Vulnerable Plugins
Seven disclosures since last week, with four issues unfixed.
View this week's vulnerable plugins list.
Other WordPress News
Earlier this week, the WordPress core team announced the release date for WordPress version 5.0: November 19, 2018. This means the 4.9.9 release has been shelved unless the core team is unable to release 5.0 before the end of the year:
...the intention is to have 5.0 out (including some small fixes to ensure compatibility) before PHP 7.3 is released. If 5.0 delays significantly, then there will be a 4.9.9 release with just the PHP 7.3 compatibility fixes.
In addition, in the October 3rd Dev Chat, Matt Mullenweg indicated that he plans to keep shipping minor updates that include new features and improvements:
@matt: open to having 5.0.x releases that are like the 4.9.x releases that bring in some larger updates or improvements we push off (e.g., servehappy the WordPress PHP education initiative)
This leaves those of us who are under strict change management policies in a bit of a bind. It will be very challenging to introduce Gutenberg to a large audience in an enterprise setting in six short weeks. You can certainly upgrade to 5.0 and install the Classic Editor plugin, but given Matt's statement above it is very possible that additional Gutenberg-related features will be pushed out as minor (5.0.x) updates, and minor releases are installed automatically under WordPress's default auto-update setting. Several people have mentioned staying at 4.9.8 if you aren't ready to upgrade. However, many of us in Higher Education are required to stay on currently supported branches of a product, and WordPress' support policy states:
Security updates will be backported when possible, but there is no guarantee and no timeframe for older releases. There is no fixed period of support nor a Long Term Support (LTS) version such as Ubuntu's. None of these are safe to use, except the latest series, which is actively maintained.
Which means that to be compliant we have to upgrade to 5.0, or begin working on being granted an exception to the policy. For now, my suggestion would be to upgrade when 5.0 is released, install the Classic Editor plugin, and disable automatic core updates so that new, unverified features are not introduced into your system as 5.0.x minors. The trade-off is that security releases will no longer be applied automatically either, so you will need to subscribe to the core release announcements and apply any security-related update yourself, while simultaneously getting everyone in your organization up to speed on the new interface as quickly as possible.
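One way to implement the "disable automatic core updates, but keep the update notifications" part of that advice is a small must-use plugin. The code below is an added example, not code from the original post or from WordPress core; the file name and the notice wording are my own, and it assumes a standard WordPress install where must-use plugins are loaded from wp-content/mu-plugins/. It uses the three core auto-update filters that WordPress consults before installing a dev, minor, or major release (the same effect as defining WP_AUTO_UPDATE_CORE as false in wp-config.php), and deliberately does not set AUTOMATIC_UPDATER_DISABLED, which would also silence the update checks you now depend on.

```php
<?php
/**
 * Plugin Name: Pin Core Releases (added example)
 * Description: Added example, not code from the original post or from
 *              WordPress core. Blocks unattended core updates so that 5.0.x
 *              minor releases go through change management, while keeping the
 *              update checks and admin notices active. Save as
 *              wp-content/mu-plugins/pin-core-releases.php (hypothetical file
 *              name); must-use plugins load unconditionally and cannot be
 *              deactivated from the admin UI.
 */

// The background updater asks these three filters before installing a
// development, minor, or major core release. Returning false from all three
// is equivalent to define( 'WP_AUTO_UPDATE_CORE', false ) in wp-config.php,
// but keeps the policy in version control alongside the rest of the site code.
add_filter( 'allow_dev_auto_core_updates',   '__return_false' );
add_filter( 'allow_minor_auto_core_updates', '__return_false' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Deliberately NOT defined here: AUTOMATIC_UPDATER_DISABLED. That constant
// turns off the whole background updater, including the version checks and
// the "update available" e-mail. With only the filters above, WordPress still
// polls for new releases; it just stops installing them on its own.

// Make a pending core release hard to miss for anyone who can update core,
// so the manual, change-controlled update gets scheduled promptly.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_core' ) ) {
        return;
    }

    // get_core_updates() lives in wp-admin/includes/update.php, which is
    // already loaded in the admin context where admin_notices fires.
    $updates = get_core_updates();
    if ( empty( $updates ) || 'upgrade' !== $updates[0]->response ) {
        return; // no newer release known, or data not yet fetched
    }

    printf(
        '<div class="notice notice-warning"><p>%s</p></div>',
        esc_html( sprintf(
            'WordPress %s is available, but automatic core updates are disabled by policy. Review the release notes and schedule the update through change management.',
            $updates[0]->current
        ) )
    );
} );
```

After deploying it, confirm the behaviour from the command line with WP-CLI: `wp core check-update` should still list the newer release (the checks are intact), and the site should stay on its current version until you run `wp core update` yourself. Note that the Classic Editor plugin is a plugin, not part of core, so this file does not change how it is updated.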