Secure Custom Fields by WordPress.org

So WordPress-the-org — which is effectively Matt, as far as I can tell — just Sherlocked a developer's plug-in using the developer's own code, ostensibly as retribution for a security issue that the developer had already fixed. https://www.advancedcustomfields.com/blog/acf-6-3-8-security...

What am I missing?

This release fixes a separate security vulnerability from the original update.

Unfortunately you have no proof of that, because the only relevant changes are actually neither introducing fixes, nor ever changing the plugin core code in a way that fixes security issues. The only thing done is removing a LOT of references, links, and instructions that would remind of WP Engine, as well as all compatibility with the POR features.

Then, you added a few irrelevant changes that to the inexperienced eye look like security fixes https://plugins.trac.wordpress.org/changeset?old_path=%2Fadv...

However, these are no fixes. You just introduce a new variable, that you never use, and re-assign the same contents of that new variable back to the $_REQUEST

Unless you show proof of a security fix - which you could have pushed to users WITHOUT renaming the plugin, WITHOUT removing original, non-security related code, and WITHOUT breaking compatibility with the PRO features - you have LIED and STOLEN code in the name of WP.ORG

This will hopefully be recognized by WP Engine and if god wills, remove you from the equation once and for all legally speaking.

> However, these are no fixes. You just introduce a new variable, that you never use, and re-assign the same contents of that new variable back to the $_REQUEST

While this whole takeover thing is completely ridiculous, it's you who displays an "inexperienced eye" here. What do you think the $original_post variable (which was already there) is doing, huh?

The same. Nothing. The “security” issue here would be that the user callback can access post and request data. Tell me one place in the entire wp code base where that is NOT possible?

Security issues can be fixed WITHOUT renaming the plugin or removing links and text even if the original author has no access anymore

And that “fix” is ridiculous. If anything it breaks code of users who were actually adding callbacks using that data. It’s the nature of php that you can access those details - it’s up to the caller to know what to do with it. If anything, the usage of user callback is an issue here.

And in any thinkable case this ain’t a security fix that was done. A security fix would include that and only that change.

For some context how you MIGHT actually “fix” the true security concern in this code: $allowed_callbacks = ['some_function', 'another_function']; // Example of allowed functions if ( in_array($original_cb, $allowed_callbacks, true) && is_callable($original_cb) ) { $return = call_user_func($original_cb, $post); } else { // Log or handle invalid callbacks safely $return = false; }

Tampering with global variables or else is NOT a fix, and this one in particular is like pointing out a crumb on the child’s mouth and grounding it for not brushing its teeth.

You could apply a filter to allow filtering the allowed callbacks, if you really want to allow more than the hardcoded whitelist.

In the end it still boils down to “do not use user callbacks” as the better security fix, which again shows how “they” didn’t fix a thing here. This is a blatant excuse for legal CYA.