
172 points ValentineC | 1 comments
discostrings No.41821577
Blog post on wordpress.org concerning this: https://wordpress.org/news/2024/10/secure-custom-fields/
smarx007 No.41821701
> This update is as minimal as possible to fix the security issue.

What is the actual issue? CVE number?

jorams No.41821830
The diff contains two (identical) changes that aren't just ripping out upgrade notices for the pro version: Two functions that stop callbacks from accessing $_POST now also stop them from accessing $_REQUEST, which also contains everything in $_POST. Also confirmed by WP Engine's update notice[1].

I honestly don't see why anyone would treat this as a security issue. Everything involved is PHP code that can do whatever it wants, not in any kind of sandbox.

Edit: And even if it were, this update doesn't fix the problem. POST variables can still be accessed:

    filter_input(INPUT_POST, 'name');

[1]: https://www.advancedcustomfields.com/blog/acf-6-3-8-security...