Yesterday, WordPress co-founder Matt Mullenweg announced the forking of the Advanced Custom Fields (ACF) plugin into a new plugin called Secure Custom Fields.
In the announcement, he stated: “On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.”
Point 18 of Plugin Directory Guidelines
The post went on to explain, “This update is as minimal as possible to fix the security issue. Going forward, Secure Custom Fields is now a non-commercial plugin, and if any developers want to get involved in maintaining and improving it, please get in touch. Similar situations have happened before, but not at this scale. This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.”
The ACF plugin is popular among web developers for its capabilities in customizing edit screens and managing custom field data. However, it has become embroiled in a dispute between Automattic and WP Engine, which owns ACF. Following WP Engine’s ban, the ACF team was blocked from accessing WordPress.org on October 03, 2024.
Next, Automattic tweeted about a vulnerability in the plugin. The tweet was later deleted. In response, the ACF team released ACF 6.3.8, a routine security release, stating, “WP Engine remains blocked from accessing our plugins on the .org plugin repository and therefore this update has been shipped to WP Engine’s repository and to the ACF website.”
The ACF team also provided a copy of this update to the WordPress.org Security team, which posted it to the plugin repository.
On October