Advanced Custom Fields version 6.3.2 is now available.
This release contains several miscellaneous security fixes found in a recently commissioned external security audit of ACF and ACF PRO’s codebase.
👨‍💻 Please find the release notes below. And for the latest ACF news, follow us on Twitter @wp_acf.
We take the security of ACF extremely seriously and are always working on protecting our users. If you have discovered a vulnerability in the code or have a security issue, please see our Security page for more information.
Changelog
- Security Fix – ACF now generates a different nonce for each AJAX-enabled field, so subscribers or front-end form users can no longer reuse one field's nonce to query the results of other fields
- Security Fix – ACF now correctly verifies permissions for certain editor-only actions, preventing subscribers from performing those actions
- Security Fix – Deprecated a legacy private internal field type (output) so it can no longer be used to output unsafe HTML
- Security Fix – Improved handling of some SQL filters and other internal functions to ensure their output is always correctly escaped
- Security Fix – ACF now ships blank index.php files in all plugin folders, preventing directory listing of ACF's folders on web servers that are configured to allow it
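The first, second and fourth items above describe the same pattern: an admin-ajax handler should tie its nonce to the specific field it serves, check the caller's capability separately from the nonce, and escape whatever it returns. The following is an added example written for this page, not ACF's own code; the function names (acf_demo_field_nonce_action, acf_demo_field_nonce, acf_demo_lookup_choices), the 'nonce', 'field_key' and 's' request parameters, the edit_posts capability and the sample choice list are all hypothetical. Only the WordPress core functions it calls are real.

```php
<?php
/**
 * Added example, not code from ACF: an admin-ajax handler for a
 * hypothetical "lookup choices" request. It scopes its nonce to one
 * field, checks capability before doing any work, and escapes on output.
 * All acf_demo_* names, request parameters and sample data are made up.
 */

// Derive the nonce action from the field key, so a nonce minted for one
// field does not validate a request about a different field.
function acf_demo_field_nonce_action( $field_key ) {
    return 'acf_demo_lookup_' . sanitize_key( $field_key );
}

// Called where the field is rendered: one nonce per field, sent back
// with the AJAX request as the 'nonce' parameter.
function acf_demo_field_nonce( $field_key ) {
    return wp_create_nonce( acf_demo_field_nonce_action( $field_key ) );
}

// AJAX handler. It is hooked with wp_ajax_ only (no wp_ajax_nopriv_),
// so anonymous visitors never reach it at all.
function acf_demo_lookup_choices() {
    $field_key = isset( $_POST['field_key'] )
        ? sanitize_key( wp_unslash( $_POST['field_key'] ) )
        : '';
    if ( '' === $field_key ) {
        wp_send_json_error( 'missing field', 400 );
    }

    // 1. The nonce must have been issued for THIS field. With the default
    //    third argument check_ajax_referer() terminates the request on mismatch.
    check_ajax_referer( acf_demo_field_nonce_action( $field_key ), 'nonce' );

    // 2. A nonce proves intent, not privilege. Editor-only work still needs a
    //    capability check, otherwise a Subscriber holding a valid nonce for
    //    their own front-end form could invoke it.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $search = isset( $_POST['s'] )
        ? sanitize_text_field( wp_unslash( $_POST['s'] ) )
        : '';

    // Constructed sample data standing in for whatever the real field queries.
    $all     = array( 'alpha', 'beta', 'gamma' );
    $matches = array_values( array_filter( $all, function ( $v ) use ( $search ) {
        return '' === $search || false !== stripos( $v, $search );
    } ) );

    // 3. Escape at the point of output: the client will place these into HTML.
    wp_send_json_success( array_map( 'esc_html', $matches ) );
}
add_action( 'wp_ajax_acf_demo_lookup_choices', 'acf_demo_lookup_choices' );
```

The order of the checks matters: the nonce check runs first because it is cheap and fails closed, the capability check runs before any data is touched, and escaping happens last, on the values actually sent. The blank index.php item is a separate, defence-in-depth measure; the primary fix for directory listing is still the server configuration (for Apache, `Options -Indexes` on the document root), and the index.php files only cover hosts where that was never set.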
For questions and help about this release, please contact our support team.
About the Author
Liam’s a veteran WordPress developer based in Bath, UK. He’s a fan of all things devops, gaming and coffee, but is still working on his espresso skills. Just don’t ask him to try latte art… the results are never good.