221 points michaelcampbell | 6 comments
system2 ◴[] No.41830709[source]
Oh god, this gave me a minor heart attack. We are using over 20 ACF fields for 150+ sites. I thought it was completely out of the WordPress ecosystem. I am glad they have the zip download and continuing auto updates.

EDIT: I confirm our ACF plugins on sites are all switched to secure custom fields. This is so shady, it broke our snippets because we are using prepend and append texts to wrap our field values. Now they are all broken and we have to update all our sites (also our client's sites). Let's see what comes next...

EDIT2: There goes my Sunday. I received our first ticket regarding broken homepage widgets. I have to sit down and update every site one by one. Thank you Matt Mullenweg for ruining my Sunday plans.

replies(13): >>41830770 #>>41831019 #>>41831125 #>>41831219 #>>41831312 #>>41831371 #>>41831420 #>>41831589 #>>41831598 #>>41831645 #>>41832233 #>>41833738 #>>41835660 #
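
For a fleet like the 150+ sites mentioned above, one way to see which installs now carry Secure Custom Fields in the ACF plugin directory is to read the plugin header on disk. This is an added example, not part of the thread; the directory name `advanced-custom-fields`, the main file `acf.php` and the default `wp-content/plugins` layout are assumptions to adjust per install.

```shell
#!/bin/sh
# Added example: report which plugin occupies the ACF plugin directory.
# Assumed defaults (not taken from the thread); override via environment.
PLUGIN_DIR="${PLUGIN_DIR:-wp-content/plugins/advanced-custom-fields}"
MAIN_FILE="${MAIN_FILE:-acf.php}"

# Print one header field ("Plugin Name", "Version") from a plugin main file.
# WordPress itself only reads headers from the first 8 KB of the file.
plugin_header() {
    head -c 8192 "$1" | tr -d '\r' |
        sed -n "s|^[[:space:]/*#@]*$2:[[:space:]]*||p" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

# Print scf, acf, unknown or absent for one WordPress root.
classify_site() {
    main="$1/$PLUGIN_DIR/$MAIN_FILE"
    if [ ! -f "$main" ]; then
        echo "absent"
        return 0
    fi
    case "$(plugin_header "$main" "Plugin Name")" in
        "Secure Custom Fields"*)   echo "scf" ;;
        "Advanced Custom Fields"*) echo "acf" ;;
        *)                         echo "unknown" ;;
    esac
}

# One tab-separated line per root: path, status, installed version.
audit_sites() {
    for root in "$@"; do
        status=$(classify_site "$root")
        version=""
        if [ "$status" != "absent" ]; then
            version=$(plugin_header "$root/$PLUGIN_DIR/$MAIN_FILE" "Version")
        fi
        printf '%s\t%s\t%s\n' "$root" "$status" "${version:--}"
    done
}

# Run as: sh audit.sh /var/www/site1 /var/www/site2 ...
if [ "$#" -gt 0 ]; then
    audit_sites "$@"
fi
```

An `unknown` result means the header matched neither name and the file deserves a manual look before any update is applied.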
luckylion ◴[] No.41831420[source]
> it broke our snippets because we are using prepend and append texts to wrap our field values

Did they also rename filters and functions? I thought it was only the name and mentions of ACF in the docs. What did you rely on?

replies(1): >>41831734 #
1. system2 ◴[] No.41831734[source]
We use ACF with WP Code auto insert. ACF has prepend and append (in presentation tab) and this can be used to wrap the value with classes or other tags such as IDs, JS or others. When the ACF name changed, the prepend and append broke because prepend/append text showing must be configured in functions.php like this:

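    // Wrap the formatted value of the "mysnippet1" field in its prepend/append text.
    add_filter('acf/format_value/name=mysnippet1', 'mysnippet1acf', 20, 3);

    function mysnippet1acf($value, $post_id, $field) {
        if (!empty($value)) {
            // Prepend and append come from the field's presentation settings.
            $value = trim($field['prepend'] . '' . $value . '' . $field['append']);
        } else {
            $value = '';
        }

        return $value;
    }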

Long story short, if you are using ACF with advanced features, including logic and presentation, this hostile takeover breaks it.

Doesn't even matter if you use prepend/append for the fields, our logic-based ACF fields are also broken.

replies(1): >>41832050 #
2. luckylion ◴[] No.41832050[source]
Right, but why did that break? As far as I can tell that part hasn't been touched in the hostile takeover.

https://plugins.trac.wordpress.org/browser/advanced-custom-f...

It's still $this->add_field_filter( 'acf/format_value', array( $this, 'format_value' ), 10, 4 );

The file was last changed 7 weeks ago by deliciousbrains/wpengine and specifically the filter part is the same on their github.

replies(1): >>41832785 #
3. system2 ◴[] No.41832785[source]
Whatever they did, it didn't work. Maybe we are over-customizing it, but it is not unheard of to use ACF with multiple other plugins such as WP Code and custom scripts.
replies(2): >>41832838 #>>41833291 #
4. batuhanicoz ◴[] No.41832838{3}[source]
The initial release of SCF only applied security fixes, changed the plugin name and removed upsells. I don't think there is any change that might cause the issue you are having.

If you can share the problem you are experiencing on Making WordPress Slack (#secure-custom-fields channel), I'm sure relevant people would love to help out ASAP.

I work at Automattic and I can get you in touch with people from WordPress.org if that's easier. You can email me at batuhan@a8c.com.

If there are any bugs, regressions or any issues with the fork, it's in the interest of everyone to quickly find and resolve them, so I'm sure your help would be appreciated.

replies(1): >>41833353 #
5. wpinsider ◴[] No.41833291{3}[source]
Strongly recommend installing the genuine ACF from www.advancedcustomfields.com - the WP Engine and ACF teams have provided timely updates (even fixed Automattic’s spurious security issue in less than a day) and have uploaded a permanent fix to MM’s malicious hack of ACF to create SCF.
6. ChallengeEup237 ◴[] No.41833353{4}[source]
So you guys don't get sued any further for essentially hijacking a distribution channel and pushing an unauthorized version?

If I were an employee of A8C I wouldn't be touching this code with a ten foot pole - employees can still be found guilty of criminal wrongdoing even if their employer told them to do something.