20th Anniversary and Security Updates

WordPress marked a huge milestone in May: its 20th anniversary! WordPress communities around the world organized Meetup events to celebrate.

That didn't mean everyone in the WordPress ecosystem sat back and relaxed. In fact, May brought two maintenance and security releases plus the WordPress 6.3 planning roundup. In addition, many popular plugins received important updates to fix vulnerabilities.

WordPress 20th Anniversary

WordPress communities all around the world celebrated 20 years of WordPress. From in-person parties to interactive workshops, every community had its own way of commemorating the milestone.

Hostinger paid tribute to this milestone too. We recorded a podcast with Tammie Lister, a prolific core contributor, to talk about Gutenberg's evolution and how experimentation and feedback power WordPress development.

Watch the full podcast on our YouTube channel or read the summary blog post.


Another tribute we paid is the special edition Customer Highlight blog post. We interviewed four of our clients and found out how they use WordPress to achieve online success:

WordPress 20th Anniversary banner from Hostinger blog

WordPress Updates

Interestingly, the month in which WordPress celebrated its anniversary turned out to be one of the busiest months for the core project, with two new releases in a span of just four days.

WordPress 6.2.1 and 6.2.2

WordPress 6.2.1 and 6.2.2 were released on May 16, 2023, and May 20, 2023, respectively. So, what happened?

WordPress 6.2.1 fixed 20 core and 10 editor bugs. Most importantly, it addressed five security issues, including cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities, a KSES sanitization bypass, and a path traversal vulnerability.

However, one security issue remained, caused by shortcode parsing of user-generated data in block themes. This meant attackers could use user-generated content, such as blog post comments, to execute shortcodes, creating a risk of exploitation.

The problem was that WordPress 6.2.1 fixed this simply by removing shortcode support from block templates. Unfortunately, this quick fix broke hundreds of websites that rely on block themes and shortcodes.

That is why WordPress 6.2.2 was released a few days later, with the sole purpose of resolving the shortcode vulnerability. In addition to restoring shortcode support, this release also prevents the shortcode parsing that led to the vulnerability in the first place.

Gutenberg Updates

All of these WordPress core maintenance updates and release planning didn't interrupt the Gutenberg release cycle, with two new versions launched this month. If you're a block theme user, we recommend installing this plugin to get extensive features for the block editor.

Here are some of the highlighted features from the two Gutenberg versions released this month, 15.7 and 15.8:

Pages Menu on the Navigation Sidebar

Suppose you're customizing your site with the Site Editor and want to edit a page. Instead of returning to the dashboard and opening the Pages panel, you can do it directly from the Site Editor, thanks to the Pages menu in the left sidebar. It displays the ten most recently updated pages to choose from.

The Gutenberg editor, showing the sidebar that contains the new Pages menu

Global Styles Revision UI

Tracking revisions is one of the trickiest things to do in WordPress, but that has improved with the revision UI for global styles. You can now revert to past styles using it.

The revision tool is accessible through the ellipsis icon on the global styles panel. It shows you how many revisions are available, their timestamps, and the users who made the changes. To revert, select any of the versions and click Apply.

The revisions panel in Gutenberg editor, showing the styles changes available.

New Controls on the Block Settings Panel

Two blocks got new tools in their respective block settings panels to streamline the editing experience.

First, the Site Logo block now has a tool to add, replace, or reset the image. Although this functionality is the same as the block placeholder and the tool on the block toolbar, it still helps people who prefer to work on the block via the settings panel.

The site block settings panel, showing the media section to add an image

Second, the duotone control is now available in the block settings panel, specifically in the Styles tab. As with the Site Logo block, the functionality of this feature is the same as the duotone control on the toolbar. That said, having it in the block settings panel eliminates the need to go back and forth between those two areas to make the customization.

The post featured image settings panel, showing the duotone filter to customize the image color.

WordPress 6.3 Schedule

The next WordPress major release will be version 6.3, and the core team has finalized the planning and schedule with the following dates:

  • First beta version: June 27, 2023
  • First release candidate: July 18, 2023
  • WordPress 6.3 release: August 8, 2023

Testing the beta or release candidate versions gives you a sneak peek at the new features and lets you check how your website will work with the upcoming release. Or, if you're interested in contributing, report any bugs you find in the WordPress forum.

WordPress Security News

Plugin developers were busy in May, as plenty of vulnerabilities were discovered. We went through the Patchstack database and highlighted some popular plugins exposed to security risks.

But don't worry. The developers have fixed the issues with updates. All you have to do is check whether you run the latest version of the plugin and update it if necessary.

Easy Digital Downloads Privilege Escalation

CVSS Rating: 9.8 (Critical Vulnerability)

In late April 2023, a privilege escalation vulnerability was discovered in the Easy Digital Downloads plugin that allows users, regardless of their role, to run any function with the edd_ prefix.

Crucially, this prefix is used by the password reset function. A malicious user can reset any user's password, including the administrator's, as long as they know the username, and thus take over the website.

Given that Easy Digital Downloads is one of the most popular eCommerce plugins for selling digital goods, such a vulnerability could cause a lot of damage.

Luckily, the patch to fix this issue, version 3.1.1.4.2, was released earlier this month. If you are still using an older version, we strongly advise updating as soon as possible.

Essential Addons for Elementor Privilege Escalation

CVSS Rating: 9.8 (Critical Vulnerability)

A similar privilege escalation vulnerability was also found in the Essential Addons for Elementor plugin. Because the password reset function directly changes the user's password instead of validating the reset key, it is possible to reset any user's password, provided the attacker knows the username.

As with the Easy Digital Downloads vulnerability, an attacker can reset an administrator's password and take over the website. The worse part is that over 1 million websites have this plugin installed, and the Patchstack database shows that attackers have already exploited this vulnerability.

The vulnerability affects versions 5.4.0 to 5.7.1. The patch for this issue was released in version 5.7.2, so if you use this plugin, make sure you have this version or higher installed.
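To show the check that the Essential Addons issue above skipped (and whose absence produces the same username-only takeover described for Easy Digital Downloads), here is an added example of a plugin reset handler in its vulnerable and hardened shapes. It is not code from either plugin or from WordPress core; the field names rp_login, rp_key and new_password, the nonce action, and the example_ function names are assumptions.

```php
<?php
// Added illustrative example (not the code of Essential Addons for Elementor, Easy Digital
// Downloads or WordPress core). Assumes WordPress is loaded so that get_user_by(),
// wp_verify_nonce(), check_password_reset_key() and reset_password() are available.
// Field names rp_login, rp_key, new_password and the nonce action are assumptions.

// Vulnerable shape: a submitted username is treated as proof of account ownership.
// Anyone who knows an administrator's login can set a new password for that account.
function example_insecure_reset_handler() {
    $user = get_user_by( 'login', sanitize_user( wp_unslash( $_POST['rp_login'] ) ) );
    if ( $user ) {
        reset_password( $user, $_POST['new_password'] ); // no reset key is ever checked
    }
}

// Hardened shape: the reset key that WordPress e-mailed to the account owner is the
// only acceptable proof of ownership, and the nonce ties the request to the form.
function example_secure_reset_handler() {
    foreach ( array( 'rp_login', 'rp_key', 'new_password', '_wpnonce' ) as $field ) {
        if ( empty( $_POST[ $field ] ) ) {
            return new WP_Error( 'missing_field', 'Incomplete reset request.' );
        }
    }
    if ( ! wp_verify_nonce( $_POST['_wpnonce'], 'example_reset_password' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }

    $login = sanitize_user( wp_unslash( $_POST['rp_login'] ) );
    $key   = sanitize_text_field( wp_unslash( $_POST['rp_key'] ) );

    // check_password_reset_key() compares the key against the hashed, time-limited
    // key stored for that user. It returns a WP_User only when they match and the
    // key has not expired; otherwise a WP_Error (invalid_key / expired_key).
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        return $user; // same generic error path for a wrong key and an unknown user
    }

    $new_pass = (string) wp_unslash( $_POST['new_password'] ); // hashed by core, so not sanitized
    if ( strlen( $new_pass ) < 12 ) {
        return new WP_Error( 'weak_password', 'Use at least 12 characters.' );
    }

    // reset_password() hashes and stores the password; core clears the stored
    // activation key at that point, so the reset link cannot be replayed.
    reset_password( $user, $new_pass );
    return true;
}
```

When reviewing a plugin's reset flow, the thing to look for is exactly this: the password must only change after check_password_reset_key() (or an equivalent proof of ownership) has succeeded, never on the strength of a username alone.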

LearnDash SQL Injection Vulnerability

CVSS Rating: 8.5 (High Severity)

The popular WordPress LMS plugin LearnDash was exposed to an SQL injection vulnerability. This type of security issue allows malicious users to access the database and sensitive information, including customer data.

Such a vulnerability can be extremely harmful to businesses, especially since LearnDash is most likely used by online course websites.

This issue affected LearnDash version 4.5.3 or lower. If you use LearnDash on your site, update to version 4.5.3.1 or higher to eliminate the risk.

Advanced Custom Fields XSS Vulnerability

CVSS Rating: 7.1 (High Severity)

Both the free and premium versions of Advanced Custom Fields (ACF) were exposed to a cross-site scripting (XSS) vulnerability. If you're unfamiliar with it, XSS allows attackers to inject malicious code or scripts into a page, which can result in a wide range of consequences.

The Patchstack report shows this vulnerability may lead to sensitive data theft and user privilege escalation. Although ACF is one of the most popular custom field plugins, with over two million installations, Patchstack reports that no exploitation has been detected.

The vulnerability affected version 6.1.5 or lower, and both free and premium users are advised to update to version 6.1.6.

Jetpack API Vulnerability

The Jetpack team uncovered an API vulnerability during one of its internal security audits. The issue allows authors on the site to modify any file in the WordPress installation, a privilege normally only available to administrators.

The API itself is available in Jetpack versions 2.0 to 12.1. As a result, the Jetpack team released a patch for each of those versions to fix this vulnerability, with the latest version being 12.1.1.

Jetpack will force-update the plugin on most websites running a vulnerable version. That said, if you use Jetpack, we recommend checking your website and updating it immediately if necessary.

What’s Coming In June

As mentioned, the beta testing phase for the next WordPress major release starts in June, and it's always exciting to see the new features coming to WordPress core.

However, there's one more event that will delight the WordPress community even more. WordCamp Europe 2023 will take place on June 8-10, 2023, in Athens, Greece! We proudly support this event as a Super Admin sponsor and are excited to see you there. If you haven't got your ticket yet, it's still available on the official WordCamp Europe website.