Overview of WordPress v4.2.3 Shortcode Problem

The WordPress Shortcode API is a simple way for site owners to produce content in their Posts/Pages without needing to write any HTML or PHP code. For instance, WordPress itself makes it possible for you to insert an image gallery using: [gallery id="123" size="medium"] (a WordPress shortcode).

When WordPress v4.2.3 was released, the shortcodes for many WordPress plugins stopped working, including some of the s2Member shortcodes (depending on how they were used). Under the right circumstance, some of your WordPress shortcodes might not be evaluated (i.e., they may no longer produce what you expect), and instead, they only show the text of the shortcode itself. Not good! However, there are some easy ways to work around this WP v4.2.3 problem.

In a hurry? Skip to: What do I need to review exactly?

So is this a problem with WordPress? Or with s2Member?

The problem is with WordPress; i.e., a security issue. In the release of WordPress v4.2.3 (it was an automatic background update), they included a notable security fix that introduced changes to the WordPress Shortcode API. See: Changes to the Shortcode API. See also: this WordPress Trac Issue if you'd like to learn more. In short, these changes ended up breaking shortcodes in many WordPress plugins, thereby breaking many live WordPress sites. This can be evidenced by all of the reports posted by others in the WordPress community.

How widespread is this? Does it impact me?

All shortcodes in WordPress (regardless of theme/plugin) could be impacted the recent WordPress update in one way or another. It just depends on how you've implemented some of your WordPress shortcodes. In fact, what shines a light on this issue has very little to do with which themes/plugins you're using. It has everything to do with how you implement WordPress shortcodes in your Posts/Pages. In other words, don't expect to receive a quick update from theme/plugin developers that will resolve this. This is an issue that requires a review on your part.

What do I need to review exactly?

The question that you should ask is, "Do I have any shortcodes that produce raw HTML fragments or raw HTML attribute values?". For example, do any of your shortcodes produce URLs that go into href="" or src="" attributes in your HTML? Those are the most obvious problems. As noted in this article at WordPress.org, you will need to review all of your WordPress shortcodes and make changes to some of the quoted attributes that you've used whenever your shortcodes are mixed with raw HTML code.

Identifying problems in your WordPress Posts/Pages

For instance, in the s2Member plugin there is a shortcode that produces a protected file download URL. The [s2File /] shortcode produces a URL (just the URL itself). Therefore, this shortcode is commonly used together with an HTML anchor tag as seen in the following example:

This raw HTML mixed with a shortcode does NOT work any longer:

<a href="[s2File download="example-file.zip" /]">click here to download</a>

Why doesn't this work any longer? If you look carefully it's a mix of raw HTML, and the href="" attribute is encapsulated by the same double quotes that your shortcode uses. Starting w/ WordPress v4.2.3 this will no longer parse as you would normally expect it to.

However, you can make it work by using single quotes in the shortcode instead

<a href="[s2File download='example-file.zip' /]">click here to download</a>

Which s2Member shortcodes should I put my focus on?

There are a few s2Member shortcodes that, by design, produce output which leads site owners to use a mix of raw HTML. Therefore, there are certain s2Member shortcodes that are more likely to shine a light on this issue. You should review these more carefully than others.

  • [s2File /]
  • [s2Get /]
  • [s2Eot /]
  • [s2Key /]

Which s2Member shortcodes am I less likely to have a problem with?

These shortcodes are generally used on their own line in a Post/Page. They are less likely to have been used inside other raw HTML as a fragment. However, please note that you should still review ALL shortcodes—just to be safe.

  • [s2If /]
  • [s2Drip /]

  • [s2MOP /]

  • [s2MOPNotice /]

  • [s2Member-Login /]

  • [s2Member-Summary /]
  • [s2Member-Profile /]

  • [s2Member-Gift-Codes /]

  • [s2Member-Security-Badge /]

  • [s2Member-List /]

  • [s2Member-List-Search-Box /]

  • [s2Member-PayPal-Button /]

  • [s2Member-Pro-PayPal-Form /]
  • [s2Member-Pro-Stripe-Form /]
  • [s2Member-Pro-Authnet-Form /]
  • [s2Member-Pro-ClickBank-Button /]

Is there a quick way to search/replace and fix this?

I'm afraid not. This is an issue that requires a manual review on your part. However, the hardest part of this is finding Posts/Pages where you have used shortcodes. You can save a tremendous amount of time if you use the Search Regex plugin for WordPress.


Are there any other ways to work around this problem?

Well, you could revert to a previous release of WordPress (this problem does not exist in v4.2.2). However, WE DO NOT RECOMMEND THIS, because WordPress v4.2.3 was a security release. Thus, reverting back to WordPress v4.2.2 could expose your site to threats that will cause you problems that are far worse than a few shortcode attributes. Our suggestion is that you take some time to review your shortcodes. Follow the instructions above and you'll be fine. For most sites it should take just a few minutes.