ACF has made a routine update to patch a recently identified issue. Updates for WP Engine hosting customers, ACF PRO users, and those free users who have already updated manually from our download site are working as normal.
For those ACF users still relying on WordPress.org, we invite you to use our solution to ensure you receive updates going forward. Learn how to manually update to the latest version of ACF: please follow this process.
We have made a copy of the update available to the WordPress.org Security team, who have posted it to the plugin repository (see ACF 6.3.6.1). To ensure we are able to ship future versions to you without interruption, we recommend you download a new version of ACF directly.
This latest release contains a security fix for Post Type and Taxonomy metabox callbacks. The vulnerability addresses the unlikely scenario where one user with ACF admin permissions attacks a different admin user with permissions to create or modify posts, or in a Multisite configuration where a single site admin attempts to exploit a super admin to modify or add a new post.
We recommend upgrading to ACF version 6.3.8 as WP Engine remains blocked from accessing .org. Following this process can ensure that you are getting updates as new features are shipped as well as security patches.
ACF PRO customers will be automatically updated to 6.3.8 as normal.
WP Engine’s robust security program ensures that our plugin’s development and delivery are as safe as possible.
Our team worked to ensure that a fix was shipped as soon as possible, and well before the normal 90-day timeline typical for a vulnerability of this nature, and we will continue to work to ensure that you have the best possible experience with ACF.
For questions and help about this release, please contact our support team.