29 Oct 24

ACF 6.3.10 Security Release

By Liam Gladdy

Advanced Custom Fields version 6.3.10 is now available.

This release contains important security fixes, an improvement to the user experience of adding fields to a field group, and a bug fix for exporting post types and taxonomies.

Add Fields, Quicker

ACF 6.0 introduced the new UI for the ACF admin screens, especially for the field group editor to improve the user experience for adding fields. However, the ability to add lots of fields in a field group one after the other was still a task that wasn’t as easy as it should be and required a number of clicks.

ACF 6.3.10 introduces a small but powerful change to the workflow of creating fields. The field drawer now contains a ‘Close and Add Field’ button which allows you to easily close the existing field and add a new field underneath, with just one click:

An animation showing how close and add field works in ACF 6.3.10

This also allows you to add a field after another field, rather than adding the field at the bottom of the list and then having to manually reorder it to the specific spot.

Custom Post Type & Taxonomy Metabox Callbacks

Our last few releases have made changes for security to the way metabox callbacks for custom post types and taxonomies registered with ACF work. By their nature, they’re designed to allow users to execute a specific function when a post for the custom post type is rendered.

If an attacker was aware of an exploitable function available in the codebase of a site, they could set it as the callback and trigger that function to be called by another user, or an admin.

ACF 6.3.7, 6.3.8 and 6.3.9 made improvements to reduce that risk, especially around vulnerable functions that exist in WordPress core. ACF 6.3.10 makes a further change: setting a callback is now restricted to admins on single sites, or super admins in multisite installs.

By default from ACF 6.3.10 only admins will be able to set or change a callback for a custom post type or taxonomy.

This behavior is configurable with the new acf/settings/enable_meta_box_cb_edit filter.

Returning ‘false’ on that filter will disable the metabox callback entirely. Alternatively, you may wish to add custom logic based on the current user, enabling (or disabling) the option only for specific groups by returning true or false from a custom function attached to that filter.
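As an added example (not code from the ACF post or the plugin itself), the snippet below attaches a function to that filter to lock callback editing down further than the default. The helper name is hypothetical, and it assumes the filter passes the current boolean setting as its first argument, as ACF settings filters do:

```php
<?php
/**
 * Added example: restrict who can set or change metabox callbacks
 * for ACF-registered post types and taxonomies (ACF 6.3.10+).
 *
 * Hypothetical helper: returns true only for users this site trusts
 * to register PHP callbacks, i.e. super admins, and only on requests
 * made from the WordPress admin (callbacks are edited there, not via
 * the front end).
 */
function my_site_can_edit_meta_box_cb( $current ) {
    // Honour an explicit site-level kill switch first. Defining this
    // constant in wp-config.php disables callback editing everywhere.
    if ( defined( 'MY_SITE_DISABLE_ACF_META_BOX_CB' ) && MY_SITE_DISABLE_ACF_META_BOX_CB ) {
        return false;
    }

    // Never loosen the setting: if ACF already says false, keep false.
    if ( ! $current ) {
        return false;
    }

    // Only super admins may set callbacks. On single-site installs
    // is_super_admin() is true for users who can delete users, so this
    // matches ACF's own admin requirement; on multisite it is stricter.
    if ( ! is_super_admin() ) {
        return false;
    }

    // Restrict editing to the admin area itself.
    return is_admin();
}

add_filter( 'acf/settings/enable_meta_box_cb_edit', 'my_site_can_edit_meta_box_cb' );
```

Place this in a must-use plugin or your theme's functions.php so it is registered before ACF reads the setting.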

Upgrading

If you are using the free ACF plugin, to receive the latest update please make sure you have updated to ACF 6.3.7 or later following these steps.

If your sites are running ACF PRO and have a valid license activated, you will see the update available as normal.

Wrap Up

👨‍💻 Please find the release notes below. And for the latest ACF news, follow us on Twitter @wp_acf.

We take the security of ACF extremely seriously and are always working on protecting our users. If you have discovered a vulnerability in the code or have a security issue, please see our Security page for more information.

Changelog

  • Security – Setting a metabox callback for custom post types and taxonomies now requires being an admin, or super admin for multisite installs
  • Security – Field specific ACF nonces are now prefixed, resolving an issue where third party nonces could be treated as valid for AJAX calls
  • Enhancement – A new “Close and Add Field” option is now available when editing a field group, inserting a new field inline after the field being edited
  • Enhancement – ACF and ACF PRO now share the same plugin updater for improved reliability and performance
  • Fix – Exporting post types and taxonomies containing metabox callbacks now correctly exports the user defined callback

For questions and help about this release, please contact our support team.
