Nation’s WordPress Admins Gently Place Foreheads On Desks As ACF Announces Another Security Patch
In what experts are calling “Wednesday,” Advanced Custom Fields has released version 6.8.4, once again reminding site owners that the most important field type is apparently “existential dread.”
The update includes a security fix ensuring ACF AJAX field handlers validate that a request nonce was created for the expected field type — a sentence so deeply WordPress that reading it automatically adds three transients to your database.
ACF PRO also now satisfies plugin dependencies declared against advanced-custom-fields, meaning plugins that require ACF can finally activate when only ACF PRO is installed — a breakthrough previously thought impossible by top scientists and at least four agency developers screaming into Slack.
Additional fixes include preventing acf_form() from fatal-erroring when WordPress hasn’t finished building the main query, stopping multiple forms from silently eating field values like a raccoon in a dumpster, and resolving an issue where duplicated V3 blocks displayed corrupted previews, which many users had mistaken for “the client’s final approved design.”
The update also fixes a bug where switching tabs containing WYSIWYG fields could pin the admin menu against a shorter page and lock scrolling, giving developers the authentic sensation of being trapped inside wp-admin forever.
At press time, WordPress site owners were calmly updating ACF, clearing cache, checking staging, refreshing production, checking error logs, and whispering, “Surely this is the last one,” despite everyone in the room knowing it was not.