October 2022 proved to be a pivotal month in the WordPress world. This dynamic period saw significant advancements, including the highly anticipated release of Gutenberg 14.4, intense core development in preparation for the upcoming WordPress 6.1, robust community testing efforts, and the disclosure of several high-severity plugin vulnerabilities. Let’s delve into the ecosystem’s evolution, highlighting the progress and persistent security challenges faced throughout October 2022.
October 2022: Community & Collaboration

On October 25, 2022, the TaxoPress team (part of PublishPress) officially acquired the Tag Groups plugin, a popular tool for organizing tags and taxonomies created by Christoph Amthor. The integration brought Tag Groups under the TaxoPress umbrella, consolidating taxonomy management tools and unifying support and development.
Core Updates & WordPress 6.1 Prep in October 2022
WordPress core contributors were laser-focused throughout October 2022, tirelessly preparing for WordPress 6.1, codenamed “Misha.” This major release was slated to ship on November 1st. Their dedication led to several key achievements:
- Global Accessibility Efforts Flourish: The immense and ongoing commitment of the WordPress community to internationalization continued to bridge language barriers. While precise counts for October 2022 aren’t always isolated, thousands of contributors consistently translate millions of strings annually. This vital effort underpins WordPress’s global reach and inclusivity.
- Streamlining Older Versions: Behind the scenes, efforts were underway to clean up older WordPress branches, specifically versions 3.7 to 4.0. This proactive maintenance aimed to facilitate future development and reduce technical debt. It’s a reminder that while older versions might exist, WordPress generally ensures security updates only for version 4.7 and above.
- Shaping the Future with User Feedback: While the official WordPress User Survey for 2022 would launch in early December, the planning and anticipation were incredibly high throughout October 2022. This crucial annual survey was designed to gather vital data from site owners, developers, and contributors across seven languages to help shape the project’s priorities and strategies for 2023.
- Steady Development Progress: Indicators of robust development were clear. “The Week in Core” review on October 17 noted 73 commits, 141 contributors, and 67 tickets created. These numbers showcase the progress made towards the impending WordPress 6.1 release.
Other WordPress News from October 2022
Gutenberg Evolves: New Tools for Creative Freedom in October 2022
The block editor, Gutenberg, received significant attention in October 2022, empowering users with more intuitive content creation tools.
- Gutenberg 14.4 Lands (October 26, 2022): This update brought tangible improvements for users. Key highlights included the introduction of Distraction-Free Mode, a highly anticipated feature that cleverly hides toolbars and sidebars for a focused, clean writing environment. The update also boasted an enhanced Pattern Inserter UI, refined Fluid Typography for better responsive design, repositioned caption tools for images directly in the toolbar, and the ability to lock the Navigation block to restrict accidental edits.
- A Glimpse into Gutenberg 14.5: Previewed later in October 2022 (officially released on November 9, 2022), Gutenberg 14.5 offered a sneak peek at future capabilities. Notable additions included a new Document Overview panel (combining List View and Details) for better content context, expanded margin/padding support for more precise layout control, and improved editable spacing visualizers for intuitive design adjustments.
Full-Site Editing Outreach Continues Strong in October 2022
The FSE Outreach Program remained a cornerstone of full-site editing development throughout October 2022. Its 17th test round ran in mid-October, guiding contributors through Gutenberg gallery workflows and actively gathering UI feedback via Slack and blog posts. This truly demonstrates a community-driven approach to shaping the future of WordPress design.
Block Theme Innovation Thrives
GeneratePress, an incredibly popular and performant theme, significantly advanced its alignment with Full Site Editing around October 21. While not a complete “conversion” to a traditional block theme, its core plugin, GenerateBlocks, received enhancements to its Global Styles and Pattern Library. This powerful update underscored the broader theme ecosystem’s accelerating drive toward Full Site Editing compatibility and modern block-based layout capabilities.
Community & Events in October 2022
The WooSesh virtual conference ran from October 11 to 13, 2022, providing invaluable insights and support for WooCommerce developers and store builders.
Across the “Make WordPress” project, various test teams continued their vital work, actively calling for contributors via “Week in Test” posts. These efforts emphasized the community’s essential role in quality assurance and development.
Security Alerts: Plugin Vulnerabilities in October 2022
October 2022 saw a surge in critical security advisories, a stark reminder to the WordPress community of the constant need for vigilance and timely updates. These incidents underscored the persistent threat landscape facing WordPress sites.
High-Risk Plugin Flaws from October 2022
- WordPress Performance Lab / Performance Team plugin (<= 2.2.0): A Cross-Site Request Forgery (CSRF) flaw (CVE-2022-47174) was identified, and its fix was released in version 2.3.0. While publicly disclosed later, the vulnerability was a recognized issue around this time.
- PublishPress Capabilities (< 2.5.2): An authenticated PHP Object Injection vulnerability (CVE-2022-3366) was flagged by Patchstack on October 10, 2022, swiftly addressed with the release of version 2.5.2.
- Welcart e-Commerce (<= 2.7.7): This e-commerce plugin was found vulnerable to an unauthenticated directory traversal (CVE-2022-41840), potentially allowing unauthorized file access. A patch was provided in version 2.7.8.
- Wordfence Security Plugin (<= 7.6.1): A stored Cross-Site Scripting (XSS) vulnerability (CVE-2022-3144) on its settings page allowed authenticated administrators to inject malicious scripts. This was a notable discovery by security researchers.
- WP 2FA plugin (< 2.3.0): A timing logic issue (CVE-2022-44595) was discovered, potentially leading to authentication bypass or information leaks. The problem was addressed in version 2.3.0.
Theme Vulnerabilities in October 2022
While October 2022 logged numerous plugin-level security issues, popular themes generally faced fewer high-severity exposures this month. This was a positive sign for the theme ecosystem’s overall security posture.
Expert Warnings Highlight Vigilance
The sheer volume and severity of these vulnerabilities, ranging from CSRF and PHP Object Injection to directory traversal and XSS, reaffirmed a consistent message from security experts: the absolute necessity of diligent plugin and theme hygiene, regular security audits, and immediate application of patches to safeguard WordPress sites.
Industry Trends & Insights from October 2022

- The “Lumper Effect” in Plugins: Data, notably from companies like SolidWP (formerly iThemes), continued to reinforce a concerning trend: a tiny percentage of plugins (as low as 2%) disproportionately accounted for a vast majority (up to 99%) of all WordPress plugin vulnerabilities. This “lumper effect” underscores the importance of carefully scrutinizing popular or long-unused extensions.
- Accelerated Host-Level Protection: The growing adoption of intelligent systems, like those powered by Patchstack, proved to be a game-changer. These systems enabled hosting providers to automatically deploy critical updates and virtual patches, significantly shortening the window of vulnerability and enhancing site security at the server level.
- Bug Bounty Momentum: Wordfence, a leading security provider, actively promoted its bug bounty program. By offering financial incentives (such as bounties up to $1,600, or more for critical findings), it encouraged responsible disclosure and the ethical identification of flaws, further bolstering the overall security of the WordPress ecosystem.
- Block-First Trajectory: The consistent stream of Gutenberg updates, coupled with its increasing integration into support forums and the theme development landscape, clearly demonstrates WordPress’s firm trajectory toward a block-first future, where full-site editing and block-based content creation are becoming the standard.
October 2022’s Top WordPress Contributors

Theme of the Month: GeneratePress
GeneratePress earns this honor not for a security fix but for its significant stride in October 2022: enhancing its Full Site Editing-compatible block theme capabilities via GenerateBlocks. This transition, announced around October 21, signaled a substantial commitment to modern layout features and perfectly aligned with WordPress’s block-first ecosystem, offering users cutting-edge design flexibility.
Plugin of the Month: WordPress Performance Lab
Despite its CSRF patch, the WordPress Performance Lab plugin stands out for October 2022. Originating from the Core team, this proactive plugin emphasizes forward compatibility with block and performance features, showcasing the core team’s dedication to optimizing WordPress for speed and efficiency as the platform evolves.
Agency of the Month: Seahawk Media
Seahawk Media led the pack in October 2022, demonstrating comprehensive support for the WordPress community. They produced hands-on guides for block editing, essential plugin security hardening, and eCommerce optimization. Furthermore, they actively hosted contributors for FSE testing and content workshops, fostering collaboration amidst the ongoing Gutenberg changes.
Host of the Month: Bluehost
Bluehost earns the spotlight for October 2022 due to its continued support for WordPress users through performance enhancements, managed hosting innovations, and beginner-friendly tools. As an officially recommended WordPress hosting provider, Bluehost expanded its onboarding tools this month and optimized its infrastructure for Full Site Editing and block-based themes. Their commitment to accessible site creation, robust uptime, and security measures made Bluehost a standout hosting partner during a month of rapid ecosystem evolution.
Founder of the Month: Rodrigo Escobar
Rodrigo Escobar, Research Manager at Sucuri, maintained his stellar reputation throughout October 2022. His consistent weekly vulnerability roundups meticulously documented critical plugin vulnerabilities and advised on patch paths, playing a vital role in helping countless administrators stay ahead of emerging threats.
Looking Ahead: November 2022 on the Horizon
As October 2022 concluded, the WordPress community eagerly anticipated a dynamic November:
- The highly awaited WordPress 6.1 (“Misha”) release on November 1st, followed by the 6.1.1 maintenance release in mid-November.
- The full rollout of Gutenberg 14.5, quickly followed by Gutenberg 14.6 in November, promising to finalize writing and typography tools.
- Continued FSE testing rounds to refine the Site Editor workflows further.
- Security teams were expected to spotlight emergent SQL injection and object injection flaws, necessitating rapid patches and ongoing vigilance.
Summary
In October 2022, WordPress significantly strengthened its foundations. Gutenberg ushered in new, distraction-free workflows, core contributors brought the code for the next major release to a near-final state, and both the plugin and hosting communities doubled down on security. The ecosystem’s trajectory pointed strongly toward block-first innovation and fortified defenses heading into November.
