Advanced Custom Fields version 6.4.3 is now available.

This release contains several security fixes for ACF and ACF PRO, including additional HTML escaping for field group labels, post titles, and Select2 elements to prevent JS vulnerabilities in the WordPress admin.

These vulnerabilities all required an ACF admin user to save malicious HTML. For this reason, it’s important to only ever import ACF JSON files from trusted sources.

This release also officially deprecates version 3 of the Select2 library in favor of Select2 v4, which has been the default for many years now. An upcoming version of ACF will remove Select2 v3 completely and force the use of v4 for anyone still using the ACF setting to roll back to v3.

We recommend that all users of ACF and ACF PRO upgrade as soon as possible.

Wrap Up

👨‍💻 Please find the release notes below. And for the latest ACF news, follow us on Twitter @wp_acf.

We take the security of ACF extremely seriously and are always working on protecting our users. If you have discovered a vulnerability in the code or have a security issue, please see our Security page for more information.

Changelog

  • Security – Unsafe HTML in field group labels is now correctly escaped for conditionally loaded field groups, resolving a JS execution vulnerability in the classic editor
  • Security – HTML is now escaped from field group labels when output in the ACF admin
  • Security – Bidirectional and Conditional Logic Select2 elements no longer render HTML in field labels or post titles
  • Security – The acf.escHtml function now uses the third party DOMPurify library to ensure all unsafe HTML is removed. A new esc_html_dompurify_config JS filter can be used to modify the default behaviour
  • Security – Post titles are now correctly escaped whenever they are output by ACF code. Thanks to Shogo Kumamaru of LAC Co., Ltd. for the responsible disclosure
  • Security – An admin notice is now displayed when version 3 of the Select2 library is used, as it has now been deprecated in favor of version 4
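The escaping fixes above all follow the same pattern: a label or post title that an admin-level user saved is treated as text, not markup, at the point where it is written into admin HTML. The block below is an added illustration of that pattern and is not ACF's own code (ACF's `acf.escHtml` now delegates to DOMPurify, which is the right choice when some HTML must be preserved; plain entity escaping, shown here, is enough when the value should never contain markup at all). The `escHtml`, `renderOptionUnsafe` and `renderOptionSafe` names and the `SAMPLE_LABEL` value are constructed for the example.

```javascript
// Added example, not ACF code: minimal HTML entity escaping for values that
// should be displayed as text (field group labels, post titles) in admin markup.
function escHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: interpolating a stored label straight into markup, so any
// HTML the label contains is parsed by the browser as markup.
function renderOptionUnsafe(label) {
  return `<option>${label}</option>`;
}

// Hardened pattern: escape first, so markup in the label becomes inert text.
function renderOptionSafe(label) {
  return `<option>${escHtml(label)}</option>`;
}

// Constructed sample: a label containing markup, the kind of value that only an
// ACF admin user could have saved, e.g. by importing an untrusted ACF JSON file.
const SAMPLE_LABEL = 'Title <script>alert(1)</script>';

// Detection helper for the example: does the rendered output still contain a
// script start tag that the browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Returning a plain string from a Select2 v4 `templateResult` or `templateSelection` callback gets the same treatment automatically, because Select2 passes strings through its `escapeMarkup` option; only a jQuery object bypasses that escaping, which is why the Bidirectional and Conditional Logic elements now render labels and post titles as text rather than HTML.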

For questions and help about this release, please contact our support team.