How did the sites auto-update to have this plug-in removed/replaced? Are your sites set up to just automatically take push updates from WordPress central command or something and auto-modify themselves?!
WordPress has a (highly effective) auto-updates mechanism for security patches.
It was extended a couple of years ago to automatically apply plugin updates for you if you opted in, and I think automatic plugin updates may now be the default.
(This is on balance a good thing; almost all WP vulnerabilities are outdated plugins, and until this mechanism was prevalent, WordPress occasionally had to live-patch existing installations of third party plugins in the case of severe vulnerabilities.)
The reason this nasty little takeover worked is that they (Matt, whoever helped) have stolen ACF's slug (advanced-custom-fields). So as far as the updater is concerned, it's just another plugin update to the same code base.
IDK if WordPress plugins respect SEMVER, but shouldn't this auto-update thingy update only patch versions, or minor versions at most? Idk, breaking changes like these are definitely not something you want your CMS to do overnight when you won't notice until you receive complaints that your site is broken.
WP and/or A8C took over the existing plugin, so that sites that have auto-update on were automatically bumped to the SCF version instead of the historical ACF, which obviously had a different team of maintainers.
sgdfhijfgsdfgds|1 year ago
And in fact, very little has changed.
arielcostas|1 year ago
mldevv|1 year ago
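Because the updater matches on the slug alone, a site owner can add a pre-update check on the plugin's own header block. The sketch below is an added example, not code from this thread or from WordPress: it compares the identity fields of the installed main file with those of an incoming package for the same slug and flags a change of name, URI or author. The function names are hypothetical, and every header value and version number is constructed sample data; only the slug comes from the thread.

```python
import re

# Header fields that describe who publishes the plugin, as opposed to "Version".
IDENTITY_FIELDS = ("Plugin Name", "Plugin URI", "Author", "Author URI")
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(?P<key>[A-Za-z ]+?):[ \t]*(?P<value>.+?)[ \t*/]*$", re.MULTILINE)

def parse_plugin_header(php_source):
    """Read header fields from the first 8 KiB of a plugin's main PHP file."""
    fields = {}
    for m in HEADER_RE.finditer(php_source[:8192]):
        key = m.group("key").strip()
        if key in IDENTITY_FIELDS or key == "Version":
            fields.setdefault(key, m.group("value").strip())  # first match wins
    return fields

def identity_changes(slug, installed_src, incoming_src):
    """Compare publisher identity between installed and incoming code for one slug."""
    old = parse_plugin_header(installed_src)
    new = parse_plugin_header(incoming_src)
    changes = [(f, old.get(f), new.get(f))
               for f in IDENTITY_FIELDS if old.get(f) != new.get(f)]
    return {"slug": slug, "from_version": old.get("Version"),
            "to_version": new.get("Version"), "changes": changes,
            "hold": bool(changes)}  # hold the update for human review

# Constructed sample headers (not the real plugin's metadata).
INSTALLED = """<?php
/**
 * Plugin Name: Example Fields
 * Plugin URI: https://fields.example.test
 * Version: 6.0.0
 * Author: Original Team
 */
"""
INCOMING = """<?php
/**
 * Plugin Name: Example Fields Fork
 * Plugin URI: https://directory.example.test/fields
 * Version: 6.0.1
 * Author: New Owner
 */
"""
ROUTINE = INSTALLED.replace("6.0.0", "6.0.1")  # same publisher, new version

if __name__ == "__main__":
    for label, src in (("takeover", INCOMING), ("routine", ROUTINE)):
        print(label, identity_changes("advanced-custom-fields", INSTALLED, src))
```

A version-only bump passes, while the same slug arriving with a different name or author is held for review.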