6.3.8
Release Date 7th October 2024- Security - ACF defined Post Type and Taxonomy metabox callbacks no longer have access to $_POST data. (Thanks to the Automattic Security Team for the disclosure)
6.3.7
Release Date 2nd October 2024- Security - ACF Free now uses its own update mechanism from WP Engine servers
6.3.6
Release Date 28th August 2024- Security - Newly added fields now have to be explicitly set to allow access in the content editor (when using the ACF shortcode or Block Bindings) to increase the security around field permissions. See the release notes for more details
- Security Fix - Field labels are now correctly escaped when rendered in the Field Group editor, to prevent a potential XSS issue. Thanks to Ryo Sotoyama of Mitsui Bussan Secure Directions, Inc. for the responsible disclosure
- Fix - Validation and Block AJAX requests nonces will no longer be overridden by third party plugins
- Fix - Detection of third party select2 libraries will now default to v4 rather than v3
- Fix - Block previews will now display an error if the render template PHP file is not found