righthand|1 year ago
> There is separate, but not directly related news that Jason Bahl has left WP Engine to work for Automattic and will be making WPGraphQL a canonical community plugin. We expect others will follow as well.
Anything to prop up their position and throw the company they are attacking under the bus. What a jerk.

None4U|1 year ago

hadad|1 year ago
The support notice got deleted[1]. The plugin developer got banned. Blocking access from certain IPs. Shady or problematic hosting terms[2]. I think hosting your code on wordpress.org is considered dangerous.
1. https://wordpress.org/support/topic/future-updates-for-acf-a...
2. https://github.com/wordpress/wporg-plugin-guidelines/blob/tr...

unknown|1 year ago
[deleted]

0cf8612b2e1e|1 year ago

smarx007|1 year ago
What is the actual issue? CVE number?

jorams|1 year ago
The diff contains two (identical) changes that aren't just ripping out upgrade notices for the pro version: Two functions that stop callbacks from accessing $_POST now also stop them from accessing $_REQUEST, which also contains everything in $_POST. Also confirmed by WP Engine's update notice[1].
I honestly don't see why anyone would treat this as a security issue. Everything involved is PHP code that can do whatever it wants, not in any kind of sandbox.
Edit: And even if it were, this update doesn't fix the problem. POST variables can still be accessed:
[1]: https://www.advancedcustomfields.com/blog/acf-6-3-8-security...

Sebguer|1 year ago
Though, Automattic posted publicly that there was a vulnerability shortly after filing the CVE, while simultaneously blocking WPEngine from being able to push a fix to it because they'd cut off access to wp.org

mananaysiempre|1 year ago
I can’t find the actual number because Automattic’s tweet[1] announcing it has been deleted, but it’s the one mentioned in the ACF 6.3.8 release notes[2]. The authors of ACF can’t upload that version to wordpress.org themselves because Matt banned them from there before making the announcement.
ETA: Matt says[3] it’s a different vulnerability. Anybody willing to break out the almighty diff?
[1] Discussed at the time: https://news.ycombinator.com/item?id=41752289
[2] https://www.advancedcustomfields.com/blog/acf-6-3-8-security...
[3] https://news.ycombinator.com/item?id=41821829

kristofferR|1 year ago
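The $_POST/$_REQUEST point in jorams' comment above, as an added illustration that is not code from the thread, from ACF or from WordPress: a callback is run with a named request key scrubbed, first from $_POST only and then from both superglobals, which is the difference the comment describes in the diff. The sample request data, the wrapper names and the `acf_field` key are all constructed for this demo.

```php
<?php
// Added illustration, not ACF's or WordPress's code: why removing a key from
// $_POST alone leaves it reachable through $_REQUEST, which PHP builds from
// $_GET, $_POST (and, depending on request_order, $_COOKIE).
// Constructed sample request data; in a real request PHP fills these itself.
$_POST    = ['acf_field' => 'value-from-body', 'nonce' => 'abc'];
$_REQUEST = ['page' => 'edit'] + $_POST;

// "Before": hide $keys from the callback by unsetting them in $_POST only,
// then restore the original request data whatever the callback does.
function run_scrubbing_post_only(callable $callback, array $keys)
{
    $savedPost = $_POST;
    foreach ($keys as $key) {
        unset($_POST[$key]);
    }
    try {
        return $callback();
    } finally {
        $_POST = $savedPost;
    }
}

// "After": unset the keys in both $_POST and $_REQUEST before the callback runs.
function run_scrubbing_post_and_request(callable $callback, array $keys)
{
    $savedPost    = $_POST;
    $savedRequest = $_REQUEST;
    foreach ($keys as $key) {
        unset($_POST[$key], $_REQUEST[$key]);
    }
    try {
        return $callback();
    } finally {
        $_POST    = $savedPost;
        $_REQUEST = $savedRequest;
    }
}

// A callback that reports whether it can still see the scrubbed field
// through either superglobal.
function probe_hidden_field(): array
{
    return [
        'via_POST'    => $_POST['acf_field']    ?? null,
        'via_REQUEST' => $_REQUEST['acf_field'] ?? null,
    ];
}

echo "Scrubbing \$_POST only:\n";
print_r(run_scrubbing_post_only('probe_hidden_field', ['acf_field']));

echo "Scrubbing \$_POST and \$_REQUEST:\n";
print_r(run_scrubbing_post_and_request('probe_hidden_field', ['acf_field']));

// Both wrappers restore the request data afterwards, so the rest of the
// request still sees the field.
print_r(probe_hidden_field());
```

Run with the PHP CLI, the first `print_r` shows `via_POST` empty while `via_REQUEST` still carries the value, the second shows both empty, and the final call shows the field back in place because the wrappers restore the superglobals in `finally`. The wrappers only hide the keys from code that reads the superglobals; as the comment notes, any PHP running in the same process is outside any sandbox, so this is scoping of convenience, not a trust boundary.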