
Auditing the hostile takeover: ACF 6.3.6.1 to Secure Custom Fields 6.3.6.2

Matt Mullenweg, the founder of Automattic and co-creator of WordPress, has garnered a reputation for erratic and often controversial business decisions. Over the years, Automattic has steadily acquired and absorbed popular plugins and services within the WordPress ecosystem, raising concerns about monopolistic control and the future of open-source contributions. From WooCommerce to Tumblr, Mullenweg’s aggressive business strategy has not been without its detractors. Some developers have criticized his willingness to consolidate Automattic’s influence by taking over popular projects and then reshaping them to fit his vision, often at the expense of the original creators or the broader community.

In the world of WordPress plugins, Advanced Custom Fields (ACF) has long been a go-to tool for developers looking to extend their site’s functionality. Originally developed by Elliot Condon and later acquired by WP Engine, ACF became an integral part of many WordPress-powered websites. However, when Automattic recently took over the plugin, it sparked concerns about control and direction.

This takeover is part of a broader pattern of consolidation within the WordPress ecosystem. WP Engine’s acquisition of ACF was seen as a way to enhance its premium offering, while Automattic’s move to rebrand ACF as Secure Custom Fields (SCF) in version 6.3.6.2 signals an attempt to bring the plugin under its umbrella of core WordPress offerings.

But what does this rebranding mean for ACF’s functionality? Are there grey-area changes or hidden practices that reflect Automattic’s growing influence? In this post, we dive deep into the differences between ACF 6.3.6.1 (WP Engine) and SCF 6.3.6.2 (Automattic), focusing on any ethical or suspicious changes.

Key Findings in Version 6.3.6.2

1. Renaming and Rebranding

In version 6.3.6.2, Automattic rebranded Advanced Custom Fields to Secure Custom Fields, signaling a shift in ownership and strategy.

// ACF 6.3.6.1 (WP Engine)
* Plugin Name: Advanced Custom Fields
* Plugin URI: https://www.advancedcustomfields.com
* Author: WP Engine

// SCF 6.3.6.2 (Automattic)
* Plugin Name: Secure Custom Fields
* Plugin URI: http://wordpress.org/plugins/advanced-custom-fields/
* Author: Automattic

This rebranding represents Automattic’s effort to consolidate control over key plugins, raising concerns about future updates and the plugin’s open-source integrity.

2. Pro Features Removed

In ACF 6.3.6.1, users were prompted to upgrade to ACF Pro via built-in notices in the admin interface. However, in version 6.3.6.2, this functionality was completely removed:

// ACF 6.3.6.1
public function include_pro_features() {
    // Only render on the field-group list screen for this post type.
    if ( ! acf_is_screen( 'edit-' . $this->post_type ) ) {
        return;
    }

    // Nothing to upsell when Pro is installed and its licence is active.
    if ( acf_is_pro() && acf_pro_is_license_active() ) {
        return;
    }

    // Otherwise output the "upgrade to ACF Pro" notice view.
    acf_get_view( 'acf-field-group/pro-features' );
}

This removal hints at a shift in how Automattic plans to monetize the plugin, likely moving away from WP Engine’s business model, which relied heavily on promoting the pro version.

3. Direct Database Queries: Security Concerns

A review of SCF 6.3.6.2 revealed that no new database queries were introduced in the rebranded version. However, the following queries remain unchanged from version 6.3.6.1, and potential security risks still exist:

  • acf-meta-functions.php:
    • Query: $wpdb->get_results()
    • Risk: This query remains unsanitized, and without $wpdb->prepare(), it could be vulnerable to SQL injection attacks if it handles user input.
  • upgrades.php:
    • Queries: $wpdb->get_results(), $wpdb->insert()
    • Risk: Like in 6.3.6.1, these queries still lack $wpdb->prepare(), making them vulnerable to potential SQL injection if user input is involved.
  • wpml.php:
    • Query: $wpdb->update()
    • Risk: The absence of input sanitization in this query remains a concern.

Although no new security risks were introduced in version 6.3.6.2, the lack of input sanitization and of $wpdb->prepare() in these queries is still an issue that should be addressed.
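To make the concern above concrete, the following is an added example written for this post; it is not code from ACF or SCF. It shows a constructed postmeta lookup in the unprepared style the audit flags, beside the same queries routed through $wpdb->prepare(), $wpdb->esc_like(), and the format-aware $wpdb->insert() / $wpdb->update() calls. The function names are illustrative, and a WordPress environment providing the global $wpdb object is assumed.

```php
<?php
// Added example (not ACF/SCF code): the same postmeta access written two ways.
// Assumes a WordPress context where the global $wpdb object exists.

/**
 * Unsafe pattern (constructed illustration, not the plugin's actual query):
 * the field name is interpolated straight into SQL. If $field_name ever
 * carries attacker-controlled input, the statement itself can be altered.
 */
function example_get_meta_unsafe( wpdb $wpdb, int $post_id, string $field_name ): array {
    $sql = "SELECT meta_value FROM {$wpdb->postmeta}
            WHERE post_id = $post_id AND meta_key = '$field_name'";
    return (array) $wpdb->get_results( $sql );
}

/**
 * Safe pattern: values travel as %d / %s placeholders and $wpdb->prepare()
 * escapes them; the table name comes from $wpdb itself, never from input.
 */
function example_get_meta_safe( wpdb $wpdb, int $post_id, string $field_name ): array {
    $sql = $wpdb->prepare(
        "SELECT meta_value FROM {$wpdb->postmeta} WHERE post_id = %d AND meta_key = %s",
        $post_id,
        $field_name
    );
    return (array) $wpdb->get_results( $sql );
}

/**
 * LIKE queries need one extra step: escape the wildcard characters with
 * $wpdb->esc_like() before binding, otherwise '%' and '_' in the input
 * silently widen the match.
 */
function example_find_meta_by_prefix( wpdb $wpdb, string $prefix ): array {
    $like = $wpdb->esc_like( $prefix ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT post_id, meta_key FROM {$wpdb->postmeta} WHERE meta_key LIKE %s",
        $like
    );
    return (array) $wpdb->get_results( $sql );
}

/**
 * For writes, $wpdb->insert() and $wpdb->update() take data arrays plus
 * explicit format strings; wpdb escapes every value, so no hand-built SQL
 * is needed at all. Returns false when the write fails.
 */
function example_store_meta( wpdb $wpdb, int $post_id, string $key, string $value ): bool {
    $existing = example_get_meta_safe( $wpdb, $post_id, $key );
    if ( $existing ) {
        $rows = $wpdb->update(
            $wpdb->postmeta,
            array( 'meta_value' => $value ),                   // data
            array( 'post_id' => $post_id, 'meta_key' => $key ), // where
            array( '%s' ),                                      // data formats
            array( '%d', '%s' )                                 // where formats
        );
    } else {
        $rows = $wpdb->insert(
            $wpdb->postmeta,
            array( 'post_id' => $post_id, 'meta_key' => $key, 'meta_value' => $value ),
            array( '%d', '%s', '%s' )
        );
    }
    return false !== $rows;
}
```

When reviewing a plugin, the check is mechanical: every string handed to $wpdb->get_results(), get_var(), get_row() or query() should either come out of $wpdb->prepare() or contain no caller-supplied values at all, and every insert()/update() call should pass format arrays so a value cannot be interpreted as something other than a plain string or integer.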

4. File Handling via file_get_contents()

The frequent use of file_get_contents() remains a point of concern in version 6.3.6.2, with no changes between the two versions. This function is used in files like local-json.php to read files, but without proper input validation or sanitization, it could lead to unauthorized file access.
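The following is an added example, not code from ACF or SCF, illustrating the kind of path check that should sit in front of a file_get_contents() call such as the one in local-json.php. The function names and the temporary-directory layout used at the bottom are assumptions made for this illustration; the point is that the file is read only after its resolved path is confirmed to lie inside the configured JSON directory.

```php
<?php
// Added example (not ACF/SCF code): read a field-group JSON file only when the
// requested path resolves inside the configured local-json directory.
// Function names and the $base_dir layout are assumptions for illustration.

/**
 * Return the canonical path of $requested if, and only if, it is a regular
 * .json file inside $base_dir; otherwise return null. realpath() collapses
 * "..", symlinks and duplicate separators, so the containment check is made
 * on the resolved path rather than on the string the caller supplied.
 */
function example_resolve_local_json( string $base_dir, string $requested ): ?string {
    $root = realpath( $base_dir );
    if ( false === $root ) {
        return null; // configured directory does not exist
    }
    $root = rtrim( $root, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;

    // Reject embedded NUL bytes before any filesystem call; C-level path
    // handling stops at the first NUL and would see a different name.
    if ( false !== strpos( $requested, "\0" ) ) {
        return null;
    }

    $path = realpath( $requested );
    if ( false === $path || ! is_file( $path ) ) {
        return null; // missing file, or a directory / special file
    }
    // Prefix compare on the resolved path, including the trailing separator,
    // so "/srv/json-other" is not mistaken for a child of "/srv/json".
    if ( 0 !== strncmp( $path, $root, strlen( $root ) ) ) {
        return null;
    }
    if ( 'json' !== strtolower( pathinfo( $path, PATHINFO_EXTENSION ) ) ) {
        return null;
    }
    return $path;
}

/**
 * Load and decode a field-group file, or return null when the path is
 * rejected or the content is not valid JSON. file_get_contents() is only
 * reached through the check above.
 */
function example_load_field_group( string $base_dir, string $requested ): ?array {
    $path = example_resolve_local_json( $base_dir, $requested );
    if ( null === $path ) {
        return null;
    }
    $raw = file_get_contents( $path );
    if ( false === $raw ) {
        return null;
    }
    $decoded = json_decode( $raw, true );
    return is_array( $decoded ) ? $decoded : null;
}

// Usage (constructed): a temporary directory stands in for the plugin's
// local-json folder, plus one JSON file deliberately placed outside it.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'example-local-json';
@mkdir( $dir );
file_put_contents( $dir . DIRECTORY_SEPARATOR . 'group_demo.json', '{"key":"group_demo","title":"Demo"}' );
file_put_contents( sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'example-outside.json', '{"key":"outside"}' );

var_dump( example_load_field_group( $dir, $dir . '/group_demo.json' ) );           // inside: decoded array
var_dump( example_load_field_group( $dir, $dir . '/../example-outside.json' ) );   // resolves outside root
var_dump( example_load_field_group( $dir, $dir . "/group_demo.json\0.txt" ) );     // NUL byte in path
```

The three usage calls exercise the three outcomes a reviewer cares about: a legitimate file under the base directory, a path that exists but resolves outside it, and a path with an embedded NUL byte; only the first should yield data. The same shape of check applies to any other file_get_contents() call in the plugin that takes a path built from configuration or request data.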


Conclusion

Automattic’s takeover of Advanced Custom Fields and its rebranding to Secure Custom Fields is more than just a name change. While no new security issues were introduced in version 6.3.6.2, pre-existing concerns—such as unsanitized database queries and frequent use of file_get_contents()—remain. These issues should be addressed to ensure that websites using SCF remain secure.

For developers and website owners, it is important to stay vigilant and to review the plugin’s codebase for security risks. Reviewing that codebase and applying best practices for database queries and file handling will be key to maintaining a secure WordPress environment.


What’s Next?

As Automattic continues to shape the future of Secure Custom Fields, it’s crucial to monitor these updates closely. Whether you’re concerned about pro feature removals or security vulnerabilities, keeping your site secure should always be a top priority.