloads vulnerability, attackers could reset administrator passwords and take over websites. To make matters worse, over 1 million websites have the plugin installed, and the Patchstack database shows that attackers have exploited this vulnerability.
This vulnerability affects versions 5.4.0 through 5.7.1. A patch for this issue was released in version 5.7.2, so be sure to install this version or later if you use this plugin.
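Both the Easy Digital Downloads and Essential Addons for Elementor findings come down to the same defect: a reset handler that overwrites a password for whatever username it is given, without checking the reset key. The following is an added illustration written for this post, not code from either plugin; it assumes a WordPress runtime, and the `example_` functions are hypothetical names.

```php
<?php
// Added illustrative example (not code from either plugin).
// Assumes WordPress is loaded; the example_ functions are hypothetical.

// Vulnerable pattern described above: the handler trusts the submitted
// login name and overwrites the password without validating a reset key.
function example_vulnerable_reset_handler( array $request ) {
    $user = get_user_by( 'login', sanitize_user( $request['user_login'] ?? '' ) );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user.' );
    }
    // Anyone who knows a username can set that account's password.
    wp_set_password( (string) ( $request['new_password'] ?? '' ), $user->ID );
    return true;
}

// Hardened pattern: the password only changes when the submitted key matches
// the one WordPress generated and e-mailed for that login, and a nonce ties
// the request to the form that issued it.
function example_hardened_reset_handler( array $request ) {
    if ( ! wp_verify_nonce( $request['_wpnonce'] ?? '', 'example_reset_password' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    $login = sanitize_user( $request['user_login'] ?? '' );
    $key   = (string) ( $request['key'] ?? '' );

    // check_password_reset_key() returns a WP_User only for a valid,
    // unexpired key issued for this login; otherwise it returns a WP_Error.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        // Generic message so the response does not reveal whether the login exists.
        return new WP_Error( 'invalid_key', 'This reset link is invalid or has expired.' );
    }

    $new_pass = (string) ( $request['new_password'] ?? '' );
    if ( strlen( $new_pass ) < 12 ) {
        return new WP_Error( 'weak_password', 'Password must be at least 12 characters.' );
    }

    // reset_password() stores the new hash, clears the stored reset key
    // (via wp_set_password) and sends the admin a password-change notification.
    reset_password( $user, $new_pass );
    return true;
}
```

The same shape applies to the edd_ function-dispatch problem: any handler reachable from a request should check a nonce and the caller’s capability before acting, rather than relying on the function name alone.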
LearnDash SQL Injection Vulnerability
CVSS Score: 8.5 (High Severity)
The popular WordPress LMS plugin LearnDash was exposed to an SQL injection vulnerability. This type of security issue allows malicious users to access sensitive information such as database contents and customer data.
Such a vulnerability could therefore be very harmful to a business, especially since LearnDash is typically used on online course websites.
This issue affects LearnDash versions 4.5.3 and below. If your site uses LearnDash, update to version 18.104.22.168 or later to eliminate the risk.
Advanced Custom Fields XSS Vulnerability
CVSS Score: 7.1 (High Severity)
Both the free and premium versions of Advanced Custom Fields (ACF) were exposed to a cross-site scripting (XSS) vulnerability. For those unfamiliar, XSS allows attackers to inject malicious code or scripts into a page, with a range of possible outcomes.
The Patchstack report indicates that this vulnerability can lead to the theft of sensitive data and escalation of user privileges. ACF is one of the most popular custom field plugins with over 2 million installs, but Patchstack reports that no exploits have been detected.
Free and premium users are encouraged to update to version 6.1.6, as this vulnerability affects versions 6.1.5 and earlier.
Jetpack API Vulnerability
The Jetpack plugin team found an API vulnerability during an internal security audit. This issue allowed site authors to modify files in their WordPress installation, a privilege normally reserved for administrators.
The affected API exists in Jetpack versions 2.0 through 12.1, so the Jetpack team released patches for all of those versions, the latest being 12.1.1.
Jetpack has force-updated the plugin on most websites running vulnerable versions. Still, if you use Jetpack, we recommend checking your website and updating immediately if necessary.
Schedule for June
As I mentioned earlier, the beta testing phase of the next WordPress major release will start in June, and it’s always exciting to see new features added to WordPress core.
But there is one more event that will make the WordPress community even happier. WordCamp Europe 2023 will be held in Athens, Greece from June 8-10, 2023. We are proud to support this event as Super Admin sponsors and look forward to meeting you all. If you haven’t got your tickets yet, you can buy them from the official WordCamp Europe website.