NCPTT
Forum Replies Created
Forum: Plugins
In reply to: [Post Views Count (Support caching plugins!)] problem with the_content
Thanks, I had the same problem at https://ncptt.nps.gov/ with all posts/pages. I’ve disabled the plugin, which restores the_content. Thanks for your solution.
Forum: Fixing WordPress
In reply to: 4.2.3 Security Update created broken [types field] links
Generally, I agree with your assessment. People should not remain on 4.2.2 for long or use the earlier version of wp-includes/shortcodes.php. The choice for many was having their site crippled on 4.2.3 or functional on 4.2.2, hence the immediate workaround.
After reviewing the specific vulnerabilities fixed in 4.2.3 and mitigating the risks, for one project that uses ToolSet from wp-types.com I’ve decided to roll back to 4.2.2 temporarily until updates to plugins are addressed. That site does not use the roles subject to the XSS vulnerability. For this project, usability outweighs the risk from the vulnerabilities. Each admin will need to weigh those requirements for themselves.
For most sites, which are stock blogs with few plugins and non-technical admins, automatic core updates are a good idea that keeps sites from being compromised.
However, I’ve disabled automatic updates on my production sites. It’s important to test core updates in a development environment before applying them to a production site. Yesterday many sites using wp-types.com ToolSet were crippled because they had automatic updates enabled.
Changes to the shortcodes API were not released with sufficient lead time, about a day, and while yes, it addressed a critical vulnerability, the normal release process was skipped. That shouldn’t happen. The fact that it did starkly illustrates the problem with automatic updates.
Forum: Fixing WordPress
In reply to: Missing Google Adsense Ad with 4.2.3
This is probably due to updates in 4.2.3 to wp-includes/shortcodes.php which change the way shortcodes are processed. You can either revert to your backup or, as a temporary workaround, replace that file with the version from 4.2.2.
To turn off automatic core updates, add this line to wp-config.php:
define( 'WP_AUTO_UPDATE_CORE', false );
If you do that, after testing in your development environment that updates work with your suite of plugins and theme, be certain to keep on top of updates in your production environment.
Forum: Fixing WordPress
In reply to: 4.2.3 Security Update created broken [types field] links
You’re right, Alan. My temporary fix was to replace shortcodes.php, but I’m rolling back to 4.2.2 now. I’m checking other plugins on my development workstation under 4.2.3 to see what else is broken.
define( 'WP_AUTO_UPDATE_CORE', false ); disables all files since core updates are all-or-nothing. It’s normally a bad idea to mix and match core files from different versions as it can break things, but this case was one of those exceptions.
I think improved security was the rationale for this change to the way shortcodes are parsed. I’d be surprised if there wasn’t a 4.2.3.1 patch released soon. There’s also likely to be a quick update for the wp-types.com ToolSet suite of plugins.
Here’s the discussion thread about the problem as it pertains to ToolSet: https://wp-types.com/forums/topic/types-shortcode-breaks-after-wordpress-4-2-3-autoupgrade/
Note: You may need an account at wp-types.com to view that thread.
Forum: Fixing WordPress
In reply to: 4.2.3 Security Update created broken [types field] links
The problem you’re describing is due to changes to the way shortcodes are parsed in wp-includes/shortcodes.php. Just saw alans0830’s reply and that indeed is the problem. Types/Views and other ToolSet plugins (indeed many other plugins) depend upon templates that mix HTML and shortcodes.
The workaround for me was to replace the 4.2.3 version of wp-includes/shortcodes.php with the one from 4.2.2 and to turn off automatic core updates in wp-config.php by adding the line define( 'WP_AUTO_UPDATE_CORE', false );