Welcome to Kiluvai Tech’s blog! In this post, we delve into the recent updates of Advanced Custom Fields (ACF) version 6.2.5, specifically tailored for WordPress developers. These changes bring crucial security enhancements, and it’s paramount for developers to understand and adapt. We’ve also prepared a detailed video guide for those who prefer a visual walkthrough.

Empowering WordPress Developers for a Secure Future. Learn about the modifications to Advanced custom fields 6.2.5.

Understanding Advanced Custom Fields (ACF) 6.2.5 Changes

WordPress’ developers, brace yourselves for the latest in ACF advancements! ACF version 6.2.5 introduces critical security fixes, primarily impacting the ACF Shortcode, the_field(), and the_sub_field(). These changes are a proactive response to a security vulnerability that could be exploited by users with the role of contributor or higher, posing a risk of injecting malicious HTML.

Starting from this version, the ACF Shortcode’s output will be escaped by the WordPress HTML escaping function wp_kses. In addition to security enhancements, ACF 6.2.5 prepares for upcoming changes in the output of the ACF the_field(), and the_sub_field().  This is a strategic move to prevent the unsafe output of HTML, especially in scenarios where potentially harmful HTML elements like scripts or iframes are involved.

Navigating the Notice and Logging Mechanism

One of the noteworthy features is the logging mechanism that ACF employs to detect and log modifications. As you embark on working with ACF 6.2.5, you may encounter notices about modifications.
Notice about the field get affected by the update

These notices serve as a proactive approach to identify instances where potentially unsafe HTML is being altered during output. The system logs data about the affected function call, stored as an option in the wp_options table. Admins can view full details, aiding in a quick diagnosis of affected fields and functions.

Leveraging Debugging Options

For developers seeking more in-depth insights, ACF provides powerful debugging options through actions like acf/removed_unsafe_html and acf/will_remove_unsafe_html. These actions offer parameters like $function, $selector, $field, and $post_id, enabling developers to trace back to the root of modifications using tools like debug_print_backtrace or Xdebug’s xdebug_break.

Conditionally Disabling Automatic Escaping

ACF introduces filters like acf/shortcode/allow_unsafe_html and acf/the_field/allow_unsafe_html. These filters empower developers to conditionally disable automatic escaping for specific field types, pages, or field names. Real-world scenarios are covered through practical examples, showcasing the flexibility this brings to your development workflow.

Early Adoption of the New Behaviour

For developers confident in their current security practices, ACF provides an option to opt in early to the new behaviour using the filter acf/the_field/escape_html_optin. Enabling this filter immediately strips unsafe HTML, triggering notifications in the WordPress admin for quick issue resolution.

Recommendations and Conclusion

Before bidding adieu, we strongly recommend upgrading to ACF 6.2.5 for enhanced security. Additionally, consider disabling the ACF Shortcode if it isn’t in use.

FAQ: Frequently Asked Questions

Q1: Why should I upgrade to ACF 6.2.5?

Upgrade to ACF 6.2.5 to implement crucial security fixes, safeguarding your WordPress projects against potential vulnerabilities.

Q2: How can I disable the ACF Shortcode if I’m not using it?

Consider disabling the ACF Shortcode by following the steps outlined in the ACF documentation.

Q3: Can I opt out of the automatic escaping behaviour introduced in ACF 6.2.5?

Yes, developers have the flexibility to conditionally disable automatic escaping using filters like acf/shortcode/allow_unsafe_html and acf/the_field/allow_unsafe_html.


As we wrap up, mastering ACF 6.2.5 changes is crucial for WordPress developers committed to building secure, efficient websites. The provided video guide supplements this blog, offering visual insights into the changes. Stay tuned for more updates and tips on Kiluvai Tech’s blog! Happy coding! For more practical tips read the ACF blog here.

Ready to elevate your WordPress development game? Dive into the transformative changes of ACF 6.2.5 now! Implement enhanced security and harness the full potential of Advanced Custom Fields. Let’s revolutionize your web development journey together! Please reach out to us.

Message us