WordPress 6.2.2 Restores Shortcode Support in Block Templates, Fixes Security Issue

WordPress 6.2.2 was released early this morning as a rapid follow-up to 6.2.1, which introduced a bug that broke shortcode support in block templates. Version 6.2.1 was also an important security release, but due to the catastrophic breakage for those using shortcodes in block templates, some users were implementing insecure workarounds or simply downgrading to 6.2 to keep critical functionality working on their websites.

WordPress contributors worked quickly over the weekend to ensure that users can now update to 6.2.2 with their shortcodes intact. The release post identified the removal of shortcode support in the previous release as “a regression” and a bug. This is an important recognition, as shortcodes are still a tool that users frequently rely on to insert functionality from plugins that haven’t made it available as a block, as well as a necessity for things that won’t work without inline shortcodes.

Version 6.2.2 is also a security release, as core contributor Jonathan Desrosiers said that the issue patched in 6.2.1 “needed further hardening” in this update.

Users are advised to update immediately and automatic updates are rolling out. Many reported having turned automatic background updates off for core after 6.2.1 broke their websites. Users who did so will need to manually update as soon as possible.


9 responses to “WordPress 6.2.2 Restores Shortcode Support in Block Templates, Fixes Security Issue”

  1. 6.2.1 did not “introduced a bug”, it simply removed two lines for shortcode functionality from the code.

    6.2.2 is also no “further hardening” but a completely different way to approach the problem by re-adding and moving the shortcode functionality earlier in the process.

    The whole thing is a communication failure and also a code quality desaster, sorry to say this in these harsh words.

  2. Wow, I updated my WordPress websites BEFORE the WPTavern came out. I usually know about updates from WPTavern. This is a first.

    Anyways, I want to thank Sarah for the article.
    I also want to thank everyone that worked on 6.2.2.

    Now……….reasons like 6.2.1 is the reason I turned off automatic updates years ago.

    Yes, automatic updates CAN break WordPress. No matter how many times certain someone from WordPress forums says no they won’t. Think Reddit.

    Now, I am not attacking him, I think he is awesome.

    This is why you need to have a side version or local version of your site. Test updates there then go on your live site.


    • I agree with you. Thing is, I remember the bad old days – been with WordPress since 1.2. Pretty much every install of 1.2 or 1.5 was hacked cos of a security issue, even mine (thankfully they didn’t get admin, only into a contributor level so couldn’t do much damage).

      I have been surprised how WordPress upto now has kept things stable. But the communication on this was terrible, all they needed to do was put a message into the shortcode or admin to tell people it was disabled, I wasted hours thinking it was something else.

      Even as a zero-day, they should have waited and tested or come up with an alternative rather than just take the functionality out. That was like the old days.

      But given plugins, themes and WP auto-update has lead to a much more secure system, so hacks are not unknown but rare. So although I understand people disabling the auto-functions – fine if you do check your site every day – I’d urge caution against doing that. Otherwise hackers will be emboldened again.

      At very least make sure you have something like Wordfence installed, a firewall to stop attacks! But staying up to date is still the best option.

      And I was quoted on articles about this farrago, so I was affected too, and had to find workarounds. It was badly managed yes, but I’d not throw the baby out of the bathwater.

      • I had WP for 15+ years. I am subscribed to WPTavern newsletter, about 100 WordPress universes people, WordPress itself. So I know I don’t need to worry about delayed updates.
        I also use Wordfence that tells me if anything has an update.
        Also, I log in every day around 9am.

        I used to say that I would have no plugins that have not been updated a year or longer, now it’s 6 months. If it hasn’t been updated in 6 months or longer…I get a replacement.

        Unlike the average person, I do install plugins and go through the settings. I have 2fa. I change all my passwords around every 6 months. I don’t use admin. My password is a mix of upper and lower case letters with symbols. The password is over 25 characters. I have a password manager. I have 2fa on all my online accounts including hosting and domain registrar.

        Relying on auto-updates, makes people lazy. Look at this update, the previous one broke things for people.

        WordPress itself is not the issue, it’s crappy coded plugins. So many abandoned plugins, I think the oldest I have seen was 5-6 years since last update. There is no reason to have that on the repository.

        Heck, I am so good at updates that I updated to WordPress 6.2.2. BEFORE the WPTavern article came.

        Also, obviously if I have let’s say akismet on my main website, if I have let’s say 7 other websites and they have akismet, I will be updating those websites as well.

  3. And this is why I keep telling people to always keep regular “Full Site” backups.

    “Expect the Unexpected”

    I made it a habit years ago that even with a small update to a plugin, theme, and especially WordPress, to always make a backup before I click update. With this recent issue, I purposely did not update my Rough Pixels website to 6.1.1 until I decided to go for it–albeit, cautiously. I did this just a day before the problem came to light. Oddly, my site was OK. It’s on 6.2.2 now.

    As a side note: Worst-case scenario is that if you are on a good host, they should have backups to rollback your website.

  4. I have 6.2.1 with Sydney theme Elementor and wpforms and wpsmtp for some reason, anything captured on the contact forms does not send through to my email and this has been the case since 6.2 a fix I found was just turning off wpsmtp or any other smtp pluginm

  5. I apologize for any confusion, but as of my knowledge cutoff in September 2021, the latest version of WordPress is 5.8. However, I can provide you with some general information about WordPress shortcode support and security fixes.

    WordPress Shortcodes:
    WordPress shortcodes are small snippets of code enclosed in square brackets that allow you to add various dynamic features and functionality to your website. They enable you to embed content or execute specific actions without writing custom code.

    Block Templates:
    Block templates were introduced in WordPress 5.8 as a way to create predefined block layouts for specific sections of your website. These templates can be used to streamline the content creation process and ensure consistency across your site.

    Security Fixes:
    WordPress, like any other software, periodically releases updates to address security vulnerabilities and improve overall stability. These updates are crucial for maintaining the security of your WordPress website and protecting it from potential threats.

    It’s important to regularly update your WordPress installation, themes, and plugins to benefit from the latest bug fixes, feature enhancements, and security patches. WordPress updates can be done automatically or manually, depending on your configuration.

    Please note that the information provided is based on the WordPress version available up to September 2021. For the most accurate and up-to-date information on WordPress versions and features, I recommend visiting the official WordPress website or checking the release notes for the specific version you are interested in.

    download all theme and plugins from my website || https://insiderwp.com/


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: