28 Aug

ACF 6.3.6 Security Release

By Liam Gladdy

Advanced Custom Fields version 6.3.6 is now available.

This release contains important security fixes, along with other bug fixes and a new field setting to mark fields as accessible to content editors via Block Bindings or the ACF Shortcode.

Field Value Access in the Content Editor

The ACF shortcode is a way for content editors to access ACF field values when creating and displaying post content. Recent releases of ACF have made significant improvements to the security of the ACF Shortcode, and to further this the ACF Shortcode is disabled by default for new installs of ACF 6.3.0 and later. However, allowing site users to access field data in the editor requires trust and will always have an inherent security risk. That is also more of an issue with recent WordPress features like Block Bindings and Bits (which is coming soon).

In order to support these new features securely, and improve the level of security for the existing ACF Shortcode, ACF 6.3.6 introduces a new field level setting, Allow Access to Value in Editor UI. This setting marks a field as allowable for editors to access and use the field value inside content.

For example, this means developers can allow certain fields to be accessed by the ACF shortcode without allowing content editors to access fields used on internal Options Pages that only site admins should access.

The field setting can be accessed by editing the field and navigating to the ‘Presentation’ tab:

An example screenshot showing the new setting for exposing fields in editor UI features

For any fields created prior to ACF 6.3.6 the setting is enabled by default matching the existing behavior, but for all new fields added after, it will be disabled. This means that when creating fields, you’ll need to explicitly opt-in to allowing content editors to access the field. This will not impact any code-based accessing of values, such as the_field,get_field, or get_post_meta, and only applies to any existing or upcoming methods for accessing field values in the content editor.

We recommend that after upgrading to 6.3.6, ACF users revisit their field groups and fields and toggle the setting to ‘off’ for any fields which contain sensitive information, especially for those fields attached to Options Pages or users.

Wrap Up

👨‍💻 Please find the release notes below. And for the latest ACF news, follow us on Twitter @wp_acf.

We take the security of ACF extremely seriously and are always working on protecting our users. If you have discovered a vulnerability in the code or have a security issue, please see our Security page for more information.

Changelog

  • Security – Newly added fields now have to be explicitly set to allow access in the content editor (when using the ACF shortcode or Block Bindings) to increase the security around field permissions
  • Security Fix – Field labels are now correctly escaped when rendered in the Field Group editor, to prevent a potential XSS issue. Thanks to Ryo Sotoyama of Mitsui Bussan Secure Directions, Inc. for the responsible disclosure
  • Fix – Validation and Block AJAX requests nonces will no longer be overridden by third party plugins
  • Fix – Detection of third party select2 libraries will now default to v4 rather than v3
  • Fix – Block previews will now display an error if the render template PHP file is not found

For questions and help about this release, please contact our support team.

About the Author