WordPress Emoji Fix, Take 2
I got several responses to a note in the last issue about a WordPress patch delivered via “new emoji support.”
Josh Levinson pointed me to this article, which details the problem and includes a video from LoopConf that discusses it.
In WordPress 4.2, approximately 1,000 lines of code were inserted into wpdb.php under the guise of emoji support, but were really for fixing this vulnerability.
Additionally, Automattic VP Paul Maiorana tweeted at me:
Squirrel Notes reader here. Re: the WordPress/emoji security fix, just wanted to confirm it was patched in the open source software (not http://WordPress.com). That happened in version 4.2.
So, there you go.