Advanced Custom Fields version 6.8.5 is now available.

This release contains several security fixes for ACF and ACF PRO.

We recommend that all users of ACF and ACF PRO upgrade as soon as possible.

Wrap Up

👨‍💻 Please find the release notes below. And for the latest ACF news, follow us on Twitter @wp_acf.

We take the security of ACF extremely seriously and are always working on protecting our users. If you have discovered a vulnerability in the code or have a security issue, please see our Security page for more information.

Changelog

  • Security – ACF PRO’s save handler for WooCommerce order fields now verifies security nonces and only attaches on the order edit screen, preventing unauthenticated field value updates for stores utilizing HPOS
  • Security – The Flexible Content “Rename Layout” modal no longer allows for the execution of a potential stored XSS vulnerability
  • Security – A default limit of 1000 has been applied to user-contributed choices for Checkbox, Radio, and Select fields to improve security, with a new acf/fields/max_appended_choices filter available for customization
  • Security – Special characters within LIKE patterns are now fully escaped in wp_options queries via $wpdb->esc_like()

For questions and help about this release, please contact our support team.