221 points michaelcampbell | 48 comments
1. system2 ◴[] No.41830709[source]
Oh god, this gave me a minor heart attack. We are using over 20 ACF fields for 150+ sites. I thought it was completely out of the WordPress ecosystem. I am glad they have the zip download and continuing auto updates.

EDIT: I confirm our ACF plugins on sites are all switched to Secure Custom Fields. This is so shady, it broke our snippets because we are using prepend and append texts to wrap our field values. Now they are all broken and we have to update all our sites (also our clients' sites). Let's see what comes next...

EDIT2: There goes my Sunday. I received our first ticket regarding broken homepage widgets. I have to sit down and update every site one by one. Thank you Matt Mullenweg for ruining my Sunday plans.

replies(13): >>41830770 #>>41831019 #>>41831125 #>>41831219 #>>41831312 #>>41831371 #>>41831420 #>>41831589 #>>41831598 #>>41831645 #>>41832233 #>>41833738 #>>41835660 #
2. gg-plz ◴[] No.41830770[source]
As someone who doesn’t use it, were those features removed in the patch?

If they’re actively breaking people’s sites I’d hope they can get an emergency injunction ASAP, and maybe someone can start a CFAA investigation.

3. yawnxyz ◴[] No.41831019[source]
this is my nightmare
4. btown ◴[] No.41831125[source]
This should be the top comment. It's already scary for a package manager to take control of a community package, even more so when sites auto-update to new code... but to break existing sites by completely changing the code that is provided in an auto-update is beyond the pale.

Not a lawyer, but I imagine many consultancies will be talking to lawyers about this one; there are entire sections of law about interfering with other companies' contracts with each other. At minimum it's an appalling breach of trust.

replies(1): >>41832039 #
5. Cyberdog ◴[] No.41831219[source]
How did the sites auto-update to have this plug-in removed/replaced? Are your sites set up to just automatically take push updates from WordPress central command or something and auto-modify themselves?!
replies(2): >>41831671 #>>41831683 #
6. n3storm ◴[] No.41831312[source]
pass the bill to matt when you finish fixing those broken wp.
replies(2): >>41831412 #>>41833808 #
7. Atotalnoob ◴[] No.41831371[source]
Photomatt aka Matt Mullenweg hangs out on HN.

I’d love to hear how he justifies taking away this engineer’s Sunday? I doubt this person is the only person working this weekend due to Matt’s theft of ACF

replies(1): >>41831649 #
8. znpy ◴[] No.41831412[source]
He will reply that go has just “contributed their fair share of man-hours” /s
9. luckylion ◴[] No.41831420[source]
> it broke our snippets because we are using prepend and append texts to wrap our field values

Did they also rename filters and functions? I thought it was only the name and mentions of ACF in the docs. What did you rely on?

replies(1): >>41831734 #
10. ◴[] No.41831589[source]
11. jnd10 ◴[] No.41831598[source]
Install the official free plugin from the advanced custom fields website and remove the SCF version. You won’t need to change any existing code then, and future updates will come from the plugin dev for ACF.
replies(1): >>41831688 #
12. mldevv ◴[] No.41831645[source]
(community member, not affiliated with WP, WPE, or A8C)

I can confirm this has been escalated internally in the WP slack.

I can also provide this context which I found concerning, given the way this was taken over and rolled out on a Saturday afternoon, which I have also been dragged into now as a fellow site maintainer.

- Matt Mullenweg "in a few days we'll have a Github where people can get involved, and we can also set up proper build systems, etc"

So it's all in flux obviously. I let them know the same thing, that I find this to be a malicious supply chain attack that is affecting the community.

13. usea ◴[] No.41831649[source]
> I’d love to hear how he justifies taking away this engineers’ Sunday?

His posts on slack [1] show that he sees it as "either with us or against us", and he's willing to harm users to force them to choose a side instead of staying neutral. He probably hopes that people will blame WP Engine for it.

I think his real goal is tortious interference. Hurting devs who use ACF is just a bonus.

[1] https://threadreaderapp.com/thread/1843963052183433331.html

14. sgdfhijfgsdfgds ◴[] No.41831671[source]
Wordpress has a (highly effective) auto-updates mechanism for security patches.

It was extended a couple of years ago to automatically apply plugin updates for you if you opted in, and I think automatic plugin updates may now be the default.

(This is on balance a good thing; almost all WP vulnerabilities are outdated plugins, and until this mechanism was prevalent, WordPress occasionally had to live-patch existing installations of third party plugins in the case of severe vulnerabilities.)

The reason this nasty little takeover worked is that they (Matt, whoever helped) have stolen ACF's slug (advanced-custom-fields). So as far as the updater is concerned, it's just another plugin update to the same code base.

And in fact, very little has changed.

replies(1): >>41832441 #
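Added example (not code from the thread, from ACF, or from WordPress): since the updater keys on the directory slug and main file, as the comment above explains, the only on-disk evidence of the swap is the "Plugin Name:" line in the plugin file header, the same header get_plugin_data() reads. This POSIX shell scan walks a directory of site roots and reports, per site, whether the plugin under the slug advanced-custom-fields still names itself Advanced Custom Fields. The layout $SITES_ROOT/<site>/wp-content/plugins/advanced-custom-fields/acf.php is an assumption for the example (acf.php is ACF's main file; where your site roots live is yours to fill in), and the names and version strings the demo writes out are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread or from ACF/WordPress): find which site
# roots carry a differently named plugin under the unchanged slug
# "advanced-custom-fields". The updater matches on slug + main file, so the
# on-disk evidence of the swap is the "Plugin Name:" line in the file header.
# Assumed layout (example only): $SITES_ROOT/<site>/wp-content/plugins/<slug>/acf.php

SLUG="advanced-custom-fields"
MAIN_FILE="acf.php"                     # ACF's main plugin file
EXPECTED_NAME="Advanced Custom Fields"

# plugin_header FILE KEY -> value of the first "Key: value" header line,
# accepting both the "/* Key: v" and " * Key: v" comment styles WordPress reads.
plugin_header() {
    [ -f "$1" ] || return 0
    sed -n "s/^[[:space:]*#]*[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r'
}

# scan_sites SITES_ROOT -> one line per site directory:
#   OK <site> <version> "<name>"       header still says Advanced Custom Fields
#   RENAMED <site> <version> "<name>"  same slug, different plugin name
#   MISSING <site>                     no <slug>/acf.php (absent, or main file renamed)
scan_sites() {
    for site in "$1"/*/; do
        site="${site%/}"
        [ -d "$site" ] || continue
        label="$(basename "$site")"
        main="$site/wp-content/plugins/$SLUG/$MAIN_FILE"
        if [ ! -f "$main" ]; then
            printf 'MISSING %s\n' "$label"
            continue
        fi
        name="$(plugin_header "$main" 'Plugin Name')"
        version="$(plugin_header "$main" 'Version')"
        if [ "$name" = "$EXPECTED_NAME" ]; then status="OK"; else status="RENAMED"; fi
        printf '%s %s %s "%s"\n' "$status" "$label" "${version:-?}" "$name"
    done
}

# count_renamed SITES_ROOT -> number of sites reported as RENAMED
count_renamed() {
    scan_sites "$1" | grep -c '^RENAMED ' || true
}

# write_plugin SITE_ROOT NAME VERSION -> constructed sample plugin header (demo data only)
write_plugin() {
    dir="$1/wp-content/plugins/$SLUG"
    mkdir -p "$dir"
    printf '<?php\n/*\n * Plugin Name: %s\n * Version: %s\n */\n' "$2" "$3" > "$dir/$MAIN_FILE"
}

# make_demo ROOT -> three constructed sites: untouched, renamed, plugin absent
make_demo() {
    write_plugin "$1/site-a" "Advanced Custom Fields" "6.3.6"
    write_plugin "$1/site-b" "Secure Custom Fields" "6.3.6.2"
    mkdir -p "$1/site-c/wp-content/plugins"
}

case "${1:-}" in
    --demo) demo="$(mktemp -d)"; make_demo "$demo"; scan_sites "$demo"
            printf 'renamed: %s\n' "$(count_renamed "$demo")"; rm -rf "$demo" ;;
    "")     ;;                          # no arguments: define functions only
    *)      scan_sites "$1" ;;
esac
```

Run it as `sh scan.sh /var/www/sites` (an assumed path) for the real fleet, or `sh scan.sh --demo` to see the three statuses on the constructed trees. A site that reports MISSING either lost the plugin or has it under a different main file name, so look at it by hand. Once each site is back on the copy you intend to run, wp-cli's `wp plugin auto-updates disable advanced-custom-fields` makes the next push under that slug wait for you instead of landing on a Saturday afternoon.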
15. mldevv ◴[] No.41831683[source]
WP and/or A8C took over the existing plugin, so that sites that have auto-update on were automatically bumped to the SCF version instead of the historical ACF which obviously had a different team of maintainers
16. system2 ◴[] No.41831688[source]
That's where the Sunday goes. I am trying to create an FTP script to mass update all wp-content plugins for this single package. It was on my mind but I was not expecting to have something bizarre happening from WordPress for one of the most crucial plugins in WordPress' existence.
replies(1): >>41832068 #
17. system2 ◴[] No.41831734[source]
We use ACF with WP Code auto insert. ACF has prepend and append (in presentation tab) and this can be used to wrap the value with classes or other tags such as IDs, JS or others. When the ACF name changed, the prepend and append broke because prepend/append text showing must be configured in functions.php like this:

<?php
// functions.php (or a WP Code snippet): wrap the formatted value of the ACF
// field "mysnippet1" in the prepend/append text set on its Presentation tab.
// acf/format_value/name={field_name} runs when the value is read through
// get_field()/the_field(); priority 20 runs after ACF's own formatting, and
// the callback receives ($value, $post_id, $field).
add_filter('acf/format_value/name=mysnippet1', 'mysnippet1acf', 20, 3);

function mysnippet1acf($value, $post_id, $field) {
    if (!empty($value)) {
        // $field['prepend'] / $field['append'] are the Presentation settings
        $value = trim($field['prepend'] . $value . $field['append']);
    } else {
        $value = '';
    }
    return $value;
}

Long story short, if you are using ACF with advanced features, including logic and presentation, this hostile takeover breaks it.

Doesn't even matter if you use prepend/append for the fields, our logic-based ACF fields are also broken.

replies(1): >>41832050 #
18. didgeoridoo ◴[] No.41832039[source]
“Advanced Tortious Interference”
replies(1): >>41832419 #
19. luckylion ◴[] No.41832050{3}[source]
Right, but why did that break? As far as I can tell that part hasn't been touched in the hostile takeover.

https://plugins.trac.wordpress.org/browser/advanced-custom-f...

It's still $this->add_field_filter( 'acf/format_value', array( $this, 'format_value' ), 10, 4 );

The file was last changed 7 weeks ago by deliciousbrains/wpengine and specifically the filter part is the same on their github.

replies(1): >>41832785 #
20. mpol ◴[] No.41832068{3}[source]
Have you ever looked into wp-cli? It was made for this kind of task.
replies(1): >>41832776 #
21. mfischface ◴[] No.41832233[source]
Can't wait for Matt to jump in and blame this on you.
22. sharphall ◴[] No.41832419{3}[source]
"Secure Tortious Interference"
23. arielcostas ◴[] No.41832441{3}[source]
IDK if WordPress plugins respect SEMVER, but shouldn't this auto-update thingy update only patch versions, or minor versions at most? Idk, breaking changes like these are definitely not something you want your CMS to do overnight when you won't notice until you receive complaints that your site is broken
replies(2): >>41832595 #>>41834608 #
24. sgdfhijfgsdfgds ◴[] No.41832595{4}[source]
Yeah.

I don't know off-hand what the rule is for plugin updates, actually; I'd have to look it up.

As far as WordPress itself is concerned, the updater definitely does not auto-push updates to major WP versions by default [0], and they continue to patch older versions for a long time.

But at any rate, whether the plugin updates respect SEMVER or not, Matt/WP.org pushed this bullshit out as the most minor of minor version number changes over the previous ACF version: 6.3.6.2.

https://wordpress.org/plugins/advanced-custom-fields/advance... (scroll down to the bottom and you can download the previous version to diff it)

So as far as the poor benighted plugin updater is concerned, it's just a change to the display name, which is inconsequential.

[0] WP Engine do, ironically, on a pretty short timescale!

25. system2 ◴[] No.41832776{4}[source]
We use the wp-cli with cron jobs such as indexing when we post with API or database-related things. Even with wp-cli we must login to SSH individually. And this doesn't give us the wp-cli option since it is a 3rd party zip file. We could possibly get the file, extract, and delete the old plugin with cli, and then enable the last updated plugin with cli again with a script. Either way, we must create a script or suck it up, go into each wp individually, and take care of it from the backend...
replies(2): >>41832923 #>>41867114 #
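Added example, not code from the thread, from ACF, or from WordPress: the file-level version of the swap described above (and of jnd10's advice earlier to install the plugin from the ACF site), written so it can be run in a loop over many site roots. It assumes the vendor zip has already been unpacked once, for instance with `unzip -q advanced-custom-fields.zip -d /tmp/acf-stage`, giving /tmp/acf-stage/advanced-custom-fields/acf.php; that each site root holds wp-content/plugins/; and that file ownership is handled by the caller (chown -R after the swap if PHP runs as a different user). The staging path, the replaced-plugins directory name and the sample headers the demo writes are all assumptions for the example. The one check that matters happens before anything is touched: the staged copy's own "Plugin Name:" header must read "Advanced Custom Fields", so a stale staging directory or a zip of the wrong plugin is not fanned out to 150 sites.

```shell
#!/bin/sh
# Added example (not from the thread or from ACF/WordPress): put a vendor copy
# of the plugin back under the slug on one site, keep the replaced tree, and
# refuse to act unless the staged copy is the plugin you expect.
# Assumed layout (example only):
#   staged copy: unzip -q advanced-custom-fields.zip -d /tmp/acf-stage
#                -> /tmp/acf-stage/advanced-custom-fields/acf.php
#   site root:   <site>/wp-content/plugins/
# File ownership is left to the caller (chown -R after the swap if needed).

SLUG="advanced-custom-fields"
MAIN_FILE="acf.php"
EXPECTED_NAME="Advanced Custom Fields"

# plugin_header FILE KEY -> value of the first "Key: value" plugin header line
plugin_header() {
    [ -f "$1" ] || return 0
    sed -n "s/^[[:space:]*#]*[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r'
}

# swap_plugin SITE_ROOT STAGED_DIR -> replace <site>/wp-content/plugins/<slug>
# with a copy of STAGED_DIR. Prints: swapped <site> "<old name>" -> "<new name>".
# Returns 1 without touching the site if STAGED_DIR's header is not EXPECTED_NAME.
swap_plugin() {
    site="$1"
    staged="$2"
    target="$site/wp-content/plugins/$SLUG"
    new_name="$(plugin_header "$staged/$MAIN_FILE" 'Plugin Name')"
    if [ "$new_name" != "$EXPECTED_NAME" ]; then
        printf 'refusing %s: staged copy is "%s", expected "%s"\n' \
            "$site" "$new_name" "$EXPECTED_NAME" >&2
        return 1
    fi
    old_name="$(plugin_header "$target/$MAIN_FILE" 'Plugin Name')"
    if [ -d "$target" ]; then
        # Park the replaced tree outside plugins/ (WordPress lists every
        # directory in there as a plugin) and keep it for diffing later.
        park="$site/wp-content/replaced-plugins"
        mkdir -p "$park"
        mv "$target" "$park/$SLUG.$(date +%Y%m%d%H%M%S)"
    fi
    # Copy rather than move, so one staged tree serves every site in a loop.
    cp -R "$staged" "$target"
    printf 'swapped %s "%s" -> "%s"\n' "$site" "${old_name:-none}" \
        "$(plugin_header "$target/$MAIN_FILE" 'Plugin Name')"
}

# write_plugin DIR NAME VERSION -> constructed sample plugin main file (demo data only)
write_plugin() {
    mkdir -p "$1"
    printf '<?php\n/*\nPlugin Name: %s\nVersion: %s\n*/\n' "$2" "$3" > "$1/$MAIN_FILE"
}

case "${1:-}" in
    --demo)
        tmp="$(mktemp -d)"
        write_plugin "$tmp/site/wp-content/plugins/$SLUG" "Secure Custom Fields" "6.3.6.2"
        write_plugin "$tmp/stage/$SLUG" "Advanced Custom Fields" "6.3.6"
        write_plugin "$tmp/wrong/$SLUG" "Some Other Plugin" "1.0"
        swap_plugin "$tmp/site" "$tmp/wrong/$SLUG" || echo "(refused, as intended)"
        swap_plugin "$tmp/site" "$tmp/stage/$SLUG"
        rm -rf "$tmp" ;;
    "") ;;                              # no arguments: define functions only
    *)  # swap.sh SITES_ROOT STAGED_DIR: every site directory under SITES_ROOT
        for site in "$1"/*/; do swap_plugin "${site%/}" "$2"; done ;;
esac
```

Because the slug and the main file path are unchanged, the active_plugins entry advanced-custom-fields/acf.php keeps pointing at the new directory and no re-activation is needed; should a vendor build ever change the main file name, `wp plugin activate` becomes necessary (an assumption about future builds, not something the thread states). The replaced tree is parked under wp-content/replaced-plugins/ rather than left beside the target, because anything inside wp-content/plugins/ shows up in the plugin list, and keeping it means the copy the updater installed can still be diffed against the vendor zip afterwards.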
26. system2 ◴[] No.41832785{4}[source]
Whatever they did, it didn't work. Maybe we are over-customizing it but it is not unheard of to use ACF with multiple other plugins such as WP Code and custom scripts.
replies(2): >>41832838 #>>41833291 #
27. batuhanicoz ◴[] No.41832838{5}[source]
The initial release of SCF only applied security fixes, changed the plugin name and removed upsells. I don't think there is any change that might cause the issue you are having.

If you can share the problem you are experiencing on Making WordPress Slack (#secure-custom-fields channel), I'm sure relevant people would love to help out ASAP.

I work at Automattic and I can get you in touch with people from WordPress.org if that's easier. You can email me at batuhan@a8c.com.

If there are any bugs, regressions or any issues with the fork, it's in the interest of everyone to quickly find and resolve them, so I'm sure your help would be appreciated.

replies(1): >>41833353 #
28. mldevv ◴[] No.41832923{5}[source]
As an agency dev, this is the shit they don't think about. In my case, all that would have to be billed or go through pro-bono approval process.

"Just update it!" Until it all goes to shit, and we have to triage the whole mess.

Sorry you are dealing with this, I have spent the better part of the weekend trying to get them to understand this was inevitable.

Devs: "Don't deploy on Fridays" A8C/Matt: "We will deploy on SATURDAYS"

replies(1): >>41834962 #
29. wpinsider ◴[] No.41833291{5}[source]
Strongly recommend installing the genuine ACF from www.advancedcustomfields.com - the WP Engine and ACF teams have provided timely updates (even fixed Automattic’s spurious security issue in less than a day) and have uploaded a permanent fix to MM’s malicious hack of ACF to create SCF.
30. ChallengeEup237 ◴[] No.41833353{6}[source]
So you guys don't get sued any further for essentially hijacking a distribution channel and pushing an unauthorized version?

If I were an employee of A8C I wouldn't be touching this code with a ten-foot pole - employees can still be found guilty of criminal wrongdoing even if their employer told them to do something.

31. foosantos ◴[] No.41833738[source]
I've been monitoring the SCF forums as well on WPorg, and there have been no reports of issues since moving to SCF.

It would be fantastic if people could open a topic there or a thread on Slack if they face any issues.

replies(4): >>41833740 #>>41835319 #>>41842233 #>>41845242 #
32. foosantos ◴[] No.41833740[source]
https://wordpress.org/support/plugin/advanced-custom-fields/
33. photomatt ◴[] No.41833808[source]
I don't think anything about our update could cause the issues he describes and we've had no other reports, this is the only claim on the internet, and doesn't include enough technical details to tell if it's an actual bug or not.

If it's a bug, our bad and we'll fix ASAP. If it's a bug, it's a very rare one. There have been 225k downloads of the SCF plugin in the past 24 hours, implying a lot of updates. I would estimate at least 60% of the sites with auto-upgrade on and using .org for updates have done so already. https://wordpress.org/plugins/advanced-custom-fields/advance...

That said, I'm happy to pay system2 whatever he thinks his time was "spent" on a Sunday is worth. Just let me know an amount and where to send. You can contact me here: https://ma.tt/contact/ .

replies(4): >>41833913 #>>41835456 #>>41865097 #>>41886700 #
34. hashim-warren ◴[] No.41833913{3}[source]
Matt, you say that you've had no other reports and this is the only claim on the Internet.

That's not true. You have users on the support forums reporting issues with SCF.

"this has caused an incident requiring unscheduled maintenance on a weekend. I use this plugin on a couple hundred sites I help maintain, so this has been a very bad experience "

https://wordpress.org/support/topic/plugin-hijacked-on-weeke...

35. mldevv ◴[] No.41834608{4}[source]
Yes and that is a huge deal - I made this point to others that it shouldn't be considered a minor version change
replies(1): >>41840583 #
36. system2 ◴[] No.41834962{6}[source]
We finished nearly half. Urgent ones are done but I need to spend another 5-10 hours tomorrow. Today really sucked.
37. tone ◴[] No.41835319[source]
No one should risk an unknown entity taking illegal control of a key plugin on their site. I can't imagine anyone wanting WP.org to weaponize more plugins on their site.

Update ACF and stay secure against this latest threat. https://www.advancedcustomfields.com/blog/installing-and-upg...

38. ChrisAntaki ◴[] No.41835456{3}[source]
Thanks for improving on ACF. The plugin went downhill after the creator stepped away, IMO.

A while back, I bought a lifetime "Pro" license for ACF. It worked great for years. The last few times I tried ACF though, the admin experience felt degraded. My impression was their early customers had become an afterthought.

Looking forward to trying SCF. I have higher hopes for the plugin now.

replies(1): >>41835733 #
39. hadad ◴[] No.41835660[source]
Plugin theft FAFO moment, doing bad QA, what a joke
40. ChrisAntaki ◴[] No.41835822{5}[source]
Hi account with no other comments, no submissions, and no favorites, after registering 5+ years ago
replies(1): >>41840533 #
41. mrdoe ◴[] No.41840533{6}[source]
My time has come, I will not lurk anymore. Where are the pitchforks btw?
replies(1): >>41847147 #
42. sgdfhijfgsdfgds ◴[] No.41840583{5}[source]
Right. And actually this small detail is emblematic of the whole problem.

When you roll out an auto-updates mechanism you're saying to the people who enable it "you can trust us to do the right thing with your project while you are elsewhere -- this is a risk but it's one we manage for your benefit".

If you roll out a change for purely political/commercial reasons that are ultimately not your end user's concern -- we're not a party to that lawsuit -- then you're undermining the trust in that mechanism entirely.

It was a stupid, arrogant, underhanded thing to do.

43. throw16180339 ◴[] No.41842233[source]
Matt is removing negative comments and reviews.
44. DanielLestrange ◴[] No.41845242[source]
Are you being sarcastic or a jerk? No issues? At least 50 deleted reviews spoke for themselves!

Yeah, you didn’t produce any “technical” issues other than now maintaining a plugin that isn’t yours to start with, gathering thousands of positive reviews that aren’t yours, and selling it as a security fix which you didn’t fix.

I don’t understand how you can even show your face in public. You and your fellow matticians are a shame to the entire open source community.

45. ndndjdjdn ◴[] No.41847147{7}[source]
Wot. Everyone has an old throwaway?
46. throw16180339 ◴[] No.41865097{3}[source]
> I don't think anything about our update could cause the issues he describes and we've had no other reports, this is the only claim on the internet, and doesn't include enough technical details to tell if it's an actual bug or not.

Don't gaslight us. You've been removing negative reviews.

47. WesolyKubeczek ◴[] No.41867114{5}[source]
For the future — this use case screams "Ansible!"
48. btasker ◴[] No.41886700{3}[source]
> I don't think

No, you just act and screw everyone else.

There's no justification for this whatsoever - it was your actions which meant that the ACF team couldn't manage the plugin on dotorg, and the issue you fixed was unbelievably minor.

If you even had a point in the beginning, you've fatally undermined it. Hell, WPE's motion for a preliminary injunction even now notes that your actions here have potentially fallen into CFAA territory - https://storage.courtlistener.com/recap/gov.uscourts.cand.43...

Given you've been banning dissenters from Slack, I wonder "why" people might not be reporting issues where you can see them?