On October 3^rd, the ACF team announced ACF plugin updates will come directly from their website. Sites that followed the ACF team’s instructions on “How to update ACF” will continue to get updates directly from WP Engine.?On October 1^st, 2024, WP Engine also deployed its own solution for updates and installations for plugins and themes across their customers’ sites in place of?www.ads-software.com’s update service.

Sites that continue to use www.ads-software.com’s update service and have not chosen to switch to ACF updates from WP Engine can click to update to switch to Secure Custom Fields. Where sites have chosen to have plugin auto-updates from www.ads-software.com enabled, this update process will auto-switch them from Advanced Custom Fields to Secure Custom Fields.

This update is as minimal as possible to fix the security issue. Going forward, Secure Custom Fields is now a non-commercial plugin, and if any developers want to get involved in maintaining and improving it, please get in touch.

Similar situations have happened before, but not at this scale. This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.

WP Engine has posted instructions for how to use their version of Advanced Custom Fields that uses their own update server, so you have that option, though the WordPress Security Team does not recommend it until they fix the security issues. You can uninstall Advanced Custom Fields and activate Secure Custom Fields from the plugin directory and be just fine.

There is separate, but not directly related news that Jason Bahl has left WP Engine to work for Automattic and will be making WPGraphQL a canonical community plugin. We expect others will follow as well.

On WP Engine’s homepage, they promise “Unmatched performance, automated updates, and bulletproof security ensure your sites thrive.”

WP Engine was well aware that we could remove access when they chose to ignore our efforts to resolve our differences and enter into a commercial licensing agreement. Heather Brunner, Lee Wittlinger, and their Board chose to take this risk. WPE was also aware that they were placing this risk directly on WPE customers. You could assume that WPE has a workaround ready, or they were simply reckless in supporting their customers. Silver Lake and WP Engine put their customers at risk, not me.

We have lifted the blocks of their servers from accessing ours, until October 1, UTC 00:00. Hopefully this helps them spin up their mirrors of all of www.ads-software.com’s resources that they were using for free while not paying, and making legal threats against us.

WP Engine needs a trademark license, they don’t have one. I won’t bore you with the story of how WP Engine broke thousands of customer sites yesterday in their haphazard attempt to block our attempts to inform the wider WordPress community regarding their disabling and locking down a WordPress core feature in order to extract profit.

What I will tell you is that, pending their legal claims and litigation against www.ads-software.com, WP Engine no longer has free access to www.ads-software.com’s resources.

WP Engine wants to control your WordPress experience, they need to run their own user login system, update servers, plugin directory, theme directory, pattern directory, block directory, translations, photo directory, job board, meetups, conferences, bug tracker, forums, Slack, Ping-o-matic, and showcase. Their servers can no longer access our servers for free.

The reason WordPress sites don’t get hacked as much anymore is we work with hosts to block vulnerabilities at the network layer, WP Engine will need to replicate that security research on their own.

Why should www.ads-software.com provide these services to WP Engine for free, given their attacks on us?

WP Engine is free to offer their hacked up, bastardized simulacra of WordPress’s GPL code to their customers, and they can experience WordPress as WP Engine envisions it, with them getting all of the profits and providing all of the services.

If you want to experience WordPress, use any other host in the world besides WP Engine. WP Engine is not WordPress.

This release features three security fixes. Because this is a security release, it is recommended that you update your sites immediately. This minor release also includes 3 bug fixes in Core.

You can download WordPress 6.5.5 from www.ads-software.com, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”. If you have sites that support automatic background updates, the update process will begin automatically.

WordPress 6.5.5 is a short-cycle release. The next major release will be version 6.6 which is scheduled for July 16, 2024.

For more information on WordPress 6.5.5, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:

• A cross-site scripting (XSS) vulnerability affecting the HTML API reported by Dennis Snell of the WordPress Core Team, along with Alex Concha and Grzegorz (Greg) Zió?kowski of the WordPress security team.
• A cross-site scripting (XSS) vulnerability affecting the Template Part block reported independently by Rafie Muhammad of Patchstack and during a third party security audit.
• A path traversal issue affecting sites hosted on Windows reported independently by Rafie M & Edouard L of Patchstack, David Fifield, x89, apple502j, and mishre.

Thank you to these WordPress contributors

This release was led by Aaron Jorbin.

WordPress 6.5.5 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance and security fixes into a stable release is a testament to the power and capability of the WordPress community.

Aaron Jorbin, Alex Concha, Andrew Ozz, bernhard-reiter, Colin Stewart, David Baumwald, Dennis Snell, Grant M. Kinney, Greg Zió?kowski, Jb Audras, Jonathan Desrosiers, Matias Ventura, Miguel Fonseca, Peter Wilson, Rajin Sharwar, Scott Reilly, Tonya Mork

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core Slack channel. Need help? Check out the Core Contributor Handbook.

Already testing WordPress 6.6? The fourth beta is now available (zip) and it contains these security fixes. For more on 6.6, see the beta 3 announcement post. Learn more about testing WordPress 6.6 here.

Props to Paul Kevan, Ehtisham Siddiqui, Alex Concha, Tonya Mork, and Angela Jin for reviewing.

This security and maintenance release features 2 bug fixes on Core, 12 bug fixes for the Block Editor, and 1 security fix.

Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 6.0 and later.

You can download WordPress 6.5.2 from www.ads-software.com, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”. If you have sites that support automatic background updates, the update process will begin automatically.

WordPress 6.5.2 is a short-cycle release. The next major release will be version 6.6 and is currently planned for 16 July 2024.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:

• A cross-site scripting (XSS) vulnerability affecting the Avatar block type; reported by John Blackbourn of the WordPress security team. Many thanks to Mat Rollings for assisting with the research.

Thank you to these WordPress contributors

This release was led by John Blackbourn, Isabel Brison, and Aaron Jorbin.

WordPress 6.5.2 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance and security fixes into a stable release is a testament to the power and capability of the WordPress community.

Aaron Jorbin, Aki Hamano, Andrei Draganescu, Artemio Morales, Caleb Burks, colind, Daniel Richards, Dominik Schilling, Fabian K?gy, George Mamadashvili, Greg Zió?kowski, Isabel Brison, Jb Audras, Joe McGill, John Blackbourn, Jonathan Desrosiers, Lovekesh Kumar, Matias Benedetto, Mukesh Panchal, Pascal Birchler, Peter Wilson, Sean Fisher, Sergey Biryukov, Scott Reilly

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core channel. Need help? Check out the Core Contributor Handbook.

Thanks to John Blackbourn, Ehtisham S., Jb Audras, and Angela Jin for proofreading.

Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later.

You can download WordPress 6.4.3 from www.ads-software.com, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”. If you have sites that support automatic background updates, the update process will begin automatically.

WordPress 6.4.3 is a short-cycle release. The next major release will be version 6.5 planned for 26 March 2024. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement. For further information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:

• m4tuto for finding a PHP File Upload bypass via Plugin Installer (requiring admin privileges).
• @_s_n_t of @pentestltd working with Trend Micro Zero Day Initiative for finding an RCE POP Chains vulnerability.

Thank you to these WordPress contributors

This release was led by Sarah Norris, Joe McGill, and Aaron Jorbin.

WordPress 6.4.3 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance and security fixes into a stable release is a testament to the power and capability of the WordPress community.

Aki Hamano, Alex Concha, Alex Lende, Alex Stine, Andrea Fercia, Andrei Draganescu, Andrew Ozz, Andrew Serong, Andy Fragen, Ari Stathopoulos, Artemio Morales, ben, bobbingwide, Carlos Bravo, Carolina Nymark, ?eslav Przywara, Colin Stewart, Daniel K?fer, Daniel Richards, Dominik Schilling, Ella, Erik, George Mamadashvili, Greg Zió?kowski, Isabel Brison, Joen A., John Blackbourn, Jonathan Desrosiers, joppuyo, Lax Mariappan, luisherranz, Markus, Michal Czaplinski, Mukesh Panchal, Nik Tsekouras, Niluthpal Purkayastha, Noah Allen, Pascal Birchler, Peter Wilson, ramonopoly, Riad Benguella, Sergey Biryukov, Stephen Bernhardt, Teddy Patriarca, Tonya Mork

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core and #6-5-release-leads channels. Need help? Check out the Core Contributor Handbook.

As a final reminder, The WordPress Security Team will never email you requesting that you install a plugin or theme on your site, and will never ask for an administrator username and password. Please stay vigilant against phishing attacks.

Thanks to Angela Jin, Ehtisham S., Jb Audras, and Marius L. J. for proofreading.

This minor release features 7 bug fixes in Core. The fixes include a bug fix for an issue causing stylesheet and theme directories to sometimes return incorrect results.

This release also features one security fix. Because this is a security release, it is recommended that you update your sites immediately.

You can download WordPress 6.4.2 from www.ads-software.com, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”. If you have sites that support automatic background updates, the update process will begin automatically.

WordPress 6.4.2 is a short-cycle release. The next major release will be version 6.5 released in early 2024.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team addressed the following vulnerability in this release.

• A Remote Code Execution vulnerability that is not directly exploitable in core, however the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs.

To help the security team and WordPressers around the world, you are encouraged to responsibly report vulnerabilities. This allows vulnerabilities to be fixed in future releases.

Thank you to these WordPress contributors

This release was led by Aaron Jorbin.

WordPress 6.4.2 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance and security fixes into a stable release is a testament to the power and capability of the WordPress community.

Aaron Jorbin, Aki Hamano, Akira Tachibana, Alex Concha, Angela Jin, Anton Vlasenko, Barry, bernhard-reiter, Caleb Burks, Corey Worrell, crstauf, Darren Ethier (nerrad), David Baumwald, Dennis Snell, Dion Hulse, Erik, Fabian Todt, Felix Arntz, Héctor Prieto, ironprogrammer, Isabel Brison, Jb Audras, Jeffrey Paul, Jessica Lyschik, Joe McGill, John Blackbourn, Jonathan Desrosiers, Kharis Sulistiyono, Krupal Panchal, Kylen Downs, meta4, Mike Schroder, Mukesh Panchal, partyfrikadelle, Peter Wilson, Pieterjan Deneys, rawrly, rebasaurus, Sergey Biryukov, Tonya Mork, vortfu

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core. Need help? Check out the Core Contributor Handbook.

As a final reminder, The WordPress Security Team will never email you requesting that you install a plugin or theme on your site, and will never ask for an administrator username and password. Please stay vigilant against phishing attacks.

Thanks to @angelasjin and @desrosj for proofreading.

The WordPress Security Team will never email you requesting that you install a plugin or theme on your site, and will never ask for an administrator username and password.

If you receive an unsolicited email claiming to be from WordPress with instructions similar to those described above, please disregard the emails and indicate that the email is a scam to your email provider.

These emails link to a phishing site that appears to be the WordPress plugin repository on a domain that is not owned by WordPress or an associated entity. Both Patchstack and Wordfence have written articles that go in to further detail.

Official emails from the WordPress project will always:

• Come from a @www.ads-software.com or @wordpress.net domain.
• Should also say “Signed by: www.ads-software.com” in the email details section.

The WordPress Security Team will only communicate with WordPress users in the following locations:

• the Making WordPress Secure blog at make.www.ads-software.com/security
• the main WordPress News site at www.ads-software.com/news

The WordPress Plugin team will never communicate directly with a plugin’s users but may email plugin support staff, owners and contributors. These emails will be sent from [email protected] and be signed as indicated above.

The official WordPress plugin repository is located at www.ads-software.com/plugins with internationalized versions on subdomains, such as fr.www.ads-software.com/plugins, en-au.www.ads-software.com/plugins, etc. A subdomain may contain a hyphen, however a dot will always appear before www.ads-software.com.

A WordPress site’s administrators can also access the plugin repository via the plugins menu in the WordPress dashboard.

As WordPress is the most used CMS, these types of phishing scams will happen occasionally. Please be vigilant for unexpected emails asking you to install a theme, plugin or linking to a login form.

The Scamwatch website has some tips for identifying emails and text messages that are likely to be scams.

As always, if you believe that you have discovered a security vulnerability in WordPress, please follow the project’s Security policies by privately and responsibly disclosing the issue directly to the WordPress Security team through the project’s official HackerOne page.

Thank you Aaron Jorbin, Otto, Dion Hulse, Josepha Haden Chomphosy, and Jonathan Desrosiers for their collaboration on and review of this post.

WordPress 6.3.2 is a short-cycle release. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement. Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later.

The next major release will be version 6.4 planned for 7 November 2023.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.3.2 from www.ads-software.com, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:

• Marc Montpas of Automattic for finding a potential disclosure of user email addresses.
• Marc Montpas of Automattic for finding an RCE POP Chains vulnerability.
• Rafie Muhammad and Edouard L of Patchstack along with a WordPress commissioned third-party audit for each independently identifying a XSS issue in the post link navigation block.
• Jb Audras of the WordPress Security Team and Rafie Muhammad of Patchstack for each independently discovering an issue where comments on private posts could be leaked to other users.
• John Blackbourn (WordPress Security Team), James Golovich, J.D Grimes, Numan Turle, WhiteCyberSec for each independently identifying a way for logged-in users to execute any shortcode.
• mascara7784 and a third-party security audit for identifying a XSS vulnerability in the application password screen.
• Jorge Costa of the WordPress Core Team for identifying XSS vulnerability in the footnotes block.
• s5s and raouf_maklouf for independently identifying a cache poisoning DoS vulnerability.

Thank you to these WordPress contributors

This release was led by Joe McGill, Aaron Jorbin and Jb Audras, with the help of David Baumwald on mission control.

WordPress 6.3.2 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance and security fixes into a stable release is a testament to the power and capability of the WordPress community.

Aaron Jorbin, Aki Hamano, Akihiro Harai, Alex Concha, Andrew Ozz, Andy Fragen, Anthony Burchell, Aurooba Ahmed, Ben Dwyer, Carolina Nymark, Colin Stewart, Corey Worrell, Damon Cook, David Biňovec, David E. Smith, Dean Sas, Dennis Snell, Dhruvi Shah, Dion Hulse, Ehtisham S., Felix Arntz, George Mamadashvili, Greg Zió?kowski, Huzaifa Al Mesbah, Isabel Brison, Jb Audras, Joe Hoyle, Joe McGill, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Jonny Harris, Jorge Costa, Justin Tadlock, K. Adam White, Kim Coleman, LarryWEB, Liam Gladdy, Mehedi Hassan, Miguel Fonseca, Mukesh Panchal, Nicole Furlan, Paul Biron, Paul Kevan, Peter Wilson, Pooja N Muchandikar, Rajin Sharwar, Ryan McCue, Sal Ferrarello, Sergey Biryukov, Shail Mehta, Stephen Bernhardt, Teddy Patriarca, Timothy Jacobs, Weston Ruter, Zunaid Amin, ahardyjpl, beryldlg, floydwilde, jastos, martin.krcho, masteradhoc, petitphp, ramonopoly, vortfu, zieladam

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core and #6-4-release-leads channels. Need help? Check out the Core Contributor Handbook.

Already testing WordPress 6.4? The fourth beta is now available (zip) and it contains these security fixes. For more on 6.4, see the beta 3 announcement post.

Thanks to @jeffpaul, @chanthaboune, @peterwilsoncc and @rawrly for proofreading.

The 6.2.2 minor release addresses 1 bug and 1 security issue. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.9 have also been updated.

WordPress 6.2.2 is a rapid response release to address a regression in 6.2.1 and further patch a vulnerability addressed in 6.2.1. The next major release will be version 6.3 planned for August 2023.

The update process will begin automatically if you have sites that support automatic background updates.

You can download WordPress 6.2.2 from www.ads-software.com or visit your WordPress Dashboard, click “Updates,” and click “Update Now.”

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities and allowing them to be fixed in this release. 

• Block themes parsing shortcodes in user-generated data; thanks to Liam Gladdy of WP Engine for reporting this issue.

The issue above was originally patched in the 6.2.1 release, but needed further hardening here in 6.2.2. The Core team is thankful for the community in their response to 6.2.1 and collaboration on finding the best path forward for proper resolution in 6.2.2. The folks who worked on 6.2.2 are especially appreciative for everyone’s understanding while they worked asynchronously to get this out the door as quickly as possible.

Thank you to these WordPress contributors

This release was led by Jonathan Desrosiers.

WordPress 6.2.2 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver security fixes into a stable release is a testament to the power and capability of the WordPress community.

Aaron Jorbin, Alex Concha, Anthony Burchell, Chloé Bringmann, chriscct7, Daniel Richards, David Baumwald, Ehtisham S., Greg Zió?kowski, Héctor Prieto, Isabel Brison, Jb Audras, Jeffrey Paul, John Blackbourn, Jonathan Desrosiers, Josepha, Marius L. J., Matias Ventura, Mike Schroder, Peter Wilson, Riad Benguella, Robert Anderson, Ryan McCue, Samuel Wood (Otto), Scott Reilly, and Timothy Jacobs

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core and #6-3-release-leads channels. Need help? Check out the Core Contributor Handbook.

Thanks to @cbringmann, @davidbaumwald, @chanthaboune, @jeffpaul for proofreading.