The changes described in this dev note sound like good ideas, but people should be sure to test mail sending and not assume it is going to work.

Changes to How WordPress Sites Send Email in 6.9
Dennis Snell @ make.wordpress.org • 1 week ago

Wordfence Team at wordfence.com • 1 week ago
The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the legacy chunked upload mechanism in all versions up to, and including, 2.9.21.1. This is due to the extension blacklist not including .phar files, which can be uploaded through the chunked upload mechanism. This makes it possible for unauthenticated attackers to upload executable .phar files and achieve remote code execution on the server, granted they can discover or enumerate the upload path. In order for an attacker to achieve RCE, the web server needs to be set up to process .phar files as PHP via file handler mapping or similar.
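
To show why an extension blacklist fails in the way described above, here is an added example (not Gravity Forms code, and not taken from the Wordfence advisory) that compares a denylist check with an allowlist check. Both lists, the function names and the sample file names are constructed for illustration.

```php
<?php
// Constructed denylist: any extension that is not named here is accepted.
const DENIED_EXTENSIONS = ['php', 'php3', 'php5', 'phtml', 'exe', 'js'];

function denylist_allows(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, DENIED_EXTENSIONS, true);
}

// Constructed allowlist: only extensions the form actually needs.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function allowlist_allows(string $filename): bool
{
    // Keep only the file name, whatever path separator the client sent.
    $name = basename(str_replace('\\', '/', $filename));
    $parts = explode('.', strtolower($name));
    array_shift($parts); // drop the base name, keep every extension segment
    if ($parts === []) {
        return false; // no extension at all
    }
    // Deliberately strict: every segment must be allowed, so "notes.phar.pdf"
    // and a trailing dot ("x.jpg.") are rejected, and so is "report.v2.pdf".
    foreach ($parts as $segment) {
        if (!in_array($segment, ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names.
$samples = ['photo.jpg', 'shell.php', 'archive.phar', 'ARCHIVE.PhAr',
            'notes.phar.pdf', 'photo.jpg.', 'readme'];

foreach ($samples as $file) {
    printf(
        "%-16s denylist=%-7s allowlist=%s\n",
        $file,
        denylist_allows($file) ? 'accept' : 'reject',
        allowlist_allows($file) ? 'accept' : 'reject'
    );
}
```

The denylist accepts `archive.phar` and `ARCHIVE.PhAr` because nobody listed that extension, while the allowlist rejects them without needing to know they exist. The check only helps if every upload path, chunked or not, goes through it.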

Winston Burton @ searchenginejournal.com • 2 weeks ago
A switch like this would significantly change how brands drive visibility and traffic online.

Rae Morey @ therepository.email • 2 weeks ago
About three weeks ago Automattic filed counter claims against WP Engine. WP Engine has asked the court to dismiss all of the counter claims. The WP Engine reasoning seems good. The hearing is scheduled for February 5th.

Amber Hinds @ wpbeaverbuilder.com • 2 weeks ago
The Beaver Builder team worked with Amber Hinds to create a course about accessibility best practices. The course is free. About 3/4 of the course covers general best practices and 1/4 covers tips for accessibility and Beaver Builder.

Roger Montti @ searchenginejournal.com • 2 weeks ago
WordPress 6.9 will include the Abilities API that looks to be a big feature for developers. This article by Roger Montti does a good job of explaining what it is and its advantages. It is worth a read even if you aren’t a developer as I imagine it will be widely implemented.

John Castro @ patchstack.com • 2 weeks ago
Many hosting platforms use Imunify360 AV. There is a critical vulnerability.

Kevin Geary @ etchwp.com • 2 weeks ago
Etch has come a long way in just a little over a year. It is a code-friendly builder that combines a visual building experience with code editors. The team is now moving from development builds towards a version 1.
A big feature of Etch is the ability to have what you create in Etch be automatically converted to blocks in the Gutenberg editor. In the alpha builds these blocks were core blocks. People who create Gutenberg blocks are aware that core Gutenberg is finicky, and the news about moving the Gutenberg editor to load in an iframe is an example of how it is still a moving target. I’ve seen a number of developers give up working in the Gutenberg space until it stabilizes … and many of them are still waiting. So, the Etch team decided that it would be safer, and in the long term more flexible and reliable, to render what you create in Etch as custom blocks (rather than as core blocks).
I am glad to see that the team has affirmed a future commitment so that Etch blocks won’t require Etch to be installed. This opens some very interesting possibilities for developers and site builders.

Aki Hamano @ make.wordpress.org • 2 weeks ago
There is a change coming in 6.9 and continuing in 7.0 which is going to impact block developers and people using older blocks that haven’t been updated. The Post Editor is going to be moved to fully be in an iframe. This will mean that block.json v.3 will be needed.