Article, 18 January
ACF WordPress Plugin Vulnerability Affects Up To 2+ Million Sites
Advanced Custom Fields (ACF), a WordPress plugin with over 2 million installations, announced the release of a security update, version 6.2.5, that patches a vulnerability. The severity is not known, and only limited details about the vulnerability were released.
While it’s not known what kind of exploits are possible or the extent of damage that an attacker could cause, ACF did advise that the vulnerability requires contributor-level access or higher, which to a certain extent makes it more difficult to launch an attack.
ACF 6.2.5 May Introduce Breaking Changes
The security release announcement warned that the changes introduced by the update patch had the potential to cause websites to break and offered instructions on how to debug the changes.
The version 6.2.5 update introduces a significant change in how the ACF shortcode processes and outputs potentially unsafe HTML content. The output will now be escaped; escaping is a security step that typically strips or neutralises unwanted HTML, such as malicious scripts or malformed markup, so that the rendered HTML is safe.
However, this change, while enhancing security, might disrupt sites using the shortcode for rendering complex HTML elements like scripts or iframes.
Tags with a potential for misuse, such as <script> and <iframe>, will be automatically removed, though this is customizable according to specific site needs.
Unusual And Complex Security Release
This security update is unique because in most cases a security researcher confidentially alerts the WordPress plugin publisher of a vulnerability and the publisher quietly releases an update to address the problem. Typically the security researchers wait a few weeks before making a public announcement so that users have enough time to update their plugins before the vulnerability becomes widely known.
That’s not the case with this vulnerability because it’s complicated by the potential for breaking changes. So ACF is taking the step of announcing the security release and alerting users of potential issues caused by the fix, which can be mitigated but only with changes on the ACF user side.
6.2.7 Another Security Fix Scheduled For February 2024
The complexity of patching this vulnerability has led to the choice of introducing a second security release in February of this year, version 6.2.7. This will give plugin users extra time to prepare for and mitigate other potential breaking changes.
Version 6.2.7 will extend these security measures to additional ACF functions, including the_field() and the_sub_field(). Site administrators are cautioned about potential alterations in HTML output and are advised to review their site’s compatibility with these impending changes.
There is also a way to manually adopt the changes that are coming in version 6.2.7. ACF explains that if you’re not currently storing unsafe HTML, or you are storing unsafe HTML but are already escaping the data, then it’s possible to opt in to the new behavior of stripping unsafe HTML and triggering an error report in the WordPress admin panel with the following filter:
acf/the_field/escape_html_optin
Description Of The Vulnerability
The necessity for this update stems from a discovered vulnerability allowing users with contributor roles, typically restricted from posting unfiltered HTML, to insert malicious code. This issue bypasses ACF’s standard sanitization protocols, creating a potential security risk.
To counteract this vulnerability, ACF 6.2.5 will detect and remove unsafe HTML from shortcode outputs. Affected fields will trigger error messages in the WordPress admin area, aiding site owners in identifying and addressing the errors.
Upcoming Changes to the_field() Function
The the_field() function will undergo security revisions in version 6.2.5 and the the_sub_field() function will change in version 6.2.7. These functions will then incorporate HTML safety measures by default, preventing the output of potentially harmful content.
According to the announcement:
“This release is a security fix release containing an important change you need to be aware of before you update, and prepares for a change to the output of the_field coming soon to ACF.
From ACF 6.2.5, use of the ACF Shortcode to output an ACF field will be escaped by the WordPress HTML escaping function wp_kses.
This has potential to be a breaking change if you’re using the shortcode () to output potentially unsafe HTML such as scripts or iframes for textarea or WYSIWYG fields.”
Regarding the upcoming changes to version 6.2.7, ACF version 6.2.5 will offer an alert if your site will be affected by the changes coming to version 6.2.7, allowing time to prepare in advance.
Guidance For Developers On Using ACF Securely
Developers are advised to approach HTML output with caution. In scenarios necessitating unfiltered HTML output, such as script tags, the use of ‘echo get_field()’ is recommended. For other cases, applying appropriate escaping functions, like ‘wp_kses_post’, a security function that sanitizes HTML output, is recommended.
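One way to apply this guidance, together with the opt-in filter named earlier, in a child theme. This is an added example, not code from the article or from the ACF plugin; the field names, the demo_ function names and the constructed sample value are assumptions.

```php
<?php
/**
 * Added example (not from the article or from ACF): a child-theme
 * functions.php / template excerpt showing the output paths the article
 * contrasts and the opt-in filter it names. Field names 'intro' and
 * 'embed_code' and the sample value below are assumptions.
 */

// 1. Opt in now to the behaviour scheduled for 6.2.7: the_field() and
//    the_sub_field() strip unsafe HTML on output and raise an admin
//    notice, so affected fields surface before the February release.
add_filter( 'acf/the_field/escape_html_optin', '__return_true' );

// 2. Template usage: pick the output path per field deliberately.
function demo_render_fields() {
    // Default path: the_field() escapes (with the opt-in above, or from
    // 6.2.7 onward). Suitable for plain text and post-style markup.
    the_field( 'intro' );

    // Explicit escaping for markup you still want rendered: wp_kses_post()
    // keeps the tags allowed in post content and drops <script>, <iframe>
    // and event-handler attributes.
    echo wp_kses_post( get_field( 'intro' ) );

    // Unfiltered path: only for a field that trusted administrators fill
    // and that must carry raw HTML (scripts, iframes), the case the
    // article reserves 'echo get_field()' for. Contributor-level users
    // should not be able to edit such a field.
    echo get_field( 'embed_code' );
}

// 3. What wp_kses_post() does to a contributor-supplied value
//    (constructed sample, not data from the article): the onclick
//    attribute and the <script> tag are removed, the <p> survives.
function demo_escape_sample() {
    $untrusted = '<p onclick="alert(1)">Hello</p><script>alert(1)</script>';
    return wp_kses_post( $untrusted );
}
```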
According to the official WordPress security documentation page about the ‘wp_kses_post’ function:
“Sanitizes content for allowed HTML tags for post content.
Description
Post content refers to the page contents of the ‘post’ type and not $_POST data from forms.
This function expects unslashed data.”
ACF’s update also introduces modifications in field type handling, particularly for fields traditionally outputting HTML, such as oEmbed and WYSIWYG. These changes aim to balance the need for HTML output with security considerations.
ACF explains:
“To support this, we’ve added a way for field types to mark that they will handle the escaping of HTML when requested, via a new parameter $escape_html.
The new parameter is available on get_field and get_field_object, and is passed all the way through to the fields format_value method.
This means if the field type supports handling escaping itself, setting this to true will get that escaped value.
This argument should not be used by end users, as it additionally requires a check to make sure the field type has been updated to support escaping its own HTML. For every core ACF field other than WYSIWYG, this property will currently have no effect on the value.”
All ACF users are urged to update to version 6.2.5 immediately to mitigate the identified security risks. Additionally, those not utilizing the ACF Shortcode are advised to disable it entirely.
Read the official announcement:
Featured Image by Shutterstock/Perfect_kebab