18 Oct 22

ACF 6.0.3 Release – Security Changes to the ACF Shortcode and UI Improvements

By Liam Gladdy

Advanced Custom Fields version 6.0.3 is now available! 🚀🎉

This release includes some additional enhancements and fixes to the new UI released in ACF 6.0, and some important security changes to where the ACF shortcode can be used, and introduces new settings and filters to control the ACF shortcode. Read on to find out how it might affect you.

The ACF Shortcode

The purpose of the ACF shortcode is to display ACF field data across your website. The ACF shortcode is often used by third-party page and theme builders, as their way to expose ACF fields in their template system.

Currently, the ACF shortcode ensures that the ACF data being accessed is valid data that has been entered into ACF fields, but depending on your site configuration, it may allow contributors to access data which isn’t intended, such as data stored in options pages – if they know (or guess) the ACF field name or key.

Disabling the ACF shortcode altogether

For the many developers who don’t use the ACF shortcode across their sites, we’ve added a new ACF setting which will disable the ACF shortcode altogether. We recommend users disable the ACF shortcode where possible using the following code in their themes. This will ensure your ACF data can only be output via your theme template code, rather than via content added in the editor or potentially via user submitted content:

add_action( 'acf/init', 'set_acf_settings' );
function set_acf_settings() {
    // Turn off the [acf] shortcode site-wide; fields can then only be output from template code.
    acf_update_setting( 'enable_shortcode', false );
}

We recommend that theme and plugin developers who rely on the ACF shortcode explicitly set this setting to true. We’ll be reaching out to the main page builder plugin developers to ask them to enable this setting explicitly too, should they require it for their users, so that there are no issues in the future if we change the default.

Contributors

To prevent contributors from viewing ACF data before publish, in ACF 6.0.3 only users with the publish_posts capability will be able to view the results of an ACF shortcode while previewing a post – meaning that an editor must publish the post before the data can be viewed by users with lesser permissions. This mostly affects contributors, or custom roles without the publish_posts capability.

For developers who trust their contributors, the default capability can be changed from publish_posts using the new acf/shortcode/preview_capability filter:

add_filter(
    'acf/shortcode/preview_capability',
    function( $role ) {
        // $role receives the default capability ('publish_posts'); return the capability to require instead.
        return 'edit_posts';
    }
);

The message shown to users affected by this change will default to “[ACF shortcode value disabled for preview]”, although it can be filtered with the new acf/shortcode/preview_capability_message filter:

add_filter(
    'acf/shortcode/preview_capability_message',
    function( $message ) {
        return 'The value of this ACF shortcode will be visible on publish.';
    }
);

Block Themes

ACF 6.0.3 also limits the block types which are allowed to render the ACF shortcode. By default, only core blocks which render content using the the_content filter will be allowed to display ACF shortcodes – this covers the shortcode block and standard core paragraph blocks, which are the two most common places the ACF shortcode is used.

This change only applies to block themes, and can be disabled using the new acf/shortcode/allow_in_block_themes_outside_content filter as shown below, which will allow the ACF shortcode to be rendered in any block that permits shortcode rendering.

add_filter( 'acf/shortcode/allow_in_block_themes_outside_content', '__return_true' );
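The three controls above (the enable_shortcode setting, the preview capability and message filters, and the block-theme filter) pulled together into one must-use plugin, as an added example that is not ACF's own code nor part of this post: every control is set explicitly, and an admin notice reports the effective state so a page builder re-enabling the shortcode does not go unnoticed. MYSITE_ACF_NEEDS_SHORTCODE and the mysite_ prefix are assumed names; acf_get_setting() and wp_is_block_theme() are existing ACF and WordPress functions.

```php
<?php
/**
 * Plugin Name: ACF shortcode hardening (added example, not part of ACF)
 *
 * Place in wp-content/mu-plugins/ so it loads before the theme and cannot be
 * deactivated from the admin. MYSITE_ACF_NEEDS_SHORTCODE is a hypothetical
 * constant you would define in wp-config.php only on sites whose page builder
 * genuinely needs the [acf] shortcode.
 */

add_action( 'acf/init', 'mysite_harden_acf_shortcode' );
function mysite_harden_acf_shortcode() {
    $needs_shortcode = defined( 'MYSITE_ACF_NEEDS_SHORTCODE' ) && MYSITE_ACF_NEEDS_SHORTCODE;

    // Weak setting: leaving enable_shortcode at its default lets editor-entered or
    // user-submitted content reference any field by name or key (options pages included).
    // Corrected: set it explicitly, and only enable it where the site needs it.
    acf_update_setting( 'enable_shortcode', $needs_shortcode );
}

// Keep the secure preview default explicit: only users who can publish see
// shortcode output in previews. Lower this to edit_posts only if you trust
// every contributor with the data the shortcode can reach.
add_filter( 'acf/shortcode/preview_capability', function ( $capability ) {
    return 'publish_posts';
} );

add_filter( 'acf/shortcode/preview_capability_message', function ( $message ) {
    return '[ACF value hidden until this post is published]';
} );

// Keep the block-theme restriction (shortcode only inside the_content blocks).
add_filter( 'acf/shortcode/allow_in_block_themes_outside_content', '__return_false' );

// Audit: show administrators the effective state after all plugins have run acf/init.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) || ! function_exists( 'acf_get_setting' ) ) {
        return;
    }
    if ( acf_get_setting( 'enable_shortcode' ) ) {
        $theme = function_exists( 'wp_is_block_theme' ) && wp_is_block_theme() ? 'block theme' : 'classic theme';
        printf(
            '<div class="notice notice-warning"><p>%s</p></div>',
            esc_html( "The ACF shortcode is enabled on this site ({$theme}). Confirm a page builder requires it." )
        );
    }
} );
```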

ACF v5 Users

For those users holding off on upgrading to ACF 6, we’ve released ACF 5.12.4, which includes all the shortcode security changes listed above. Automatic upgrades to this version are not supported; it will need to be updated manually.

PRO customers can download it from their account, and users of the free plugin can download it from the WordPress plugin directory.

Once the 5.12.4 zip has been downloaded, you can update the plugin using your normal deployment system or manually on a site by logging into the site admin and navigating to ‘Plugins’ > ‘Add New’ > ‘Upload plugin’ then choosing the 5.12.4 zip file. WordPress will ask you if you want to overwrite the existing plugin version to upgrade.

Changelog

  • Security Fix – ACF shortcode security fixes detailed here
  • Improvement – Field names and keys now copy to clipboard on click, and do not open a field
  • Fix – The field type input now has default focus when adding a new field
  • Fix – ACF no longer publishes h1, h2 or h3 CSS classes outside of the ACF admin screens
  • Fix – Conditional field settings now work correctly across different tabs
  • Fix – The field list for sub fields is now full width
  • Fix – ACF admin notices now display with correct margin
  • Fix – Admin CSS improvements when using ACF in an RTL language
  • Fix – Clone fields now have the presentation tab for setting wrapper properties when in group display mode
  • Fix – Appended labels on field settings will now be displayed in the correct place
  • Accessibility – The move field modal is now keyboard and screen reader accessible

For questions and help about this release, please contact our support team.

  • Carl says:

    For those who installed 6.0.2 will they be able to go back to 5.12.x? I’m having a hard time with nested fields (Repeaters mostly) that when you modify or add a new field outside of it. It’s saving it inside the repeater instead. I’m guessing the drag & drop UI is messing this up on saving

    After that save, I need to go inside the repeater to select that field and drag it outside where it’s supposed to be.

    • Iain says:

      Hey Carl, that doesn’t sound good – could you send us a support ticket via https://www.advancedcustomfields.com/support/ so we can dig in further please.

      • Carl says:

        Thanks, it’s submitted, and for the question I’ve been asking for weeks: is it possible to overwrite the plugin with 5.12.x after installing 6.0.2, or is it not downgradable?

        • Iain says:

          If you aren’t using ACF Blocks, then yes it’s straightforward to downgrade the install without issues.

          If you are using ACF Blocks and have not updated any pages with ACF blocks, or your ACF Block templates don’t rely on $block['id'], then it’s also fine to downgrade.

          If you have updated pages with ACF Blocks or are using $block['id'] in your templates, then after downgrading you should fix any issues by editing any pages with blocks.

  • Wayne Hooper says:

    I’ve logged into a few of my sites and some are showing 6.0.3 is available and others aren’t. Can it take a while for it to show?

    • Niels says:

      It can take a while indeed but you can also manually check for updates by clicking the ‘Check again’ link at the WordPress updates page at the top of the page.

  • Mark G - Reshift says:

    After the update to 6.0.3, displaying ACF with the /shortcode tag in WordPress with the Twenty Twenty-Two theme is no longer working. You mention enabling the shortcode function for ACF, but in which file do I place the code:

    add_action( 'acf/init', 'set_acf_settings' );
    function set_acf_settings() {
        acf_update_setting( 'enable_shortcode', true );
    }

    To enable ACF shortcodes again?

    Thanks Mark

  • Uditha Seo says:

    "Fix – Conditional field settings now work correctly across different tabs" What is this? Does this mean now can we add conditions across field group?

  • Christian Pucci says:

    On the other hand, I find it slower for us developers to insert voices. It takes me almost double the time and this is making me think. I think you need to fix this UI problem as soon as possible.