WordPress Advanced Custom Fields plugin change affects embedded content

Advanced Custom Fields (ACF) is a popular WordPress plugin that’s used by a lot of WordPress themes. A recent ACF security fix has affected the way that the plugin handles HTML that’s been inserted by users, and that can cause embedded content to not work as expected. If you’ve embedded one of Light Blue’s contact forms or online scheduling calendars into a WordPress site that uses ACF, this update might mean that it has stopped being displayed. If this affects your website, you should contact your web designer and ask them to fix this for you.

If you’re not using WordPress and the Advanced Custom Fields plugin on your website, you can stop reading: this does not affect you. If you’re using both WordPress and ACF, please read on.

What’s changed?

ACF is trying to protect against the possibility of WordPress users inserting malicious HTML code into websites. In most cases, this isn’t a concern for photographers because the only WordPress users you’ve set up are for people that you trust. It’s more likely to affect websites that have lots of contributors.

To mitigate this risk, ACF is now escaping “unsafe” HTML, including iframe and script tags. This change breaks a lot of embedded content, causing it to be displayed as HTML instead of the content you would expect.

This change affects a lot of embeddable content (not just ours!) and is not something that we can do anything about. For example, a lot of Light Blue subscribers use Gravity Forms on their WordPress site, and that will also be affected by this change.

How can I tell if I’m affected?

  1. Are you using WordPress? If not, you are not affected.
  2. Are you using the Advanced Custom Fields plugin? If not, you are not affected.
  3. If you are using WordPress and Advanced Custom Fields, please check the pages that you have embedded content into (e.g. Light Blue contact forms, Light Blue online scheduling calendars, or Gravity Forms forms).
  4. If all your embedded content loads correctly, you are not affected: you’re using ACF, but it’s not being used in the places where you’ve embedded content.
  5. If any of your embedded content shows up as HTML (e.g. “<iframe>example</iframe>”) then you are affected.
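
For web designers, steps 3 to 5 can be automated against a page's saved HTML source. The script below is an added example, not code from Light Blue or ACF: it flags iframe or script markup that has been escaped into visible text and counts the embeds that still render. The check_page helper, the sample pages and the forms.example URL are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Tags the article says ACF now escapes, matched as literal text after entity decoding.
ESCAPED_TAG = re.compile(r"<\s*/?\s*(iframe|script)\b", re.IGNORECASE)
HIDDEN = ("script", "style", "iframe")  # text inside these real elements is never displayed

class EscapedEmbedFinder(HTMLParser):
    """Finds visible text that contains literal <iframe>/<script> markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # &lt;iframe&gt; reaches handle_data as <iframe>
        self.hidden = 0        # nesting depth inside HIDDEN elements
        self.real_embeds = 0   # iframe/script elements the browser will actually load
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            self.real_embeds += 1
        if tag in HIDDEN:
            self.hidden += 1

    def handle_endtag(self, tag):
        if tag in HIDDEN and self.hidden:
            self.hidden -= 1

    def handle_data(self, data):
        if not self.hidden and ESCAPED_TAG.search(data):
            self.findings.append(" ".join(data.split())[:80])

def check_page(html_text):
    """Hypothetical helper: report embeds shown as text versus embeds that render."""
    finder = EscapedEmbedFinder()
    finder.feed(html_text)
    finder.close()  # flush any trailing text
    return {"affected": bool(finder.findings),
            "escaped": finder.findings,
            "working_embeds": finder.real_embeds}

# Constructed sample pages (forms.example is a placeholder, not a real embed URL).
AFFECTED_PAGE = ('<div class="contact">&lt;iframe src="https://forms.example/embed"&gt;'
                 '&lt;/iframe&gt;</div>')
WORKING_PAGE = ('<div class="contact"><iframe src="https://forms.example/embed"></iframe></div>'
                '<script>var s = "<iframe>";</script>')

if __name__ == "__main__":
    for name, page in (("affected", AFFECTED_PAGE), ("working", WORKING_PAGE)):
        print(name, check_page(page))
```
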

What should I do if I’m affected?

Contact your web designer, or whoever you bought your WordPress theme from. Tell them that you use embedded content on your website and that it’s affected by the recent Advanced Custom Fields security fix. They should either know what they need to change to fix this for you, or be able to use the information on this ACF blog post to do so.
