WordPress Stealth Security Fix Via Emojis

This was sent in Issue #30 of Squirrel Notes on June 4, 2019.

Tucked away in an article about emojis, I found a note claiming WordPress used an inventive strategy to patch a critical vulnerability without announcing it.

WordPress [...] made a major update to their systems in 2015 under the guise of “enabling emoji support.” What they actually did was patch a critical security vulnerability that allowed cross-site scripting attacks in some multibyte character situations. In essence (and this is only a tiny exaggeration): a quarter of the internet was saved from hacking by adding emoji support.

This is the only place I’ve heard of it. I looked through all the changelogs for 2015 and couldn’t find any references to emoji support (though 4 of the 5 “fixed a cross-site scripting vulnerability”). This might have been for the commercial hosted version, rather than the open-source project.

This is item #148 in a sequence of 305 items.

You can use your left/right arrow keys or swipe left/right to navigate