|
|
|
|
|
|
by jorams
616 days ago
|
|
|
The diff contains two (identical) changes that aren't just ripping out upgrade notices for the pro version: Two functions that stop callbacks from accessing $_POST now also stop them from accessing $_REQUEST, which also contains everything in $_POST. Also confirmed by WP Engine's update notice[1]. I honestly don't see why anyone would treat this as a security issue. Everything involved is PHP code that can do whatever it wants, not in any kind of sandbox. Edit: And even if it were this update doesn't fix the problem. POST variables can still be accessed: filter_input(INPUT_POST, 'name');
[1]: https://www.advancedcustomfields.com/blog/acf-6-3-8-security... |
|
|