SWFUpload Will Officially Be Removed From WordPress

SWFUpload is an open-source library that WordPress used in 2011 and earlier to let users upload files. The library was abandoned and replaced with Plupload in WordPress 3.3, released in 2011. Despite the replacement, WordPress continued to bundle the library for plugins that didn’t migrate to Plupload. In 2013, the core team forked SWFUpload and maintained the project, applying security fixes submitted by contributors.

After six years of deprecation, the core team has announced that SWFUpload will officially be removed from WordPress core. The team searched the WordPress plugin directory and compiled a list of plugins that contain references to swfupload in their code. According to Weston Ruter, the list includes 128 themes and plugins.

Some of the most popular plugins include:

The team is working on a way to provide enough backwards compatibility to ensure there are no JavaScript errors and that an upload form is displayed instead of embedded Flash. Andrew Ozz also apologized to plugin authors, noting that the list likely contains some false positives. If you use one or more of the plugins mentioned above, please get in touch with the author and ask if it will function without SWFUpload in core.

11 Comments


  1. Nextgen Gallery is also on that list; with +1mio active installs it seems to be the “biggest” one on the list and one can only wonder why you don’t mention it in your article?


    1. NextGEN Gallery does not use SWFUpload anymore and hasn’t since 2012 when we switched to Plupload. (version 1.9.8) We even disable Plupload’s SWF support in version 2.2.12. We’re using Plupload’s BrowserPlus support, HTML5, Silverlight, then HTML4 for image uploads.


      1. When I search the NextGen plugin, I see swfupload in module.nextgen_settings.php, so it seems they are using it.


  2. What happened? Long time did not read, that something will be removed from WP.

    Also interesting to see how even popular plugins use something 6 years deprecated. Can imagine that mess in their code ;)


  3. Wow, popular plugins still use SWFUpload, giving room for security exploitation.


  4. Whoa! Thanks for this info. Please WP All Import developers should take note of this. I have a site that uses the plugin.


  5. @Helen it’s not actually being used. It’s a reference to legacy code that was left for backward compatibility and is being removed soon. But it’s not actually in effect.


    1. @Scott thanks for clarification, much appreciated.


  6. The fact of the matter is that:

    You should test plugins on a clone of the site,
    to test if the update will go through.

    But I do realise that it doesn’t work for most people if they think that the plugin isn’t a major plugin that wraps around the entire website, i.e. that if the plugin is deactivated the site falls to smithereens.

    It’s good to know that there is a list of plugins that will be affected by the latest update, now that we’re seeing more Hosting providers enable automatic WordPress core updates by default.

    Not 100% sure that word would get around the world for all owners of the listed plugin.

    But do know that many developers will get to work!

    Kind regards,
