WordPress Stealth Security Fix Via Emojis
Tucked away in an article about emojis, I found a note claiming WordPress used an inventive strategy to patch a critical vulnerability without announcing it.
WordPress […] made a major update to their systems in 2015 under the guise of “enabling emoji support.” What they actually did was patch a critical security vulnerability that allowed cross-site scripting attacks in some multibyte character situations. In essence (and this is only a tiny exaggeration): a quarter of the internet was saved from hacking by adding emoji support.
This is the only place I’ve heard of it. I looked through all the changelogs for 2015 and couldn’t find any references to emoji support (though 4 of the 5 “fixed a cross-site scripting vulnerability”). This might have been for the commercial hosted version, rather than the open-source project.