Advanced Custom Fields (ACF), a WordPress plugin with over 2 million installations, announced the release of a security update, version 6.2.5, that patches a vulnerability whose severity is not known; only limited details have been released about the vulnerability.
While it is not known what kind of exploits are possible or the extent of damage an attacker could cause, ACF did advise that the vulnerability requires contributor-level access or higher, which to a certain extent makes it harder to launch an attack.
ACF 6.2.5 May Introduce Breaking Changes
The security release announcement warned that the changes introduced by the update had the potential to break websites and provided instructions on how to debug the changes.
The version 6.2.5 update introduces a significant change in how the ACF shortcode processes and outputs potentially unsafe HTML content. The output will now be escaped, a security process that typically removes unwanted HTML, such as malicious scripts or malformed markup, so that the rendered HTML is safe.
However, this change, while improving security, could disrupt sites that use the shortcode to render complex HTML elements like scripts or iframes.
Tags with a potential for misuse, such as <script> and <iframe>, will be automatically removed, though this is customizable according to specific site needs.
Unusual And Complex Security Release
This security update is unusual because typically a security researcher confidentially alerts the WordPress plugin publisher of a vulnerability and the publisher quietly releases an update to address the problem. Usually the security researchers wait several weeks before making a public announcement so that users have enough time to update their plugins before the vulnerability becomes widely known.
That is not the case with this vulnerability because it is complicated by the potential for breaking changes. So ACF is taking the step of announcing the security release and alerting users to potential issues caused by the fix, which can be mitigated but only with changes on the ACF user's side.
Another Security Fix Scheduled For February 2024
The complexity of patching this vulnerability has led to the decision to introduce a second security release in February of this year, version 6.2.7. This will give plugin users additional time to prepare for and mitigate other potential breaking changes.
Version 6.2.7 will extend these security measures to additional ACF functions, including the_field() and the_sub_field(). Site administrators are cautioned about potential alterations in HTML output and are advised to review their site's compatibility with these impending changes.
Description Of The Vulnerability
The need for this update stems from a discovered vulnerability allowing users with contributor roles, who are normally restricted from posting unfiltered HTML, to insert malicious code. This issue bypasses ACF's standard sanitization protocols, creating a potential security risk.
To counteract this vulnerability, ACF 6.2.5 will detect and remove unsafe HTML from shortcode outputs. Affected fields will trigger error messages in the WordPress admin area, helping site owners identify and address the errors.
Upcoming Changes to the_field() Function
The the_field() function will undergo security revisions in version 6.2.5 and the the_sub_field() function will change in version 6.2.7. These functions will then incorporate HTML safety measures by default, preventing the output of potentially harmful content.
According to the announcement:
“This release is a security fix release containing an important change you need to be aware of before you update, and prepares for a change to the output of the_field coming soon to ACF.
From ACF 6.2.5, use of the ACF Shortcode to output an ACF field will be escaped by the WordPress HTML escaping function wp_kses.
This has potential to be a breaking change if you’re using the shortcode () to output potentially unsafe HTML such as scripts or iframes for textarea or WYSIWYG fields.”
Regarding the upcoming changes in version 6.2.7, ACF version 6.2.5 will display an alert if your site will be affected by the changes coming in version 6.2.7, allowing time to prepare in advance.
Guidance For Developers On Using ACF Securely
Developers are advised to approach HTML output with caution. In scenarios that require unfiltered HTML output, such as script tags, using ‘echo get_field()’ is recommended. For other cases, applying appropriate escaping functions, like ‘wp_kses_post’, a security function that sanitizes HTML output, is recommended.
According to the official WordPress security documentation page on the ‘wp_kses_post’ function:
“Sanitizes content for allowed HTML tags for post content.
Post content refers to the page contents of the ‘post’ type and not $_POST data from forms.
This function expects unslashed data.”
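As an added example (not code from the ACF announcement or plugin), here is the raw output pattern next to the escaped pattern recommended above, as it would appear in a theme template; the field name author_bio, the helper function names and the sample value are assumptions:

```php
<?php
// Constructed sample of what a contributor might store in a textarea/WYSIWYG
// field: ordinary markup plus a script tag that should never reach the page.
// (Only for illustration; real values come from get_field().)
$sample_field_value = '<p>Hello <strong>world</strong></p><script>alert(1)</script>';

// Raw pattern: the stored markup reaches the page verbatim. Reserve this for
// fields that trusted editors intentionally fill with script/iframe markup.
function demo_output_raw( $field_name ) {
    echo get_field( $field_name );
}

// Hardened pattern: run the value through wp_kses_post(), which keeps the
// tags allowed for post content (<p>, <a>, <strong>, ...) and strips the
// rest, including <script> and <iframe> and on* event-handler attributes.
function demo_output_escaped( $field_name ) {
    $value = get_field( $field_name );
    if ( ! is_string( $value ) || '' === $value ) {
        return;
    }
    echo wp_kses_post( $value );
}

// For the constructed sample above, wp_kses_post() returns
// '<p>Hello <strong>world</strong></p>alert(1)': the tag is stripped, the
// inert text between the tags remains and can no longer execute.

// Site-specific allowlist: if one trusted field legitimately needs an
// <iframe>, extend the 'post' kses context instead of bypassing escaping.
add_filter( 'wp_kses_allowed_html', function ( $tags, $context ) {
    if ( 'post' === $context ) {
        $tags['iframe'] = array(
            'src'             => true,
            'width'           => true,
            'height'          => true,
            'allowfullscreen' => true,
        );
    }
    return $tags;
}, 10, 2 );

// Usage in a template, e.g. single.php:
// demo_output_escaped( 'author_bio' );
```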
ACF’s update also introduces changes in field type handling, particularly for fields that traditionally output HTML, such as oEmbed and WYSIWYG. These changes aim to balance the need for HTML output with security considerations.
“To support this, we’ve added a way for field types to mark that they will handle the escaping of HTML when requested, via a new parameter $escape_html.
The new parameter is available on get_field and get_field_object, and is passed through to the fields format_value method.
This means if the field type supports handling escaping itself, setting this to true will get that escaped value.
This argument should not be used by end users, as it additionally requires a check to make sure the field type has been updated to support escaping its own HTML. For every core ACF field other than WYSIWYG, this property will currently have no effect on the value.”
All ACF users are urged to update to version 6.2.5 immediately to mitigate the identified security risks. Additionally, those not using the ACF Shortcode are advised to disable it entirely.
Read the official announcement: