December 2022 closed out the year strong in the WordPress ecosystem. Major milestones included the release of Gutenberg 14.8, enhancements to Openverse, and the annual State of the Word presentation. However, the month was also marred by a wave of theme and plugin vulnerabilities, underscoring the importance of proactive security measures. With the ecosystem advancing Gutenberg and bolstering safety, WordPress positioned itself comfortably for 2023.
Mergers, Acquisitions, Investments
No widely reported mergers, acquisitions, or venture investments surfaced in the WordPress ecosystem in December. Commercial plugin, theme, and hosting businesses change hands regularly, but nothing of note was announced this month; December's focus remained on community contributions, support, and feature development rather than consolidation.
WordPress Core Updates
December was quieter than usual for core releases, as contributors prioritized polishing after WordPress 6.1 shipped in November. Ongoing efforts included refining PHP 8 compatibility, accessibility improvements, and documentation for the next major release, WordPress 6.2, planned for early 2023. Minor infrastructure work also continued on WordPress.org: updating the HelpHub documentation interface, preparing the Enterprise landing page, and refreshing the Mercantile store. These changes quietly improve resource quality for users and developers alike.
Other WordPress News
State of the Word 2022 (Dec 15)
Opened by Executive Director Josepha Haden Chomphosy and delivered by WordPress co-founder Matt Mullenweg, this annual keynote highlighted:
- 1,399 unique contributors actively participated in the WordPress project throughout 2022
- Preparations ramped up for WordPress’s 20th anniversary in 2023
- Phase 3 of the Gutenberg roadmap was announced, centered on collaboration: real-time co-editing, editorial workflows, and performance work.
Openverse Growth
Openverse, the openly licensed media search engine maintained by the WordPress project, reached a notable milestone: crossing 1 million audio files in its catalog, up from roughly 10,000 at the start of the year. This rapid growth substantially widens creators' sourcing options.
WordCamp Zaragoza Teasers
While December's event announcements were mostly learning events, the community began preparing for WordCamp Zaragoza (January 20–22, 2023), a sign of continued in-person momentum.
Security Alerts & Plugin Vulnerabilities
December was marked by relentless scrutiny and patching of security issues.
Theme Vulnerabilities
- Workreap theme v2.6.4 fixed an insecure direct object reference (IDOR) that allowed unauthorized content deletion (CVE‑2022‑4239).
- Superio theme v1.2.33 patched a stored XSS flaw (CVE‑2022‑4114) in input fields used in form submissions.
- The Himer and Discy themes, by contrast, still carried known vulnerabilities with no patch released in December and should be treated as high-risk.
Plugin Vulnerabilities
- Quick Event Manager (< 9.7.5) fixed a reflected XSS in the 'category' parameter of its AJAX calendar (CVE‑2023‑23491).
- Login with Phone Number (< 1.4.2) fixed an XSS flaw in an AJAX endpoint (CVE‑2023‑23492).
- WP Helper Lite (< 4.3) resolved a reflected XSS in form submissions (CVE‑2023‑0448).
- Meta Data and Taxonomies Filter (< 1.3.1) fixed a reflected XSS in its admin settings (CVE‑2023‑28664).
- Woo Bulk Price Update (< 2.2.2) and InPost Gallery (≤ 2.1.4.1) also carried vulnerabilities. Frustratingly, InPost Gallery had no fix available at disclosure, leaving deactivation or removal as the only mitigation.
- A critical, unauthenticated SQL injection in Paid Memberships Pro (< 2.9.8) (CVE‑2023‑23488), rated CVSS 9.8, was reachable through a REST API endpoint, a reminder that REST routes need the same input handling as any other entry point.
- Blog2Social (≤ 6.9.11) let low-privilege users modify plugin settings because of a missing authorization check; fixed in v6.9.12.
Security Industry Response
- Patchstack reported that 93% of WordPress vulnerabilities originate in plugins, urging site owners to audit installed plugins, enable auto-updates, and remove unused ones.
- Many hosting providers now integrate plugin vulnerability intelligence (e.g., Patchstack's database) to detect and auto-patch vulnerable installs, shortening the window between disclosure and fix.
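The audit advice above can be applied to the advisories listed in this section. The script below is an added example, not code from Patchstack, any host, or any of the plugins named here. It transcribes the version thresholds from the plugin list, reads the same "Plugin Name" and "Version" header fields WordPress core parses, and reports what to do for each match. Plugin headers are constructed inline instead of being read from wp-content/plugins so it runs offline; a pre-release build (e.g. "6.9.12-beta1") is deliberately treated as older than the release it precedes, and the unfixed InPost Gallery range maps to "remove" rather than "wait for an update".

```python
"""Audit installed WordPress plugins against the December 2022 advisories above.

Constructed example: plugin main-file headers are embedded inline instead of
being read from wp-content/plugins/*/*.php, so the script runs offline.
"""
import re

# Version thresholds transcribed from the plugin list above. "fixed" is the
# first safe release; None means no patched release existed when the advisory
# was published, and "affected_max" is the newest version known to be
# vulnerable (InPost Gallery <= 2.1.4.1). CVE ids are only those the list gives.
ADVISORIES = [
    {"name": "Quick Event Manager", "cve": "CVE-2023-23491", "fixed": "9.7.5"},
    {"name": "Login with Phone Number", "cve": "CVE-2023-23492", "fixed": "1.4.2"},
    {"name": "WP Helper Lite", "cve": "CVE-2023-0448", "fixed": "4.3"},
    {"name": "Meta Data and Taxonomies Filter", "cve": "CVE-2023-28664", "fixed": "1.3.1"},
    {"name": "Woo Bulk Price Update", "cve": None, "fixed": "2.2.2"},
    {"name": "InPost Gallery", "cve": None, "fixed": None, "affected_max": "2.1.4.1"},
    {"name": "Paid Memberships Pro", "cve": "CVE-2023-23488", "fixed": "2.9.8"},
    {"name": "Blog2Social", "cve": None, "fixed": "6.9.12"},
]

# Same header fields WordPress core reads with get_file_data(); the leading
# character class skips the "/**", " * " or "#" comment decoration.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*$", re.M)


def version_key(version):
    """Split '2.1.4.1' or '9.7.5-beta2' into (numeric tuple, prerelease flag).
    A pre-release suffix sorts below the bare release it precedes, so a
    '6.9.12-beta1' build is still treated as older than the 6.9.12 fix."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unparseable plugin version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    prerelease = -1 if m.group(2).strip() else 0
    return nums, prerelease


def compare(a, b):
    """Return -1, 0 or 1 like strcmp; '4.3' and '4.3.0' compare equal."""
    (na, pa), (nb, pb) = version_key(a), version_key(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    return ((na, pa) > (nb, pb)) - ((na, pa) < (nb, pb))


def parse_plugin_header(source):
    """Extract 'Plugin Name' and 'Version' from a plugin's main PHP file.
    First occurrence wins, matching core's behaviour."""
    fields = {}
    for key, value in HEADER_RE.findall(source):
        fields.setdefault(key, value.strip())
    return fields


def audit(plugin_sources):
    """One finding per installed plugin that an advisory covers, with the
    action a site owner should take."""
    by_name = {adv["name"].lower(): adv for adv in ADVISORIES}
    findings = []
    for source in plugin_sources:
        header = parse_plugin_header(source)
        name, installed = header.get("Plugin Name"), header.get("Version")
        if not name or not installed:
            continue  # not a main plugin file
        adv = by_name.get(name.lower())
        if adv is None:
            continue  # no advisory for this plugin
        if adv["fixed"] is not None:
            vulnerable = compare(installed, adv["fixed"]) < 0
            action = f"update to {adv['fixed']} or later" if vulnerable else "patched"
        else:
            # No fix exists: anything in the known-affected range must be
            # deactivated or removed rather than left waiting for an update.
            vulnerable = compare(installed, adv["affected_max"]) <= 0
            action = ("no fix available: deactivate or remove" if vulnerable
                      else "newer than known-affected range; confirm with vendor advisory")
        findings.append({"plugin": name, "installed": installed, "vulnerable": vulnerable,
                         "cve": adv["cve"], "action": action})
    return findings


# Constructed headers standing in for the real files under wp-content/plugins.
SAMPLE_PLUGINS = [
    "<?php\n/**\n * Plugin Name: Quick Event Manager\n * Version: 9.7.4\n */",
    "<?php\n/*\nPlugin Name: Paid Memberships Pro\nVersion: 2.9.8\n*/",
    "<?php\n/**\n * Plugin Name: InPost Gallery\n * Version: 2.1.4.1\n */",
    "<?php\n/**\n * Plugin Name: Blog2Social\n * Version: 6.9.12-beta1\n */",
    "<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.7.2\n */",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PLUGINS):
        flag = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{flag:10} {f['plugin']} {f['installed']} ({f['cve'] or 'no CVE'}): {f['action']}")
```

Matching on "Plugin Name" is a simplification; a production check would key on the plugin directory slug, since display names are not unique, and would pull thresholds from a maintained feed rather than a hand-transcribed table.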
Industry Trends & Insights
- Abandoned Plugin Risk Crunch: A striking 26% of plugin vulnerabilities in 2022 lacked fixes, a probable consequence of abandoned or under-maintained projects.
- Third-Party Framework Supply-Chain Risk: Freemius and YITH were implicated in December's vulnerabilities, highlighting hidden risks in popular monetization and premium-plugin toolkits; a flaw in a shared SDK surfaces in every plugin that bundles it.
- Host-Layer Security Adoption: Hosting providers (One.com among others) showed increased commitment to auto-deploying plugin and theme patches, applying tens of thousands of fixes across their customers' sites in December.
- Block Editor Acceleration: With Gutenberg's block editor nearing major milestones in usability and collaboration, designers and theme developers pivoted toward Full Site Editing (FSE), preparing FSE-first themes ahead of 2023.
Theme of the Month
Superio earns December's Theme of the Month, not for its vulnerability but for its developers' swift response in shipping v1.2.33 to remediate the stored XSS flaw. Fast iteration of this kind is what responsible theme maintenance looks like.
Plugin of the Month
Quick Event Manager stands out in December. After Tenable disclosed a reflected XSS vulnerability (CVE-2023-23491), the plugin's author shipped v9.7.5 within weeks, coordinated disclosure working as intended.
Agency of the Month
Seahawk Media earns December 2022’s spotlight for its impactful contributions to the WordPress ecosystem. From scaling global WordPress maintenance and white-label services to publishing valuable educational content on Gutenberg and security best practices, Seahawk stood out as a trusted partner for agencies and businesses. Their expanded collaborations with hosts like GoDaddy Pro and Cloudways further cemented their role as a go-to WordPress agency, driving quality, performance, and community engagement.
Host of the Month
One.com (https://www.one.com/en/), among other hosting partners, operationalized Patchstack's vulnerability database, rolling out automated security updates and protection. These efforts dramatically reduced exposure time for vulnerable sites, showcasing the value of host-level defense.
Founder of the Month
Tenable security researcher Joshua Martinelle takes December's spotlight. Credited with responsibly disclosing multiple previously unknown XSS vulnerabilities, from Quick Event Manager to Meta Data and Taxonomies Filter, his research triggered rapid patch releases, reinforcing the value of coordinated disclosure.
Looking Ahead to January 2023
- Gutenberg Phase 3 takes shape: early collaboration and co-editing work may begin appearing in Gutenberg plugin releases.
- Security vigilance continues: expect further advisories and plugin/theme patches, with particular attention to AJAX and REST endpoints.
- Openverse advances: with the audio catalog past 1M files, expect deeper integration with the block editor's media features.
- Early-year WordCamps (Zaragoza, Phoenix) may inspire localized innovation and plugin/theme previews.
In Summary
December 2022 was a pivotal month. Gutenberg 14.8’s enhancements elevated the Site Editor experience, State of the Word set a visionary course into 2023, Openverse celebrated a media milestone, and the security ecosystem rose to the challenge of repeated plugin/theme vulnerabilities. With proactive patching, host-layer interventions, and community resilience, WordPress enters the new year fortified and ready for innovation.
