Issue #218
Happy Friday! It's June 28 and I'm sick. Rather than attempt to write this week's newsletter in a fever dream, here's a briefer-than-usual look at the top stories of the week.

First time reading? Sign up here. Got an opinion? Send your thoughts, feelings and news tips to [email protected]

P.S. If you enjoy reading The Repository, the best thing you can do to support our work is share this issue with your friends and colleagues. The second best thing? Buy a classified ad.

Three big headlines

1. Supply-chain attack compromises WordPress.org plugins

Plugin authors are being urged to review the security of their committer accounts after five WordPress.org plugins were compromised in a supply-chain attack last weekend.

Social Warfare, Blaze Widget, Wrapper Link Element, Contact Form 7 Multi-Step Addon, and Simply Show Hooks were infected with malicious code after an attacker gained access to committer accounts. According to Awesome Motive-sponsored contributor Chris Christoff, the attacker used username and password combinations that had been previously compromised in data breaches on other websites.

"Even legitimate #WordPress plugins can be hijacked for malicious purposes. Be sure to read this update from @wordfence!" posted writer and developer Eric Karkovack, linking to Threat Intelligence Lead Chloe Chamberland's analysis on the Wordfence blog: Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins.

Writing for Mindsize, Jeff Chandler says if any of the impacted sites had auto-updates enabled for plugins, the malicious versions were installed without human intervention. "The WordPress plugin team forced a security update to address the malicious versions, but you can see how this underscores the risk involved with blindly applying software updates," he writes.

2. WordPress 6.6 release candidate and field guide now available

The first release candidate for WordPress 6.6 dropped this week and with it the WordPress 6.6 Field Guide. There's a lot to unpack. The guide outlines developer features and breaking changes to the Block Editor (including eight Gutenberg releases); updates to the Interactivity API, HTML API and Options API; PHP support, and internationalization improvements.

All up, WordPress 6.6 comprises 108 enhancements and feature requests, 171 bug fixes, and 10 other blessed tasks, totalling 300 Trac tickets.

For a deep dive into what's included in this release, get comfortable and read Anne McCarthy's WordPress 6.6 Source of Truth. The 8,000-word tome is the definitive guide to the next major version of WordPress, due out on July 16.

3. WordPress 6.5.5 fixes security flaws

WordPress 6.5.5 was released this week and patches three security vulnerabilities:
  • A cross-site scripting (XSS) vulnerability in the HTML API, discovered by Dennis Snell, Alex Concha and Greg Ziółkowski from the WordPress Security Team. This vulnerability allows attackers to inject harmful scripts into web pages viewed by others.
  • An XSS vulnerability in the Template Part Block, reported by Rafie Muhammad of Patchstack during a third-party security audit. This issue could let attackers execute arbitrary scripts in user sessions.
  • A path traversal issue affecting sites hosted on Windows, reported independently by Rafie Muhammad and Edouard L of Patchstack, David Fifield, x89, apple502j, and mishre. This flaw could permit unauthorized access to restricted server directories and files, risking data breaches.

Alex Thomas shares his technical analysis and overview of the vulnerabilities at Wordfence.

"WordPress 6.5.5 is now available. This release fixes three security vulnerabilities and I strongly encourage you to update as soon as you can," posted long-time core committer Aaron Jorbin, who led the release. It's the eighth straight minor release Jorbin has led or co-led, and he's looking for a company to sponsor his critical work.

The Cloud's the limit

Sponsor
Bluehost Cloud →
When performance is a priority try Bluehost Cloud! With 100% uptime, incredible load times, and 24/7 WordPress priority support, your sites can handle even the highest traffic spikes. Get started today.

In other news

> WPManageNinja owner Shahjahan Jewel has appealed to WordPress Europe 2025 organizers to change the event's dates. Next year's conference, scheduled for June 5-7, clashes with Eid al-Adha, an important religious holiday for Muslims. In an open letter, Jewel likens the date clash to planning a WordCamp on Christmas Day (Jewel)

> The WordPress Community Team wants to set up a new task force to help provide greater support to WordCamp organizers. Contributor Lucas Radke says the initiative would focus on streamlining sponsorship efforts, ensuring sustainability, and improving the overall sponsor experience (Make WordPress Community)

> The finalists for Uganda Website Projects Competition 2024 have been announced, showcasing innovative projects under the theme "Problem Solving With WordPress." Highlights include St. Mark's College Namagoma's "Provok" project, aimed at democratizing IT education, and CoU Anglican Luweero Diocese Education ICT's work empowering teachers using WordPress. Winners will be announced at the competition on July 5 at the National ICT Innovation Hub in Kampala (WordCamp Central)

> The WordPress Training Team is testing GatherPress to manage the current Learn WordPress Online WordPress event schedule. GatherPress, a community-led project, has been pegged as a future solution for organizing WordPress events, replacing Meetup.com (Make WordPress Training)

> Cory Miller and Katie Richards have joined A2 Hosting as the faces of the company's new Community Growth Team. Miller brings his long-time experience in the WordPress community, having founded iThemes and as the owner of Post Status, while Richards was previously Community Advocacy Manager at Pantheon (A2 Hosting)

> The ACF Annual Survey is now open. Senior Project Manager Iain Poulson says the results will guide future development of the popular plugin and help his team build a more accurate picture of ACF users (Advanced Custom Fields)

Classifieds

Want to hear WordPressers talk about their lives beyond WordPress in an unexpected conversation? Subscribe to Seriously, BUD? and get a fresh episode every week.

Help diverse voices in WordPress be heard! Support Inclusion in Tech removes barriers for speakers at WordCamps. Donate and empower SiNC.

Guildenberg helps WordPress-focused product companies grow through improving monetization, accelerating adoption, and standardizing compatibility. Let's build a better ecosystem.
Got something to promote? Our classifieds are seen by our 1529 subscribers each week.
The Repository is a weekly email for the WordPress community by Rae Morey. Thanks to Kinsta, our hosting sponsor, and MailPoet, our email sponsor.

Send your feedback to [email protected] and help us provide high-quality news written entirely by humans that matters to the WordPress community.

Interested in reaching WordPress people like you? Become a Repository sponsor.