Shortcode Security Updates

Since version 6.4.8, some security fixes have been in place that run the wp_kses() function on the values of the format, format_header and format_footer parameters of any shortcode that supplies them. This was due to a vulnerability report we received from the WordFence security team.

Am I Affected?

If you use shortcodes with formatting, or if you allow users to submit publishable content (which may contain our shortcodes), then you may be affected by these changes, from both a security and presentation standpoint.

What Happened?

As part of that fix, we also stopped entity-decoding content enclosed within a shortcode, like this: [shortcode]content[/shortcode]. In some cases users have since started seeing raw HTML in their page output rather than the expected formatting.

The reason for this is that such content was being supplied in a way WordPress itself considers incorrect use of shortcodes, and Events Manager was then decoding it when it should not have been. The decoding was unintended, but removing it was also necessary: entity-decoding user-supplied content is a security risk, so this functionality had to be addressed.

The side-effects of this change became apparent to us as users started upgrading. This ‘unintended’ behaviour was not one we had tested for, since our intention was only to decode content supplied via the format parameters of a shortcode. The general practice nowadays is to write correctly formatted HTML around and within a shortcode.
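To make the mechanism concrete, here is an added example that is not Events Manager's code: a hypothetical WordPress shortcode, [demo_list], with a format attribute in the style described above. The demo_* names, the #_NAME placeholder and the sample items are all invented for the illustration. It shows the unsafe pattern of entity-decoding the attribute and echoing it, the hardened decode-then-wp_kses() form, and enclosed content being used without entity-decoding.

```php
<?php
/*
 * Plugin Name: Format attribute demo (added example, not Events Manager code)
 * Description: Hypothetical [demo_list] shortcode showing why entity-decoding a
 * user-supplied format attribute is unsafe, and the decode-then-wp_kses() fix.
 * Drop into wp-content/mu-plugins/ to try it.
 */

// Hypothetical placeholder token substituted per item.
const DEMO_PLACEHOLDER = '#_NAME';

// Constructed sample data standing in for whatever the real shortcode lists.
// The second item carries markup so the output shows data is escaped, not rendered.
function demo_sample_items() {
    return array( 'Alpha', 'Beta <script>alert(1)</script>' );
}

// Replace the placeholder in $format with each HTML-escaped item and concatenate.
function demo_substitute( $format, $items ) {
    $out = '';
    foreach ( $items as $item ) {
        $out .= str_replace( DEMO_PLACEHOLDER, esc_html( $item ), $format );
    }
    return $out;
}

/*
 * UNSAFE (the behaviour described above as being removed): the attribute is
 * entity-decoded and used as markup without sanitizing.
 *
 * WordPress runs wp_kses() on the post content of any author who lacks the
 * unfiltered_html capability when the post is saved, so a literal <script>
 * written in the attribute is stripped at that point. An entity-encoded one,
 * e.g. format="&lt;script&gt;alert(1)&lt;/script&gt;", survives save-time
 * kses as harmless text and reaches the handler unchanged; decoding it here
 * turns it back into live markup on every page view.
 */
function demo_render_unsafe( $format, $items ) {
    $format = html_entity_decode( $format, ENT_QUOTES, 'UTF-8' );
    return demo_substitute( $format, $items );
}

/*
 * HARDENED: decode, then run wp_kses() with the 'post' allow list (the same
 * list wp_kses_post() uses) before the value is used as markup. Anything
 * save-time kses would have removed is removed again here, after decoding.
 */
function demo_render_safe( $format, $items ) {
    $format = html_entity_decode( $format, ENT_QUOTES, 'UTF-8' );
    $format = wp_kses( $format, wp_kses_allowed_html( 'post' ) );
    return demo_substitute( $format, $items );
}

add_shortcode( 'demo_list', function ( $atts, $content = '' ) {
    $atts  = shortcode_atts( array( 'format' => '' ), $atts, 'demo_list' );
    $items = demo_sample_items();

    if ( '' !== $atts['format'] ) {
        // Legacy style: [demo_list format="&lt;li&gt;#_NAME&lt;/li&gt;"]
        $body = demo_render_safe( $atts['format'], $items );
    } else {
        // Preferred style: [demo_list]<li>#_NAME</li>[/demo_list]
        // Enclosed content is NOT entity-decoded; it is used as written and only
        // passed through wp_kses() so it cannot exceed post-level HTML.
        $format = wp_kses( $content, wp_kses_allowed_html( 'post' ) );
        $body   = demo_substitute( $format, $items );
    }
    return '<ul>' . $body . '</ul>';
} );
```

Two caveats a practitioner will want. First, wp_kses() with the 'post' allow list still permits a fair amount of markup (links, images and inline styles within kses's rules), so it bounds the damage rather than eliminating markup; it is the same bound WordPress already applies at save time. Second, because the sanitization happens in the render path, it runs on every page view that includes the shortcode, which is the performance cost referred to later in this post.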

In the upcoming update 6.4.11, we have added options that mitigate this side-effect and allow for a transition period until we ultimately remove the ability to use format-style parameters in shortcodes.

We have also created a documentation page which covers shortcode security in more detail.

Transition period

You can already upgrade to the development version 6.4.10.2, which contains these settings.

Events Manager 6.4.11 will include some options within Settings > General > Admin Tools that will allow enabling/disabling these settings.

Updated plugins will behave as follows, according to these settings:

  • Shortcodes will allow the format-style parameters and will decode/sanitize this content.
  • Enclosed formats within the shortcode will not be decoded, unless you are updating from a version earlier than 6.4.8, in which case enclosed content will continue to be decoded and will also be sanitized via wp_kses.

New plugin installs will not allow for `format`-style parameters, and shortcode content will not be entity-decoded.

Finalizing the transition

In the future, we will disable this ability entirely and remove these transitional options too. Ultimately, this is unsafe behaviour, and whilst we sanitize the output content to mitigate the risk, this is not ideal: sanitizing content at output time this way is costly performance-wise.

For those who understand the risks, we have provided a PHP snippet for you to use on your site if you would like this behaviour to continue indefinitely, covered in the documentation page.