Advanced Custom Fields version 6.1.8 is now available.
This is a security release that fixes a stored XSS vulnerability involving the labels of ACF Post Types and Taxonomies in admin screens.
👨‍💻 Please find the release notes below. And for the latest ACF news, follow us on Twitter @wp_acf.
This issue impacts ACF Free and PRO versions 6.1.0 through 6.1.7 (>=6.1.0, <=6.1.7).
Exploiting this issue requires administrator access to ACF’s admin screens to save a malicious Post Type or Taxonomy.
🙌 Thanks to Satoo Nakano and Ryotaro Imamura via JPCERT/CC for their responsible disclosure of this issue.