Deploying version 6.3.8

acf.php

@@ -9,7 +9,7 @@
  * Plugin Name:       Advanced Custom Fields
  * Plugin URI:        https://www.advancedcustomfields.com
  * Description:       Customize WordPress with powerful, professional and intuitive fields.
- * Version:           6.3.7
+ * Version:           6.3.8
  * Author:            WP Engine
  * Author URI:        https://wpengine.com/?utm_source=wordpress.org&utm_medium=referral&utm_campaign=plugin_directory&utm_content=advanced_custom_fields
  * Update URI:        false
@@ -36,7 +36,7 @@ class ACF {
 		 *
 		 * @var string
 		 */
-		public $version = '6.3.7';
+		public $version = '6.3.8';
 
 		/**
 		 * The plugin settings array.

includes/class-PluginUpdater.php

@@ -124,10 +124,13 @@ public function filter_plugin_update_transient( $transient ) {
 			return $transient;
 		}
 
+		$res = $this->parse_plugin_info( $result );
+
 		if ( version_compare( $this->properties['plugin_version'], $result->version, '<' ) ) {
-			$res                                 = $this->parse_plugin_info( $result );
 			$transient->response[ $res->plugin ] = $res;
 			$transient->checked[ $res->plugin ]  = $result->version;
+		} else {
+			$transient->no_update[ $res->plugin ] = $res;
 		}
 
 		return $transient;

includes/class-acf-site-health.php

@@ -287,6 +287,11 @@ public function get_site_health_values(): array {
 				'debug' => $is_pro ? 'PRO' : 'Free',
 			);
 
+			$fields['update_source'] = array(
+				'label' => __( 'Update Source', 'acf' ),
+				'value' => __( 'ACF Direct', 'acf' ),
+			);
+
 			if ( $is_pro ) {
 				$fields['activated'] = array(
 					'label' => __( 'License Activated', 'acf' ),

includes/post-types/class-acf-post-type.php

@@ -528,9 +528,9 @@ public function get_post_type_args( $post, $escape_labels = true ) {
 				$args['supports'] = $supports;
 			}
 
-			// Handle register meta box callbacks if set from an import.
+			// Handle register meta box callbacks safely
 			if ( ! empty( $post['register_meta_box_cb'] ) ) {
-				$args['register_meta_box_cb'] = (string) $post['register_meta_box_cb'];
+				$args['register_meta_box_cb'] = array( $this, 'build_safe_context_for_metabox_cb' );
 			}
 
 			// WordPress doesn't register any default taxonomies.
@@ -619,6 +619,45 @@ public function get_post_type_args( $post, $escape_labels = true ) {
 			return apply_filters( 'acf/post_type/registration_args', $args, $post );
 		}
 
+		/**
+		 * Ensure the metabox being called does not perform any unsafe operations.
+		 *
+		 * @since 6.3.8
+		 *
+		 * @param WP_Post $post The post being rendered.
+		 * @return mixed The callback result.
+		 */
+		public function build_safe_context_for_metabox_cb( $post ) {
+			$post_types = $this->get_posts();
+			$this_post  = array_filter(
+				$post_types,
+				function ( $post_type ) use ( $post ) {
+					return $post_type['post_type'] === $post->post_type;
+				}
+			);
+			if ( empty( $this_post ) || ! is_array( $this_post ) ) {
+				// Unable to find the ACF post type. Don't do anything.
+				return;
+			}
+			$acf_post_type = array_shift( $this_post );
+			$original_cb   = isset( $acf_post_type['register_meta_box_cb'] ) ? $acf_post_type['register_meta_box_cb'] : false;
+
+			// Prevent access to any wp_ prefixed functions in a callback.
+			if ( apply_filters( 'acf/post_type/prevent_access_to_wp_functions_in_meta_box_cb', true ) && substr( strtolower( $original_cb ), 0, 3 ) === 'wp_' ) {
+				// Don't execute register meta box callbacks if an internal wp function by default.
+				return;
+			}
+
+			$original_post = $_POST; //phpcs:ignore -- Only used as temporary storage to prevent CSRFs in callbacks.
+			$_POST         = array();
+			$return        = false;
+			if ( is_callable( $original_cb ) ) {
+				$return = call_user_func( $original_cb, $post );
+			}
+			$_POST = $original_post;
+			return $return;
+		}
+
 		/**
 		 * Returns a string that can be used to create a post type in PHP.
 		 *

includes/post-types/class-acf-taxonomy.php

@@ -423,7 +423,7 @@ public function get_taxonomy_args( $post, $escape_labels = true ) {
 			$meta_box = isset( $post['meta_box'] ) ? (string) $post['meta_box'] : 'default';
 
 			if ( 'custom' === $meta_box && ! empty( $post['meta_box_cb'] ) ) {
-				$args['meta_box_cb'] = (string) $post['meta_box_cb'];
+				$args['meta_box_cb'] = array( $this, 'build_safe_context_for_metabox_cb' );
 
 				if ( ! empty( $post['meta_box_sanitize_cb'] ) ) {
 					$args['meta_box_sanitize_cb'] = (string) $post['meta_box_sanitize_cb'];
@@ -504,6 +504,46 @@ public function get_taxonomy_args( $post, $escape_labels = true ) {
 			return apply_filters( 'acf/taxonomy/registration_args', $args, $post );
 		}
 
+		/**
+		 * Ensure the metabox being called does not perform any unsafe operations.
+		 *
+		 * @since 6.3.8
+		 *
+		 * @param WP_Post $post The post being rendered.
+		 * @param array   $tax  The provided taxonomy information required for callback render.
+		 * @return mixed The callback result.
+		 */
+		public function build_safe_context_for_metabox_cb( $post, $tax ) {
+			$taxonomies = $this->get_posts();
+			$this_tax   = array_filter(
+				$taxonomies,
+				function ( $taxonomy ) use ( $tax ) {
+					return $taxonomy['taxonomy'] === $tax['args']['taxonomy'];
+				}
+			);
+			if ( empty( $this_tax ) || ! is_array( $this_tax ) ) {
+				// Unable to find the ACF taxonomy. Don't do anything.
+				return;
+			}
+			$acf_taxonomy = array_shift( $this_tax );
+			$original_cb  = isset( $acf_taxonomy['meta_box_cb'] ) ? $acf_taxonomy['meta_box_cb'] : false;
+
+			// Prevent access to any wp_ prefixed functions in a callback.
+			if ( apply_filters( 'acf/taxonomy/prevent_access_to_wp_functions_in_meta_box_cb', true ) && substr( strtolower( $original_cb ), 0, 3 ) === 'wp_' ) {
+				// Don't execute register meta box callbacks if an internal wp function by default.
+				return;
+			}
+
+			$original_post = $_POST; //phpcs:ignore -- Only used as temporary storage to prevent CSRFs in callbacks.
+			$_POST         = array();
+			$return        = false;
+			if ( is_callable( $original_cb ) ) {
+				$return = call_user_func( $original_cb, $post, $tax );
+			}
+			$_POST = $original_post;
+			return $return;
+		}
+
 		/**
 		 * Returns a string that can be used to create a taxonomy in PHP.
 		 *

readme.txt

@@ -4,7 +4,7 @@ Tags: acf, fields, custom fields, meta, repeater
 Requires at least: 6.0
 Tested up to: 6.6
 Requires PHP: 7.4
-Stable tag: 6.3.7
+Stable tag: 6.3.8
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -94,6 +94,11 @@ From your WordPress dashboard
 
 == Changelog ==
 
+= 6.3.8 =
+*Release Date 7th October 2024*
+
+* Security - ACF defined Post Type and Taxonomy metabox callbacks no longer have access to $_POST data. (Thanks to the Automattic Security Team for the disclosure)
+
 = 6.3.7 =
 *Release Date 2nd October 2024*