WordPress 4.2.3 Security Release and the Shortcode API

This week the WordPress Security team push an automatic update patching a vulnerability found in the Shortcode API – kudos to the team for keeping us all safe! To fix the vulnerability adjustments had to be made to the fundamental behaviour of shortcodes – changing what is considered valid and invalid formats.

WordPress 4.3.2 limits all shortcodes used in HTML attributes, with those using them inside style attributes the hardest hit. It also affects shortcodes with user parameters inside any other HTML attributes.

Shortcodes with Bad Quotes

Previously, shortcodes could be placed inside double-quote-wrapped HTML attributes and include user-defined options which were also wrapped in double quotes. This is now considered invalid behaviour.

<a href="[shortcode query="value"]">Invalid</a>

The advised fix is to alternate the quotes, or you can remove them all together.

<a href="[shortcode query='value']">Valid</a>

<a href='[shortcode query="value"]'>Valid</a>

<a href="[shortcode query=value]">Valid</a>

Gravity PDF and WordPress 4.2.3

Users utilising the Gravity Forms Page Confirmation with Gravity PDF may be affected. Site owners should check their confirmation page conforms to the new Shortcode API standard. We’ve also updated our documentation to reflect this new change.