18 Oct

ACF 6.0.3 Release – Security Changes to the ACF Shortcode and UI Improvements

By Liam Gladdy

Advanced Custom Fields version 6.0.3 is now available! 🚀🎉

This release includes further enhancements and fixes to the new UI introduced in ACF 6.0, along with important security changes to where the ACF shortcode can be used, and new settings and filters to control the ACF shortcode. Read on to find out how it might affect you.

The ACF Shortcode

The purpose of the ACF shortcode is to display ACF field data across your website. The ACF shortcode is often used by third-party page and theme builders, as their way to expose ACF fields in their template system.

Currently, the ACF shortcode ensures that the ACF data being accessed is valid data that has been entered into ACF fields, but depending on your site configuration, it may allow contributors to access data which isn’t intended, such as data stored in options pages – if they know (or guess) the ACF field name or key.

Disabling the ACF shortcode altogether

For the many developers who don’t use the ACF shortcode across their sites, we’ve added a new ACF setting which will disable the ACF shortcode altogether. We recommend users disable the ACF shortcode where possible using the following code in their themes. This will ensure your ACF data can only be output via your theme template code, rather than via content added in the editor or potentially via user submitted content:

add_action( 'acf/init', 'set_acf_settings' );
function set_acf_settings() {
    acf_update_setting( 'enable_shortcode', false );
}

We recommend theme and plugin developers who rely on the ACF shortcode explicitly set this setting to true. We’ll also be reaching out to the main page builder plugin developers to ask them to enable this setting where their users require it, so that nothing breaks if we change the default in a future release.
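As an added example (not code from the ACF plugin or from this post), the following theme snippet sets the setting explicitly rather than relying on ACF’s default: it enables the shortcode only when a page builder that needs it is present, and shows administrators a notice while the shortcode is still enabled. The class name Example_Page_Builder, the function names and the text domain are assumptions for the example.

```php
<?php
// Added example, not ACF's own code. Set the ACF shortcode setting explicitly
// from a theme's functions.php so the site does not depend on ACF's default.
add_action( 'acf/init', 'mytheme_configure_acf_shortcode' );
function mytheme_configure_acf_shortcode() {
    // Assumption: the page builder you rely on exposes this class. Replace it
    // with the real check for your builder, or use false if nothing on the
    // site needs the shortcode.
    $builder_needs_shortcode = class_exists( 'Example_Page_Builder' );

    acf_update_setting( 'enable_shortcode', $builder_needs_shortcode );
}

// Surface the effective setting to administrators so a theme or plugin that
// re-enables the shortcode later does not go unnoticed.
add_action( 'admin_notices', 'mytheme_acf_shortcode_notice' );
function mytheme_acf_shortcode_notice() {
    if ( ! function_exists( 'acf_get_setting' ) || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( acf_get_setting( 'enable_shortcode' ) ) {
        printf(
            '<div class="notice notice-warning"><p>%s</p></div>',
            esc_html__( 'The ACF shortcode is enabled on this site; field values can be output from post content.', 'mytheme' )
        );
    }
}
```

Because the setting is applied on acf/init, a plugin hooking the same action at a later priority can override it; the notice reads the setting back with acf_get_setting() so such a change is visible instead of being silently trusted.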

Contributors

To prevent contributors from viewing ACF data before a post is published, in ACF 6.0.3 only users with the publish_posts capability will be able to view the results of an ACF shortcode while previewing a post. This means an editor must publish the post before the data can be viewed by users with lesser permissions. This mostly affects contributors, or custom roles without the publish_posts capability.

For developers who trust their contributors, the required capability can be changed from publish_posts using the new acf/shortcode/preview_capability filter:

add_filter(
    'acf/shortcode/preview_capability',
    function( $role ) {
        return 'edit_posts';
    }
);

The message shown to users affected by this change will default to “[ACF shortcode value disabled for preview]”, although it can be filtered with the new acf/shortcode/preview_capability_message filter:

add_filter(
    'acf/shortcode/preview_capability_message',
    function( $message ) {
        return 'The value of this ACF shortcode will be visible on publish.';
    }
);
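The two filters above can also be combined to go a step further than the post describes: instead of lowering the preview capability to edit_posts for every contributor, a theme can require a dedicated capability and grant it only to the roles it trusts. This is an added example, not ACF’s own code; the capability name preview_acf_shortcode, the custom role trusted_contributor and the function names are assumptions.

```php
<?php
// Added example, not ACF's own code. Require a dedicated capability for
// shortcode output in previews and grant it only to trusted roles.
define( 'MYTHEME_ACF_PREVIEW_CAP', 'preview_acf_shortcode' );

// Roles that may see ACF shortcode values in previews (assumed names).
function mytheme_acf_preview_roles() {
    return array( 'administrator', 'editor', 'trusted_contributor' );
}

// Grant the capability when the theme is activated. Administrators do not
// automatically receive custom capabilities, so they are listed explicitly.
add_action( 'after_switch_theme', 'mytheme_grant_acf_preview_cap' );
function mytheme_grant_acf_preview_cap() {
    foreach ( mytheme_acf_preview_roles() as $role_name ) {
        $role = get_role( $role_name );
        if ( $role ) {
            $role->add_cap( MYTHEME_ACF_PREVIEW_CAP );
        }
    }
}

// Remove it again when the theme is switched away so the grant does not linger.
add_action( 'switch_theme', 'mytheme_revoke_acf_preview_cap' );
function mytheme_revoke_acf_preview_cap() {
    foreach ( mytheme_acf_preview_roles() as $role_name ) {
        $role = get_role( $role_name );
        if ( $role ) {
            $role->remove_cap( MYTHEME_ACF_PREVIEW_CAP );
        }
    }
}

// Tell ACF which capability unlocks shortcode output while previewing.
add_filter(
    'acf/shortcode/preview_capability',
    function( $capability ) {
        return MYTHEME_ACF_PREVIEW_CAP;
    }
);

// Make the placeholder explain why the value is hidden.
add_filter(
    'acf/shortcode/preview_capability_message',
    function( $message ) {
        return '[ACF shortcode value hidden in preview until the post is published]';
    }
);
```

Note that the filter replaces publish_posts rather than adding to it: a role such as author, which can publish but is not in the list above, will see the placeholder in previews until it is granted the capability as well.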

Block Themes

ACF 6.0.3 also limits the block types which are allowed to render the ACF shortcode. By default, only core blocks which render content using the the_content filter will be allowed to display ACF shortcodes – this covers the shortcode block, and standard core paragraph blocks which are the two most common places the ACF shortcode is used.

This change only applies to block themes, and can be disabled using the new filter acf/shortcode/allow_in_block_themes_outside_content as shown below, which will enable the ACF shortcode to be rendered in any block which allows shortcode rendering.

add_filter( 'acf/shortcode/allow_in_block_themes_outside_content', '__return_true' );

ACF v5 Users

For those users holding off on upgrading to ACF 6, we’ve released ACF 5.12.4, which includes all the shortcode security changes listed above. Automatic upgrades to this version are not supported; it will need to be updated manually.

PRO customers can download it from their account, and users of the free plugin can download it from the WordPress plugin directory.

Once the 5.12.4 zip has been downloaded, you can update the plugin using your normal deployment system or manually on a site by logging into the site admin and navigating to ‘Plugins’ > ‘Add New’ > ‘Upload plugin’ then choosing the 5.12.4 zip file. WordPress will ask you if you want to overwrite the existing plugin version to upgrade.

Changelog

  • Security Fix – ACF shortcode security fixes detailed here
  • Improvement – Field names and keys now copy to clipboard on click, and do not open a field
  • Fix – The field type input now has default focus when adding a new field
  • Fix – ACF no longer publishes h1, h2 or h3 CSS classes outside of the ACF admin screens
  • Fix – Conditional field settings now work correctly across different tabs
  • Fix – The field list for sub fields is now full width
  • Fix – ACF admin notices now display with correct margin
  • Fix – Admin CSS improvements when using ACF in an RTL language
  • Fix – Clone fields now have the presentation tab for setting wrapper properties when in group display mode
  • Fix – Appended labels on field settings will now be displayed in the correct place
  • Accessibility – The move field modal is now keyboard and screen reader accessible

For questions and help about this release, please contact our support team.
