WordPress 6.2.1 Update Breaks Shortcode Support in Block … – WP Tavern

Sarah Gooding
WordPress 6.2.1 was released yesterday and rolled out to sites with automatic background updates enabled. The update included five important security fixes. Ordinarily, a maintenance and security release can be trusted not to break a website, but many users are struggling after 6.2.1 removed shortcode support from block templates.
A support forum thread tracking the broken shortcodes issue shows that this change impacts how plugins display things like breadcrumbs, newsletter signup forms, WPForms, Metaslider, bbPress content, and more. The problem affects template blocks, not sites that are using non-FSE themes.
“It’s absolutely insane to me that shortcodes have been removed by design!” @camknight said in the support forum discussion. “Every single one of our agency’s FSE sites uses the shortcode block in templates for everything: filters, search, ACF & plugin integrations. This is chaos!!”
Another user, @asjl, reports having this update break hundreds of pages.
“I’ve got the same problem on over 600 pages which use five or six different templates with shortcodes in each template on one site and similar things on several others,” @asjl said.
“I’m looking forward to editing each of those pages to get the shortcode back in place. Or backtracking to 6.2 and turning off updates.”
It’s not clear why shortcode blocks that are in block theme template parts still work, but this is one workaround that has been suggested to users. In a trac ticket for the issue others have suggested adding a PHP file for a plugin called “Shortcode Fix” to the plugins folder, but this workaround reintroduces the security issue.
Other users are being forced to revert to previous insecure versions of WordPress in order to keep critical functionality on their sites working. WordPress developer Oliver Campion commented on the Trac ticket with more details about how sites are currently using shortcodes in templates:
This update has been nothing short of a disaster. I cannot understand how there was no warning of such a destructive, automatic roll out!
We have managed to rollback affected sites to v6.2 and block automatic core updates until there is a suitable solution, which we hope is imminent due to the reported security issues!
Shortcode Blocks, in our opinion, are absolutely essential to the design process when using Block Themes.
We use them to inject classic menus that can have dynamic menu items (such as sign out), dynamic header content, specialized loops and footer content that’s as simple as showing the current year in the copyright statement to showing a contact form or other such dynamic content. And that’s just what I can think of from the top of my head.
An unfortunate consequence of this update is that it has destroyed many users’ confidence in WordPress’ automatic updates. This kind of breaking change should never happen in a release that auto installs overnight.
Even if it’s absolutely necessary to avoid a zero-day vulnerability on WordPress sites, discontinued shortcode support in block templates should have been accompanied with more information to help affected users find a solution.
The only communication users received about this was a short, inadequate note on the vulnerability in the 6.2.1 release post “Block themes parsing shortcodes in user generated data.”
Fixing all of these shortcode uses on websites that heavily rely on them would already have been a challenge for many, even with advance notice. Shipping this breaking change in an automatic update, without a proper explanation of how it impacts users, only served to twist the knife.
During today’s core dev meeting, WordPress 6.2.1 co-release lead Jb Audras said this issue may prompt a quick 6.2.2 release but the details are not yet available.
“As you may know, one security fix led to an important issue with shortcodes used in templates,” Audras said. “The issue is currently actively discussed in the Security Editor team, and some hypothesis have been made to sort this out in a quick follow-up release.
“No schedule available for now – it will depend on the follow-up patch currently discussed by the Editor team.”
In the meantime, those who cannot employ a workaround and are looking to rollback to 6.2 can can use the WP Downgrade plugin as a temporary fix, with the knowledge that this leaves the site vulnerable until a permanent solution can be put in place.
Perfect example to why you should be there doing the updates yourself instead of thinking automatic updates will do it for you and everything will be hunky dory. Also yes I know a tiny percentage for updates have wrecked things over the 20 years WordPress has been around.
The only automatic updates I have been willing to consider were WordPress itself and my security plug-in, Wordfence. I will now turn them both off and plan on at least a 24-hour delay to avoid problems. As something of a control freak, I kind of prefer to plan updates, anyway.
My custom block theme site seems to work ok at 6.2.1, and it employs a number of shortcodes. I was expecting it to break, so I’m a bit confused why…
I have shortcodes in my templates, template parts and as well in the content.
I checked my sites, and all look in order.
However, I’m not sure what a “shortcode in a block template” means exactly.
I don’t think I’ve used “block templates”, but I am not sure. I mostly use the Kadence theme and the Kadence blocks which are based on Gutenberg. I also use the Automattic Newspack theme and the Newspack blocks for one site.
I think it would be helpful if specific use cases were listed as to what this update really affects. For example a list of the actual block templates that are affected…
Finally, if a site rolls back to 6.2 how would they advance to 6.2.2?
This seems like a great example of the disconnect between how WordPress core imagines WordPress is used in the wild versus how many—typically agencies—actually use it. Ironically, I very seldom used shortcodes before working on FSE-based client sites but they quickly proved indispensable to manage essential content that either didn’t warrant building an entire block or could not be cleanly generated from within the block editor.
In general, I’m beginning to resent how much responsibility WordPress now assumes when creating a website based on the block editor. I have decades-old websites built on the classic editor that have never experienced an issue when updating WordPress core. Disappointed.
“This seems like a great example of the disconnect between how WordPress core imagines WordPress is used in the wild versus how many—typically agencies—actually use it.”
This! In my experience, while browsing the trac and the Gutenberg repo, I’ve noticed that no, or almost no, core devs do client-based work. Therefore, they are not familiar with typical WordPress use cases in business environments like the one you describe. And this poses a significant issue since they are neglecting a substantial portion of the WordPress community.
I’ve noticed that no, or almost no, core devs do client-based work. Therefore, they are not familiar with typical WordPress use cases in business environments
Not personally familiar. The Gutenberg issue backlog, the feedback on Make posts, the official WP.org annual survey, means their disregard is willful. 😔
Your assessment’s not wrong. An entire side-conversation split off during the core chat yesterday where the tone from one core dev pretty much sounded came across to me as “you shouldn’t be using shortcodes at all and if you do you’re a bad developer”. Maybe you personally dislike shortcodes for whatever reason, but basically looking down on anyone who uses them is pretty rude.
I work as a contractor for one of the biggest WordPress agencies in the world, have worked there for 8 years, which routinely leads WordPress releases. In the agency world usually you wait 1-2 years before embracing new stuff, like Gutenberg or FSE, mostly for this kind of reasons. WordPress.com lives and breathes with agency work, all the WordPress ecosystem revolves around agency work I would say, the complex thing to balance is exactly the opposite, not lagging behind because agency work needs stability: that’s why WordPress core is so behind in Headless
Thank you for this,
Just got to work and saw that theme that I have been working on had a broken shortcodes everywhere. I started debugging the block for ( Custom Form Block ) but in vein untill i noticed that in the post_content the block worked fine, just in the block template it had the issues.
What would be the work around this thing? How are plugins that depend on shortcodes would now be added to block templates?
Currently just reverting back to 6.1.1 for now.
Place your shortcodes in a Template Part, and then put that Template Part where the shortcode was inside the Template Block. It’s not a big deal, it will only take a few minutes, provided you don’t have too many templates that use too many shortcodes. No need to open your site to security risks…
It sounding like the same security risk may also exist in template parts and they just missed it, so make sure there’s no user-generated content in your template parts.
Thanks nick, will try that out and will see if it works
The broad-picture reason why we’re in this mess is that DX around the Gutenberg is so abysmal that people are still choosing to use shortcodes this many years into the project.
But instead of pushing off Phase 3 for even a single release to address the reason that (per this year’s official annual survey – with contributors and new users oversampled) most people find Gutenberg’s current implementation to be their biggest problem, WP leadership would rather push ahead sacrificing DX to ship no-code features faster, than spending a little effort on API parity, docs, and backwards-compatibility so they don’t need to break the internet in a patch to address a zero-day that has no reason but every justification for being a mainstream dev pattern in 2023 instead of an edge case.
by most people do you mean you and a few other devs? or did you actually ask the millions of WordPress users and devs around the world?
No, by most people I meant as I wrote “per this year’s official annual survey”.
Here’s the link so you don’t have to Google. https://wordpress.org/news/2023/05/2022-annual-survey-results-next-steps/
So the opinions of about 3,400…..is the opinions of the hundreds of thousands of people who use WordPress?
I don’t think the opinions of 3,400 people is what the entire community wants.
This is why I never update automatically and I always read release notes before updating. Also, never update on your production environment. Have at least a staging environment to test before rolling it out.
I think it’s foolish of WordPress to have implemented automatic updates. Updates can always break things, so creating the illusion of comfort, while you should never want that comfort, was a weird move, IMO.
This is unfortunate and some would say typical how some in the tech industry rush in and break things with messianic zeal. Though in this case it seems it was a rush to promptly fix security issues, a proper call out of what it would affect would have been welcome. Working with WordPress, beyond its blogging capabilities, to make sites with complex use cases, is quite tricky and many of the creative solutions are prone to breakage. I am wondering is it time for a new platform for all these use case that are not catered for in WordPress?
WordPress 6.2.1 co-release lead Jb Audras said this issue may prompt a quick 6.2.2
Can you please quote this statement of Jb here in the article? Reading Slack requires an account…
Our new site includes a block template, but fortunately all seems ok for now, v 6.2.1.
WP Show Posts shortcode broken for me on Customizr theme.
Odd, now it seems to be fine. WP Show Posts has not updated but the shortcode is working now.
If your wordpress site isn’t using a theme that is a block template than technically it should be fine from 6.2.1. My sites don’t use block template with its customized theme so none of them are affected with the update.
Wpengine has a good article about a block theme is if you don’t know. https://wpengine.com/builders/block-templates/.
It’s always a good idea to manually update your site’s core wordpress update and plugins. Since you can backup your site first in case something breaks and just rollback to the stable version.
This situation is pretty atrocious, but what it really points to for me is how misguided in general the “no code” PHP-averse approach to Full Site Editing is.
I fought using Gutenberg at all for 4 years, finally reluctantly embraced it last year, and have been trying all sorts of tricks to shoehorn PHP logic into my new base theme. (Fortunately, using shortcodes hadn’t occurred to me, so I had a weird hybrid of ACF Blocks [often with no custom fields] and Block Patterns [grossly misunderstanding how they work].)
Ironically, entirely unrelated to 6.2.1, yesterday I finally decided to give up and rework my theme to use PHP templates instead of pure HTML block templates. I was able to get rid of all of those dumb workarounds. Now I am even more glad that I did!
Site Editor (FSE) is not at all a useful tool for experienced coders, and it’s not suitable for end users of professional sites built on WordPress (users who shouldn’t be modifying the appearance of the site in the first place). It, or something like it, definitely has a place… but it’s not for the majority of people I know of, who are using WordPress in a professional, CMS-type capacity, and not “just as a blog.”
It’s ironic that the one feature that allowed some to start using block themes is now the feature what can break a block theme.
I use WordPress with Genesis Framework professional themes. All sites are intact with no issues. Auto updates happen without a hitch. I don’t use shortcodes (that I know of) or free/paid WordPress themes.
Yeah, it happened on one of my client sites. I also use shortcodes to insert standard classic menus in my templates, because, even though I really like the Block Editor and the FSE approach, one thing that totally doesn’t work for me is the menu paradigm there. Hence shortcodes to be able to use the good old menus (in precisely the way I want to use them). I figured out myself, that it must be the automatic update and downgraded the WP Version to fix it, but honestly: what a mess. Same learning from the issue like others here: no more automatic WP updates …
This is just another good showcase of how blind were WP overlords in their “no-code” approach. It is said regular Joe should be really welcoming FSE and blocks but in my experience with classic editor and Stackoverflow you can always find a solution to any problem with few lines of PHP while with blocks you’re in real trouble if you need something non-standard.
The great irony in all of this is that Gutenberg makes building very basic sites simpler for people who have no experience, but it makes it much, much harder to get into coding when the basics prove inadequate. I’ve been a professional web developer for 27 years, and a WordPress specialist for 10, but the radical shift in developer tools has knocked me back from an experienced expert to a rank novice. Things that used to be an absolute no-brainer in PHP now require a much more convoluted process, even if you’ve bothered to learn React (which I haven’t, and probably won’t).
I empathize with you. I find myself in a similar situation. Before Gutenberg, developing for WordPress was a joy, but now it has become a burdensome and time consuming task that has significantly impacted my mental health these last years. I’m yet to see what’s so great about working with JavaScript/React.
Still not a single word from WordPress Security/Editor teams, this is annoying.
We tested this where I work, and the problem seems to be specifically when you include a shortcode in a template of your block theme. Not a template part, or in the post/page content, but in a template.
It’s not great that we can’t include shortcodes in our template files, but there are ways to work around the issue for our purposes if we ever needed to, as far as I can tell. For example, we could make a new template part and include it on templates where we want breadcrumbs to show up.
I’m using the WordPress 2022 block theme. I have a few short code blocks, mostly to insert forms. On my development site, I updated to 6.2.1, and the short code blocks are working. But after reading this thread, I’m more than a bit nervous to update on my live sites. What would be the reason for some shortcode to be broken, but others to be working? Is it the way in which I’m using the shortcodes? I am inserting the shortcode block into the FSE. thanks!
I saw this quote posted elsewhere but I feel it really encapsulates the Core team’s approach to users and the whole process:
“There’s no point in acting surprised about it. All the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for 50 of your Earth years, so you’ve had plenty of time to lodge any formal complaint and it’s far too late to start making a fuss about it now. … What do you mean you’ve never been to Alpha Centauri? Oh, for heaven’s sake, mankind, it’s only four light years away, you know. I’m sorry, but if you can’t be bothered to take an interest in local affairs, that’s your own lookout.”
Douglas Adams – The Hitchhiker’s Guide to the Galaxy
The pressure from Y”all worked 😎
WordPress 6.2.2 Restores Shortcode Support in Block Templates, Fixes Security Issue
Unfortunately the 6.2.2 fix does not work as expected 😞
1 minute Workaround *
My scenario is mini cart shortcode not rendered in FSE header template , while its working good in all other places in site.
-in site editor create new template part, choose general in the part type and name it , in my example I named it : mini cart icon.
-in the new template part insert your shortcode and save.
-go to the header template where the shortcode not renderd, remove short code, and insert template part element , choose the template part you just created in my case ” mini cart icon” , save.
-result: shortcode rendered in the frontend correctly .
Shortcodes will be around for a long time… As a WP dev wanting to make a feature compatible with EVERY site, it’s your ONLY option. Our choices are widgets, blocks or shortcodes. Shortcodes are the only thing that will work with block themes, non-block themes and ALL page builders.
Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.
Enter your email address to subscribe to this blog and receive notifications of new posts by email.

WordPress Tavern is a website about all things WordPress. We cover news and events, write plugin and theme reviews, and talk about key issues within the WordPress ecosystem…
© All Rights Reserved. Powered by WordPress, hosted by Pressable


Post Your Comment