
Prepare 6.8.6 Release#434

Merged
cbravobernal merged 14 commits into trunk from prepare/6.8.6-release on May 27, 2026

Conversation

@cbravobernal

Contributor

Release Date 27th May 2026

Security

  • Hardened authorization on the oEmbed field's AJAX search endpoint. The endpoint now requires an authenticated user with content-authoring capability; the legacy unauthenticated entry point is deprecated and will be removed in a future release.
  • Hardened front-end submission processing so the and form options are respected on save, and the save pipeline only accepts values for fields the rendered form exposed. A new filter is available for sites that legitimately extend a form at runtime.

cbravobernal and others added 13 commits May 27, 2026 21:14
Re-registers wp_ajax_nopriv_acf/fields/oembed/search so anonymous
callers receive a predictable JSON error envelope (and a
_doing_it_wrong() notice in development environments) instead of
the silent 0 an unregistered action would return. The handler's
combined acf_verify_ajax() || ! current_user_can( 'edit_posts' )
guard is still the authorization gate; the deprecation only affects
how unauthenticated callers learn the endpoint is going away.

The deprecation notice fires exclusively when is_user_logged_in()
returns false, so authenticated low-privilege callers still get a
quiet JSON error.

Updates tests to assert (a) the nopriv hook is registered during
the deprecation window, (b) anonymous calls trigger exactly one
_doing_it_wrong() notice naming the deprecated action and the
6.8.5 version, and (c) authenticated subscriber calls do not.

Updates the readme.txt changelog wording to reflect deprecation
rather than removal.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
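The gate and deprecation behaviour described in the commit above, written out as an added example rather than SCF's own code. The action name, nonce action and version string are hypothetical, and check_ajax_referer() with $stop = false stands in for acf_verify_ajax(); the search itself is outside the example's scope.

```php
<?php
/**
 * Added example (not SCF's own code): an admin-ajax search endpoint whose
 * nopriv entry point stays registered during a deprecation window, so
 * anonymous callers get a JSON error envelope instead of admin-ajax.php's
 * bare "0". Action name, nonce action and version are hypothetical.
 */

// Hypothetical action name; the real plugin uses its own.
const EXAMPLE_SEARCH_ACTION = 'example/fields/oembed/search';

/**
 * Authorization gate: a valid nonce AND a content-authoring capability.
 * check_ajax_referer() with $stop = false returns false instead of dying,
 * so the handler can choose its own error envelope.
 */
function example_search_is_authorized() {
	$nonce_ok = check_ajax_referer( 'example_search', 'nonce', false );
	return (bool) $nonce_ok && current_user_can( 'edit_posts' );
}

function example_search_handler() {
	if ( ! example_search_is_authorized() ) {
		// Only anonymous callers learn that the nopriv hook is going away;
		// logged-in users without edit_posts get the quiet 403 below.
		// _doing_it_wrong() only surfaces a notice when WP_DEBUG is on.
		if ( ! is_user_logged_in() ) {
			_doing_it_wrong(
				'wp_ajax_nopriv_' . EXAMPLE_SEARCH_ACTION,
				'The unauthenticated entry point is deprecated. Authenticate and call the wp_ajax_ action instead.',
				'1.0.0' // hypothetical version in which it was deprecated
			);
		}
		// wp_send_json_error() terminates the request.
		wp_send_json_error( array( 'message' => 'Unauthorized.' ), 403 );
	}

	// Authorized: unslash and sanitize the search term before using it.
	$term = isset( $_POST['s'] ) ? sanitize_text_field( wp_unslash( $_POST['s'] ) ) : '';
	if ( '' === $term ) {
		wp_send_json_error( array( 'message' => 'Missing search term.' ), 400 );
	}

	// The actual provider lookup is out of scope here; echo the term back
	// with an empty result set so the success envelope shape is visible.
	wp_send_json_success( array( 'term' => $term, 'results' => array() ) );
}

// Same handler on both hooks: the gate inside the handler decides who
// gets data, not which hook happened to be registered.
add_action( 'wp_ajax_' . EXAMPLE_SEARCH_ACTION, 'example_search_handler' );
add_action( 'wp_ajax_nopriv_' . EXAMPLE_SEARCH_ACTION, 'example_search_handler' );
```

The point of keeping the nopriv registration is observability, not access: an unregistered nopriv action makes admin-ajax.php answer "0", which clients cannot distinguish from a broken request, while the registered handler answers with a 403 envelope and, for anonymous callers only, a deprecation notice.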
Ports the two acf_form() security fixes from Advanced Custom Fields 6.8.2
(2026-05-26), credited upstream to Sarawut Poolkhet (MisterHelloz).

Fix 1 — pre_save_post() now only applies $_POST['acf']['_post_title']
and $_POST['acf']['_post_content'] to the saved post when the form was
rendered with the corresponding option enabled. A submitter can no longer
inject post_title / post_content into a form that did not expose those
fields. The keys are still extracted from $_POST['acf'] so they cannot
leak into acf_update_values() downstream.

Fix 2 — submit_form() now restricts $_POST['acf'] to the top-level field
keys the form actually rendered, derived from the same field discovery
render_form() uses. A submitter can no longer have the save path persist
values for fields the form did not expose.

To support the second fix, the field-discovery logic in render_form() is
extracted into a new protected get_form_fields() method, and a new public
get_allowed_field_keys() method exposes the derived allowlist. A new
acf/form/allowed_field_keys filter lets sites that legitimately inject
fields via JavaScript extend the allowlist. The filter return value is
defensively normalized so a misbehaving callback cannot break
array_intersect_key() / array_flip() in the save path.

Adds 6 PHPUnit cases in test-form-front.php covering: post_title /
post_content suppression when disabled, post_title regression when
enabled, the allowed-keys derivation from `fields` config, and the
extend / normalize behaviour of the new filter. Full suite green
(2243 tests, 4270 assertions).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
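The two fixes the commit above describes, restated as an added example that is not SCF's code: an allowlist of rendered top-level field keys, a filter whose return value is normalized before it reaches array_flip(), and extraction of the _post_title / _post_content keys that only applies them when the form enabled the matching option. Function and filter names are hypothetical, and the two shims at the top let the file run under plain `php` without WordPress loaded.

```php
<?php
/**
 * Added example (not SCF's own code): restrict a front-end form's submitted
 * values to the field keys the form rendered. Names are hypothetical.
 */

if ( ! function_exists( 'apply_filters' ) ) {
	// Minimal stand-ins for WordPress' filter API so the file runs offline.
	function add_filter( $tag, $callback, $priority = 10, $accepted_args = 1 ) {
		$GLOBALS['example_filters'][ $tag ][] = array( $callback, $accepted_args );
		return true;
	}
	function apply_filters( $tag, $value ) {
		$args = array_slice( func_get_args(), 1 );
		if ( empty( $GLOBALS['example_filters'][ $tag ] ) ) {
			return $value;
		}
		foreach ( $GLOBALS['example_filters'][ $tag ] as $entry ) {
			$args[0] = $value;
			$value   = call_user_func_array( $entry[0], array_slice( $args, 0, $entry[1] ) );
		}
		return $value;
	}
}

/** Top-level keys of the fields the form renders (assumes $form['fields'] is a list of field arrays). */
function example_get_form_field_keys( array $form ) {
	$keys = array();
	foreach ( $form['fields'] as $field ) {
		if ( is_array( $field ) && isset( $field['key'] ) && is_string( $field['key'] ) ) {
			$keys[] = $field['key'];
		}
	}
	return $keys;
}

/** Rendered keys plus anything a site adds via the filter, normalized to a list of strings. */
function example_get_allowed_field_keys( array $form ) {
	$keys = apply_filters( 'example/form/allowed_field_keys', example_get_form_field_keys( $form ), $form );
	if ( ! is_array( $keys ) ) {
		return array(); // a misbehaving callback must not break array_flip() in the save path
	}
	return array_values( array_unique( array_filter( $keys, 'is_string' ) ) );
}

/** Save path: drop every submitted top-level key that was neither rendered nor allowlisted. */
function example_restrict_submitted( array $submitted, array $form ) {
	return array_intersect_key( $submitted, array_flip( example_get_allowed_field_keys( $form ) ) );
}

/** Remove _post_title / _post_content from the submission; honour them only when the form opted in. */
function example_extract_post_fields( array &$submitted, array $form ) {
	$post = array();
	foreach ( array( 'post_title', 'post_content' ) as $option ) {
		$key = '_' . $option;
		if ( array_key_exists( $key, $submitted ) ) {
			if ( ! empty( $form[ $option ] ) ) {
				$post[ $option ] = $submitted[ $key ];
			}
			unset( $submitted[ $key ] ); // never let it reach the values update, enabled or not
		}
	}
	return $post;
}

// --- Constructed demonstration (run with: php this-file.php) -------------
$form = array(
	'post_title'   => false, // the form did not expose a title field
	'post_content' => false,
	'fields'       => array( array( 'key' => 'field_a1' ), array( 'key' => 'field_b2' ) ),
);

// A site that injects a field via JavaScript extends the allowlist.
add_filter( 'example/form/allowed_field_keys', function ( $keys, $form ) {
	$keys[] = 'field_js';
	return $keys;
}, 10, 2 );

// Constructed hostile submission: a title injection plus an unrendered field.
$submitted = array(
	'_post_title' => 'injected title',
	'field_a1'    => 'ok',
	'field_js'    => 'allowed by filter',
	'field_zz'    => 'never rendered',
);

$post_fields = example_extract_post_fields( $submitted, $form );
$values      = example_restrict_submitted( $submitted, $form );
var_dump( $post_fields, $values );
```

The order matters: the magic keys are pulled out before the intersect so that, when the option is disabled, they are neither written to the post nor left in the array that the values-update step receives. Under real WordPress the add_filter() call needs the trailing `10, 2` to receive $form as the second argument, which the shim mirrors.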
Addresses CI feedback on the 6.8.2 backport:

- Convert four equality comparisons in the new get_form_fields(),
  get_allowed_field_keys(), and render_form() code paths to Yoda
  style (WordPress.PHP.YodaConditions.NotYoda).
- Extend the existing phpcs:ignore on the pre_save_post() extraction
  of \$_POST['acf']['_post_title'] / \$_POST['acf']['_post_content']
  to also cover WordPress.Security.ValidatedSanitizedInput.MissingUnslash;
  the extracted values are passed to wp_insert_post() / wp_update_post()
  which expect slashed input.

No behaviour change. 43 / 43 form-front tests still green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ty (code-writer)

Drops the SCF-specific defensive accessors (?? 0, ! empty()) on
$args['post_id'], $args['post_title'], $args['post_content'],
$args['fields'], $args['field_groups'], $args['new_post'], and
$args['honeypot']. The function now matches the ACF Pro 6.8.2
implementation byte-for-byte (excluding text-domain / @since
markers that already differ across the file).

Production callers (check_submit_form -> get_form -> submit_form ->
get_allowed_field_keys -> get_form_fields) always receive an $args
that has been through validate_form(), so the defaults are
guaranteed and the defensive guards were unnecessary in real flow.

The three pre-existing Test_Form_Front submit_form tests that
constructed $form arrays by hand are updated to call
validate_form() explicitly, mirroring what production does. The
six new security tests added in the previous commit already
construct fully validated form configurations.

43 / 43 form-front tests green; full suite 2243 / 2243 green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Inserts the 6.8.6 release block above the existing 6.8.5 block with
two embargo-safe entries covering the oEmbed AJAX endpoint
authorization hardening and the front-end acf_form() submission
hardening. Release date left as TBD; the maintainer flow assigns
it.
@github-actions


The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props cbravobernal.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

- Declare render_form() visibility as public.
- Restructure four new test-method docblocks: short description on a
  single line (capitalized), followed by a long description with the
  detailed assertion. Avoids
  Generic.Commenting.DocComment.ShortNotCapital on continuation lines.

No behaviour change.
cbravobernal merged commit c717730 into trunk May 27, 2026
19 checks passed
