![ACF 6.3.6 Version Update: Enhanced Security for Content Editor Field Value Access](https://www.361sale.com/wp-content/uploads/2024/09/20241108172554400-image.png)
Field value access in the content editor
ACF shortcodes are a way for content editors to access ACF field values when creating and displaying article content. Recent versions of ACF have made significant improvements to the security of ACF shortcodes, and to tighten this further, ACF shortcodes are disabled by default in ACF 6.3.0 and higher. However, allowing site users to access field data from the editor requires trust and always carries inherent security risk. This is one of the reasons why newer WordPress features such as Block Bindings and Bits (coming soon) raise further questions about this kind of access.
In order to securely support these new features and to raise the security level of existing ACF shortcodes, ACF 6.3.6 introduces a new field-level setting, Allow Access to Value in Editor UI. This setting marks a field as one whose value editors are allowed to access and use in content.
This means, for example, that developers can allow ACF shortcodes to access certain fields, while not allowing content editors to access fields used on internal options pages, which are only accessible to site administrators.
This can be done by editing the field and navigating to the 'Presentation' tab to access field settings:
For any field created before ACF 6.3.6, the setting is enabled by default to match the existing behavior, but it is disabled for all new fields added afterward. This means that when creating a field, you need to explicitly choose to allow content editors to access it. This does not affect any code-based access to values, for example via the_field, get_field or get_post_meta; it only applies to existing or upcoming methods of accessing field values from the content editor.
We recommend that after upgrading to 6.3.6, ACF users revisit their field groups and fields and toggle the setting to "off" for any fields that contain sensitive information, especially fields attached to options pages or users.
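To make that review systematic rather than field by field in the UI, the following audit helper is an added example (not ACF's or the article's own code). It walks every field group with ACF's `acf_get_field_groups()` and `acf_get_fields()` functions and lists fields that still allow editor access, flagging those whose location rules bind them to an options page or a user form. It assumes the "Allow Access to Value in Editor UI" toggle is stored in the field array under the key `allow_in_bindings`, and, following the article's statement that pre-6.3.6 fields default to enabled, it treats a field with no stored value as allowed; both are assumptions to confirm against your ACF version.

```php
<?php
/**
 * Added example: audit which ACF fields still expose their value to the content
 * editor (shortcodes / block bindings) after upgrading to ACF 6.3.6.
 *
 * Assumptions (not taken from the article or ACF documentation):
 *  - the editor-access toggle is stored under the field key 'allow_in_bindings';
 *  - a field with no stored value is a legacy field and therefore allowed.
 */

// Location rule params that indicate a field group lives on an options page
// or a user form, where sensitive data is most likely to be stored.
const ACF_AUDIT_SENSITIVE_PARAMS = array( 'options_page', 'user_form', 'user_role' );

/**
 * Return true when any location rule of the group targets a sensitive context.
 */
function acf_audit_group_is_sensitive( array $group ) {
    foreach ( (array) ( $group['location'] ?? array() ) as $rule_group ) {
        foreach ( (array) $rule_group as $rule ) {
            if ( in_array( $rule['param'] ?? '', ACF_AUDIT_SENSITIVE_PARAMS, true ) ) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Return true when the field allows its value to be read from the editor.
 * A missing key is treated as allowed (legacy default, see assumptions above).
 */
function acf_audit_field_allows_editor_access( array $field ) {
    if ( ! array_key_exists( 'allow_in_bindings', $field ) ) {
        return true;
    }
    return ! empty( $field['allow_in_bindings'] );
}

/**
 * Build the report: one row per field that still allows editor access.
 */
function acf_editor_access_audit() {
    if ( ! function_exists( 'acf_get_field_groups' ) || ! function_exists( 'acf_get_fields' ) ) {
        return array(); // ACF is not active; nothing to audit.
    }

    $report = array();
    foreach ( acf_get_field_groups() as $group ) {
        $sensitive = acf_audit_group_is_sensitive( $group );
        $fields    = acf_get_fields( $group );
        foreach ( (array) $fields as $field ) {
            if ( ! acf_audit_field_allows_editor_access( $field ) ) {
                continue;
            }
            $report[] = array(
                'group'     => $group['title'],
                'field'     => $field['name'],
                'type'      => $field['type'],
                'sensitive' => $sensitive,
            );
        }
    }
    return $report;
}

// Optional WP-CLI entry point: `wp acf-audit editor-access`.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'acf-audit editor-access', function () {
        foreach ( acf_editor_access_audit() as $row ) {
            $flag = $row['sensitive'] ? 'REVIEW (options page / user)' : 'ok';
            WP_CLI::line( sprintf( '%-30s %-30s %-12s %s', $row['group'], $row['field'], $row['type'], $flag ) );
        }
    } );
}
```

Rows marked REVIEW are the ones the article singles out: fields attached to options pages or users. Toggle the setting off for those that hold sensitive values; code that reads them with get_field or get_post_meta keeps working regardless.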
Change Log
- Security - newly added fields must now be explicitly set to allow access in the content editor (when using ACF shortcodes or block bindings) to increase the security of field permissions
- Security Fix - Field labels are now properly escaped when rendered in the Field Group Editor to prevent potential XSS issues. Thanks to Ryo Sotoyama of Mitsui Bussan Secure Directions, Inc. for responsible disclosure!
- Fix - AJAX request nonce validation and blocking can no longer be overridden by third-party plugins
- Fix - detection of 3rd party select2 libraries will now default to v4 instead of v3
- Fix - Block preview will now show an error if the render template PHP file is not found
Link to this article: https://www.361sale.com/en/2699