Earlier today, we released WordPress 4.2.3, which includes a relatively large security fix that affects the Shortcode A shortcode is a placeholder used within a WordPress post, page, or widget to insert a form or function generated by a plugin in a specific location on your site. API An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways.. Due to the nature of the fix – as is often the case with security fixes – we were unable to alert plugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party authors ahead of time, however we did make efforts to scan the plugin directory for plugins that may have been affected.
With this change, every effort has been made to preserve all of the core Core is the set of software required to run WordPress. The Core Development Team builds WordPress. features of the Shortcode API. That said, there are some new limitations that affect some rare uses of shortcodes.
Reminder: Never, under any circumstances, should you hack core files. This includes downgrading specific files. Doing so could have unintended consequences on your WordPress installation, including major security implications.
Basic Shortcode Usage
A brief explanation on the original purpose of shortcodes will help to explain the change. In a basic post, like this example, shortcodes are used to insert dynamic code:
Here are my images. [gallery]
Here you can see that the shortcode stands on its own as a dynamic element within the blog (versus network, site) post content. This is the central premise of the Shortcode API: make it easy to insert blocks of dynamic code.
Shortcodes with Filtered Styles
In today’s release of WordPress 4.2.3, however, we’ve added some new limitations that affect some existing plugins. Take, for example, the following shortcode, which is no longer recognized:
<div style="background-image: url('[shortcode]');">
The shortcode in the example above appears in a context that is no longer supported. Further, this use of a shortcode stretches the imagination for how the Shortcode API was intended to be used. Fortunately, there are some workarounds still available, so that site administrators are not overly restricted in their use of HTML HyperText Markup Language. The semantic scripting language primarily used for outputting content in web browsers..
The following example still functions as expected and is considered more acceptable:
Going forward, plugins implementing shortcodes for inline styles should output the entire
style attribute rather than a bare value. Keep in mind that this workaround – just as the original example above – is only available to administrators and editors (i.e. only roles with unfiltered_html). Less-privileged users are still prevented from using shortcodes to output whole attributes in this manner. If a plugin is intended to work with author and contributor roles, we recommend that the plugin output an entire
Shortcodes with Bad Quotes
The following example is also no longer allowed:
<a href="/[shortcode query="?ref="]">
In the above situation, the shortcode is now properly recognized as HTML and it is rejected by the API. Apart from the example being confusing, WordPress cannot parse that shortcode.
Instead, either of the following examples would be appropriate:
<a href="/[shortcode query='?ref=']">
<a href='/[shortcode query="?ref="]'>
Administrators as well as lesser-privileged authors can continue to use shortcodes in this way, as long is it conforms to the usual HTML filtering rules. However, as explained in the first example, administrators are now somewhat limited in this situation in one case: if the content in this
href attribute is generated by a shortcode that does not conform to the HTML filters, then the shortcode is rejected for all users.
We do not make this change lightly and understand that it may affect some usecases. The above examples and explanations should help plugin authors make the modifications needed to support the Shortcode API.