ACF 6.2.5 Security Release: ACF will soon escape unsafe HTML

The Advanced Custom Fields (ACF) plugin for WordPress has released an update, version 6.2.5, which is primarily focused on enhancing security. This update introduces a significant change in how the ACF Shortcode outputs content, ensuring that any HTML generated by the shortcode is properly escaped using WordPress’s wp_kses function. This is a preventive measure against potential security vulnerabilities, particularly in scenarios where users without the unfiltered_html capability (typically anyone below an Administrator role) might inject harmful HTML or scripts into posts or pages via ACF fields.

ACF will soon escape unsafe HTML

Starting from version 6.2.5, if you have been using the ACF Shortcode to display content that includes HTML elements such as scripts or iframes, you may notice that this content is now being “escaped”, meaning it might not display as intended because the HTML tags are converted to safe characters. This is done to prevent malicious code from being executed on your site.

To assist website administrators in identifying which fields might be affected by this update, ACF will display a notice within the WordPress admin area if any content has been escaped due to this new security measure.

Looking ahead, ACF plans to extend this security feature to other functions, such as the_field() and the_sub_field(), starting from version 6.2.7, expected in February 2024. This means that similar escaping will apply to these functions as well, further securing the output of ACF fields across your site.
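The following must-use plugin is an added example, not ACF's own implementation: it applies the same WordPress KSES allowlist escaping to every string value ACF returns, so the_field() and the_sub_field() get the treatment the post describes for the shortcode, keyed on whether the content's author holds unfiltered_html. The hook acf/format_value and the WordPress functions are real; the author-capability check and the function names prefixed example_ are this example's own design.

```php
<?php
/**
 * Plugin Name: Escape ACF output for non-privileged authors (example)
 *
 * Added example, not part of ACF. Place in wp-content/mu-plugins/.
 * Field HTML is passed through WordPress's KSES allowlist unless the
 * post's author holds unfiltered_html. Values not attached to a
 * numeric post ID (options pages, users, terms) are treated as
 * untrusted and always escaped.
 */

// acf/format_value runs for get_field(), the_field() and the_sub_field()
// before the value reaches the template. Priority 20 lets ACF's own
// per-type formatting (e.g. WYSIWYG autop) run first.
add_filter( 'acf/format_value', 'example_escape_acf_value', 20, 3 );

function example_escape_acf_value( $value, $post_id, $field ) {
	// Only strings carry markup; arrays (repeater, gallery, relationship)
	// pass through, and their sub-fields are filtered individually.
	if ( ! is_string( $value ) || '' === $value ) {
		return $value;
	}

	if ( example_author_may_post_unfiltered_html( $post_id ) ) {
		return $value;
	}

	// wp_kses_post() uses the tag/attribute allowlist WordPress applies
	// to post_content for users without unfiltered_html: <script>,
	// <iframe>, on* handlers and javascript: URLs are removed.
	$escaped = wp_kses_post( $value );

	// Mirror ACF's admin notice by logging which field was changed.
	if ( $escaped !== $value && defined( 'WP_DEBUG' ) && WP_DEBUG ) {
		$name = isset( $field['name'] ) ? $field['name'] : '(unknown)';
		error_log( sprintf( 'ACF field "%s" on %s was escaped', $name, $post_id ) );
	}

	return $escaped;
}

function example_author_may_post_unfiltered_html( $post_id ) {
	// ACF post IDs may be "options", "user_3" or "term_7"; only a
	// numeric post ID has an author whose capabilities can be checked.
	if ( ! is_numeric( $post_id ) ) {
		return false;
	}
	$author_id = (int) get_post_field( 'post_author', (int) $post_id );
	return $author_id > 0 && user_can( $author_id, 'unfiltered_html' );
}
```

On a multisite install unfiltered_html is normally removed from every role, so this filter escapes all ACF output there; that matches the conservative behaviour described above.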

The update is a response to a vulnerability identified by Francesco Carlucci and the Wordfence team, specifically related to the ACF Shortcode. The ACF team has taken this opportunity to not only address the immediate vulnerability but also to implement broader security enhancements to ensure the safety of content output via ACF fields.

For developers and site owners, this update may require some adjustments to your site’s custom code or ACF field configurations, especially if you rely on ACF to output HTML elements that are now being escaped. ACF provides documentation and support to help you navigate these changes and ensure your site remains functional and secure.

To help you navigate these changes and ensure your WordPress site remains secure and functional, Muze Web Development Partners is here to assist. Whether it’s updating your custom code to align with ACF’s new security protocols or optimizing your site’s use of ACF fields, our team has the expertise to keep your site running smoothly.

Don’t let these updates slow you down. Contact Muze Web Development Partners today at (281) 772-8320. Let us help you adapt to these changes with ease and ensure your website remains secure and efficient.