
WordPress News Roundup November 2022: WordPress Bolsters Defenses and Creativity

November 2022 Edition

WordPress continued its relentless evolution in November 2022. It focused on refining its core experience, empowering content creators with advanced Gutenberg capabilities, and significantly strengthening its security posture.

This month saw the release of Gutenberg 14.6, a sneak peek at 14.7, and the launch of a crucial user survey. Disclosures of high-severity vulnerabilities in popular plugins and themes indicated a proactive approach as the year came to a close.

A Community-Driven Landscape, Not Corporate Takeovers

No major mergers, acquisitions, or significant corporate investments were made in the WordPress ecosystem in November 2022, reflecting its open-source philosophy.


Instead, the focus was on collaboration and improvement across the platform’s core, the Gutenberg editor, and essential community tools. This decentralized approach continues to be a hallmark of WordPress’s strength and resilience.

Under the Hood: Core Updates Lay a Strong Foundation

November was a month for foundational enhancements within WordPress:

Global Reach through Translation: The tireless efforts of the WordPress community continued to bridge language barriers. Thousands of contributors translate millions of strings annually, a crucial effort for WordPress’s global success.

Streamlining Older Versions: Behind the scenes, discussions and processes were underway to clean up older WordPress branches (like versions 3.7–4.0).

Proactive maintenance leads to a leaner, more efficient codebase, facilitating future innovations and the deprecation of outdated versions. Only WordPress versions 4.7 and above actively receive guaranteed security updates.

Shaping the Future with User Feedback: The 2022 WordPress user survey has officially launched, targeting site owners, developers, and contributors globally. This poll, available in multiple languages, aims to gather insights to guide WordPress’s development priorities for 2023. The team expects to release the results in early 2023.

Read More: The Month in WordPress: November 2022

Gutenberg Evolves: New Tools for Creative Freedom

The block editor, Gutenberg, received significant attention in November, empowering users with more intuitive content creation:

Gutenberg 14.6 Lands (November 23, 2022): This update brought tangible improvements for users. Key highlights included a new Group block variation picker, an improved Navigation block list view, and a keyboard shortcut to convert paragraphs into headings, enhancing the editing workflow.

Fostering Connection: Community & Support Enhancements


The spirit of collaboration extended to community and support initiatives:

  • Block Editor in Support Forums: The Block Editor was piloted within the WordPress.org support forums, letting users who seek help format their posts and describe their issues more easily.
  • Showcasing Excellence: The team is actively redesigning the WordPress.org Showcase page to highlight exceptional websites that use block-based themes and full-site editing.
  • Sustaining the Global Community: Discussions began around a Global Community Sponsorship Program, a vital initiative designed to provide sustainable support for WordCamps and local meetups worldwide, ensuring the continued vibrancy of the WordPress community.
  • Full Site Editing Outreach: The Full Site Editing (FSE) Outreach Program actively called for volunteers through December 28, 2022. It leverages tools like Replay.io to meticulously test block-related workflows and gather invaluable feedback for the future of WordPress design.
  • Developer Resources Grow: To encourage the growing adoption of FSE, Learn WordPress has launched new developer-focused guides. Parts 1 and 2 provide detailed instructions for creating block themes.

Security Under the Microscope: A Wave of Vulnerability Alerts

In November 2022, researchers disclosed a series of high-severity vulnerabilities across the ecosystem, highlighting the critical importance of regular updates and vigilant security practices. These incidents served as a stark reminder of the continuous threat landscape facing WordPress sites.

High-Risk Plugin Flaws:

  • WP Admin UI Customize <=1.5.13: An authenticated stored XSS vulnerability (CVE-2022-3824) was patched on November 28, 2022, urging users to update to version 1.5.13 or higher.
  • WP Affiliate Platform <=6.3.9: On November 8, 2022, a critical trio of vulnerabilities, including CSRF (CVE-2022-3898), reflected XSS (CVE-2022-3896), and stored XSS (CVE-2022-3897), was disclosed, necessitating an update to version 6.4.0.
  • LoginPress <1.6.2: A broken access control bug (CVE-2022-41839) that allowed unauthorized settings modifications was disclosed in October, with updates available to resolve the issue.
  • Easy WP SMTP <1.5.0: A serious PHP Object Injection vulnerability (CVE-2022-3334) was addressed with the release of version 1.5.0, following an early warning to security clients in October.
  • WP-Polls <2.77.0: A race condition privilege escalation issue (CVE-2022-40130) affecting subscriber-level users was publicly identified on November 20, 2022, and fixed in version 2.77.0.

Theme Vulnerabilities:

  • Betheme <=26.6.3: This widely used theme quickly released version 26.6.3 to address critical PHP Object Injection and Stored XSS vulnerabilities (CVE-2022-3861), demonstrating swift developer response.
  • Soledad <=8.2.5: A stored XSS vulnerability (CVE-2022-41788) affecting subscriber-level roles was found in versions up to 8.2.5, with a fix in 8.2.6.

Unpatched Concerns:

While many vulnerabilities saw swift resolution, some plugins, such as Popup Manager, Menu Item Visibility Control, and Polylang Translation Theme, were flagged for potential issues but reportedly remained unpatched in late November 2022. This served as a reminder of the ongoing risks posed by outdated or abandoned software within the ecosystem.

Expert Warnings:

The sheer volume and severity of these vulnerabilities, ranging from SQL injection and PHP object injection to CSRF and XSS, underscore the critical need for robust plugin and theme hygiene, routine security audits, and immediate updates to maintain site integrity.
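As an added example (not code from the roundup or from any of the projects named), the following triage script checks an installed plugin and theme inventory against the affected version ranges stated above, covering the entries whose fixed version the text gives explicitly. The inventory is constructed, and the `title`/`version` field names are an assumption about the export format.

```python
# Added example: flag installed plugins/themes whose version falls inside one of the
# affected ranges reported in the November 2022 roundup. Not the roundup's own code.
import json
import re

# Affected ranges exactly as the roundup states them (operator, boundary version).
# Keys are display names from the text, not WordPress.org slugs.
ADVISORIES = {
    "WP Affiliate Platform": ("<=", "6.3.9"),
    "LoginPress": ("<", "1.6.2"),
    "Easy WP SMTP": ("<", "1.5.0"),
    "WP-Polls": ("<", "2.77.0"),
    "Soledad": ("<=", "8.2.5"),
}


def parse_version(v):
    """Dotted numeric version -> tuple of ints; trailing zeros dropped so 2.77 == 2.77.0.
    Non-numeric suffixes (e.g. '-beta') are ignored, which is good enough for release builds."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(installed, op, bound):
    """True if `installed` satisfies `<= bound` or `< bound` per the advisory operator."""
    a, b = parse_version(installed), parse_version(bound)
    return a <= b if op == "<=" else a < b


def audit(inventory_json):
    """Return the titles of inventory items whose version sits inside an advisory range."""
    flagged = []
    for item in json.loads(inventory_json):
        adv = ADVISORIES.get(item["title"])
        if adv and is_affected(item["version"], *adv):
            flagged.append(item["title"])
    return flagged


# Constructed inventory (assumed shape: a JSON list with "title" and "version" fields,
# similar to a `wp plugin list --format=json` export).
SAMPLE_INVENTORY = json.dumps([
    {"title": "WP-Polls", "version": "2.76.1"},
    {"title": "Easy WP SMTP", "version": "1.5.0"},
    {"title": "LoginPress", "version": "1.6.1"},
    {"title": "Soledad", "version": "8.2.6"},
    {"title": "WP Affiliate Platform", "version": "6.3.9"},
])

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))  # → ['WP-Polls', 'LoginPress', 'WP Affiliate Platform']
```

A real run would replace the constructed inventory with an export from the site; the comparison logic is the part worth keeping, since naive string comparison mishandles versions such as 2.77 versus 2.77.0.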

Industry Insights: Proactive Security Takes Center Stage

  • The Plugin Paradox: Experts and community discussions consistently highlighted that outdated or abandoned plugins represented the most significant security risk to WordPress sites, emphasizing the site owner’s responsibility to maintain a secure environment.
  • Host-Level Shielding: The role of hosting providers became increasingly prominent, with services like Patchstack-integrated hosts automatically applying virtual patches to reduce exposure times and offer immediate protection against newly discovered flaws.
  • Incentivizing Security: Wordfence, a leading security provider, continued to promote its bug bounty program, offering financial incentives (such as bounties up to $1,600 for high-impact findings) to ethical researchers for the responsible disclosure of vulnerabilities. This initiative actively encourages a safer ecosystem.
  • Blocks Shape Support: The growing integration of Gutenberg’s features into WordPress support forums and educational resources reflected the platform’s unwavering commitment to a full-site editing future, ensuring that support keeps pace with innovation.

Spotlight on Excellence: November’s Top Contributors

Theme of the Month: Betheme

Betheme earned distinction for its rapid response in November, swiftly releasing version 26.6.3 to patch significant PHP Object Injection and stored XSS vulnerabilities (CVE-2022-3861). This decisive action exemplified developer responsibility and a strong commitment to user safety.

Plugin of the Month: Easy WP SMTP

Easy WP SMTP stood out for its proactive security approach. Its rapid update to version 1.5.0, addressing a serious PHP Object Injection flaw (CVE-2022-3334), showcased a conscientious dedication to user security.

Agency of the Month: Seahawk Media

Seahawk Media impressed with its targeted WordPress support and educational outreach throughout November. Their initiatives included producing valuable guides on plugin security, Gutenberg adoption, and site hardening, actively helping clients navigate the rising tide of vulnerabilities.

Host of the Month: DreamHost

DreamHost consistently stood out in November for its robust, built-in security features, providing a powerful shield for WordPress websites. Beyond offering free SSL certificates and automated daily backups, DreamHost demonstrated its commitment to site safety with proactive DDoS protection and continuous server monitoring.

Their commitment to providing comprehensive, accessible security without extra charges empowered countless site owners to focus on their content, confident that they could trust their digital presence to robust protection.

Founder of the Month: Josh Bailey

Trend Micro researcher Josh Bailey was instrumental in enhancing WordPress security in November. His crucial report on the Form Maker SQL Injection vulnerability (CVE-2022-3300) directly led to rapid plugin updates and heightened security awareness across the community.

Looking Ahead: December 2022 on the Horizon

As November closed, the WordPress community looked forward to a busy December:

  • Gutenberg 14.7 is set to roll out fully, bringing enhancements to the sidebar UX, block identifiers, and styling options.
  • Continued security vigilance remains paramount, with more alerts and patches expected, especially for themes and plugins lagging in updates.
  • Contributors are finalizing FSE Outreach feedback and releasing new, comprehensive block theme guides.
  • The release of the 2022 WordPress user survey results will provide vital insights that will shape the project’s priorities for the upcoming year.
