Advanced Custom Fields (ACF) WordPress plugin, with over 2 million installations, announced the release of a security update, version 6.2.5, which patches an unspecified vulnerability. Details about this vulnerability are limited.
Although the specifics of potential exploits and damage remain unclear, ACF noted that the vulnerability requires contributor-level access or higher, which somewhat mitigates the ease of an attack.
ACF 6.2.5 May Introduce Breaking Changes
The security release warning highlighted that the changes in the update patch might cause disruptions to websites and provided instructions for debugging these changes.
The 6.2.5 update significantly alters how the ACF shortcode processes and outputs potentially unsafe HTML content. The output will now be escaped, typically removing unwanted HTML, such as malicious scripts or malformed HTML, to ensure rendered HTML is secure.
However, this enhancement in security might disrupt sites using the shortcode for complex HTML elements like scripts or iframes. Tags with misuse potential, such as <script> and <iframe>, will be automatically removed, though customization is possible according to site-specific needs.
Unusual And Complex Security Release
This security update is unique as it deviates from the typical process where a security researcher confidentially informs the WordPress plugin publisher of a vulnerability, followed by a quiet update. Usually, security researchers delay public announcements to allow users time to update their plugins.
In this case, due to the potential for breaking changes, ACF chose to openly announce the security release and alert users of possible issues caused by the fix, which can be mitigated with adjustments from the ACF user side.
6.2.7 Another Security Fix Scheduled For February 2024
The complexity in patching this vulnerability has resulted in a second security release, version 6.2.7, scheduled for February 2024. This allows plugin users more time to prepare for and mitigate other potential breaking changes.
Version 6.2.7 will extend these security measures to additional ACF functions, including the_field() and the_sub_field(). Site administrators are cautioned about possible alterations in HTML output and are advised to review their site’s compatibility with these impending changes.
There is also a way to manually implement the changes expected in version 6.2.7. ACF details that if you’re not storing unsafe HTML or are already escaping the data, you can opt-in to the new behavior of stripping unsafe HTML and triggering an error report in the WordPress admin panel using the following filter:
acf/the_field/escape_html_optin
Description Of The Vulnerability
The need for this update arises from a vulnerability allowing users with contributor roles, usually restricted from posting unfiltered HTML, to insert malicious code, bypassing ACF’s standard sanitization protocols and creating a security risk.
To counteract this, ACF 6.2.5 will detect and remove unsafe HTML from shortcode outputs. Affected fields will trigger error messages in the WordPress admin area, helping site owners identify and address the issues.
Upcoming Changes to the_field() Function
The the_field() function will undergo security revisions in version 6.2.5, and the the_sub_field() function will change in version 6.2.7. These functions will then incorporate HTML safety measures by default, preventing the output of potentially harmful content.
According to the announcement:
“This release is a security fix release containing an important change you need to be aware of before you update, and prepares for a change to the output of the_field coming soon to ACF.
From ACF 6.2.5, use of the ACF Shortcode to output an ACF field will be escaped by the WordPress HTML escaping function wp_kses.
This has the potential to be a breaking change if you’re using the shortcode () to output potentially unsafe HTML such as scripts or iframes for textarea or WYSIWYG fields.”
Regarding the upcoming changes to version 6.2.7, ACF version 6.2.5 will offer an alert if your site will be affected by the changes coming to version 6.2.7, allowing time to prepare in advance.
Guidance For Developers On Using ACF Securely
Developers are advised to handle HTML output with caution. For scenarios requiring unfiltered HTML output, such as script tags, using echo get_field() is recommended. For other cases, applying appropriate escaping functions like wp_kses_post, which sanitizes HTML output, is advised.
According to the official WordPress security documentation on the wp_kses_post function:
“Sanitizes content for allowed HTML tags for post content.
Description
Post content refers to the page contents of the ‘post’ type and not $_POST data from forms.
This function expects unslashed data.”
ACF’s update also introduces changes in field type handling, especially for fields typically outputting HTML, such as oEmbed and WYSIWYG. These changes aim to balance HTML output needs with security considerations.
ACF explains:
“To support this, we’ve added a way for field types to mark that they will handle the escaping of HTML when requested, via a new parameter $escape_html.
The new parameter is available on get_field and get_field_object, and is passed all the way through to the field’s format_value method.
This means if the field type supports handling escaping itself, setting this to true will get that escaped value.
This argument should not be used by end users, as it additionally requires a check to ensure the field type has been updated to support escaping its own HTML. For every core ACF field other than WYSIWYG, this property will currently have no effect on the value.”
All ACF users are urged to update to version 6.2.5 immediately to mitigate the identified security risks. Those not utilizing the ACF Shortcode are advised to disable it entirely.