27 Feb

ACF 6.2.7 Security Release

By Liam Gladdy

Advanced Custom Fields version 6.2.7 is now available.

This release contains important security fixes, and enables the new the_field escaping behavior described in our release post for 6.2.5.

It also contains a new filter to help you increase security when you use the ACF Shortcode by limiting the fields it can access, although we still recommend that users who are not using the shortcode disable it entirely, as detailed below.

👨‍💻 Please find the release notes below. And for the latest ACF news, follow us on Twitter @wp_acf.

We take the security of ACF extremely seriously and are always working on protecting our users. If you have discovered a vulnerability in the code or have a security issue, please see our Security page for more information.

Escaping of the_field and the_sub_field

This release enables the automatic escaping of potentially unsafe HTML when using the_field and the_sub_field to output a field value following the addition of warnings for this in ACF 6.2.5.

For full details, information on the filters available to modify the behavior, and how to change your code if you do need to output potentially unsafe HTML, please see the release post for 6.2.5.

In ACF 6.2.7, the warning shown when we detect that a field’s output will change has been replaced by an error stating that the output has changed.
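As an added example (not code from the ACF release post), here are template patterns that keep working once the_field escapes HTML: plain text and attributes are escaped for their context, and a field that legitimately holds HTML is fetched with get_field and passed through WordPress’s own post-safe filter instead of being output raw. The field names (headline, cta_url, body_copy, faq, question, answer) are assumptions for illustration.

```php
<?php
// Added example, not code from the ACF release post. Assumed field names:
// 'headline' (text), 'cta_url' (URL), 'body_copy' (WYSIWYG), 'faq' (repeater
// with 'question' and 'answer' sub-fields).

// Plain-text field: the_field() now escapes for you; echoing the value
// through esc_html() yourself is equivalent and makes the intent explicit.
$headline = get_field( 'headline' );
echo '<h2>' . esc_html( $headline ) . '</h2>';

// Attribute context: use esc_url() / esc_attr(). the_field() cannot know
// where its output lands, so attribute escaping stays the template's job.
$cta_url = get_field( 'cta_url' );
if ( $cta_url ) {
    echo '<a class="cta" href="' . esc_url( $cta_url ) . '">Read more</a>';
}

// Field that legitimately holds HTML (e.g. a WYSIWYG field): fetch the raw
// value with get_field() and allow only the post-safe tag set, so markup an
// editor is allowed to use survives while script tags, on* event handler
// attributes and javascript: URLs are stripped.
$body_copy = get_field( 'body_copy' );
echo wp_kses_post( $body_copy );

// Sub-fields inside a repeater follow the same pattern with get_sub_field().
if ( have_rows( 'faq' ) ) {
    while ( have_rows( 'faq' ) ) {
        the_row();
        echo '<h3>' . esc_html( get_sub_field( 'question' ) ) . '</h3>';
        echo wp_kses_post( get_sub_field( 'answer' ) );
    }
}
```

The point of the pattern is that the escaping decision is made at the output site, where the context (element text, attribute, or trusted-markup region) is known, rather than relying on a field being "safe" because an editor typed it.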

Additional Security Fixes

ACF 6.2.7 also includes two further security fixes, and a host of other security improvements. Specifically, two potential XSS vulnerabilities have been fixed, one affecting select2 field rendering where a value contains HTML, and another affecting field names or Flexible Content field layout names where unsafe HTML could be saved.

Additionally, we’ve made a sweep of all of ACF’s own HTML output, including translated strings and any other content rendered in ACF’s admin screens, to ensure it is escaped.

Security and the ACF Shortcode

The ACF shortcode is a legacy feature designed to allow your users to output ACF data stored anywhere in your database, on a post or a page.

In the past few years, we’ve made significant progress on improving the security of the ACF shortcode. In ACF 5.11.2, we prevented the shortcode from being able to access non-ACF post meta values, and in ACF 6.0.3 we introduced further changes to ensure only users who have the publish_posts permission are able to preview the ACF shortcode, meaning contributors are unable to use preview modes to view ACF data without authorisation, and we’ve even reported shortcode vulnerabilities in WordPress core which have been patched.

That said, the fundamental premise of the ACF shortcode is to allow users to access that data, should they know the ACF field name or key, and where the data is stored, whether that’s in posts (including private posts), users, terms or options pages.

This isn’t an issue if you trust all your users who have the publish_posts permission. However, if you don’t (for example, you hide some options pages from users with that permission) and the user knows your field name or key, they could use the shortcode to publish a post which exposes that information.

For this reason, since ACF 6.0.3 we’ve recommended users disable the shortcode if they’re not using it.

Following a recent vulnerability report made to the ACF team, describing our documented behavior as a security vulnerability, we’ve decided to begin the process of disabling the ACF shortcode by default for new installs of ACF after the release of ACF 6.3. Existing installs of ACF will not be affected by this change.

From ACF 6.3, due for release later this year, if we detect that your ACF was first installed after the release of ACF 6.3, the shortcode will be disabled by default and will require explicit opt-in to enable it, using the following code:

add_action( 'acf/init', 'enable_acf_shortcode' );
function enable_acf_shortcode() {
    acf_update_setting( 'enable_shortcode', true );
}

In addition to this, ACF 6.2.7 contains a new filter which allows you to limit the values accessible to the ACF Shortcode.

This filter, acf/shortcode/prevent_access, allows you to return true to disallow the shortcode’s access to that field. For example, you could prevent access to any fields stored as options, or to any field values on a user or on a post or page with private visibility.

For full information on the filter, along with example code for each of those examples, please view the filter documentation.
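As an added example (not code from the ACF release post or the filter documentation), the two hardening steps described above side by side: disabling the shortcode outright on sites that do not use it, which is the inverse of the opt-in snippet shown earlier, and, on sites that do need it, fencing off the data stores the post describes (options pages, users, terms, private posts). The filter name and the enable_shortcode setting are from this post; the filter’s argument list ($prevent_access, $attributes, $post_id, $field_type, $field) is assumed from ACF’s filter documentation and should be checked against it, and the function names prefixed mysite_ are placeholders.

```php
<?php
// Added example, not ACF's own code.

// 1. Sites that never use [acf ...]: turn the shortcode off entirely.
//    This mirrors the 6.3 opt-in snippet with the setting set to false.
add_action( 'acf/init', 'mysite_disable_acf_shortcode' );
function mysite_disable_acf_shortcode() {
    acf_update_setting( 'enable_shortcode', false );
}

// 2. Sites that need the shortcode: block the stores a publisher should not
//    be able to expose in a public post. Returning true denies access.
//    Argument list assumed from ACF's filter documentation.
add_filter( 'acf/shortcode/prevent_access', 'mysite_acf_shortcode_guard', 10, 5 );
function mysite_acf_shortcode_guard( $prevent_access, $attributes, $post_id, $field_type, $field ) {
    // Never undo a denial made by another callback.
    if ( $prevent_access ) {
        return true;
    }

    // ACF addresses non-post stores with string IDs: 'option'/'options' for
    // options pages, 'user_123' for users, 'term_45' (or '{taxonomy}_45') for
    // terms. Only plain numeric post IDs are allowed through this guard.
    if ( ! is_numeric( $post_id ) ) {
        return true;
    }

    $post_id = (int) $post_id;

    // Posts with private visibility must not be readable via a public post.
    if ( 'private' === get_post_status( $post_id ) ) {
        return true;
    }

    // Password-protected posts are treated the same way.
    if ( post_password_required( $post_id ) ) {
        return true;
    }

    return false;
}
```

The guard is deliberately allow-list shaped: anything that is not a readable, non-private post is denied, so a new storage location added later (or a field key the site owner forgot about) defaults to being inaccessible rather than exposed. Keep the disable step and the guard in a site plugin rather than the theme so a theme switch does not silently re-enable the shortcode.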

Changelog

  • Security Fix – the_field now escapes potentially unsafe HTML as notified since ACF 6.2.5. For full information, please read the release blog post
  • Security Fix – Field and Layout names are now enforced to alphanumeric characters, resolving a potential XSS issue
  • Security Fix – The default render template for select2 fields no longer allows HTML to be rendered resolving a potential XSS issue
  • Security Enhancement – An acf/shortcode/prevent_access filter is now available to limit what data the ACF shortcode is allowed to access
  • Security Enhancement – i18n translated strings are now escaped on output
  • Enhancement – ACF now universally uses WordPress file system functions rather than native PHP functions

For questions and help about this release, please contact our support team.
