24 Jun

ACF 6.3.2 Security Release

By Liam Gladdy

Advanced Custom Fields version 6.3.2 is now available.

This release contains several miscellaneous security fixes found in a recently commissioned external security audit of ACF and ACF PRO’s codebase.

👨‍💻 Please find the release notes below. And for the latest ACF news, follow us on Twitter @wp_acf.

We take the security of ACF extremely seriously and are always working on protecting our users. If you have discovered a vulnerability in the code or have a security issue, please see our Security page for more information.


  • Security Fix – ACF now generates different nonces for each AJAX-enabled field, preventing subscribers or front-end form users from querying other field results
  • Security Fix – ACF now correctly verifies permissions for certain editor only actions, preventing subscribers performing those actions
  • Security Fix – Deprecated a legacy private internal field type (output) to prevent it being able to output unsafe HTML
  • Security Fix – Improved handling of some SQL filters and other internal functions to ensure output is always correctly escaped
  • Security Fix – ACF now includes blank index.php files in all folders to prevent directory listing of ACF plugin folders for incorrectly configured web servers

For questions and help about this release, please contact our support team.

About the Author