• Forgive me for a few items. First, I’m a newbie. Second, I’m a front end guy so please be very specific if you have questions or comments. Besides that, thanks in advance.

    Came into work today to see one of our pages looking like crap and not working properly. It’s a client page using Types (bootstrap) to display image links.

    footholdtechnology.com/clients-partners/clients/

    The image links, when broken, were src=”footholdtechnology.com/../[types field=

    For business reasons, this page needed to work immediately so I returned WP to a previous version via backup. However, that’s not a long-term solution and now I can’t log in to the UI with updating (via WP popup box).

    Has anyone else had this issue? Anyone have any ideas on what I need to do to fix this? Am I supplying enough information?

    Thank you!

Viewing 8 replies - 16 through 23 (of 23 total)
  • Thread Starter alans0830

    (@alans0830)

    Special thanks to NCPTT! Marking resolved (for now).

    Alan, this is not properly a solution. It’s a workaround. I suggest you leave the thread as unresolved.

    Thread Starter alans0830

    (@alans0830)

    Ha. I did mention that I was a newb. How do I “unresolve”?

    UPDATE: NM. I got it.

    Thread Starter alans0830

    (@alans0830)

    NM. Got it.

    Moderator chriscct7

    (@chriscct7)

    Old WordPress versions are at risk to what is now a partially publicly disclosed security issue. Back converting makes your site immediately at risk. Copying old files from 4.2.2 into 4.2.3 makes your site immediately at risk. Disabling automatic updates makes your site at risk.

    4.2.3 fixed, among other things, a complicated issue with shortcodes. The few affected plugin authors will need to update their plugins per the make.wordpress.org post on the Shortcode API update.

    Generally, I agree with your assessment. People should not remain on 4.2.2 for long or use the earlier version of wp-includes/shortcodes.php. The choice for many was having their site crippled on 4.2.3 or functional on 4.2.2, hence the immediate workaround.

    After reviewing the specific vulnerabilities fixed in 4.2.3 and mitigating the risks, for one project that uses ToolSet from wp-types.com I’ve decided to roll back to 4.2.2 temporarily until updates to plugins are addressed. That site does not use the roles subject to the XSS vulnerability. For this project, usability outweighs the risk from the vulnerabilities. Each admin will need to weigh those requirements for themselves.

    For most sites, which are stock blogs with few plugins and non-technical admins, automatic core updates are a good idea that keeps sites from being compromised.

    However, I’ve disabled automatic updates on my production sites. It’s important to test core updates in a development environment before applying them to a production site. Yesterday many sites using wp-types.com ToolSet were crippled because they had automatic updates enabled.

    Changes to the shortcodes API were not released with sufficient lead time, about a day, and while yes, it addressed a critical vulnerability, the normal release process was skipped. That shouldn’t happen. The fact that it did starkly illustrates the problem with automatic updates.

    Thread Starter alans0830

    (@alans0830)

    Agreed.

    chriscct7, I was a bit baffled with that comment. What you suggest is that everyone whose clients’/employers’ websites are crippled should just leave them that way until plugin updates are available. That’s just not realistic.

    I am a newbie too. I have the same problem with all my links being broken. Since I no longer have any site with 4.2.2, where can I get a copy of wp-includes/shortcodes.php from 4.2.2?

    I do have a backup but made some significant changes last night before the update.

    Thanks

    Site is https://seniorsaversnetwork.org

    I also found that when I searched for my site today, www was appended to it and this happened in Chrome and in Firefox. I understand Chrome had an update that may have caused this. Maybe this is related since the timing is the same, and it is happening in multiple browsers.

  • The topic ‘4.2.3 Security Update created broken [types field] links’ is closed to new replies.