WordPress ACF Encourages Insecure Theming

Recently, I’ve been doing a fair amount of WordPress work, which all but requires the use of the popular Advanced Custom Fields plugin. This plugin, which boasts 1+ million active installs, provides the ability to attach fields to content.

ACF provides two functions to render a field's value: get_field() and the_field(). The former returns the field's value, and the latter prints it. Neither function escapes the stored value on output. Any user who can write to a field that a theme prints this way, and who lacks the unfiltered_html capability, can therefore store HTML and script that runs in every visitor's browser: stored cross-site scripting (XSS).

ACF Will Print Anything a User Inputs

A user who can store input in an ACF field can render anything client-side: an iframe, JavaScript, etc. In Anchorman, Ron Burgundy will read anything on the teleprompter. In WordPress, ACF will print anything a user inputs.

ACF Encourages Insecure Theming

At the theme level, it's certainly possible to escape the value before printing it; however, ACF doesn't even mention this as an option in its documentation. Take a look at the documentation for get_field() and the_field(). Themers are plainly being instructed to print unescaped user input.

Escape on Output

It's straightforward to address this vulnerability in the theme. Instead of this:

<?php echo get_field('text'); ?>

Do something like this:

<?php echo filter_var(get_field('text'), FILTER_SANITIZE_STRING); ?>

One caveat: FILTER_SANITIZE_STRING strips tags rather than encoding them, so legitimate text such as "5 < 6" is mangled, it does not encode "&", and the filter is deprecated as of PHP 8.1. WordPress's own escaping functions are the better choice and are already loaded in every theme: esc_html() for text between tags, esc_attr() for attribute values, esc_url() for href/src values, and wp_kses_post() for WYSIWYG fields that must keep a safe subset of HTML. Pick the function that matches the HTML context the value lands in.
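The following is an added example, not code from the original post or from the ACF plugin, covering both the "prints anything" problem above and the fix: the same two field values rendered the way the ACF docs show and then with context-matched escaping. The field values are constructed payloads. Inside WordPress the real get_field(), esc_html(), esc_attr() and esc_url() are used; the function_exists() stand-ins below exist only so the file runs from the command line with plain PHP, and the assumption is that they approximate the real functions' behaviour on these inputs (esc_url() in particular does more than the stand-in shows).

```php
<?php
/**
 * Added example (not from the original post or from ACF).
 * Run with: php acf-escaping.php
 *
 * The stand-ins below are only defined when the real WordPress functions
 * are absent, so this file also behaves correctly when dropped into a theme.
 * Assumption: on the constructed inputs, the stand-ins match WordPress.
 */

// Constructed sample values, standing in for what a Contributor or Author
// (no unfiltered_html capability) could type into ACF text and URL fields.
const CONSTRUCTED_META = [
    'text' => '<script>alert(document.cookie)</script> "quoted" & 5 < 6',
    'link' => 'javascript:alert(document.domain)',
];

if (!function_exists('get_field')) {
    // Stand-in for ACF's get_field($selector, $post_id = false).
    function get_field(string $selector, $post_id = false) {
        return CONSTRUCTED_META[$selector] ?? null;
    }
}
if (!function_exists('esc_html')) {
    // esc_html(): HTML-encodes &, <, >, " and ' for text between tags.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    // esc_attr(): same encoding, for values inside quoted attributes.
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // esc_url(): WordPress returns '' for schemes outside its allow-list
    // (javascript:, data:, ...). Approximated here with a short list.
    function esc_url(string $url): string {
        $allowed = ['http', 'https', 'mailto', 'tel', 'ftp'];
        $url     = trim($url);
        $scheme  = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if ($scheme !== '' && !in_array($scheme, $allowed, true)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

/** What the ACF docs show: the stored value reaches the page byte-for-byte. */
function render_unescaped(): string
{
    return '<p>' . get_field('text') . '</p>'
         . '<a href="' . get_field('link') . '">more</a>';
}

/** The hardened version: escape at output, matching each HTML context. */
function render_escaped(): string
{
    // ACF returns null/false for unset fields; cast so the escapers get a string.
    $text = (string) get_field('text');
    $link = (string) get_field('link');
    return '<p>' . esc_html($text) . '</p>'                       // text node
         . '<a href="' . esc_url($link) . '"'                     // URL attribute
         . ' title="' . esc_attr($text) . '">more</a>';           // plain attribute
}

echo "UNESCAPED (script runs, javascript: link is live):\n", render_unescaped(), "\n\n";
echo "ESCAPED (markup is inert, bad scheme dropped):\n", render_escaped(), "\n";
```

In the escaped output the script tag becomes literal text, the quotes and ampersand are encoded so the title attribute cannot be broken out of, "5 < 6" survives intact (which FILTER_SANITIZE_STRING would have truncated at the "<"), and the javascript: link collapses to href="". The choice of escaper is driven by where the value lands in the HTML, not by the field type.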
