Advanced Custom Fields version 5.7.8 is now available. This is an update for both our ACF and ACF PRO plugins, and we encourage you to update your sites as soon as possible.
This release contains a fix to a recently reported XSS vunerability. This report showed it was possible for a logged in author to save unfiltered HTML within a custom field value. This is something that should not be possible without the unfiltered_html capability. As a result of our fix, when logged in with an author role, all values will be filtered via the wp_kses_post_deep() function to strip out restricted HTML.
We have also included a small fix to address the “All field groups appear as empty metaboxes in Gutenberg” issue mentioned in our latest blog post.
You can view the full changelog is below.
*Release Date - 7 December 2018* * Fix - Fixed vulnerability allowing author role to save unfiltered HTML values. * Fix - Fixed all metaboxes appearing when editing a post in WP 5.0. * i18n - Updated Polish translation thanks to Dariusz Zielonka. * i18n - Updated Czech translation thanks to Veronika Hanzlíková. * i18n - Update Turkish translation thanks to Emre Erkan. * i18n - Updated Portuguese language thanks to Pedro Mendonça.
You can expect to start seeing more Gutenberg related items in our changelog over the coming months 👍.