Plugin hijacked on weekend, required update triage

  • Anonymous User

    (@anonymized-23151805)


    1 month, 2 weeks ago

    This plugin was hijacked without consent from the existing authors/maintainers on a Saturday without advanced notice to users – this has caused an incident requiring unschedule maintenance on a weekend. I use this plugin on a couple hundred sites I help maintain, so this has been a very bad experience for me as a site maintainer.

Viewing 4 replies - 1 through 4 (of 4 total)

  • ACF/SCF is part of wordpress core now, nothing was hijacked.

    What incident has the update caused? Where you by any chance using the $_REQUEST global variable in metabox callback configured from [Edit Post Type] / Advanced Settings / Visibility / Custom Meta Box Callback? If so then that is no longer possible as it is a security issue, read more about the CVE on Wordfence

    Thread Starter Anonymous User

    (@anonymized-23151805)

    ACF is absolutely not part of core as of time of writing this review.

    Can you tell us more about what incident the update caused?

    @adrianlambertz I’m not defending anyone and I’m not affiliated with any of them, I ended up here after receiving update notifications from my clients websites and entered panic mode right away after reading the fake titles that the plugin was hijacked bcz that means something completely different eg hackers taking over websites after updating the plugin.

    So after reading thar WP has taken the maintenance of the ACF plugin as SCF I was relieved in the context of “hijacking”, but that not imply that I defend or support this move from them as this shouldn’t have happened.

    WP has the right to fork the code but does not have the right to use acf branding and their reputation built from years of reviews, they should have started clean and nobody is saying otherwise.

Viewing 4 replies - 1 through 4 (of 4 total)
  • You must be logged in to reply to this review.