Friday, September 20, 2024

ACF WordPress Plugin Vulnerability Impacts Up To 2+ Million Websites


The Advanced Custom Fields (ACF) WordPress plugin, which has over 2 million installations, announced the release of a security update, version 6.2.5, that patches a vulnerability. The severity of the vulnerability is not known, and only limited details about it have been released.

While it is not known what kind of exploits are possible or the extent of damage that an attacker could cause, ACF did advise that the vulnerability requires contributor-level access or higher, which to a certain extent makes it harder to launch an attack.

ACF 6.2.5 May Introduce Breaking Changes

The security release announcement warned that the changes introduced by the update had the potential to cause websites to break, and provided instructions on how to debug the changes.

The version 6.2.5 update introduces a significant change in how the ACF shortcode processes and outputs potentially unsafe HTML content. The output will now be escaped, a security process that typically removes unwanted HTML, such as malicious scripts or malformed markup, so that the rendered HTML is safe.

However, this change, while improving security, might disrupt sites that use the shortcode to render complex HTML elements like scripts or iframes.

Tags with a potential for misuse, such as <script> and <iframe>, will be automatically removed, though this is customizable according to specific site needs.
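To make the escaping behaviour concrete, here is an added example (not code from ACF or from the article) of what allowlist-based escaping with the WordPress `wp_kses` family does to stored field HTML, and how a site that genuinely needs embeds can widen the allowlist deliberately rather than disabling escaping. It assumes WordPress and ACF are loaded (theme `functions.php` or a small plugin); the field names `author_bio` and `video_embed`, the helper names, and the sample markup are constructed for illustration.

```php
<?php
/**
 * Added example: allowlist escaping of ACF field output with wp_kses.
 * Assumes WordPress + ACF are loaded. Field names and sample HTML are
 * constructed for illustration and are not part of ACF.
 */

// Default pattern: run the stored value through the same allowlist
// WordPress applies to post content. <script> and <iframe> tags and
// on* event attributes are not in that allowlist and are removed.
function example_render_field_safely( string $field_name ): string {
    $raw = get_field( $field_name ); // ACF returns the stored value
    if ( ! is_string( $raw ) ) {
        return '';
    }
    return wp_kses_post( $raw );
}

// Site-specific customization: start from the 'post' allowlist and add
// <iframe> with only the attributes an embed needs. The src value is
// still checked against wp_kses' allowed protocols, and no on* handler
// attributes are admitted, so this is narrower than echoing raw HTML.
function example_allowed_html_with_iframe(): array {
    $allowed           = wp_kses_allowed_html( 'post' );
    $allowed['iframe'] = array(
        'src'             => true,
        'width'           => true,
        'height'          => true,
        'title'           => true,
        'allowfullscreen' => true,
        'loading'         => true,
    );
    return $allowed;
}

function example_render_embed_field( string $field_name ): string {
    $raw = get_field( $field_name );
    if ( ! is_string( $raw ) ) {
        return '';
    }
    return wp_kses( $raw, example_allowed_html_with_iframe() );
}

// Constructed sample of what a contributor-level user could store in a
// textarea field. Through wp_kses_post() the <p> and <img src> survive,
// the <script> tags and the onerror attribute are stripped (the script's
// text is left behind as harmless plain text), and the <iframe> tags are
// removed. Through example_render_embed_field() the iframe is kept with
// its src, width and height only.
function example_sample_stored_html(): string {
    return '<p>Short bio.</p>'
        . '<script>console.log("injected")</script>'
        . '<img src="/avatar.png" onerror="console.log(1)">'
        . '<iframe src="https://example.com/embed" width="560" height="315"'
        . ' onload="console.log(2)"></iframe>';
}

// Usage in a template:
//   echo example_render_field_safely( 'author_bio' );
//   echo example_render_embed_field( 'video_embed' );
```

The design point is that the allowlist, not the field, decides what reaches the page: widening it for one field type (iframe for embeds) keeps the script and event-handler removal intact, which is the protection the 6.2.5 change introduces for the shortcode.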

Unusual And Complex Security Release

This security update is unusual because normally a security researcher confidentially alerts the WordPress plugin author to a vulnerability and the author quietly releases an update to address the problem. Typically the security researchers wait a few weeks before making a public announcement so that users have enough time to update their plugins before the vulnerability becomes widely known.

That is not the case with this vulnerability, because it is complicated by the potential for breaking changes. So ACF is taking the step of announcing the security release and alerting users to potential issues caused by the fix, which can be mitigated, but only with changes on the ACF user's side.

6.2.7 Another Security Fix Scheduled For February 2024

The complexity of patching this vulnerability has led to the decision to introduce a second security release in February of this year, version 6.2.7. This will give plugin users extra time to prepare for and mitigate other potential breaking changes.

Version 6.2.7 will extend these security measures to additional ACF functions, including the_field() and the_sub_field(). Site administrators are cautioned about potential alterations in HTML output and are advised to review their site's compatibility with these impending changes.

There is also a way to manually adopt the changes that are coming in version 6.2.7. ACF explains that if you are not currently storing unsafe HTML, or you are storing unsafe HTML but are already escaping the data, then it is possible to opt in to the new behavior of stripping unsafe HTML and triggering an error report in the WordPress admin panel with the following filter:

acf/the_field/escape_html_optin

Description Of The Vulnerability

The need for this update stems from a discovered vulnerability that allows users with contributor roles, who are normally restricted from posting unfiltered HTML, to insert malicious code. This issue bypasses ACF's standard sanitization, creating a potential security risk.

To counteract this vulnerability, ACF 6.2.5 will detect and remove unsafe HTML from shortcode output. Affected fields will trigger error messages in the WordPress admin area, helping site owners identify and address the errors.

Upcoming Changes to the_field() Function

The the_field() function will undergo security revisions in version 6.2.5, and the the_sub_field() function will change in version 6.2.7. These functions will then incorporate HTML safety measures by default, preventing the output of potentially harmful content.

According to the announcement:

“This release is a security fix release containing an important change you need to be aware of before you update, and prepares for a change to the output of the_field coming soon to ACF.

From ACF 6.2.5, use of the ACF Shortcode to output an ACF field will be escaped by the WordPress HTML escaping function wp_kses.

This has potential to be a breaking change if you’re using the shortcode () to output potentially unsafe HTML such as scripts or iframes for textarea or WYSIWYG fields.”

Regarding the upcoming changes in version 6.2.7, ACF version 6.2.5 will show an alert if your site will be affected by the changes coming in version 6.2.7, allowing time to prepare in advance.

Guidance For Developers On Using ACF Securely

Developers are advised to approach HTML output with caution. In scenarios that require unfiltered HTML output, such as script tags, the use of ‘echo get_field()’ is recommended. For other cases, applying appropriate escaping functions, like ‘wp_kses_post’, a security function that sanitizes HTML output, is recommended.
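The opt-in filter named above and the two output patterns in this guidance, as an added example that is not code from ACF or from the article. It assumes WordPress with ACF 6.2.5 or later loaded; the field names `summary` and `tracking_snippet` and the function names are constructed. The capability check around the unfiltered path is an illustration added here, not an ACF feature: it uses the WordPress `unfiltered_html` capability, which contributor-level users do not hold, so a field edited by such a user is escaped even on the "raw" path.

```php
<?php
/**
 * Added example: opting in to the 6.2.7 escaping behaviour early, and the
 * two output patterns from the developer guidance. Assumes WordPress with
 * ACF 6.2.5+. Field names and helper names are constructed.
 */

// functions.php: opt in to the_field() escaping and the admin error report
// ahead of 6.2.7. Only appropriate when fields hold no unsafe HTML, or the
// templates already escape it, as the announcement describes.
add_filter( 'acf/the_field/escape_html_optin', '__return_true' );

// Default pattern: escape on output. wp_kses_post() keeps the markup
// allowed in post content and drops <script>, <iframe> and on* handlers.
function example_the_summary( int $post_id ): void {
    $value = get_field( 'summary', $post_id );
    echo is_string( $value ) ? wp_kses_post( $value ) : '';
}

// Exception pattern from the guidance: 'echo get_field()' for a field that
// must carry unfiltered HTML such as a script tag. Added safeguard (not an
// ACF feature): bypass escaping only when the post author holds the
// 'unfiltered_html' capability, which contributors lack in WordPress;
// otherwise fall back to escaping. Note this checks the current author,
// not whoever last edited the field.
function example_the_tracking_snippet( int $post_id ): void {
    $value = get_field( 'tracking_snippet', $post_id );
    if ( ! is_string( $value ) ) {
        return;
    }
    $author_id = (int) get_post_field( 'post_author', $post_id );
    if ( $author_id && user_can( $author_id, 'unfiltered_html' ) ) {
        echo $value; // intentionally unescaped: author may post unfiltered HTML
        return;
    }
    echo wp_kses_post( $value );
}

// Usage in single.php, inside the loop:
//   example_the_summary( get_the_ID() );
//   example_the_tracking_snippet( get_the_ID() );
```

Keeping the unescaped `echo get_field()` behind a named helper with an explicit capability check makes the raw-output sites in a theme easy to grep for and review, which is what the admin error report in 6.2.5 is meant to surface for the shortcode.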

According to the official WordPress security documentation page about the ‘wp_kses_post’ function:

“Sanitizes content for allowed HTML tags for post content.

Description
Post content refers to the page contents of the ‘post’ type and not $_POST data from forms.

This function expects unslashed data.”

ACF’s update also introduces changes in field type handling, particularly for fields that traditionally output HTML, such as oEmbed and WYSIWYG. These changes aim to balance the need for HTML output with security concerns.

ACF explains:

“To support this, we’ve added a way for field types to mark that they will handle the escaping of HTML when requested, via a new parameter $escape_html.

The new parameter is available on get_field and get_field_object, and is passed all the way through to the fields format_value method.

This means if the field type supports handling escaping itself, setting this to true will get that escaped value.

This argument should not be used by end users, as it additionally requires a check to confirm the field type has been updated to support escaping its own HTML. For every core ACF field other than WYSIWYG, this property will currently have no effect on the value.”

All ACF users are urged to update to version 6.2.5 immediately to mitigate the identified security risks. Additionally, those not using the ACF Shortcode are advised to disable it entirely.

Read the official announcement:

ACF 6.2.5 Security Release

Featured Image by Shutterstock/Perfect_kebab
