Advanced Custom Fields version 6.3.4 is now available.
This release contains improvements and refinements to block validation, and some further changes to the ACF Shortcode.
The ACF shortcode has been disabled by default since ACF 6.3 for new installs. In this release, we’ve added a notice that is shown if you attempt to use the shortcode while it is disabled and preview a post.
We’ve also enabled by default a filter from the documentation, which prevents the shortcode from accessing fields on a non-public post. This only applies when you attempt to read ACF fields in the shortcode from a different post which is not public.
This new behavior is filterable by returning false on the new acf/shortcode/prevent_access_to_fields_on_non_public_posts filter, for example:
add_filter( 'acf/shortcode/prevent_access_to_fields_on_non_public_posts', '__return_false' );
We still recommend that all users using the ACF shortcode use the new filters added in ACF 6.2.7 to further limit its use to specific fields in specific places using the acf/shortcode/prevent_access filter. You can find out more about how to do this, with some examples, in the filter documentation.
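One way to apply that recommendation, as an added example that is not ACF's own code: a deny-by-default callback on acf/shortcode/prevent_access that lets the shortcode output only allowlisted fields from allowlisted post types. The field names, post types and function name are hypothetical, and the callback's argument order and the meaning of the object-type argument are assumptions to check against the filter documentation.

```php
<?php
/**
 * Added example: restrict the [acf] shortcode to an allowlist.
 *
 * Assumed callback arguments (verify against the filter documentation):
 * prevent flag, shortcode attributes, decoded object ID, decoded object
 * type ('post', 'user', 'term', 'option', ...), field type, field array.
 */
const MYSITE_SHORTCODE_FIELDS     = array( 'event_date', 'venue_name' ); // hypothetical field names
const MYSITE_SHORTCODE_POST_TYPES = array( 'post', 'page' );             // hypothetical post types

function mysite_limit_acf_shortcode( $prevent, $atts, $object_id, $object_type, $field_type, $field ) {
	// Never loosen a decision already made by ACF or an earlier callback.
	if ( $prevent ) {
		return true;
	}

	// Only fields stored on posts; blocks options pages, users and terms.
	if ( 'post' !== $object_type ) {
		return true;
	}

	// Match on the resolved field name, so a field key passed to the
	// shortcode cannot sidestep the allowlist. Unresolved fields are denied.
	$name = ( is_array( $field ) && isset( $field['name'] ) ) ? $field['name'] : '';
	if ( ! in_array( $name, MYSITE_SHORTCODE_FIELDS, true ) ) {
		return true;
	}

	// Only the content types where the shortcode is expected to read from.
	if ( ! in_array( get_post_type( (int) $object_id ), MYSITE_SHORTCODE_POST_TYPES, true ) ) {
		return true;
	}

	return false; // Allowlisted field on an allowlisted post type.
}
add_filter( 'acf/shortcode/prevent_access', 'mysite_limit_acf_shortcode', 10, 6 );
```

Returning true from the callback blocks the shortcode output, so anything not explicitly allowlisted stays hidden, and the non-public post check that 6.3.4 enables by default remains in effect alongside it.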
👨‍💻 Please find the release notes below. And for the latest ACF news, follow us on Twitter @wp_acf.
We take the security of ACF extremely seriously and are always working on protecting our users. If you have discovered a vulnerability in the code or have a security issue, please see our Security page for more information.
edit_posts capability but with custom capabilities for editing a custom post type, can now correctly load field groups loaded via conditional location rules
the_field, the_sub_field or the ACF shortcode, or when retrieved by a get_ function with the escape html parameter set
For questions and help about this release, please contact our support team.