Total 5.4.1 was updated to include an extra security check when using callback functions within shortcodes to prevent potential exploits from the core wp_ajax_parse_media_shortcode WordPress function.
Previously you could enter the name of any function within a shortcode “Callback Function” field and it would run, but now that function name must also be defined as a whitelisted function. This article will explain how you can whitelist custom functions for use in various theme element fields.
Whitelisting Query Callback Functions for the Post Cards Element
For the Post Cards element you can use the dedicated wpex_post_cards_query_callback_choices hook to add new function options to the list.
// Array key = the function name to allow, value = the label shown in the field.
add_filter( 'wpex_post_cards_query_callback_choices', function( $choices ): array {
	$choices['my_custom_function_name_1'] = 'Function 1 Label';
	$choices['my_custom_function_name_2'] = 'Function 2 Label';
	return $choices;
} );
Whitelisting Functions for Other Fields
To whitelist general functions for use in theme elements, define the “VCEX_CALLBACK_FUNCTION_WHITELIST” constant in your child theme or with the Code Snippets plugin. Its value should be an array of the functions that can be used on the site. Example:
/*
 * Whitelist functions for use in Total Theme Core shortcodes.
 */
define( 'VCEX_CALLBACK_FUNCTION_WHITELIST', [
	'my_custom_function_name_1',
	'my_custom_function_name_2',
	'my_custom_function_name_3',
] );
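The kind of check such a whitelist makes possible, sketched in plain PHP so it runs without WordPress. This is an added illustration, not Total Theme Core's own code: the helper example_run_whitelisted_callback() is hypothetical, and the constant's value and the sample function are constructed for the example.

```php
<?php
// Constructed sample: same constant name as in the article, one allowed function.
define( 'VCEX_CALLBACK_FUNCTION_WHITELIST', [
	'my_custom_function_name_1',
] );

// Hypothetical custom function a site owner wants to expose to shortcodes.
function my_custom_function_name_1(): string {
	return 'output from my_custom_function_name_1';
}

/**
 * Hypothetical helper: run $name only if it is on the allowlist.
 * Returns null when the name is rejected.
 */
function example_run_whitelisted_callback( $name ) {
	// A callback field should only ever hold a plain function name.
	if ( ! is_string( $name ) || '' === $name ) {
		return null;
	}
	// No constant defined means nothing is allowed (fail closed).
	if ( ! defined( 'VCEX_CALLBACK_FUNCTION_WHITELIST' ) ) {
		return null;
	}
	$allowed = constant( 'VCEX_CALLBACK_FUNCTION_WHITELIST' );
	// Strict comparison: exact string match only, no type juggling.
	if ( ! is_array( $allowed ) || ! in_array( $name, $allowed, true ) ) {
		return null;
	}
	// Listed but not defined (typo, snippet deactivated): still refuse.
	if ( ! function_exists( $name ) ) {
		return null;
	}
	return call_user_func( $name );
}

// Allowed: listed in the constant and defined.
var_dump( example_run_whitelisted_callback( 'my_custom_function_name_1' ) );
// Rejected: strtoupper exists in PHP but is not on the list.
var_dump( example_run_whitelisted_callback( 'strtoupper' ) );
// Rejected: non-string input such as an array callable.
var_dump( example_run_whitelisted_callback( [ 'SomeClass', 'method' ] ) );
```

Keep the list limited to functions written for this purpose; every name added to it becomes callable from a shortcode field.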