ACF 6.1.8+ Update

A security fix was released for ACF Pro v 6.1.8 on 8/3. Latest update for 6.2.0 was pushed out on 8/9. Any chance we can get updated to one of those asap? The security vulnerability is related to XSS and the current TC versions of ACF are all 6.1.7 and under which fall into that vulnerability zone.

I have sent another request for the security patch update, and we will probably just go straight to 6.2. Can’t wait for ACF to be on 6.3, WP to be on 6.3, and Pro to be on 6.3! Have a great weekend!

5 Likes

@charlie - Hah! That will be nice when they all align (briefly :p)

Thank you sir! Very much appreciated.

To give some background: Outside of the actual security issue itself (which is of utmost importance), my biggest secondary pain point with the security-related updates is that I provide realtime security monitoring on my client monthly reports. So this ACF issue is being marked as a known / open issue on the reports as of today and the reports show time to remedy. :slight_smile:

I vote for this too - two sites showing an XSS security vulnerability with ACF Pro. 617

@charlie, out of curiosity… who do you send that request to? ACF directly, or do you have an internal team that has to review each update?

Just curious if there might be a way these could get out a bit quicker, especially when there’s a vulnerability like this.

Thanks for all you do! It’s been so great having you in our corner :grinning:

2 Likes

100% agree here…

If you want to give feedback on this you could use the poll they provided in the last status update! The first question is about the release speed of new updates for extensions.

Just have to be careful with these types of polls. This is what got Theme.co into trouble around about the time of the original Pro release. Released it too early because of the community.

The average person often doesn’t understand the consequences of these types of things. ACF is baked into Pro and a critical part of many people’s sites. Imagine the auto updates cause an incompatibility with Pro. Nice to know the plugin is tested before being released to us.

That said, I do think a faster turnaround on plugins that have critical vulnerabilities is essential.

3 Likes

It’s been a few days now - if clients got a report from a security scan they’d be demanding a fix ASAP. Hey @charlie can we fast-track this please? Many thanks, Bill.

I’m getting it updated today. I send requests to an internal teammate. It’s something we’re trying to improve. The question placed in the poll was around the direction we would possibly go, but yes, I agree critical updates could be expedited.

2 Likes

Just received ACF 6.2.0 through WordPress update.

2 Likes