WordPress today released a critical security update to the current stable branch of WordPress to fix a cross-site scripting (XSS) vulnerability in how shortcodes are used in HTML attributes.
As a WP Engine customer, you’re covered. Our team is working to automatically patch and update all sites hosted with us to WordPress 4.2.3. You don’t have to take any action to leverage this security update.
In essence, the vulnerability allows specially crafted shortcodes to bypass kses, WordPress's HTML sanitization filter, by tricking it into treating dangerous markup as part of valid HTML.
Once your site is updated, almost all shortcodes should work as expected. The possible exception is shortcodes used inside tags (between < and >) but outside attributes.
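To find content that falls into that exception before or after the update, the following added example (not WordPress or WP Engine code) scans exported post HTML and classifies each shortcode by where it sits. The function names, the shortcode pattern and the sample content are constructed for illustration, and treating a shortcode directly after `=` as an unquoted attribute value is an assumption of this heuristic, not WordPress's parser.

```python
import re

# Heuristic shortcode opener: "[name" or "[/name". Not WordPress's own regex.
SHORTCODE = re.compile(r"\[/?[A-Za-z][\w-]*")

def classify_shortcodes(html):
    """Return (offset, token, context) for each shortcode-like token.

    context is "text", "attribute" (inside an attribute value) or
    "tag" (between < and > but outside any attribute value).
    """
    findings = []
    in_tag = False
    quote = None   # quote character of the attribute value currently open
    prev = ""      # last non-whitespace character seen inside the tag
    for i, ch in enumerate(html):
        if not in_tag:
            # Only "<" followed by a letter or "/" starts a tag ("a < b" does not).
            if ch == "<" and re.match(r"[A-Za-z/]", html[i + 1:i + 2]):
                in_tag, quote, prev = True, None, ""
        elif quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == ">":
            in_tag = False
        m = SHORTCODE.match(html, i) if ch == "[" else None
        if m:
            if not in_tag:
                ctx = "text"
            elif quote or prev == "=":   # assumption: "=[" is an unquoted value
                ctx = "attribute"
            else:
                ctx = "tag"
            findings.append((i, m.group(0), ctx))
        if in_tag and not ch.isspace():
            prev = ch
    return findings

def needs_review(html):
    """Shortcodes inside a tag but outside attributes: the case that may stop working."""
    return [f for f in classify_shortcodes(html) if f[2] == "tag"]

# Constructed sample content, one shortcode per placement.
SAMPLE = ('<p>[gallery ids="1,2"]</p>\n'
          '<a href="[permalink]">link</a>\n'
          '<div [extra_attrs]>box</div>\n')
```

Run `needs_review()` over each post body exported from the database; anything it returns should be checked by hand on the updated site.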
More information regarding this security update is available in this blog post on WordPress.org.
Automatic security updates are just one of the many benefits you receive as a WP Engine customer. As always, thank you for trusting WP Engine with your WordPress sites and their security.