WordPress Stealth Security Fix Via Emojis

Issue #30

Tucked away in an article about emojis, I found a note claiming WordPress used an inventive strategy to patch a critical vulnerability without announcing it.

WordPress […] made a major update to their systems in 2015 under the guise of “enabling emoji support.” What they actually did was patch a critical security vulnerability that allowed cross-site scripting attacks in some multibyte character situations. In essence (and this is only a tiny exaggeration): a quarter of the internet was saved from hacking by adding emoji support.

This is the only place I’ve heard of it. I looked through all the changelogs for 2015 and couldn’t find any references to emoji support (though 4 of the 5 “fixed a cross-site scripting vulnerability”). This might have been for the commercial hosted version, rather than the open-source project.
