A security patch for the WordPress plugin Advanced Custom Fields (ACF) has been released; however, it may cause unintended changes to sites.
The WordPress plugin Advanced Custom Fields (ACF), which has over two million installations, announced the release of version 6.2.5, a security update that addresses a vulnerability. The severity of the problem is unknown, and little information about it has been made public.
How much harm an attacker could cause, or what kinds of exploits are feasible, remains unknown. ACF did advise, however, that contributor-level access or higher is required to exploit the vulnerability, which makes an attack somewhat harder to begin.
ACF 6.2.5 Could Bring About Breaking Changes
The security release notification provided guidance on how to troubleshoot the changes and cautioned that the latest patch’s modifications could break websites.
With the release of version 6.2.5, the way the ACF shortcode processes and outputs potentially unsafe HTML changes significantly. The output is now escaped, so the rendered HTML is safer: escaping typically strips unwanted HTML such as dangerous scripts or malformed markup.
Although this modification improves security, it may cause issues for websites that use the shortcode to render complicated HTML components like iframes or scripts.
Unusual And Difficult Security Patch
This security update is unusual because, in most cases, a security researcher privately notifies the WordPress plugin publisher of a vulnerability, and the publisher then quietly ships an update that fixes it. Security researchers usually wait a few weeks before publishing a statement, giving users ample opportunity to update their plugins before the vulnerability is made public.
Here, however, the possibility of breaking changes complicates matters, so that is not the case. Instead, ACF is notifying users of the security release and warning them of problems the update may cause, problems that can only be avoided if ACF users make adjustments on their side.
An Additional Security Update, 6.2.7, Is Expected in February 2024
Because this vulnerability is difficult to fix, ACF decided to issue a second security release, version 6.2.7, in February of this year. This gives plugin users more time to plan ahead and minimize any further potentially disruptive changes.
These security precautions will be extended to additional ACF functions, such as the_field() and the_sub_field(), in version 6.2.7. Site managers are urged to check whether their site is compatible with these upcoming changes and are cautioned about possible changes in HTML output.
The changes that will be included in version 6.2.7 can also be enabled manually. According to ACF, if you are not currently storing unsafe HTML, or you are storing unsafe HTML but are already escaping the data, you can opt in to the new behavior of stripping dangerous HTML and generating an error report in the WordPress admin panel by using the following filter:
An explanation of the weakness
The update is required because of a vulnerability that allows users with the Contributor role, who are normally prohibited from publishing unfiltered HTML, to introduce harmful code. The problem lets ACF's regular sanitization procedures be bypassed, creating a security risk.
To mitigate this vulnerability, ACF 6.2.5 will identify and remove dangerous HTML from shortcode output. Error notices will appear in the WordPress admin area for affected fields, helping site owners locate and fix the problems.
Future Modifications to the_field() Function
Version 6.2.7 will bring changes to the the_sub_field() function, while version 6.2.5 will apply security modifications to the the_field() function. After that, these functions will by default include HTML safety precautions to stop potentially dangerous content from being output.
As stated in the announcement:
This release addresses security issues and prepares for an impending ACF change to the the_field’s output. Before updating, you should be aware of this significant change.
Beginning with ACF 6.2.5, the WordPress HTML escaping function wp_kses will escape ACF fields produced by the ACF Shortcode.
If you’re utilizing the shortcode() to generate potentially dangerous HTML, like scripts or iframes for textarea or WYSIWYG fields, this might be a game-changing update.
Regarding the impending changes in version 6.2.7, ACF version 6.2.5 will notify you whether the changes will have an impact on your site so you can make the necessary preparations ahead of time.
Advice For Developers Regarding Secure Use of ACF
It is recommended that developers handle HTML output carefully. In situations where unfiltered HTML output is genuinely required, such as script tags, ‘echo get_field()’ should be used. In all other situations, it is advised to use suitable escaping functions, such as “wp_kses_post,” a security function that cleans HTML output.
The ‘wp_kses_post’ function is described on the official WordPress security documentation page as follows:
“Sanitizes text to remove any permitted HTML tags from post content.
Post content does not refer to $_POST data from forms; rather, it refers to the page contents of the ‘post’ type.
This feature anticipates unslashed data.”
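Putting this advice into a theme template, as an added example that is not code from ACF or the article (WordPress and ACF are assumed to be loaded; the field names and the demo_* function names are assumptions):

```php
<?php
/**
 * Added example, not ACF's or the article's code. Shows the escaping
 * discipline the article recommends for ACF output in a theme template.
 * Assumes WordPress and ACF are loaded; the field names 'body_copy',
 * 'headline' and 'trusted_embed' and the demo_* functions are assumed.
 */

// Constructed sample of what a Contributor could have stored in a WYSIWYG
// field: legitimate markup mixed with elements post content does not allow.
$stored = '<p>Hello <strong>world</strong></p>'
        . '<script>alert(1)</script>'
        . '<iframe src="https://example.invalid/"></iframe>';

// wp_kses_post() keeps tags allowed in post content (<p>, <strong>, ...) and
// drops the <script> and <iframe> tags. kses removes tags, not their text, so
// "alert(1)" survives as inert plain text rather than as executable script.
$safe = wp_kses_post( $stored );
echo $safe;

// Default: HTML-bearing fields (WYSIWYG, textarea) go through wp_kses_post()
// before reaching the page, which is also what ACF 6.2.5 does for the shortcode.
function demo_render_body_copy( $post_id ) {
    echo wp_kses_post( get_field( 'body_copy', $post_id ) );
}

// Plain text fields are never HTML: escape them as text.
function demo_render_headline( $post_id ) {
    echo esc_html( get_field( 'headline', $post_id ) );
}

// The article's exception, raw "echo get_field()", is reserved for output that
// genuinely needs scripts or iframes. Tying it to the post author's
// 'unfiltered_html' capability (the same check WordPress applies to post
// content) keeps a Contributor's stored markup out of the unfiltered path.
function demo_render_trusted_embed( $post_id ) {
    $author_id = (int) get_post_field( 'post_author', $post_id );
    $raw       = get_field( 'trusted_embed', $post_id );

    if ( user_can( $author_id, 'unfiltered_html' ) ) {
        echo $raw; // unfiltered output, deliberately and only here
        return;
    }
    echo wp_kses_post( $raw );
}
```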
The ACF update also changes the way certain field types are handled, especially those that have historically produced HTML, such as oEmbed and WYSIWYG. These modifications are intended to balance security concerns with the need for HTML output.
To facilitate this, we have introduced a new parameter called $escape_html, which allows field types to indicate that they will take care of HTML escaping upon request.
The new parameter is passed all the way through to the field type’s format_value method and is available on get_field and get_field_object.
This indicates that setting this to true will result in the escaped value if the field type can handle escaping on its own.
End users shouldn’t use this argument because it also necessitates verifying that the field type has been changed to support escaping its own HTML. This parameter will not affect the value for any core ACF field other than WYSIWYG at this time.
It is recommended that all ACF users update to version 6.2.5 right away in order to reduce the security concerns that have been found. It is also recommended that users who are not using the ACF Shortcode disable it completely.