18 Nov

ACF 5.11.1 Release

By Iain Poulson

Advanced Custom Fields version 5.11.1 is now available. This release introduces an admin notification related to the security fixes introduced in ACF 5.11.

In versions of ACF prior to 5.11, functions like get_field() and the_field() could also be used to retrieve WordPress options values or post meta values. This was a possible security risk so in ACF 5.11 we updated these functions. Using them to retrieve options or post meta data is no longer possible, and will return null instead.

Additionally, any fields registered using the acf_add_local_field_group() and acf_add_local_field()PHP functions must be registered before get_field() is used. We recommend registering these fields on the acf/init action hook or directly in your theme’s functions.php file.

This affected more people than we initially thought, and we didn’t communicate the impact of the change well enough. In an effort to help folks get ahead of problems on their sites, this update introduces a WordPress admin notice that will warn you if it detects that get_field is being used on fields not registered in PHP correctly.

More information about this can be found in the Updates to ACF Field Functions in 5.11 guide.

👨‍💻 Please find the release notes below. For the latest ACF news, follow us on Twitter @wp_acf.

Update

ACF 5.11.2 is now available and makes some changes to the details in the original post below. Now, only the ACF shortcode implements the previously implemented data access changes detailed below, whilst get_field() and the_field() will prevent access to non-ACF options only. You can read more about this on the acf field functions documentation.

Changelog

  • Enhancement – Added “acf/admin/license_key_constant_message” filter to allow changing of the “Your license key is defined in wp-config.php” message
  • Fix – Added warning for when get_field() or similar functions are called before ACF has initialized
  • Fix – Fixed fields not appearing on user REST API endpoints if their field group location was set to a user form other than “all”
  • Fix – Fixed warning in REST API if a custom field type did not have the “show_in_rest” property
  • Fix – Fixed an error that could occur if value of WYSIWYG field was not a string

 

🙌 Thanks to everyone who helped make this release possible.

About the Author