172 points | ValentineC | 2 comments
CharlesW No.41821726
So WordPress-the-org — which is effectively Matt, as far as I can tell — just Sherlocked a developer's plug-in using the developer's own code, ostensibly as retribution for a security issue that the developer had already fixed. https://www.advancedcustomfields.com/blog/acf-6-3-8-security...

What am I missing?

photomatt No.41821829
This release fixes a separate security vulnerability from the original update.
1. gg-plz No.41822001
The maintainers [1] and the WordPress project’s core security team lead [2] said that the fix was already published, despite your blocking them from publishing it directly and irresponsibly disclosing the issue out of spite [3].

Was that not true?

[1] https://x.com/wp_acf/status/1843376378210857441

[2] https://x.com/johnbillion/status/1843750679141331039

[3] https://x.com/johnbillion/status/1842627564453454049

2. gg-plz No.41822028
Sorry, I misread, disregard. I’d delete the comment but HN won’t let me.