
172 points ValentineC | 1 comments
discostrings ◴[] No.41821577[source]
Blog post on wordpress.org concerning this: https://wordpress.org/news/2024/10/secure-custom-fields/
smarx007 ◴[] No.41821701[source]
> This update is as minimal as possible to fix the security issue.

What is the actual issue? CVE number?

1. mananaysiempre ◴[] No.41821803[source]
I can’t find the actual number because Automattic’s tweet[1] announcing it has been deleted, but it’s the one mentioned in the ACF 6.3.8 release notes[2]. The authors of ACF can’t upload that version to wordpress.org themselves because Matt banned them from there before making the announcement.

ETA: Matt says[3] it’s a different vulnerability. Anybody willing to break out the almighty diff?

[1] Discussed at the time: https://news.ycombinator.com/item?id=41752289

[2] https://www.advancedcustomfields.com/blog/acf-6-3-8-security...

[3] https://news.ycombinator.com/item?id=41821829