ACF vulnerability deep-dive, plugin-check plugin updates and WPackagist support


Hey Reader! On Monday I posted a few tweets, toots and threads that could be interesting to you as a developer. Below is a summary of them:

After hearing about the ACF "fork" (more like a takeover) justified by an unresolved security issue, I immediately went looking at the changesets to find the actual issue (what could be so critical?). Turns out (see the Twitter thread) ACF now allows you to register custom post types and taxonomies from the WP admin, and one of the settings to configure is the "Custom Meta Box Callback". That value is forwarded to the core WP register_post_type() function and WordPress calls it when it sets up the meta boxes on the edit screen in the admin. The fix in SCF is to empty the $_REQUEST superglobal for the duration of that callback, the same way it already did for $_POST. So the vulnerability relies on (1) an administrator setting the callback to the name of a function that, given request data, could somehow harm other users or leak data, and (2) that function already being present in the codebase, since the setting is a function name, not code. What do you think — should plugins allow such user input?
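To make the two conditions concrete, here is an added standalone PHP illustration (not ACF or SCF code, and not the actual patch). It simulates how an admin-stored callback name ends up being invoked on the edit screen, and what emptying $_POST and $_REQUEST around that call changes. The function legacy_import_handler(), the request fields, and the post object are all constructed for this example; in WordPress the stored string becomes the 'register_meta_box_cb' argument of register_post_type().

```php
<?php
// Added standalone illustration, not ACF/SCF code. Simulates how an admin-stored
// "Custom Meta Box Callback" (a function name) is invoked on the edit screen,
// and how emptying the request superglobals around the call removes the
// attacker-influenced input the callback would otherwise see. Function names,
// request fields and the post object are constructed for this example.

// Constructed request, as a browser would send it to the post edit screen.
$_GET     = ['post' => '42', 'action' => 'edit'];
$_POST    = ['import_source' => 'https://attacker.example/payload'];
$_REQUEST = array_merge($_GET, $_POST);

// Hypothetical function that already exists somewhere in the codebase and
// trusts request data without a nonce or capability check. An administrator
// typing its name into the callback setting is condition (1) above.
function legacy_import_handler(object $post): string {
    $source = $_REQUEST['import_source'] ?? $_POST['import_source'] ?? '(none)';
    return "post {$post->ID}: import from {$source}";
}

// What the admin stored; in WordPress this string becomes the
// 'register_meta_box_cb' argument of register_post_type().
$stored_setting = 'legacy_import_handler';

// Before the fix: the admin-supplied callable runs against the live request.
function run_meta_box_cb_vulnerable(string $cb, object $post): ?string {
    return is_callable($cb) ? call_user_func($cb, $post) : null;
}

// After the fix: stash and empty $_POST and $_REQUEST for the duration of the
// call, then restore them so the rest of the request proceeds normally.
function run_meta_box_cb_hardened(string $cb, object $post): ?string {
    if (!is_callable($cb)) {
        return null;
    }
    $saved_post    = $_POST;
    $saved_request = $_REQUEST;
    $_POST = $_REQUEST = [];
    try {
        return call_user_func($cb, $post);
    } finally {
        $_POST    = $saved_post;
        $_REQUEST = $saved_request;
    }
}

$post = (object) ['ID' => 42];
echo run_meta_box_cb_vulnerable($stored_setting, $post), PHP_EOL;
echo run_meta_box_cb_hardened($stored_setting, $post), PHP_EOL;
// $_POST and $_REQUEST are intact again here for the rest of the request.
```

Running it with `php example.php` shows the vulnerable path handing the POSTed value to the callback while the hardened path gives it nothing. Note what the fix does not cover: $_GET is untouched, and a callback that reads the raw body via php://input sees the same data as before. Emptying the superglobals narrows what a trusting function can reach, but it does not make an arbitrary admin-chosen function safe to call, which is why the design question above still stands.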

Then I tweeted about how the plugin-check plugin (used as part of plugin submission reviews for WP.org) had introduced a check that restricts the use of the custom plugin headers used by Git Updater and similar plugins. Fortunately, that has now been reverted, as the intention appears to have been to prevent the inclusion of the Git Updater code itself in plugins submitted to the WP.org repository, not the headers.

Finally, I learned that the WPackagist.org project, which provides access to WP.org-hosted plugins and themes via Composer and is used by many enterprise projects, has $0 of incoming donations against the $150/month required to keep the servers running. This is a good time to recognize the value they offer to the community and see if your business or employer could support it through a GitHub sponsorship (which is now available to organizations as well!).

With so much going on in the WP community these days it is definitely hard to focus on the tasks at hand and continue building the courses.

Hope you have a great week!
Kaspars
