Advanced Custom Fields version 6.0.3 is now available! 🚀🎉
This release includes some additional enhancements and fixes to the new UI released in ACF 6.0, and some important security changes to where the ACF shortcode can be used, and introduces new settings and filters to control the ACF shortcode. Read on to find out how it might affect you.
The purpose of the ACF shortcode is to display ACF field data across your website. The ACF shortcode is often used by third-party page and theme builders, as their way to expose ACF fields in their template system.
Currently, the ACF shortcode ensures that the ACF data being accessed is valid data that has been entered into ACF fields, but depending on your site configuration, it may allow contributors to access data which isn’t intended, such as data stored in options pages – if they know (or guess) the ACF field name or key.
For the many developers who don’t use the ACF shortcode across their sites, we’ve added a new ACF setting which will disable the ACF shortcode altogether. We recommend users disable the ACF shortcode where possible using the following code in their themes. This will ensure your ACF data can only be output via your theme template code, rather than via content added in the editor or potentially via user submitted content:
    // Runs once ACF has loaded its own settings, so the override sticks.
    add_action( 'acf/init', 'set_acf_settings' );
    function set_acf_settings() {
        acf_update_setting( 'enable_shortcode', false );
    }
We recommend theme and plugin developers who rely on the ACF shortcode explicitly set this setting to true. We’ll be reaching out to the main page builder plugin developers to ask them to enable this setting too should they require it for their users to make sure there are no issues in the future if we change this setting by default.
To prevent contributors from being able to view ACF data before publish, in ACF 6.0.3 only users with the publish_posts capability will be able to view the results of an ACF shortcode while previewing a post, meaning that an editor must publish the post before the data can be viewed by users with lesser permissions. This mostly affects contributors, or custom roles without the publish_posts capability.
For developers who trust their contributors, the default capability can be changed from publish_posts using the new acf/shortcode/preview_capability filter:
    add_filter(
        'acf/shortcode/preview_capability',
        function( $capability ) {
            // Any user who can edit posts may now see shortcode output in previews.
            return 'edit_posts';
        }
    );
The message shown to users affected by this change will default to “[ACF shortcode value disabled for preview]”, although it can be filtered with the new acf/shortcode/preview_capability_message filter:
    add_filter(
        'acf/shortcode/preview_capability_message',
        function( $message ) {
            return 'The value of this ACF shortcode will be visible on publish.';
        }
    );
ACF 6.0.3 also limits the block types which are allowed to render the ACF shortcode. By default, only core blocks which render content using the the_content filter will be allowed to display ACF shortcodes. This covers the shortcode block and standard core paragraph blocks, which are the two most common places the ACF shortcode is used.
This change only applies to block themes, and can be disabled using the new filter acf/shortcode/allow_in_block_themes_outside_content as shown below, which will enable the ACF shortcode to be rendered in any block which allows shortcode rendering.
add_filter( 'acf/shortcode/allow_in_block_themes_outside_content', '__return_true' );
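The snippets above each set one control in isolation. The following must-use plugin is an added example, not code from ACF or the release notes, that applies all three controls together in a default-deny way: the shortcode stays disabled unless the site opts in, the preview capability is only relaxed when a second opt-in is present, and the block-theme restriction is pinned explicitly so a future change to ACF's defaults cannot silently widen exposure. The constants MYSITE_ACF_SHORTCODE_NEEDED and MYSITE_ACF_TRUST_CONTRIBUTORS are hypothetical and would be defined in wp-config.php; they are not ACF settings. The ACF functions used (acf_update_setting, acf_get_setting) and the hooks are the ones named on this page or in ACF's public API.

```php
<?php
/**
 * Plugin Name: Site ACF shortcode policy (added example, not ACF's own code)
 *
 * Place in wp-content/mu-plugins/ so it loads on every request and cannot be
 * deactivated from the admin UI. Assumes ACF 6.0.3+ or 5.12.4+.
 */

// Default-deny: enable the shortcode only when the site explicitly opts in via
// the hypothetical MYSITE_ACF_SHORTCODE_NEEDED constant.
add_action( 'acf/init', 'mysite_acf_shortcode_policy' );
function mysite_acf_shortcode_policy() {
    if ( ! function_exists( 'acf_update_setting' ) ) {
        return; // ACF not loaded or too old to expose the setting.
    }

    $needed = defined( 'MYSITE_ACF_SHORTCODE_NEEDED' ) && MYSITE_ACF_SHORTCODE_NEEDED;

    // Set the value either way, so the site's behaviour does not depend on
    // whatever default a future ACF release ships with.
    acf_update_setting( 'enable_shortcode', $needed );
}

// Preview capability: keep ACF's default (publish_posts) unless the site has
// opted in to trusting contributors via the hypothetical
// MYSITE_ACF_TRUST_CONTRIBUTORS constant, in which case relax to edit_posts.
add_filter( 'acf/shortcode/preview_capability', function ( $capability ) {
    if ( defined( 'MYSITE_ACF_TRUST_CONTRIBUTORS' ) && MYSITE_ACF_TRUST_CONTRIBUTORS ) {
        return 'edit_posts';
    }
    return $capability; // unchanged: whatever ACF passed in.
} );

// Placeholder shown in previews to users below the capability threshold.
add_filter( 'acf/shortcode/preview_capability_message', function ( $message ) {
    return '[Field value hidden until this post is published]';
} );

// Pin the block-theme restriction to "on". Change to __return_true only if a
// page builder on this site renders the shortcode outside the_content.
add_filter( 'acf/shortcode/allow_in_block_themes_outside_content', '__return_false' );

// Audit aid: when WP_DEBUG is on, record the effective policy in the PHP error
// log so a reviewer can confirm it without opening the admin UI. Priority 20
// runs after the policy function above (priority 10).
add_action( 'acf/init', function () {
    if ( ! ( defined( 'WP_DEBUG' ) && WP_DEBUG ) || ! function_exists( 'acf_get_setting' ) ) {
        return;
    }
    error_log( sprintf(
        '[acf-policy] enable_shortcode=%s preview_capability=%s',
        acf_get_setting( 'enable_shortcode' ) ? 'true' : 'false',
        apply_filters( 'acf/shortcode/preview_capability', 'publish_posts' )
    ) );
}, 20 );
```

Because the file lives in mu-plugins it runs before the active theme, so a theme that sets enable_shortcode on acf/init at the default priority would still win; raise this plugin's priority above the theme's if you need the policy to be authoritative, and confirm the outcome from the debug log line rather than assuming it.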
For those users holding off on upgrading to ACF 6, we’ve released ACF 5.12.4, which includes all the shortcode security changes listed above. Automatic upgrades to this version are not supported; it will need to be updated manually.
PRO customers can download it from their account, and users of the free plugin can download it from the WordPress plugin directory.
Once the 5.12.4 zip has been downloaded, you can update the plugin using your normal deployment system or manually on a site by logging into the site admin and navigating to ‘Plugins’ > ‘Add New’ > ‘Upload plugin’ then choosing the 5.12.4 zip file. WordPress will ask you if you want to overwrite the existing plugin version to upgrade.
h1, h2 or h3 CSS classes outside of the ACF admin screens
For questions and help about this release, please contact our support team.
For plugin support, please contact our support team directly, as comments aren't actively monitored.