Briefing

Advanced Custom Fields 6.8.2 Security Release

security
by Matt Shaw · ACF

Patch ACF to 6.8.2 immediately to fix frontend form security.

What to do now

Patch ACF (free or PRO) to 6.8.2 immediately to close the frontend form vulnerabilities, then confirm the installed version reads 6.8.2 on the Plugins screen of every site that renders an acf_form().

Summary

Advanced Custom Fields (ACF) version 6.8.2 has been released, addressing security issues in the plugin's frontend form handling. The update fixes two vulnerabilities in acf_form(). First, the post_title and post_content options are now honoured only when the form configuration explicitly enables them, so a submission can no longer write a post's title or content through a form that was not built to accept them. Second, a submission is now saved only for the fields the form defines, via the fields or field_groups parameters or the form's location rules, closing a vector by which a submitter could inject values for arbitrary fields not rendered on the form. Both the free ACF and the paid ACF PRO editions receive these patches, and the release was prompted by a responsible disclosure from Sarawut Poolkhet (MisterHelloz).

The developers recommend that all users upgrade immediately to mitigate the risk. ACF maintains a dedicated Security page for vulnerability reporting and offers support through its contact form. The changelog lists the two security fixes and credits the responsible disclosure. Users can follow the ACF team on Twitter for ongoing updates.

Key changes

  • Version 6.8.2 released
  • acf_form() now writes post_title and post_content only when the form configuration enables them
  • acf_form() now saves only the fields defined via fields, field_groups, or the form's location rules
  • Security fixes apply to both ACF and ACF PRO
  • Upgrade recommended ASAP
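The two fixes above both come down to the form declaring which fields it accepts and the save path refusing anything else. As an added example (written for this page, not ACF's own code and not part of the release notes), here is one way a site can pin a frontend acf_form() to an explicit field list and add a server-side allowlist as defence in depth. The field keys and function names are hypothetical; the assumptions that frontend submissions carry a `_acf_screen` hidden input with the value `acf_form`, that submitted values arrive under `$_POST['acf']` keyed by field key, and that the title and content inputs use the keys `_post_title` and `_post_content` are marked in the comments.

```php
<?php
// Added example, not code from ACF or from the release announcement.
// Assumptions (hypothetical unless ACF documents them for your version):
//  - field keys below are placeholders for real keys on the target site;
//  - frontend forms post a hidden `_acf_screen` input equal to 'acf_form';
//  - submitted values arrive as $_POST['acf'][<field_key>], with the
//    title/content inputs keyed as '_post_title' and '_post_content'.

// Field keys this particular frontend form is allowed to write.
function myplugin_allowed_field_keys() {
    return array(
        'field_6123abc000001', // hypothetical: "summary"
        'field_6123abc000002', // hypothetical: "contact_email"
    );
}

// 1. Render the form with an explicit `fields` list and with post_title /
//    post_content left disabled, so the form neither offers nor accepts
//    them. acf_form_head() must run in the template before get_header()
//    for the submission to be processed.
function myplugin_render_submission_form( $post_id ) {
    acf_form( array(
        'id'           => 'myplugin-submission',
        'post_id'      => $post_id,
        'fields'       => myplugin_allowed_field_keys(),
        'post_title'   => false,
        'post_content' => false,
        'submit_value' => 'Submit',
        'return'       => add_query_arg( 'updated', 'true', get_permalink( $post_id ) ),
    ) );
}

// 2. Defence in depth: reject any submitted key outside the allowlist,
//    which also covers a smuggled _post_title or _post_content. The hook
//    fires for both the AJAX validation pass and the real save, so a
//    submission that fails here is never written.
add_action( 'acf/validate_save_post', 'myplugin_validate_submission_keys' );
function myplugin_validate_submission_keys() {
    // Only police frontend acf_form() submissions, not the admin editor.
    if ( empty( $_POST['_acf_screen'] ) || 'acf_form' !== $_POST['_acf_screen'] ) {
        return;
    }
    if ( empty( $_POST['acf'] ) || ! is_array( $_POST['acf'] ) ) {
        return;
    }
    $allowed = array_flip( myplugin_allowed_field_keys() );
    foreach ( array_keys( $_POST['acf'] ) as $key ) {
        if ( ! isset( $allowed[ $key ] ) ) {
            // Input name matches what acf_form() renders for that key, so
            // the error is attached to the offending input when it exists.
            acf_add_validation_error(
                'acf[' . $key . ']',
                'Unexpected field submitted; the form does not accept it.'
            );
        }
    }
}
```

The allowlist here is global, which is only right for a site with a single frontend form; a site with several acf_form() instances needs a per-form allowlist keyed on something the submission reliably carries. None of this replaces the upgrade: the 6.8.2 patch applies the same restriction inside ACF's own save path, where a site-level hook cannot be bypassed by a form that forgot to register it.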
