{"id":20350,"date":"2024-01-17T10:34:23","date_gmt":"2024-01-17T10:34:23","guid":{"rendered":"https:\/\/afreeurl.com\/?p=20350"},"modified":"2024-01-17T10:34:26","modified_gmt":"2024-01-17T10:34:26","slug":"the-wordpress-acf-plugin-vulnerability-affects-up-to-more-than-2-million-sites","status":"publish","type":"post","link":"https:\/\/afreeurl.com\/?p=20350","title":{"rendered":"The WordPress ACF plugin vulnerability affects up to more than 2 million sites"},"content":{"rendered":"<p>The Advanced Custom Fields (ACF) WordPress plugin, with more than 2 million installations, announced the release of a security update, version 6.2.5, which fixes a vulnerability whose severity is unknown; only limited details about the vulnerability were released.<\/p>\n<p>While it&#8217;s not known what kind of exploits are possible or the extent of damage an attacker could cause, ACF did advise that the vulnerability requires contributor-level access or higher, which to some extent makes it harder to launch an attack.<\/p>\n<h2>ACF 6.2.5 may introduce breaking changes<\/h2>\n<p>The security release announcement warned that the changes introduced by the update had the potential to cause websites to break and offered instructions on how to debug the changes.<\/p>\n<p>The version 6.2.5 update introduces a significant change to the way the ACF shortcode processes and generates potentially unsafe HTML content.
The output will now be escaped, a security process that typically removes unwanted HTML such as malicious scripts or malformed HTML, so that the rendered HTML is safe.<\/p>\n<p>However, this change, while improving security, may break sites that use the shortcode to render complex HTML elements such as scripts or iframes.<\/p>\n<p>Tags with the potential for misuse, such as &lt;script&gt; and &lt;iframe&gt;, will be removed automatically, although this behaviour can be customized according to the specific needs of the site.<\/p>\n<h2>Unusual and complex security release<\/h2>\n<p>This security update is unusual because, in most cases, a security researcher confidentially alerts the WordPress plugin publisher to a vulnerability, and the publisher quietly releases an update to fix the problem.  Typically, security researchers wait a few weeks before making a public announcement, to give users enough time to update their plugins before the vulnerability becomes widely known.<\/p>\n<p>This is not the case with this vulnerability, because the fix is complicated by the possibility of breaking changes.  So ACF is taking the step of announcing the security release and alerting users to potential issues caused by the fix, which can be mitigated, but only with changes on the ACF user side.<\/p>\n<h2>Another security fix scheduled for February 2024<\/h2>\n<p>The complexity of fixing this vulnerability has led to the choice of introducing a second security release in February this year, version 6.2.7.  This will give plugin users more time to prepare for and mitigate other potential changes.<\/p>\n<p>Version 6.2.7 will extend these security measures to additional ACF functions such as the_field() and the_sub_field().
Site administrators are warned of potential changes to HTML output and are encouraged to review their site's compatibility with these impending changes.<\/p>\n<h2>Description of the vulnerability<\/h2>\n<p>The need for this update stems from a discovered vulnerability that allows users with the contributor role, who are normally not permitted to publish unfiltered HTML, to inject malicious code.  This issue bypasses ACF's standard sanitization, creating a potential security risk.<\/p>\n<p>To counter this vulnerability, ACF 6.2.5 will detect and remove unsafe HTML from shortcode output.  Affected fields will trigger error messages in the WordPress admin area, helping site owners identify and fix the problems.<\/p>\n<h2>Upcoming changes to the the_field() function<\/h2>\n<p>The the_field() function will undergo security revisions in version 6.2.5, and the the_sub_field() function will change in version 6.2.7.  These functions will incorporate HTML security measures by default, preventing the output of potentially harmful content.<\/p>\n<p><strong>According to the announcement:<\/strong><\/p>\n<p>\"This release is a security fix release that contains an important change that you should be aware of before upgrading and prepares for a change to the_field output coming soon to ACF.<\/p>\n<p>As of ACF 6.2.5, the WordPress wp_kses HTML escape function will escape the use of the ACF shortcode to generate an ACF field.<\/p>\n<p>This can be a breaking change if you use the shortcode() to produce potentially unsafe HTML, such as scripts or iframes for textarea or WYSIWYG fields.\"<\/p>\n<p>Regarding the upcoming changes in version 6.2.7, ACF version 6.2.5 will provide an alert if your site will be affected by the changes in version 6.2.7, giving you time to prepare in advance.<\/p>\n<h2>Guidance for developers on using ACF securely<\/h2>\n<p>Developers are advised to approach HTML output with caution.
In scenarios that require unfiltered HTML output, such as script tags, the use of \"echo get_field()\" is recommended.  For other cases, it is recommended to apply appropriate escaping functions, such as 'wp_kses_post', a security function that sanitizes HTML output.<\/p>\n<p><strong>According to the official <a href=\"https:\/\/developer.wordpress.org\/reference\/functions\/wp_kses_post\/\" target=\"_blank\" rel=\"noopener\">WordPress security documentation<\/a> page about the 'wp_kses_post' function:<\/strong><\/p>\n<p>\"Sanitize content for HTML tags allowed for post content.<\/p>\n<p>Description<br \/>The content of the post refers to the content of the page of type \"post\" and not the $_POST data of the forms.<\/p>\n<p>This function expects data without bars.\"<\/p>\n<p>The ACF update also introduces changes to field type handling, especially for fields that traditionally generate HTML, such as oEmbed and WYSIWYG.  These changes are intended to balance the need for HTML output with security considerations.<\/p>\n<p><strong>ACF explains:<\/strong><\/p>\n<p>\u201cTo support this, we've added a way for field types to flag that they will handle HTML escaping when prompted, via a new $escape_html parameter.<\/p>\n<p>The new parameter is available in get_field and get_field_object, and is passed to the field's format_value method.<\/p>\n<p>This means that if the field type supports escaping itself, setting this to true will get that value escaped.<\/p>\n<p>This argument should not be used by end users, as it also requires a check to ensure that the field type has been updated to allow escaping its own HTML.  For each basic ACF field that is not WYSIWYG, this property will currently have no effect on the value.\u201d<\/p>\n<p>All ACF users are urged to immediately upgrade to version 6.2.5 to mitigate the security risks identified.
Additionally, those who do not use the ACF shortcode are advised to disable it entirely.<\/p>\n<p><strong>Read the official announcement:<\/strong><\/p>\n<p><a href=\"https:\/\/www.advancedcustomfields.com\/blog\/acf-6-2-5-security-release\/\" target=\"_blank\" rel=\"noopener\">ACF Security Version 6.2.5<\/a><\/p>\n<p><a href=\"https:\/\/www.searchenginejournal.com\/acf-wordpress-plugin-vulnerability-affects-up-to-2-million-sites\/505752\/\" target=\"_blank\" rel=\"noopener\">Source link<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Advanced Custom Fields (ACF) WordPress plugin with more than 2 million installations announced the release of a security update, version 6.2.5 that fixes a vulnerability, the severity of which is unknown and only limited details about the vulnerability were released. While it&#8217;s not known what kind of exploits are possible or the extent of damage an attacker could cause, ACF did advise that the vulnerability requires contributor-level access or higher, which to some extent&#8230; 
<\/p>\n","protected":false},"author":1,"featured_media":20351,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-20350","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-seo-news"],"_links":{"self":[{"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/posts\/20350","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afreeurl.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=20350"}],"version-history":[{"count":1,"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/posts\/20350\/revisions"}],"predecessor-version":[{"id":20352,"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/posts\/20350\/revisions\/20352"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/media\/20351"}],"wp:attachment":[{"href":"https:\/\/afreeurl.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=20350"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afreeurl.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=20350"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afreeurl.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=20350"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}