ACF developers at WP Engine have patched a vulnerability affecting both the free and Pro versions of the popular plugin after Automattic broke with established security reporting practices and disclosed the issue on X.
ACF 6.3.8 patches an arbitrary code execution vulnerability involving Post Type and Taxonomy metabox callbacks where a user with ACF admin permissions could potentially exploit another admin user’s permissions. This scenario, although unlikely, could occur either when an admin user attacks another with permissions to create or modify posts or in a Multisite setup where a site admin attempts to exploit a super admin to modify or add posts.
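The class of bug described above, an administrator-controlled setting ending up as the callable WordPress runs for a post type's metabox, is most simply prevented by never treating a stored string as an arbitrary PHP function. The following PHP is an added illustration for this article, not ACF's code or its actual fix; the option name `example_cpt_metabox_cb`, the `example_` functions and the post type are assumptions made for the example. It maps an admin-selectable identifier to a fixed allowlist of renderers before handing anything to `register_post_type()`'s `register_meta_box_cb` argument, and rejects unknown values at save time as well.

```php
<?php
// Added example (not ACF's code): resolve an admin-configurable metabox
// setting to a callable only through an allowlist. Function names, the
// option name and the post type are hypothetical.

/**
 * The only metabox renderers this plugin will ever run.
 * Keys are identifiers an admin may select; values are real callables.
 */
function example_allowed_metabox_callbacks(): array {
    return [
        'default' => 'example_render_default_metabox',
        'gallery' => 'example_render_gallery_metabox',
    ];
}

function example_render_default_metabox( WP_Post $post ): void {
    echo '<p>' . esc_html__( 'Default metabox', 'example' ) . '</p>';
}

function example_render_gallery_metabox( WP_Post $post ): void {
    echo '<p>' . esc_html__( 'Gallery metabox', 'example' ) . '</p>';
}

/**
 * Turn a stored option value into a callable, or null if it is not allowlisted.
 *
 * The pattern to avoid is passing the stored string straight through, e.g.
 *   'register_meta_box_cb' => get_option( 'example_cpt_metabox_cb' )
 * because WordPress then invokes whatever function that string names, with
 * the post object as its argument, whenever the edit screen loads for any
 * user who can edit that post type, regardless of who wrote the option.
 */
function example_resolve_metabox_callback( $stored ): ?callable {
    if ( ! is_string( $stored ) ) {
        return null;
    }
    $allowed = example_allowed_metabox_callbacks();
    $key     = sanitize_key( $stored );   // normalise, then require an exact match
    if ( ! isset( $allowed[ $key ] ) ) {
        return null;                        // unknown identifier: refuse it
    }
    $cb = $allowed[ $key ];
    return is_callable( $cb ) ? $cb : null;
}

// Register the post type with a callback only when the setting resolves.
add_action( 'init', function () {
    $stored   = get_option( 'example_cpt_metabox_cb', 'default' ); // hypothetical option
    $callback = example_resolve_metabox_callback( $stored );

    $args = [
        'label'  => 'Example Item',
        'public' => true,
    ];
    if ( null !== $callback ) {
        $args['register_meta_box_cb'] = $callback;
    }
    register_post_type( 'example_item', $args );
} );

// Defence in depth: refuse to persist a value that is not allowlisted,
// so a bad value never reaches the option table in the first place.
add_filter( 'pre_update_option_example_cpt_metabox_cb', function ( $new, $old ) {
    return null === example_resolve_metabox_callback( $new ) ? $old : sanitize_key( $new );
}, 10, 2 );
```

The point of the allowlist is that the trust boundary sits between administrators: a value written by one admin (or by a site admin on Multisite) can only ever select among renderers the plugin author shipped, so it cannot become code executed in the context of another admin or a super admin who later opens the edit screen.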
Patchstack published an advisory about the vulnerability in its database today, noting that the issue poses a low-severity risk and is unlikely to be exploited.
With over 2 million active installations, ACF is a popular tool among WordPress developers and has been caught in the crossfire as the conflict continues between Automattic and WP Engine. WP Engine remains blocked from accessing WordPress.org, and ACF developers are unable to access their accounts to push updates to the free version that’s hosted in the plugin repository.
Despite the controversy, ACF developers moved quickly to release patched versions of the free and Pro plugins directly to users via a new update mechanism, announced last week, that avoids reliance on updates via WordPress.org.
A patched copy of ACF was also provided to the WordPress Security Team, and it was uploaded to WordPress.org today. Core committer Aaron Jorbin posted on X that he was “Happy to see that a fix for the security issue with @wp_acf has been committed to WordPress.org and is flowing out to sites.”
The vulnerability came to light on Saturday when Automattic posted on X that the company’s security team had reported a vulnerability in ACF to the plugin’s developers and owner, WP Engine. Automattic also warned that the rival hosting company had 30 days to issue a fix before public disclosure.
Matt Mullenweg, Automattic’s CEO, reshared the post and asked his followers for suggestions on the best alternatives to ACF, adding, “I suspect there are going to be millions of sites moving away from it in the coming weeks.”
The posts prompted an immediate backlash from security experts, including WordPress Core Security Team lead John Blackbourn, who said that while Automattic had responsibly disclosed the vulnerability in ACF, the company had breached cybersecurity company Intigriti’s code of conduct by “irresponsibly announcing it publicly.” Blackbourn promised to “work my damned hardest to ensure that the fix gets shipped to dotorg if it affects the free version of ACF.”
WP Engine works with Intigriti as its vulnerability disclosure program (VDP) provider.
Both Automattic and Mullenweg’s posts were quickly deleted, but not before a further backlash in Post Status Slack, where Blackbourn and Patchstack CEO Oliver Sild criticized Mullenweg for publicly disclosing the existence of the vulnerability in ACF before a patch was available.
“Disclosing the existence of a vulnerability mid-process is not part of a responsible disclosure ethos. In the infosec community, such a leak is considered a TI (threat intelligence) leak, which hackers are often looking for,” posted Sild. He stressed the importance of adhering to responsible disclosure practices, adding that validation and verification should occur before a coordinated disclosure—typically after a patch is released.