As one of the largest plugins in the WordPress ecosystem, we take the security of ACF extremely seriously and we work hard to ensure the plugin is as safe as possible.

We are committed to patching security vulnerabilities in the plugin as they are reported to us, in a responsible and timely manner. We typically release minor versions of ACF and ACF PRO to patch security issues, and these releases normally contain only the security fix. We document the security releases in blog posts about each release, often with extended detail about any changes required after updating.

Security is paramount. No one wants to deal with a hacked site. However, the effort to make ACF as secure as possible does sometimes result in changes that impact ACF field data. We do our best to avoid and mitigate breaking changes in that case.

We will backport security fixes to the previous major version for up to a year after the release of the current version. For example, patches to ACF 6.x will continue to be released until a year after the launch of ACF 7.

Plugin Security

Plugins in Scope

Reporting a Vulnerability

If you have found a security vulnerability or other security issue with the plugins, please submit the vulnerability via our Vulnerability Disclosure Program.

Security Companies

If you are a security company and have had an ACF vulnerability reported to you, please contact the team directly with the report details –

Website Security

If you have found a vulnerability or security issue on the website, please submit the vulnerability via our Vulnerability Disclosure Program.

Please ensure the website vulnerability meets the ‘In Scope’ requirements of our VDP.