WordPress today released a critical security update to the current stable branch of WordPress to fix a cross-site scripting (XSS) vulnerability in how shortcodes are used in HTML attributes.

As a WP Engine customer, you’re covered. Our team is working to automatically patch and update all sites hosted with us to WordPress 4.2.3. You don’t have to take any action to leverage this security update.

Essentially, this security issue could enable specially crafted shortcodes to bypass kses protection by tricking it into thinking dangerous parts are part of valid HTML.

This vulnerability may allow users without the unfiltered_html capability, but with publishing rights, to run JavaScript code on the front end of the website. This security update ensures all shortcodes inside attributes are evaluated and then run both through kses separately and escaped for use in attributes.

Once your site is updated, almost all shortcodes should work as expected, with the possible exception of shortcodes used inside tags (between < and >), but outside attributes.

More information regarding this security update is available in this blog post on WordPress.org.

Automatic security updates are just one of the many benefits you receive as a WP Engine customer. As always, thank you for trusting WP Engine with your WordPress sites and their security.