Sunday, July 7, 2024

ACF WordPress Plugin Vulnerability Impacts Up To 2+ Million Websites

Advanced Custom Fields (ACF), a WordPress plugin with over 2 million installations, announced the release of a security update, version 6.2.5, that patches a vulnerability whose severity is not known; only limited details have been released about the vulnerability.

While it is not known what kind of exploits are possible or the extent of damage an attacker could cause, ACF did advise that the vulnerability requires contributor-level access or higher, which to a certain extent makes it harder to launch an attack.

ACF 6.2.5 May Introduce Breaking Changes

The security release announcement warned that the changes introduced by the update had the potential to cause websites to break and offered instructions on how to debug the changes.

The version 6.2.5 update introduces a significant change in how the ACF shortcode processes and outputs potentially unsafe HTML content. The output will now be escaped, a security process that typically removes unwanted HTML such as malicious scripts or malformed markup so that the rendered HTML is safe.

However, this change, while improving security, could disrupt sites that use the shortcode to render complex HTML elements like scripts or iframes.

Tags with a potential for misuse, such as <script> and <iframe>, will be automatically removed, though this is customizable according to specific website needs.

Unusual And Complex Security Release

This security update is unusual because in most cases a security researcher confidentially alerts the WordPress plugin author to a vulnerability and the author quietly releases an update to address the problem. Typically the security researchers wait a few weeks before making a public announcement so that users have enough time to update their plugins before the vulnerability becomes widely known.

That is not the case with this vulnerability because it is complicated by the potential for breaking changes. So ACF is taking the step of announcing the security release and alerting users to potential issues caused by the fix, which can be mitigated but only with changes on the ACF user's side.

Another Security Fix Scheduled For February 2024

The complexity of patching this vulnerability has led to the decision to introduce a second security release in February of this year, version 6.2.7. This will give plugin users extra time to prepare for and mitigate other potential breaking changes.

Version 6.2.7 will extend these security measures to more ACF functions, including the_field() and the_sub_field(). Site administrators are cautioned about potential alterations in HTML output and are advised to review their website's compatibility with these impending changes.

Description Of The Vulnerability

The need for this update stems from a discovered vulnerability allowing users with contributor roles, normally restricted from posting unfiltered HTML, to insert malicious code. This issue bypasses ACF's standard sanitization protocols, creating a potential security risk.

To counteract this vulnerability, ACF 6.2.5 will detect and remove unsafe HTML from shortcode outputs. Affected fields will trigger error messages in the WordPress admin area, helping site owners identify and address the errors.

Upcoming Changes to the_field() Function

The the_field() function will undergo security revisions in version 6.2.5 and the_sub_field() function will change in version 6.2.7. These functions will then incorporate HTML safety measures by default, preventing the output of potentially harmful content.

According to the announcement:

“This release is a security fix release containing an important change you need to be aware of before you update, and prepares for a change to the output of the_field coming soon to ACF.

From ACF 6.2.5, use of the ACF Shortcode to output an ACF field will be escaped by the WordPress HTML escaping function wp_kses.

This has potential to be a breaking change if you're using the shortcode () to output potentially unsafe HTML such as scripts or iframes for textarea or WYSIWYG fields.”

Regarding the upcoming changes in version 6.2.7, ACF version 6.2.5 will provide an alert if your website will be affected by the changes coming in version 6.2.7, allowing time to prepare in advance.

Guidance For Developers On Using ACF Securely

Developers are advised to approach HTML output with caution. In scenarios requiring unfiltered HTML output, such as script tags, the use of ‘echo get_field()’ is recommended. For other cases, applying appropriate escaping functions, like ‘wp_kses_post’, a security function that sanitizes HTML output, is recommended.

According to the official WordPress documentation page about the ‘wp_kses_post’ function:

“Sanitizes content for allowed HTML tags for post content.

Description
Post content refers to the page contents of the ‘post’ type and not $_POST data from forms.

This function expects unslashed data.”
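As an added illustration of the guidance above (not code from ACF or WordPress), the following Python models the allow-list behaviour that wp_kses-style filtering applies to a contributor-supplied field value: tags outside the allow list such as <script> and <iframe> are dropped, event-handler attributes and javascript: URLs are stripped, and ordinary post markup passes through. The allow list, the scheme check and the sample field value are all constructed for this example and are far smaller than WordPress's real kses configuration.

```python
from html import escape
from html.parser import HTMLParser
# Simplified model of wp_kses-style allow-list filtering (constructed for this
# example, not WordPress's code): unlisted tags are dropped but their text is
# kept, unlisted attributes are dropped, and href/src need a safe scheme.
ALLOWED_TAGS = {"p": set(), "br": set(), "strong": set(), "em": set(), "ul": set(),
                "ol": set(), "li": set(), "a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}

def _safe_url(value):
    v = value.strip().lower()
    return v.startswith(("http://", "https://", "mailto:")) or ":" not in v

class KsesLikeFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:
            return  # <script>, <iframe>, ...: the tag goes, its text stays
        parts = [tag]
        for name, value in attrs:
            if name not in allowed or value is None:
                continue  # drops onerror=, style=, class=, ...
            if name in ("href", "src") and not _safe_url(value):
                continue  # drops javascript: and data: URLs
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if tag in VOID_TAGS else ">"))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is re-escaped on output

def kses_like(field_value):
    f = KsesLikeFilter()
    f.feed(field_value)
    f.close()
    return "".join(f.out)

# Constructed sample of what a contributor could save into a textarea field.
SAMPLE_FIELD_VALUE = (
    '<p>Bio <strong>here</strong> &amp; more.</p><script>alert(1)</script>'
    '<iframe src="https://example.invalid/"></iframe><img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)" title="t">link</a>'
)
```

Running kses_like(SAMPLE_FIELD_VALUE) keeps the paragraph and the link text but leaves no script, iframe, onerror handler or javascript: href, which is the kind of difference a site owner should expect between the old unfiltered shortcode output and the 6.2.5 behaviour.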

ACF's update also introduces modifications in field type handling, particularly for fields that traditionally output HTML, such as oEmbed and WYSIWYG. These changes aim to balance the need for HTML output with security considerations.

ACF explains:

“To support this, we've added a way for field types to mark that they'll handle the escaping of HTML when requested, via a new parameter $escape_html.

The new parameter is available on get_field and get_field_object, and is passed through to the field's format_value method.

This means if the field type supports handling escaping itself, setting this to true will get that escaped value.

This argument should not be used by end users, as it additionally requires a check to confirm the field type has been updated to support escaping its own HTML. For every core ACF field other than WYSIWYG, this property will currently have no effect on the value.”

All ACF users are urged to update to version 6.2.5 immediately to mitigate the identified security risks. Additionally, those not using the ACF Shortcode are advised to disable it entirely.

Read the official announcement:

ACF 6.2.5 Security Release
