The WordPress ACF plugin vulnerability affects more than 2 million sites

The Advanced Custom Fields (ACF) WordPress plugin, which has more than 2 million installations, has released a security update, version 6.2.5, that fixes a vulnerability. The severity has not been disclosed, and only limited details about the flaw were released.

While it is not known what kind of exploits are possible or how much damage an attacker could cause, ACF did advise that exploiting the vulnerability requires contributor-level access or higher. That raises the bar somewhat, since an attacker first needs an authenticated account, but contributor accounts are routinely handed to untrusted authors on multi-author sites, so the precondition should not be read as making the issue harmless.

ACF 6.2.5 may introduce breaking changes

The security release announcement warned that the changes introduced by the update could cause some websites to break, and offered instructions on how to debug the new behaviour.

The version 6.2.5 update introduces a significant change to the way the ACF shortcode processes and generates potentially unsafe HTML content. The shortcode's output is now escaped: rather than being echoed as stored, the HTML is filtered against an allowlist of safe markup, and anything the filter does not recognise as safe, such as script elements or inline event-handler attributes, is stripped before the HTML is rendered.

However, this change, while improving security, may break sites that use the shortcode to render complex HTML elements such as scripts or iframes, because those elements fall outside the allowlist and are removed along with anything malicious.
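To make concrete what an allowlist filter does to shortcode output, and why embeds stop rendering, here is an added Python sketch of the mechanism. It is an illustration written for this article, not ACF's or WordPress's own code; the allowlist, the `render_field` stand-in for a shortcode, its `allow_unsafe_html` opt-out flag and the sample field values are all assumptions made for the demo.

```python
"""Allowlist HTML filter modelled on the behaviour described above: tags and
attributes outside an allowlist are dropped, script/iframe bodies are removed,
ordinary markup survives.  Added illustration, not ACF or WordPress code; the
allowlist and sample values below are assumptions made for the demo."""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: tag -> permitted attributes. Anything else is stripped.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "p": set(),
    "strong": set(),
    "em": set(),
    "br": set(),
}
VOID_TAGS = {"br"}
# Tags whose body is discarded along with the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # > 0 while inside a dropped element's body

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text content
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # covers onclick=, style=, and any other extra attribute
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # blocks javascript: and data: URLs
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))  # re-encode decoded text


def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def render_field(stored_value: str, allow_unsafe_html: bool = False) -> str:
    """Stand-in for a shortcode that echoes a stored field value. Before the
    change it returned the value raw; afterwards it is filtered unless the site
    explicitly opts out (the opt-out flag here is hypothetical)."""
    return stored_value if allow_unsafe_html else sanitize(stored_value)


# Constructed sample values, as a low-privilege author might store them.
CONTRIBUTOR_VALUE = (
    "<p>Hello <strong>world</strong></p>"
    "<script>alert(document.cookie)</script>"
    '<a href="javascript:alert(1)" onclick="alert(2)">x</a>'
)
EMBED_VALUE = '<iframe src="https://example.com/embed/123"></iframe>'

if __name__ == "__main__":
    print(render_field(CONTRIBUTOR_VALUE))        # script, javascript: href and onclick are gone
    print(repr(render_field(EMBED_VALUE)))        # '' : the legitimate embed is what breaks
    print(render_field(EMBED_VALUE, allow_unsafe_html=True))
```

The same mechanism explains both halves of the announcement: the stored `<script>`, the `javascript:` link and the `onclick` handler are removed, and so is the legitimate iframe, which is exactly the breakage the release notes warn about. A site that needs embeds should restore them through an explicit, reviewed opt-out for the fields that require it rather than by staying on the unpatched version.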

Labels with the potential for misuse, such as