WordPress 6.2.1 was released yesterday and rolled out to sites with automatic background updates enabled. The update included five important security fixes. Ordinarily, a maintenance and security release can be trusted not to break a website, but many users are struggling after 6.2.1 removed shortcode support from block templates.
A support forum thread tracking the broken shortcodes issue shows that this change impacts how plugins display things like breadcrumbs, newsletter signup forms, WPForms, Metaslider, bbPress content, and more. The problem affects template blocks, not sites that are using non-FSE themes.
“It’s absolutely insane to me that shortcodes have been removed by design!” @camknight said in the support forum discussion. “Every single one of our agency’s FSE sites uses the shortcode block in templates for everything: filters, search, ACF & plugin integrations. This is chaos!!”
Another user, @asjl, reports having this update break hundreds of pages.
“I’ve got the same problem on over 600 pages which use five or six different templates with shortcodes in each template on one site and similar things on several others,” @asjl said.
“I’m looking forward to editing each of those pages to get the shortcode back in place. Or backtracking to 6.2 and turning off updates.”
It’s not clear why shortcode blocks that are in block theme template parts still work, but this is one workaround that has been suggested to users. In a trac ticket for the issue others have suggested adding a PHP file for a plugin called “Shortcode Fix” to the plugins folder, but this workaround reintroduces the security issue.
Other users are being forced to revert to previous insecure versions of WordPress in order to keep critical functionality on their sites working. WordPress developer Oliver Campion commented on the Trac ticket with more details about how sites are currently using shortcodes in templates:
This update has been nothing short of a disaster. I cannot understand how there was no warning of such a destructive, automatic roll out!
We have managed to rollback affected sites to v6.2 and block automatic core updates until there is a suitable solution, which we hope is imminent due to the reported security issues!
Shortcode Blocks, in our opinion, are absolutely essential to the design process when using Block Themes.
We use them to inject classic menus that can have dynamic menu items (such as sign out), dynamic header content, specialized loops and footer content that’s as simple as showing the current year in the copyright statement to showing a contact form or other such dynamic content. And that’s just what I can think of from the top of my head.
An unfortunate consequence of this update is that it has destroyed many users’ confidence in WordPress’ automatic updates. This kind of breaking change should never happen in a release that auto installs overnight.
Even if it’s absolutely necessary to avoid a zero-day vulnerability on WordPress sites, discontinued shortcode support in block templates should have been accompanied with more information to help affected users find a solution.
The only communication users received about this was a short, inadequate note on the vulnerability in the 6.2.1 release post “Block themes parsing shortcodes in user generated data.”
Fixing all of these shortcode uses on websites that heavily rely on them would already have been a challenge for many, even with advance notice. Shipping this breaking change in an automatic update, without a proper explanation of how it impacts users, only served to twist the knife.
During today’s core dev meeting, WordPress 6.2.1 co-release lead Jb Audras said this issue may prompt a quick 6.2.2 release but the details are not yet available.
“As you may know, one security fix led to an important issue with shortcodes used in templates,” Audras said. “The issue is currently actively discussed in the Security Editor team, and some hypothesis have been made to sort this out in a quick follow-up release.
“No schedule available for now – it will depend on the follow-up patch currently discussed by the Editor team.”
In the meantime, those who cannot employ a workaround and are looking to rollback to 6.2 can can use the WP Downgrade plugin as a temporary fix, with the knowledge that this leaves the site vulnerable until a permanent solution can be put in place.
Perfect example to why you should be there doing the updates yourself instead of thinking automatic updates will do it for you and everything will be hunky dory. Also yes I know a tiny percentage for updates have wrecked things over the 20 years WordPress has been around.