6.3.10
Release Date 29th October 2024- Security - Setting a metabox callback for custom post types and taxonomies now requires being an admin, or super admin for multisite installs
- Security - Field specific ACF nonces are now prefixed, resolving an issue where third party nonces could be treated as valid for AJAX calls
- Enhancement - A new “Close and Add Field” option is now available when editing a field group, inserting a new field inline after the field being edited
- Enhancement - ACF and ACF PRO now share the same plugin updater for improved reliability and performance
- Fix - Exporting post types and taxonomies containing metabox callbacks now correctly exports the user defined callback
6.3.9
Release Date 15th October 2024- Security - Editing an ACF Field in the Field Group editor can no longer execute a stored XSS vulnerability. Thanks to Duc Luong Tran (janlele91) from Viettel Cyber Security for the responsible disclosure
- Security - Post Type and Taxonomy metabox callbacks no longer have access to any superglobal values, hardening the original fix from 6.3.8 further
- Fix - ACF fields now correctly validate when used in the block editor and attached to the sidebar
6.3.8
Release Date 7th October 2024- Security - ACF defined Post Type and Taxonomy metabox callbacks no longer have access to $_POST data. (Thanks to the Automattic Security Team for the disclosure)