EDITS.WS

Author: Sarah Gooding

  • WordPress 6.3 Beta 3 Released, Introduces UI Changes to Pattern Management

    WordPress contributors are onto another round of testing, as 6.3 Beta 3 was released this week. RC 1 is expected on July 18, and a live product demo is anticipated to be broadcast on Thursday, July 20, 2023 at 16:00 UTC. These demos have become a more regular part of the release process and allow viewers to familiarize themselves with important new features and updates coming in the release.

    Beta 3 includes approximately 34 updates to the Site Editor since the previous beta release, and more than 40 updates coming from Trac.

    A last-minute PR has renamed Library to Patterns in the Site Editor and was cherry-picked to get it included in Beta 3. Automattic-sponsored Gutenberg contributor Aaron Robertshaw cited three reasons for the renaming:

    • Discovery: this is an opportunity to make patterns front and center as we are introducing the ability to save custom patterns. They should be front and center in the “Design” tab.
    • Clarity: library can be obscure and overlaps with other terminology (like Media Library). We didn’t get to add font library management in this round, but it would have made things more confusing (would a user expect to see their font library under “Styles” or an item called “Library”?). Calling it patterns removes that ambiguity.
    • Presence: patterns is a unique name that has been established in the WP branding parlance for a bit and deserves more clear placement.

    This video from the PR gives a quick overview of the changes testers should see in the Patterns UI as of Beta 3:

    Gutenberg PR: Patterns: Rename Library to Patterns #52102

    Beta 3 introduces a new lock icon that marks theme-provided patterns as not editable. It also adds a sync status details section to the pattern sidebar on the navigation screen.

    image credit: Gutenberg PR #51990

    There are a significant number of new things being introduced after Beta 1, which seems unusual. Major features like pattern creation and the Patterns section made their debut in Gutenberg 16.1 but had very little testing before being rolled into the upcoming WordPress 6.3 release. This is likely why UI changes are still being introduced after Beta 1 has already shipped.

    Check out the Beta 3 release post for more information on how to test. A Beta 4 is anticipated the week of July 11, followed by RC 1 on July 18. The general release is scheduled for August 8, 2023.

  • WordCamp Dhaka 2023 Cancelled Due to Concerns of Corporate Influence on Community Decision-Making

    WordCamp Dhaka (Bangladesh) 2023 has been cancelled by the WordPress Community Team due to concerns about corporate influence on the community decision-making process. The camp was scheduled for August 5, and organizers had already secured a venue and made progress on the event.

    The Community Team published a statement on the event’s website, which cited the interference of corporate interests:

    The WordPress Community Team’s primary goal is to support and nurture the WordPress community by enabling organizers to create amazing events that celebrate WordPress, its community, and globally shared values. The Community team cannot support the event if a WordCamp is not aligned with these values.

    WordPress events benefit the WordPress community as a whole, not specific businesses or individuals. The Community Team expects that WordCamps decisions should be guided by the community’s collective wisdom and not influenced by any one company’s interests. When companies attempt to exert influence on the planning process, the Community Team must step in to mediate. In this instance, we have decided to cancel WordCamp Dhaka 2023.

    The Community Team urged the Dhaka community to focus on collaborative organization, companies uplifting the community, and greater diversity in participation.

    In an equally vague incident report on WordPress.org, which doesn’t even identify the WordCamp that was cancelled, Community Team contributor Sam Suresh called it “an unfortunate but necessary decision.” He summarized the team’s reasons for the decision:

    The decision to cancel the event was not a result of inadequate planning or insufficient effort on the part of the organizing team. Instead, there were observable actions from local community members to influence decisions that would benefit specific individuals or companies. When this influence did not immediately lead to their desired results, the individuals aimed to undermine the organizing process and event success. While the Community Team took steps to mediate, the inappropriate behavior and actions we saw necessitated the cancelation. This is a rare and extreme decision and underscores the severity of the situation.

    Suresh said the issues applied to the local meetup group as well, and that all co-organizers and event organizers were removed from their roles and required to repeat their orientation to gain access again. A community deputy and a mentor were also removed from their roles in the project and the companies involved in the infractions were banned from sponsoring WordPress events for a year.

    “In times of challenges like these, it is important to remember that anyone can organize WordPress events regardless of who they work for and that WordPress community events are for the benefit of everyone, not any one business or individual,” Suresh said. “As a community, we will not tolerate harassment or influencing unacceptable behaviors.”

    Shortly after publishing, several community members commented with objections to the level of secrecy around the issues at hand and the people and companies involved. The Community Team’s nebulous posts on the matter seem to have further scandalized the situation, instead of offering clarity and transparency.

    “This post definitely abides by the ongoing policy of not letting the community know who is being censured by the Community Services team, even in cases of egregious action,” WordPress marketing and meta contributor Sé Reed commented.

    “I’ve seen multiple cases of people filing harassment reports and various Code of Conduct violations, and that person/people have had various consequences, including being removed from organizing teams. However, those people then cite various reasons for leaving the team, often outright lying. But because of the secrecy around these cases, no one says otherwise and those people can and often do continue to operate in the community without any repercussions beyond secretly losing their ‘official’ role(s).”

    Reed highlighted the damaging effects of the secrecy surrounding these incidents, most notably that explaining the situation often falls to those who filed the report, as the Community Team abdicates any further responsibility after validating the report.

    “This action is damaging to the community as a whole, as we do not have a full picture of who we are working with and we continue to unknowingly support and empower people who have not honored their community commitments,” Reed said.

    Not all participants in the discussion were in favor of the Community Team naming the individuals involved, but several demanded to know which companies were banned from sponsoring WordPress events.

    “I’m on the fence about knowing peoples’ names here, but I think people definitely need to know the companies involved; actively trying to sabotage a WordPress WordCamp is a serious breach of trust for the community,” WebDevStudios Director of Engineering Mitch Cantor said. “Especially when they may turn around and then make money from that said community they tried to sabotage.”

    Dealing with these types of sensitive situations is not an enviable task, but the community, for whom these decisions are designed to serve, is calling for a greater level of transparency regarding those who act in ways that are not aligned with WordPress’ globally shared values.

    “One way or the other, protecting folks who have violated the Community Code of Conduct is a policy that very clearly needs to be revisited,” Reed said.

  • Ultimate Member 2.6.7 Patches Privilege Escalation Vulnerability

    Authors of the Ultimate Member plugin have released version 2.6.7 with a patch for a privilege escalation vulnerability. Last week WPScan reported that Ultimate Member had still not fully patched the vulnerability after multiple inadequate attempts. There was evidence that it was being actively exploited in the wild.

    Working through the complexities of this security issue, WPScan researcher Marc Montpas opened a ticket on WordPress Trac after finding that the meta_key column of the usermeta table uses an accent-insensitive collation, so a lookup for a differently accented key can match an existing row:

    Looking at the latest string of vulnerability issues that came up related to the Ultimate Member plugin I discovered that the usermeta table has an accent insensitive collation for the meta_key field. This results in queries for wp_cãpăbilitiës to return the actual wp_capabilities row! See update_metadata() function in wp-includes/meta.php

    Imagine the attack surface this brings. In fact, don’t imagine, just look at the recent attacks in the wild.

    This particular issue made it harder to patch the vulnerability fully. Ultimate Member released version 2.6.7 on July 1, 2023, which introduces a whitelist of the meta keys the plugin will store when a form is submitted. The plugin’s security advisory details a few other changes that may affect third-party developers:

    2.6.7 also separates form settings data and submitted data and operates them in 2 different variables.

    [It] includes some significant changes to how forms submissions are handled. This may cause 3rd-party modifications to stop working. For Third-party developers, please update your customizations to support the new changes in the latest version

    Ultimate Member recommends users review and delete any unknown administrator accounts, reset all user passwords including the admin, enable SSL and backups, and send any advisories to site members and/or customers about the incident. The plugin’s developers are working on releasing a feature inside the plugin that will enable the website admin to reset passwords for all users, but it is still being finalized:

    The reason for this is a site using our plugin may have been hacked or injected with malware that sniffs login inputs, because this vulnerability issue is prone to these attacks, we recommend to reset passwords after updating with a security patch. This is to ensure the best protection for your website user’s passwords.

    All Ultimate Member users should update to the latest available version, 2.6.7, which has the patch for the vulnerability. The plugin’s developers are awaiting more feedback from WPScan and are evaluating all their extensions to ensure they are secure.
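    The collation behaviour Montpas describes, and the administrator-account review the advisory recommends, are easy to check directly in MySQL. The following is an added example, not code from the article, WPScan, or the Ultimate Member plugin. It assumes a MySQL or MariaDB server with utf8mb4 support, a connection charset of utf8mb4, and WordPress’ default `wp_` table prefix; the `demo_usermeta` table and its one row are constructed here so the comparison can be reproduced without touching a live site.

```sql
-- Added example: reproduces the accent-insensitive meta_key match on a
-- throwaway table shaped like wp_usermeta, then shows the same lookup
-- under a binary collation. Assumes the connection charset is utf8mb4.
SET NAMES utf8mb4;

CREATE TABLE demo_usermeta (
  umeta_id   BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  user_id    BIGINT UNSIGNED NOT NULL,
  -- utf8mb4_unicode_ci compares on primary weights only, so accented
  -- Latin letters fold to their base letter (ã = a, ë = e, ...).
  meta_key   VARCHAR(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci,
  meta_value LONGTEXT
);

-- Constructed sample row: user 2 is a plain subscriber.
INSERT INTO demo_usermeta (user_id, meta_key, meta_value)
VALUES (2, 'wp_capabilities', 'a:1:{s:10:"subscriber";b:1;}');

-- Lookup with the accented key from the Trac ticket. Under the
-- accent-insensitive column collation this finds the real
-- wp_capabilities row, which is why an "existing key?" check followed
-- by an UPDATE (the pattern in update_metadata()) ends up rewriting the
-- user's actual capabilities instead of creating an unrelated key.
SELECT umeta_id, meta_key, meta_value
  FROM demo_usermeta
 WHERE user_id = 2
   AND meta_key = 'wp_cãpăbilitiës';

-- Same lookup with an explicit binary collation on the comparison:
-- the accented key no longer matches anything.
SELECT umeta_id, meta_key, meta_value
  FROM demo_usermeta
 WHERE user_id = 2
   AND meta_key = 'wp_cãpăbilitiës' COLLATE utf8mb4_bin;

-- Side-by-side comparison without a table, for a quick check on your
-- own server: the first flag is 1 under the CI collation, the second 0.
SELECT 'wp_cãpăbilitiës' = 'wp_capabilities' COLLATE utf8mb4_unicode_ci AS ci_match,
       'wp_cãpăbilitiës' = 'wp_capabilities' COLLATE utf8mb4_bin        AS bin_match;

DROP TABLE demo_usermeta;

-- On a real site: confirm which collation usermeta.meta_key actually has.
SHOW FULL COLUMNS FROM wp_usermeta LIKE 'meta_key';

-- Per the advisory's "review and delete any unknown administrator
-- accounts": list every user whose capabilities row grants administrator,
-- with the registration date to spot recently created rogue accounts.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
  FROM wp_users u
  JOIN wp_usermeta m ON m.user_id = u.ID
 WHERE m.meta_key = 'wp_capabilities'
   AND m.meta_value LIKE '%"administrator"%'
 ORDER BY u.user_registered DESC;
```

    The point of the binary-collation query is not that sites should change the column collation (WordPress core and many plugins depend on the current behaviour); it is that any plugin which accepts a meta key from user input must compare it against an allowlist byte-for-byte in application code before the database ever sees it, because the database will not do that comparison for you.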

  • WordPress Plugin Review Team Adds 6 New Sponsored Volunteers, Opens Applications 

    A new era has begun for WordPress.org’s Plugin Review Team. Mika Epstein, who has served for the past decade, is stepping down, but not before launching a new crew of volunteers.

    The team is responsible for approving newly submitted plugins, maintaining the Plugin Reviewer Handbook, as well as investigating any reported security issues and guideline violations.

    Historically, the Plugin Review team has had very little turnover, but a new crop of six sponsored volunteers will be contributing an estimated 50+ hours per week. The new members include David Pérez, Evan Herman, Francisco Torres, Luke Carbis, Marta Torre, and Paco Marchante. Their efforts are already in demand as they work to tackle a large backlog of plugins.

    “Given the nature of the work the team does, joining this team is a little different than some of the others: each new member will go through a vetting process by current team members before being selected,” Epstein said. “Some of the things the team is looking for are: a solid track record as a plugin developer; the ability to communicate clearly, kindly and constructively – both with other developers and users; interest in improving tools and processes; and excellent collaborative and conflict-management skills.” 

    Epstein is encouraging more volunteers to apply, if they have at least five hours per week to devote to the team, as they could still use more help. Prospective team members can submit an application, which will be evaluated by current team members. Applicants will be required to send examples of plugins they have coded to demonstrate their experience, provide references, and detail some of their contributions to the project.

  • WP Feature Notifications Contributors Seek Feedback on Admin Notices with Community Survey

    The WP Feature Notifications project has launched a community survey to get feedback on the current system of notices in the WordPress admin. The project aims to create a better way to manage and deliver notifications in the admin, and the survey is intended to further refine this work.

    A few months ago, the project released version 0.2.0 of the feature plugin in which contributors implemented a more robust JavaScript-based system for standardizing how notifications appear in the admin. This is a proof of concept plugin that uses demo data only. They are working towards an MVP for 0.3.0, which will remove the demo content and provide a functional notification system. Contributors have also put together an updated design based on the idea of working within WordPress’ existing design system.

    “The team has recently made some solid progress on things like database storage and REST API endpoints,” WordPress core contributor Joe Bailey-Roberts said. “However this is slightly paused for now so we can revise things if necessary, based on the survey results. We also have an updated design for the admin notices UI that we’ll shortly be showcasing, which came out of the WCEU Contributor Day.”

    Anyone who uses WordPress is welcome to take the survey – it’s for developers and users alike. It takes just a few minutes and may help shape the direction of the WP Feature Notifications project in the future.

  • Gutenberg 16.1 Introduces Pattern Creation and Library, Adds Distraction Free Mode to Site Editor

    Gutenberg 16.1 was released this week, debuting the Pattern Library, which coincides with reusable blocks being renamed to synced patterns. Users can now create and manage their own patterns, which will also show up in the block inserter. Custom patterns are saved to the new Library alongside custom template parts.

    This release also adds a new Distraction Free mode to the Site Editor, which removes all controls and menus, functioning in a similar way to the mode added to the content editor in October 2022. The mode can be accessed under the more menu of the Site Editor.

    Automattic-sponsored engineer Andrei Draganescu submitted the PR for the feature and cited three reasons why the Site Editor could benefit from a Distraction Free mode:

    • Because distraction free work is a good environment to cultivate
    • Because the command center makes full chrome UI useless for power users
    • Because it enables a really 1:1 preview – while maintaining everything editable

    Draganescu published a video of the Distraction Free mode working in concert with the new Command Palette:

    Another new feature in this release is automated footnotes.* Users can add them by highlighting the text and selecting Footnote from the formatting menu. This will automatically insert the note and create a Footnote block at the bottom of the content. (This block can be moved.)

    1. This is an example of a footnote. ↩︎

    Footnotes can be added inside paragraph, heading, and list blocks, and are saved as post meta. The Footnote block doesn’t seem to be accessible in the block inserter. It is automatically created and inserted with the first footnote.

    A few other notable features in this release include the following:

    • Live block theme previewing in the Site Editor moved out of experimental stage, available for block themes under Appearance > Themes
    • Site Editor sidebar now displays template and settings configuration details for the home and index templates
    • Aspect ratio controls added to Image block

    Gutenberg 16.1 is included in the upcoming WordPress 6.3 release, but if you want to take advantage of these features before August, you will need to be using the plugin or test 6.3 Beta 2. Check out the release post for the full changelog that includes all the latest enhancements, bug fixes, and performance and accessibility improvements.

  • Hackers Actively Exploiting Unpatched Privilege Escalation Vulnerability in Ultimate Member Plugin

    WPScan is reporting a hacking campaign actively exploiting an unpatched vulnerability in the Ultimate Member plugin, which allows unauthenticated attackers to create new user accounts with administrative privileges and take over the site. The vulnerability has been assigned a CVSSv3.1 (Common Vulnerability Scoring System) score of 9.8 (Critical).

    Automattic’s WP.cloud and Pressable.com hosting platforms picked up on a trend in compromised sites where each had rogue new administrators popping up. After further investigation they found a discussion on the WordPress.org support forums about a potential Privilege Escalation vulnerability in the plugin, as well as indications that it was already being actively exploited.

    Ultimate Member, which is active on more than 200,000 WordPress sites, patched the plugin, but WPScan reports that it wasn’t sufficient.

    “In response to the vulnerability report, the creators of the plugin promptly released a new version, 2.6.4, intending to fix the problem,” WPScan security researcher Marc Montpas said. “However, upon investigating this update, we found numerous methods to circumvent the proposed patch, implying the issue is still fully exploitable.

    “Adding to the urgency of the situation, a look at our monitoring systems also confirmed attacks using this vulnerability were indeed happening in the wild.”

    WPScan has identified more than a dozen IP addresses from which exploits are originating, common usernames for malicious accounts, and other indicators of compromise, such as malicious plugins, themes, and code. Check the security advisory if you believe you have been compromised.

    Version 2.6.6 is the latest release from the Ultimate Member plugin but it is still believed to be vulnerable. WPScan recommends users disable the plugin until it has been adequately patched.

  • WordPress 6.3 Beta 2 Released, Ready for Testing

    WordPress 6.3 hit a major milestone today with the release of Beta 2. The release leads opted to skip Beta 1, which was delayed yesterday after some technical issues with packaging the release, and have moved straight on to Beta 2.

    As WordPress 6.3 is set to be the last major release of the Gutenberg project’s Phase 2 focus on customization, it ties up many loose ends related to the Site Editor and usability in general. It rolls in the ten most recent releases of the Gutenberg plugin – versions 15.2 through 16.1.

    Major interface enhancements in this release, as outlined by the comprehensive 6.3 testing guide, include the following:

    Patterns are also getting a big boost in this release, as reusable blocks have been renamed to “synced patterns.” Pattern creation is now available to users and a new pattern library will be located inside the editor for saving and managing both synced and unsynced patterns. Theme authors now have the capability to register custom patterns to templates, so they appear in the start modal to speed up page building.

    WordPress 6.3 will introduce three new blocks, including details, time-to-read, and footnotes, along with many improvements to existing blocks.

    This release comes with significant performance updates, most notably the addition of defer and async support to the WP Scripts API and fetchpriority support for images. Support for PHP versions 8.0+ has been improved, along with block template resolution, image lazy loading, and the emoji loader.

    In the rare event that the manual update of a theme or plugin fails, auto-rollback is available as of WordPress 6.3.

    Beta 2 testers are encouraged to file bug reports on WordPress Trac. During beta testing until the last RC, the WordPress project will also be doubling its monetary reward for any new, unreleased security issues that are uncovered. The vulnerabilities must be found in new code in order to qualify for the doubled reward.

    Check out the Beta 2 release post for more information on new features, accessibility improvements, and instructions on how to test. WordPress 6.3 is scheduled for release on August 8, 2023.

  • WordCamp Asia 2024 Scheduled for March 7-9 in Taipei

    WordCamp Asia has announced its dates for 2024. The flagship event is now officially scheduled for March 7-9, in Taipei, Taiwan. Organizers have secured the Taipei International Convention Center (TICC) venue to host the event, which is located in the business district not far from Taipei 101, formerly known as the Taipei World Financial Center, a skyscraper that is the city’s most visible landmark. TICC has a capacity of more than 3,000 people.

    “The local community is massive and I’ve been told that WordCamp Taiwan (this October) alone would boast of at least 500 attendees,” organizer John Ang said after visiting Taipei with his team to sign the venue. “While we were on the same trip, we were lucky to be able to celebrate the 20th Anniversary of WordPress with the Taiwanese community.

    “There’s also active work bringing in government support and other open source communities across the region (e.g. Hong Kong) to WordCamp Asia next year.” 

    photo credit: Preparations have started for WordCamp Asia 2024

    WordCamp Asia attendees can expect 3-5 tracks of sessions featuring diverse presentations across a range of topics for beginners and seasoned WordPress professionals alike. The venue also offers ample common areas for networking.

    More details on the event and calls for speakers and sponsors should be coming soon. Those who are hopeful to attend can subscribe to updates on the event’s website or follow @WordCampAsia on Twitter.

  • WordPress 6.3 Will Introduce A Command Palette

    Last week Gutenberg contributors were engaged in a spirited debate regarding a proposal to rename the new Command Center to Wayfinder. The feature, designed to be an extensible quick search and command execution tool, will land in WordPress 6.3.

    The majority of participants in the discussion were strongly against calling it Wayfinder, as the term doesn’t translate well, nor does it make the feature’s benefits easy to understand. Wayfinder was proposed as a unique name that “has the potential to evoke a sense of curiosity, exploration, and discovery.” There were several attempts to wrap up the discussion with notes on alternatives even when it was apparent that the general consensus was unequivocally not in favor of the term Wayfinder.

    Automattic-sponsored Gutenberg contributor Anne McCarthy commented on the issue with the decision, which she said was reached after consulting project leadership and reading through the comments:

    Let’s move forward with Command Palette.

    Reasoning: easier to translate, consistent across other tooling outside of WordPress, matches current functionality, eases discoverability/understanding of value, and leans generic which matches the concerns raised here.

    Ultimately, we can always discuss renaming if the feature reaches a point of evolution outside of this initial name. As raised above, that would be more worth risking a unique name for than something that exists in other products and that ultimately we want people to quickly understand/find value in. Plus if we hold off on that name for the future, it can create a nice marketing push for something truly unique when/if the time comes. If folks have additional specific concerns around this naming, please speak up sooner rather than later.

    McCarthy also requested other contributors ensure the re-naming is updated throughout the interface for the upcoming release.

    This was an important decision that needed to be made ahead of WordPress 6.3 Beta 1, which was supposed to be released today but was delayed to Wednesday, June 28, due to an unrelated issue. The Command Palette will likely be introduced in blog posts, the 6.3 About page, and countless third-party resources so the proposal urgently needed a conclusion.

    It’s also to the team’s credit that they didn’t force a fancy marketing name and instead landed on the side of the majority of contributors who were in favor of using clear language. The API for the Command Palette is now public and ready for developers to create their own custom commands. Using a term that is easy to understand and translate will engender more global community buy-in, as 52% of WordPress users run the software in a language other than English.