Secure Custom Fields by WordPress.org

172 pointsposted a year ago
by ValentineC
(wordpress.org)

209 Comments

akira2501

a year ago

> This update is as minimal as possible to fix the security issue.

> This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.

So.. is this fixing a security issue.. or is this because of WP Engine?

> and are forking Advanced Custom Fields (ACF) into a new plugin

And stealing their place in the plugin store. A fork generally implies that you are going to set off on your own, and not inhabit the dead flesh of the project you just killed.

Matt Mullenweg is the biggest child I have ever seen in operation.

throw16180339

a year ago

> So.. is this fixing a security issue.. or is this because of WP Engine?

AFAIK, here's the timeline.

1. Automattic announced that there was a security issue in ACF.

2. WP Engine fixes it immediately.

3. Automattic bans the WP Engine developers from Wordpress.org, so they can't deploy the fix. This places millions of users at risk, but that's how they roll.

4. Automattic forks ACF, removes the commercial upgrade, and renames it.

benmarks

a year ago

Not a fork. They just took over the account/listing, which preserves 1200 reviews, etc. As fascinating as it is deplorable.

claudiulodro

a year ago

> So.. is this fixing a security issue.. or is this because of WP Engine?

It's fixing a security issue WP Engine cannot fix because they are banned from wordpress.org.

Sebguer

a year ago

*Has fixed, but can't post the fixed version to wordpress.org, to be clear

mthoms

a year ago

Not just "stealing their place in the plugin store" but also blatantly committing trademark violations. https://imgur.com/a/D7YHn4e

Pot... Kettle... Something, something.

CharlesW

a year ago

So WordPress-the-org — which is effectively Matt, as far as I can tell — just Sherlocked a developer's plug-in using the developer's own code, ostensibly as retribution for a security issue that the developer had already fixed. https://www.advancedcustomfields.com/blog/acf-6-3-8-security...

What am I missing?

sureIy

a year ago

> Sherlocked

The verb you're looking for is stole

Sherloking is when a Walmart is built next to a cornershop. Here the dude tore open the corner shop while claiming to be a victim.

CharlesW

a year ago

When I posted, I was under the impression that ACF was open source. But the GitHub repo doesn’t list one, so if it’s not open source…WTF.

sureIy

a year ago

Forking isn't the issue. Here they just took the whole ID/address from which existing installations will continue to be updated from. This is theft. I have no doubt it will be added to the lawsuit.

While technically they own the platform and can do whatever they want, there is clearly ill intent here and it'll be used against them.

danillonunes

a year ago

I think being GPL is a requirement to host plugins in wp.org, so yes, that free version available there is (was?) open source.

ValentineC

a year ago

> When I posted, I was under the impression that ACF was open source. But the GitHub repo doesn’t list one, so if it’s not open source…WTF.

Isn't it here?

https://github.com/AdvancedCustomFields/acf

If you mean the licence, it's in readme.txt:

https://github.com/AdvancedCustomFields/acf/blob/master/read...

forrestthewoods

a year ago

Clearly AdvancedCustomFields should have filed a trademark to prohibit Wordpress from fully stealing it.

GPL code, trademarked branding. If you want to fork then you have to actually fork.

Oh the irony.

ValentineC

a year ago

> Clearly AdvancedCustomFields should have filed a trademark to prohibit Wordpress from fully stealing it.

They did:

Advanced Custom Fields — https://tsdr.uspto.gov/#caseNumber=98321164&caseSearchType=U...

ACF — https://tsdr.uspto.gov/#caseNumber=98321135&caseSearchType=U...

forrestthewoods

a year ago

Oh nice. Then WordPress shouldn’t be able to take over without renaming, right?

prettymuchnoone

a year ago

they renamed to "secure custom fields"

everforward

a year ago

They kept the permalink afaik, which is probably still likely to cause confusion in the marketplace and may still be a trademark issue.

Without knowing this drama, if I found and clicked an ACF link on a 2 year old Reddit post and ended up at Secure Custom Fields, I’m not sure I’d know it wasn’t by the ACF folks. Just their branding for the v2 or whatever. I think customers have a reasonable expectation that permalinks won’t take them to unrelated products.

mthoms

a year ago

Yep. And the string 'acf' is used throughout the plugin and the plugin download page (in reviews, etc). And 'acf' is indeed a pending trademark registration.

Not good.

saaaaaam

a year ago

Very much doubt they will be able to trademark “acf”.

snapetom

a year ago

Or, more blatant and accurate, Sherlocking is when Apple literally named their search product "Sherlock" when a popular third party shareware app named "Watson" already existed.

user

a year ago

[deleted]

user

a year ago

[deleted]

photomatt

a year ago

This release fixes a separate security vulnerability from the original update.

DanielLestrange

a year ago

Unfortunately you have no proof of that, because the only relevant changes are actually neither introducing fixes, nor ever changing the plugin core code in a way that fixes security issues. The only thing done is removing a LOT of references, links, and instructions that would remind of WP Engine, as well as all compatibility with the POR features.

Then, you added a few irrelevant changes that to the inexperienced eye look like security fixes https://plugins.trac.wordpress.org/changeset?old_path=%2Fadv...

However, these are no fixes. You just introduce a new variable, that you never use, and re-assign the same contents of that new variable back to the $_REQUEST

Unless you show proof of a security fix - which you could have pushed to users WITHOUT renaming the plugin, WITHOUT removing original, non-security related code, and WITHOUT breaking compatibility with the PRO features - you have LIED and STOLEN code in the name of WP.ORG

This will hopefully be recognized by WP Engine and if god wills, remove you from the equation once and for all legally speaking.

seba_dos1

a year ago

> However, these are no fixes. You just introduce a new variable, that you never use, and re-assign the same contents of that new variable back to the $_REQUEST

While this whole takeover thing is completely ridiculous, it's you who displays an "inexperienced eye" here. What do you think the $original_post variable (which was already there) is doing, huh?

DanielLestrange

a year ago

The same. Nothing. The “security” issue here would be that the user callback can access post and request data. Tell me one place in the entire wp code base where that is NOT possible?

Security issues can be fixed WITHOUT renaming the plugin or removing links and text even if the original author has no access anymore

And that “fix” is ridiculous. If anything it breaks code of users who were actually adding callbacks using that data. It’s the nature of php that you can access those details - it’s up to the caller to know what to do with it. If anything, the usage of user callback is an issue here.

And in any thinkable case this ain’t a security fix that was done. A security fix would include that and only that change.

DanielLestrange

a year ago

For some context how you MIGHT actually “fix” the true security concern in this code: $allowed_callbacks = ['some_function', 'another_function']; // Example of allowed functions if ( in_array($original_cb, $allowed_callbacks, true) && is_callable($original_cb) ) { $return = call_user_func($original_cb, $post); } else { // Log or handle invalid callbacks safely $return = false; }

Tampering with global variables or else is NOT a fix, and this one in particular is like pointing out a crumb on the child’s mouth and grounding it for not brushing its teeth.

You could apply a filter to allow filtering the allowed callbacks, if you really want to allow more than the hardcoded whitelist.

In the end it still boils down to “do not use user callbacks” as the better security fix, which again shows how “they” didn’t fix a thing here. This is a blatant excuse for legal CYA.

user

a year ago

[deleted]

seba_dos1

a year ago

If the codebase was built on the assumption that user callbacks will execute in a context where POST data is sanitized (which is evidenced by the code that was already there), then failing to sanitize $_REQUEST in addition to $_POST is certainly a security issue.

Of course, relying on such simplistic measures is still brittle and inelegant, but that's another matter. Reworking it would likely be quite invasive to that codebase and far beyond the scope of a security patch.

(also, frankly, the entire WordPress ecosystem isn't particularly known for its high quality codebase... this kind of "fix" is exactly what you'd expect there even without all that drama around)

> Security issues can be fixed WITHOUT renaming the plugin or removing links and text even if the original author has no access anymore

Not sure who you're arguing with there, but certainly not with me.

You have plenty of shitty behavior to call out there, so not sure why you decided to announce that there's no security issue being handled at all instead. It only makes your point weaker for no good reason.

DanielLestrange

a year ago

If anything, the problem here is call_user_func, which when an attacker HAS ACCESS TO THE CODE, can be dangerous.

How on earth does emptying POST or REQUEST solve anything at all in regards? How on earth does, no matter what crap ACF added BEFORE the takeover, this "Fix" justify a hostile takeover? If or not there is a security issue with this code (which there IS, but not with POST or REQUEST data) is not even the matter anymore - it was and is posed and defended as a "urgent action to fix a security issue in a plugin the author has no access to"

And I repeat - there has not been any security fix!!

Read my root comment: > because the only relevant changes are actually neither introducing fixes, nor ever changing the plugin core code in a way that fixes security issues.

And I stand by that. Anyone reading this code can see it.

seba_dos1

a year ago

> How on earth does, no matter what crap ACF added BEFORE the takeover, this "Fix" justify a hostile takeover?

You can continue arguing with yourself, but I don't need to be there.

DanielLestrange

a year ago

Why do you not actually provide some researched facts? I mean, I am all ears to stand corrected. Yet it appears all you (and other automatticians, and/or else employees) can do is deflect and talk down pretending you know better. Do you? Then teach your fellow humans where they are wrong. So far, I still have not been proven wrong about this pretended fix, which fixed nothing at all.

seba_dos1

a year ago

I don't intend to defend Automattic's shitty behavior at all, it's indisputably shitty and I take offense at your suggestions that I may think otherwise, as I never gave you any reason to believe that.

That said, you clearly seem to be confused about the nature of the issue being fixed there. It's clear from the existing code that the contract between this function and the callback getting executed is that the callback is expected to execute in a kind of a sanitized environment with restricted execution abilities.

You can argue that it's a really weak sandbox and that the whole design is smelly, and I'll agree with you. However, that's how this code was designed and that's what users are running on their servers, and that's how they expect it to behave. It prevents the callback from calling functions with `wp_` prefix and it disallows it from reading or making changes to user's POST data.

Now, if you find a way to circumvent those restrictions, it's an obvious security issue. Someone may have deployed some code that relied on that contract, and now that contract is known to be invalid (it always had been, but it wasn't known before). Therefore, stopping that from happening is a security fix.

It may be a poor fix - and in fact, this one is, as it's incomplete. But it's a fix. The upstream project recognized that and applied a similar, but a bit more thorough approach in its repo:

https://github.com/AdvancedCustomFields/acf/commit/a60034f8a...

It does exactly what the change we're discussing does, plus a bit more.

You still wouldn't convince me that it's a bulletproof sandbox and I already have some other ideas in my head on how it could potentially be circumvented after reading that code (though my PHP is so rusty I may very well be wrong), but the change in question is clearly a security fix, recognized and applied by both Automattic and WP Engine and I really can't understand why you're so keen on implying otherwise. As I already said, it only made your other (good) points seem weaker.

DanielLestrange

a year ago

Thanks for the reply. Actually that code (I mean the one where they started clearing POSTed data) was the "fix" WPE rushed into during the "grace period". The contract existing before, was that you throw in a user callback in a backend input and it executes that. It still did that after the rush fix (which was committed by Otto, but supposedly delivered to him by WPE), but with some more clearing: - POST is cleared - registered functions with wp_ are cleared

call_user_func was still called. Clearly, the idea behind is is not "some kind of sanitized env" since the start. The idea was "the user can throw in a callback and it will be executed". Then someone said "but that is unsafe" (And it is!) But the unsafely thing here is not "You have access to POST data or wp_ functions". That is the default in ANY code attached to WP anyway, and while being part of the danger here, the real danger is that an arbitrary POST EDITOR can throw in a callback and it executes that.

Which is why, yes, somehow, clearing posted data and excluding already existing methods like wp_ stuff is sort of a "fix" for that, since before the Post Editor did not even need to write the callbacks code: he could just have called a eventually bad (in context) registered method in core. So the "fix" does somehow mitigate, but not fix the issue.

I can see upstream builds on that idea even more. However the code still uses user callbacks, and those user callbacks can still be unsafe. You just need to throw in a callback that does something malicious, which does not even be an obvious malicious code. It could be a callback registered elsewhere, where the else context makes sense and is not flagged, but in conjunction with this ACF feature, would be malicious.

It should be clear that the security issue here is not what you can access during that callback - the security issue is that the callbacks are not whitelisted, and/or allowed at all (which can be considered a problem too, but would break potency of the features of course if removed)

Not putting my hands in fire for this, but I believe there is reason I Could not find a CVE yet for this alleged security issue, only a reserved one. I suspect that is, because the issue is still there, and publishing it, would immediately render it more dangerous. I again would love to learn that I am wrong here.

I do stand by my original post that said: > because the only relevant changes are actually neither introducing fixes, nor ever changing the plugin core code in a way that fixes security issues.

This stands true: the security issue was not fixed. If we start to call incomplete fixes a fix, then we can as well call anything anywhere a fix. Heck, I moved around some lines and cleared some of the data. It's fixed! That would never hold true. In all and every case, plugin review team would immediately review the FIX before you can even say "but", and they would immediately throw it back at you, asking for an _actual_ fix. Especially with call_user_func. This has not happened here at all, which just adds to the fun of the day.

I feel the discussion should evolve around this, and The Guys who yelled "Security" should come forward and explain to the public what they actually fixed, if they truly believe this fixes the issue, if they truly believe that ACF (sorry, SCF) is now _safe_, or not.

My point stands that it (the core issue) has not been fixed.

Sorry if it got a long post.

seba_dos1

a year ago

You also said "you added a few irrelevant changes that to the inexperienced eye look like security fixes", and that was the part I objected to. "You just introduce a new variable, that you never use, and re-assign the same contents of that new variable back" causes more confusion to an inexperienced eye than that code could ever do.

The real danger is that an arbitrary post editor can throw in a callback and it gets executed unsanitized. Having a proper sandbox would be a perfectly valid solution - in the end, that's the whole modus operandi of the web browser you're using to write these comments. And yes, I also have doubts whether the implemented measures are nearly enough to actually sanitize the input; I'm also not sure whether you can sandbox that feature properly without making it effectively useless - and while neither of those justify Automattic's behavior, it's a different accusation.

DanielLestrange

a year ago

Hey, sorry I was offline a while

I think we might agree - and my original wording was tainted by emotions.

- indeed, there was changes in code that can be sold as “attempted security fix” - indeed, as I think we both agree, the main security issue still needs attention to this very day

NeonNautilus

a year ago

Can anyone else prove this security vulnerability actually existed?

mirzap

a year ago

It doesn't matter. Matt didn't have the right to hijack ACF.

jnwatson

a year ago

I'm not on Matt's side, but anyone has the right to fork a GPL project and call it something else.

mirzap

a year ago

This is not a fork. He stole the original project plugin space, its reviews, download statistics, SEO traffic, etc. It has nothing to do with GPL.

ankleturtle

a year ago

Wow. I will never contribute anything to WordPress again.

ImPostingOnHN

a year ago

That isn't what happened here.

user

a year ago

[deleted]

ankleturtle

a year ago

You are abusing the community for your own gain. Stop!

bigiain

a year ago

So far as I can tell, when Matt talks about "the WordPress Community", he means:

  - Matt
  - the people who didn't quit Automattic last week
  - _maybe_ the WP core developers who don't work at Automattic, so long as they keep their criticisms to themselves
And the community of people who _use_ WordPress to run their websites, and the people who help them to do that, and the 3rd party plugin and theme developers who make WP work for so many different kinds of websites - can all go and get fucked.

geerlingguy

a year ago

What is he gaining at this point?

bigiain

a year ago

Avoiding the embarrassment of backing down and admitting he is wrong.

Apparently that's worth burning down his life's work and legacy for.

throw16180339

a year ago

It gives him an excuse to behave the way he's always wanted to.

user

a year ago

[deleted]

ankleturtle

a year ago

Harm of WP Engine.

kuschku

a year ago

Harming WPEngine is not even beneficial to Wordpress anymore.

With the level of revenge matt is applying you'd think WPEngine murdered his dog or something.

It just makes no sense.

acherion

a year ago

At the cost of also harming WP. Well done Matt. clap clap (these are sarcastic claps)

minimaxir

a year ago

There's a reason mutually-assured destruction is abbreviated MAD.

gg-plz

a year ago

The maintainers [1] and the Wordpress project’s core security team lead [2] said that the fix was already published, despite your blocking them from publishing it directly and irresponsibly disclosing the issue out of spite [3].

Was that not true?

[1] https://x.com/wp_acf/status/1843376378210857441

[2] https://x.com/johnbillion/status/1843750679141331039

[3] https://x.com/johnbillion/status/1842627564453454049

gg-plz

a year ago

Sorry, I misread, disregard. I’d delete the comment but HN won’t let me.

RobotToaster

a year ago

Wordpress banned forks from the plugin directory a while ago, so they're doing what they ban everyone else from doing. https://make.wordpress.org/plugins/2021/02/16/reminder-forke...

sureIy

a year ago

Rules are for thee, not for me

batuhanicoz

a year ago

ACF isn’t a premium plugin (linked post only concerns those).

The linked post also might not reflect the current policies. This update was a security update and was done due to the unique circumstances around the original publisher.

throw16180339

a year ago

There are a lot of other employers that won't make you lie for them.

batuhanicoz

a year ago

If you point to any lies told by me, I would love to correct them.

No one has told me to come here and defend anyone. I work at a part of Automattic that is isolated from anything WordPress — I don’t have to be here.

I am defending values I believe in. I am trying to make sure correct information is out there.

You are free to not believe that of course.

DonnieBurger

a year ago

If Microsoft took over an existing GitHub repo, would those values be the same?

throw16180339

a year ago

The correct information is that your employer created the security problem as part of their shakedown attempt. They then banned the WP Engine developers from Wordpress so that they couldn't update the plugin. Now they've forked the plugin, removed the commercial upgrade, and renamed it.

I'm not sure where values come into it. I'd be ashamed to work there.

dmvdoug

a year ago

What values are those, exactly?

bombcar

a year ago

US dollar values deposited into the accounts every paycheck, I assume.

bigiain

a year ago

"It is difficult to get a man to understand something, when his salary depends upon his not understanding it." -- Upton Sinclair (probably, may be apocryphal)

throw16180339

a year ago

Automattic is an open source company, albeit one controlled by a melodrama villain.

albedoa

a year ago

[flagged]

labster

a year ago

Some people have better things to do with their life than win internet arguments, man.

CrimsonRain

a year ago

You're values are doing open source dirty.

user

a year ago

[deleted]

Sebguer

a year ago

The mental gymnastics you keep doing to defend your boss are impressive, and I'm sure will reflect well on your next perf cycle!

rasso

a year ago

Exactly. ACF is free and open source. ACF Pro is not. Secure Custom Fields is based on the free version (ACF, without "Pro").

luckylion

a year ago

It still uses trademarks from ACF, those are obviously not "open source", which also has been Matt's & wordpress.org's stance since forever: the _code_ is GPL, but the assets are not.

If you "fork" the assets, you're not covered by GPL.

Obviously it's nonsense to discriminate between the free version of a freemium plugin and a commercial plugin and this is simply a stupid way to lash out.

maxloh

a year ago

Because WordPress is licensed under the GPL, all plugins must be licensed under GPL-compatible licenses. This applies to ACF Pro as well.

xenago

a year ago

Spamming nonsense isn't a good look...

Kye

a year ago

Related: the main developer on the Fields API proposal is calling it quits on involvement with WordPress.

https://github.com/sc0ttkclark/wordpress-fields-api

I'm not entirely sure what it is but it has over 350 stars and quite a few forks so it's probably important.

taikahessu

a year ago

Now resigned maintainer Scott is also lead dev of Pods, awesome ACF-like plugin.

Lines have been crossed when stealing other people's code, what happened in the case of ACF to SCF, IMHO.

bullenweg

a year ago

If anyone from Automattic is reading this and would like to confidentially leak any internal information about this behaviour from Matt, please email admin@bullenweg.com and I will publish it on bullenweg.com.

ivanmontillam

a year ago

This is excellent!

Is there a repo of this website?

It would be good to have for preservation purposes.

photomatt

a year ago

It actually is an excellent website, and the repo is here: https://github.com/bullenweg/bullenweg.github.io

onnimonni

a year ago

Matt you propably don't remember me but we met briefly on WordCamp Vienna 8 years ago. I was hugely inspired by you for many years and still was until few weeks ago.

It's not too late to stop this madness.

bullenweg

a year ago

I have been unable to convince Jason Bahl to share the ~threats~ ~coercion~ terms you used to convince him to join Automattic. Your contribution via GitHub of the terms that you used to ~coerce~ persuade him into defecting would be appreciated.

mthoms

a year ago

People are concerned about you, my dude. Very concerned. From one human being to another - please consider taking a step back to get some perspective.

myst1c

a year ago

Hey Matt, you're behaving like a normal abuser who's successfully managed to mask up to this point. None of your behavior is clever. If you continue down this path, it's not going to be good for you.

partiallypro

a year ago

This is one of the sleaziest things I've ever seen. I fear a hard fork of WordPress is now inevitable and unfortunately, it's possibly going to kill the platform, all over one man's ego. How can I now sell my clients on using WordPress for mission critical things if on a whim the owner of WordPress can break my site or lock out my security updates, just because I chose the "wrong" host or plugin? I don't see how the Board can sit by and let this all unfold like this, it's practically business suicide.

mnau

a year ago

TBF WordPress was also created by two men and one of them was Matt. Of course it only achieved it's success through efforts of countless others, but it's not just some person. Shame, it came to this.

We had hard forks of very popular systems before, e.g. xfree86 turned into x.org, LibreOffice vs OpenOffice.org, Hudson to Jenkins and others and basically everyone switched (nearly) overnight.

Fork will likely have a much better direction structure to avoid precisely this problem, at least it seems to be the pattern.

righthand

a year ago

If anyone is interested in the extended controversy surrounding Wordpress, there is a site that has been tracking everything.[0]

[0] https://bullenweg.com

kristofferR

a year ago

Wow, I hadn't heard about the nosebleed incident. Absurd, even if he ain't snorting coke, it's deeply weird to continue an interview while profusely bleeding as if nothing is happening.

shermantanktop

a year ago

I have no stake in any of this but some people have nosebleeds without anything nefarious or bad going on. This guy doesn’t need any help looking bad, suggesting that his nosebleed is important is stupid.

kristofferR

a year ago

It's not the nosebleed in itself, it's the ignoration of the blood streaming down the face during a video interview that is the most curious. And it wouldn't be as relevant if the subject hadn't acted increasingly erratic and self-destructive at the same time period.

It's not "important", it's just deeply weird, because it tracks.

leoedin

a year ago

I sometimes get nosebleeds. There's no pain involved - it just feels like a slightly runny nose until either you wipe it or blood starts dripping into your frame of view. I get them a lot in low humidity.

I haven't watched the video, but if it's a small amount of blood it's perfectly possible he just didn't notice.

corobo

a year ago

Him being in the middle of a mad coke bender would explain so much. I'm accepting this as canon until we find out WP Engine slept with his wife or something

0cf8612b2e1e

a year ago

Link to the delta from the latest code revision where they replaced “ACF” with “SCF”.

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph...

Not a lawyer, but since WPE sells ACF services, can WP redirect users away? That is directly impacting a competitor’s bottom line.

everforward

a year ago

I think tortious interference would be the relevant allegation, but I have no idea what the likelihood of it sticking is.

discostrings

a year ago

Blog post on wordpress.org concerning this: https://wordpress.org/news/2024/10/secure-custom-fields/

righthand

a year ago

> There is separate, but not directly related news that Jason Bahl has left WP Engine to work for Automattic and will be making WPGraphQL a canonical community plugin. We expect others will follow as well.

Anything to prop up their position and throw the company they are attacking under the bus. What a jerk.

None4U

a year ago

Which, by the way, previously ended with "We expect others will defect as well." before the post was edited

user

a year ago

[deleted]

0cf8612b2e1e

a year ago

  This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.
Yeah, that is not how trust works.

smarx007

a year ago

> This update is as minimal as possible to fix the security issue.

What is the actual issue? CVE number?

jorams

a year ago

The diff contains two (identical) changes that aren't just ripping out upgrade notices for the pro version: Two functions that stop callbacks from accessing $_POST now also stop them from accessing $_REQUEST, which also contains everything in $_POST. Also confirmed by WP Engine's update notice[1].

I honestly don't see why anyone would treat this as a security issue. Everything involved is PHP code that can do whatever it wants, not in any kind of sandbox.

Edit: And even if it were this update doesn't fix the problem. POST variables can still be accessed:

    filter_input(INPUT_POST, 'name');
[1]: https://www.advancedcustomfields.com/blog/acf-6-3-8-security...

Sebguer

a year ago

Details haven't been made public yet: https://www.cve.org/CVERecord?id=CVE-2024-9529

Though, Automattic posted publicly that there was a vulnerability shortly after filing the CVE, while simultaneously blocking WPEngine from being able to push a fix to it because they'd cut off access to wp.org

FireBeyond

a year ago

I wonder how many Automattic resources Matt threw at ACF to find a vulnerability to catalyze this situation?

ImPostingOnHN

a year ago

Same, I was imagining Gavin Belsom and his warehouse full of Hooli employees scouring over the Pied Piper demo.

Similarly, this is all to resolve the personal grudge of an exceedingly rich dude who wants even more money.

mananaysiempre

a year ago

I can’t find the actual number because Automattic’s tweet[1] announcing it has been deleted, but it’s the one mentioned in the ACF 6.3.8 release notes[2]. The authors of ACF can’t upload that version to wordpress.org themselves because Matt banned them from there before making the announcement.

ETA: Matt says[3] it’s a different vulnerability. Anybody willing to break out the almighty diff?

[1] Discussed at the time: https://news.ycombinator.com/item?id=41752289

[2] https://www.advancedcustomfields.com/blog/acf-6-3-8-security...

[3] https://news.ycombinator.com/item?id=41821829

kristofferR

a year ago

I think they mean that it's developed by WP Engine and that's the security issue.

chx

a year ago

According to https://make.wordpress.org/plugins/2021/02/16/reminder-forke... this is piracy.

Let's look at newer documentation:

https://developer.wordpress.org/plugins/wordpress-org/detail...

> The use of trademarks or other projects as the sole or initial term of a plugin slug is prohibited unless proof of legal ownership/representation can be confirmed

The plugin is at https://wordpress.org/plugins/advanced-custom-fields and advanced custom fields filed for trademark last December https://trademarks.justia.com/983/21/advanced-custom-9832116...

Also

https://developer.wordpress.org/plugins/wordpress-org/plugin...

> We also don’t accept 100% copies of other people’s work

There's a clause which looks applicable https://developer.wordpress.org/plugins/wordpress-org/plugin...

> What happens to a plugin if the plugin owner gets blocked?

however the page says "Last Updated: 12 October 2024" and https://github.com/WordPress/developer-plugins-handbook/blob... (permalink at the time of writing this) doesn't have this section. So it really looks someone manually edited the page on wordpress.org without editing the source. Now, who has such permissions and has the motive to do this?

geerlingguy

a year ago

I feel so bad for all the Wordpress devs and shops right now. This is not the kind of community turmoil I'd want to deal with leading up to holidays/new years!

It makes Drupal 8/Backdrop seem like a pleasant and wonderful experience, in comparison.

chx

a year ago

I don't think there was any bad blood between Drupal 8 and Backdrop, was there? It was forked in 2013 and look https://www.drupal.org/u/jenlampton Jen was still doing BADCamps and went to DrupalCons and all that. My memory is fuzzy a little but I do remember we were making huge progress on migrate at BADCamp 2014 and I do not remember a single tense moment with Jen or Nate. Or was that 2013? But even if it was, that was after the fork. Nate also went to DrupalCons look https://www.drupal.org/u/quicksketch

In short, I know I considered Backdrop futile but I don't think there was any significant controversy or is my memory failing me? http://www.drupal4hu.com/node/380 here's my post from the time.

Truth to be told there was significantly more controversy between me and the rest of the Drupal community than Backdrop and Drupal. You can not imagine how much I regret that.

geerlingguy

a year ago

True; I'm just thinking back to the absolute worst drama I can think of in Drupal land, it all pales in comparison. Most of it was misunderstandings that were subsequently sorted, or like Backdrop just a friendly fork with community connections still intact.

chx

a year ago

I'm glad but slightly surprised neither Crell nor me counts as worst drama for you. Good? I guess.

geerlingguy

a year ago

Well instances were both painful but in my mind mostly affected a few core groups of devs, and a lot of the community was oblivious to anything going on. The Drupal 8 migration and subsequent forking of D7 into Backdrop caused a lot more consternation with smaller agencies especially.

I mostly did Drupal stuff with local and regional camps at the time, I was hired at Acquia slightly after, so I remember a lot of pain back then, especially as Wordpress and Drupal were often considered in the same meetings when building small local sites for nonprofits, small businesses, etc.

Nowadays it seems Drupal isn't part of the conversation unless there's a C-suite at the place building the website, it's moved upmarket quite a bit.

chx

a year ago

It sure did. Dries cashed out thanks said upwards movement and then he realized this move destroyed the contributor pipeline (make a personal/charity/etc small website-tinker Drupal-contribute to Drupal) and also market share so he now tries to move it back down with Starshot. I wish him the best.

mthoms

a year ago

Good catches. Also note that "ACF" is trademarked by WPEngine and is used throughout the source code and reviews.

delichon

a year ago

As a builder of a small specialized CMS for which WordPress is a large generalized competitor, thanks Matt. Refugees welcome.

ivanmontillam

a year ago

I'm rooting for this to happen. Best of luck to the new king of the market.

DonnieBurger

a year ago

I'm interested. Please do share.

delichon

a year ago

Thanks but I'm going for pseudonymity on this account. Just a few dozen clients.

DonnieBurger

a year ago

Perhaps you should edit out "refugees welcome" then.

user

a year ago

[deleted]

asmor

a year ago

I thought there weren't any hinges left for Matt to unhinge. He dug for that minior vulnerability to be to able to justify that takeover.

Who can ever trust this guy and his company, ever again?

notamy

a year ago

Good lord, why?? That’s such a petty move and is just doing further damage to the WordPress ecosystem.

dylan604

a year ago

scorched earth is always so successful

sureIy

a year ago

This gets better by the day.

I'm so rooting for WPE and I hope the judge will lay it heavy.

mirzap

a year ago

Pathetic. Matt banned one of the most popular WordPress plugins. Then, he forked the code and hosted it on WP.org, which is against the Terms of Service. He also hosted it in the plugin directory on the same path as ACF, stealing its SEO traffic. Wow!

Matt's state of mind is clearly not good. If I were an investor in WordPress, I would start thinking about cutting my losses. WordPress will not recover from this self-inflicted destruction

*Update* Oh, it's worse than that. He just renamed the ACF to SCF and claimed all the installations and reviews from ACF. I still can't believe this happened. This can't be legal!

photomatt

a year ago

Have you read the GPL?

Sebguer

a year ago

Eventually you are going to have to confront that the distance between 'technical correctness' and 'moral correctness' is vaster than you apparently think it is.

DonnieBurger

a year ago

Parent does not mention GPL, nor is this a GPL issue. It's about the takeover of an existing plugin and it's reviews/installs.

ankleturtle

a year ago

I am not a lawyer, but I am really curious if this would amount to tortious interference.

rpgbr

a year ago

The problem isn’t GPL or code, it’s a trademark and trusting issue.

user

a year ago

[deleted]

kristofferR

a year ago

What kind of response is that? Does that mean you approve of sites like GPLDL then?

user

a year ago

[deleted]

chx

a year ago

Have you read https://trademarks.justia.com/983/21/advanced-custom-9832116... and https://trademarks.justia.com/983/21/acf-98321135.html ?

s1ds

a year ago

Have you read them? Both are in pending status and not registered. "Advanced Custom Fields" most recent update before a last minute extension to respond to final notice was for: "Merely Descriptive Refusal - Registration is refused because the applied-for mark merely describes the function of applicant’s goods and/or services."

So far even USPTO attorneys think it's a generic mark not worthy of being registered: https://tsdr.uspto.gov/documentviewer?caseId=sn98321164&docI...

sgdfhijfgsdfgds

a year ago

OK so:

1) WordPress clearly lacks functionality like ACF that belongs in core

2) Many developers clearly like ACF

3) Many do not (it's messy in the DB, if you ask me)

4) Core functionality that was if not API-compatible, at least API-familiar with ACF would be welcomed by many

5) Creating a new plugin that did this, that was transitioned into core (like other functionality has been), would be a good plan

6) Commandeering the slug for a decade-old commercial plugin like this, to replace it with a fork, is so obviously fucking bad form that it's still hard to believe it is happening even given all the other whatthefuckery that has been happening.

ETA: 7) "Secure Custom Fields"? Really? The difference is what?

What the fuck, Matt?

ETA: personally I understand many of the frustrations with WP Engine's positioning. I have experienced exactly the trademark confusion issues that the lawsuit has been about, where clients have assumed WP Engine is WordPress itself. I don't use them after some iffy customer service and technical issues early on. But this is absurd behaviour.

Sebguer

a year ago

The fucked thing is that per the article, they're not even dedicating any resources to maintain it going forward, they've just made this one fix and are throwing it to other people to maintain if they want:

> Going forward, Secure Custom Fields is now a non-commercial plugin, and if any developers want to get involved in maintaining and improving it, please get in touch.

photomatt

a year ago

We have taken on stewardship of this code going forward, and will dedicate engineers to it. Probably more than Silver Lake does.

ceejayoz

a year ago

So, the ACF plugin is a useful contribution to the WordPress ecosystem? Significant enough to warrant bringing it in-house now? Is work on it included in your assessment of what WPE contributes?

saaaaaam

a year ago

Your shift of signifier here from WP Engine to Silver Lake is interesting. Clever tactic, private equity money is BAD! Unless it’s… I dunno? Black Rock p/e money?

Sebguer

a year ago

Why don't you mention this in the post at all?

user

a year ago

[deleted]

xenago

a year ago

So, wordpress is being burnt to the ground by Matt. Just great. :/

mattbee

a year ago

I can't even follow what's going on here, and I used to be an expert in software licensing drama. All I see is a bunch of unilateral actions driven by Matt Mullenweg that breaks so many implicit promises of how a free software steward should behave.

Wordpress sites quite often seen to be a hodge-podge of plugins, each with their own UI and conventions, and (as a host) I'm never an expert in anye one of them. Has one of the site designers used a plugin that has offended Matt? Or that might offend him in the near future? How do I even audit for that?

I don't need much of a push to move my position on this. Before: "eh, use Wordpress if it's cheaper" Now: "please don't, that decision will probably cost me".

Scaevolus

a year ago

Theoretically WPE might be a bad actor-- perhaps even more than any commercial competitor naturally is-- but they're smart enough to not smear it around with absurd moves like this that radiate a lack of professionalism or ability to predict reactions.

cendyne

a year ago

It is as if Wordpress [1] is asserting that the original author is a danger to public safety. Their terms read: ...

To that end, we reserve the following rights: ... to make changes to a plugin, without developer consent, in the interest of public safety.

[1]: https://x.com/WordPress/status/1845179613783142426

butz

a year ago

ProcessWire CMS (https://processwire.com/) is a neat alternative if one requires quite complex set of custom fields on a website.

johnchristopher

a year ago

So, is the next step to capture wp-migrate (or another prominent WPEngine plugin) or to update the core to degrade ACF pro ?

butz

a year ago

I wonder what will happen to old websites I built with ACF and did not touch for years? Are they vulnerable now, as owners cannot get updates for ACF?

martin_a

a year ago

I had to login to several sites and make sure that the plugins would not auto-update. This is pretty much like a rogue actor taking over a plugin.

johnchristopher

a year ago

The slug hasn't changed so it will receive updates (from SCF repository, now under the control of Automattic).

If you used ACF pro then the plug-in is downloaded from ACF website.

But.

The obvious next move is to put code in the core that would degrade ACF pro.

getcrunk

a year ago

Posted this in the other thread:

A lot of the comments seem to call out Matt (right or wrong). But that’s the easy thing to do.

No one dares address the systemic issue of for profit corporations exploitatively (ab)using open source software.

There is a social contract that people should contribute back, and while it’s largely unenforceable, as it should be, when it’s happening on a systemic level something has to be done. And we are all complicit if we don’t at least say that much and spare some good will towards the guy actively in that fight at least superficially

*Following is a response to some replies on the other thread, that clarifies my points *

Matt being a poor steward of gpl is by definition not a systemic issue … unless ur claim is that many people in positions like him do what he does which is in turn caused by invariant factors?

The systemic issue is companies the world over not giving their fair share back in terms of contributing to foss.

I might agree with most of your points, I’m just trying to get people to realize there’s the local issue of Matt/wp and then there’s this global issue of companies building businesses off foss and not giving back.

throw16180339

a year ago

> A lot of the comments seem to call out Matt (right or wrong). But that’s the easy thing to do.

It's also productive. If there's enough of an uproar, then the board will remove him. They're pretty much the only people who can stop him.

> There is a social contract that people should contribute back, and while it’s largely unenforceable, as it should be, when it’s happening on a systemic level something has to be done. And we are all complicit if we don’t at least say that much and spare some good will towards the guy actively in that fight at least superficially

You don't speak for me. Contributions to my OSS projects are appreciated, but all I ask is that users comply with the license terms.

If you feel that contributions are an unwritten obligation, he's made them much harder to ask for. Everyone else who asks for them in the future will be tarred with the same brush.

Matt is burning down the WordPress ecosystem because his shakedown attempt failed. He's prevented at least 2.5 million users from receiving security updates. He's earned my contempt, not my goodwill.

> I might agree with most of your points, I’m just trying to get people to realize there’s the local issue of Matt/wp and then there’s this global issue of companies building businesses off foss and not giving back.

Drew said it best. (https://drewdevault.com/2021/01/20/FOSS-is-to-surrender-your...) If you want to require contributions, pick an appropriate license.

mmsnowsniff

a year ago

I don't know how much goodwill we owe somebody currently being sued for extortion and who lied to a community about ownership of a trademark for over a decade in an attempt to take a whole community hostage when he feels like it's time to cash in. The writing was on the wall when he sold user intellectual property from WordPress.com and Tumblr to OpenAi. Was that fighting for open source?

geerlingguy

a year ago

A number of people have dealt with the maker/taker issue, for example Dries, the founder and BDFL of the Drupal project: https://dri.es/solving-the-maker-taker-problem

I think we're pretty far removed from the original issue of WP Engine and WordPress and people are just trying to deal with the fallout from Matt's nuke-the-entire-ecosystem approach he's elected to take.

getcrunk

a year ago

Hey Jeff! :)))))

That was a great article from drupal. It’s a great idea and really goes along way to help, but we still need more.

This only addresses foss projects that are hosted as an offering. It wouldn’t address how for example the pgp guy basically went broke or just the general amount of pressure maintainers of “critical” foss packages are under and are spread so thin, that it’s always a triage fire and there’s never any room to “level up” with rewrites or full code base audits. And a lot of it comes at a huge personal cost but it just so happens the people often times in those shoes end up being super noble.

Maybe this is a cynical take but year after year it really does seem the software we rely on for modern life is just a house of cards where most cards are solo devs or a handful each doing the task of atlas cus the worlds corporations just don’t give back!

My words will ring true in 10-20 years when most of these people kick the bucket or retire and all we have left will be google’s next android| fuchsia and windows server.

user

a year ago

[deleted]

martin_a

a year ago

Just stealing plugins right now? Or is this some kind of "eye for an eye" situation?

I'm really turned down from the whole ecosystem by this total shitshow. Seems like everything could be pulled from under running sites if some clown decides he doesn't like it anymore.

At this point I just hope that WP Engine wins whatever lawsuit happens and Matt Mullenweg (and everybody who was involved besides him) has to pack his things and leave everything WP-related forever.

wkirby

a year ago

We no longer do custom WordPress work --- it turned out to never be worth the hassle --- but when we did, our company used ACF extensively. High quality plugin with responsive support and very fair licensing terms.

This --- to me --- smacks of complete bullshit.

xenago

a year ago

Forking it is whatever, but to take over their namespace and thus break trust across the ecosystem is a dealbreaker. All devs will have to move.

luckylion

a year ago

It is complete bullshit, but calling ACF high quality is also pretty out there.

It's one of those giants in WP that is stuck in the past, arguably much like a lot of core.

bigiain

a year ago

It's certainly "high quality" in the sense of "it solves a huge number of requirements that WP core doesn't, in a way that's better that alternative plugins". It's a high quality WP Admin user experience. Just don't try looking too deeply into the database mess it creates.

For WordPress _users_, as in the people who log into the WordPress dashboard to run their website, 'stuck in the past' is often an advantage and not a bad thing. You'll be able to find blog posts and tutorials and youtube showing you how to use in, unlike the "new shiny" where there's no easily found example or support for.

luckylion

a year ago

I'm not arguing against its usefulness, not at all. The sites I work on use it as well (and abuse, you really shouldn't do complex things with it), though we're looking into replacing it with something custom because the dev experience is bad and the performance isn't great. But for the average small to medium site, it's great, especially because of what you mention: the standard use cases are super well documented by a million people having gone through them before you.

I wouldn't call it high quality though. 200k LOC even for the free version (I use pro), no OOP, global variables, bugs get no attention unless they're major. It was amazing when it first came out, but it has fallen behind even compared to core + other plugins (and the WP average is a very low bar).

It clearly belongs in core, just like 90% of Yoast's (or AIOSEO's, Rank Math') functionality, Redirection and permalinks, and they should have focused on getting that done instead of gutenberg. But also clearly this isn't the way to bring it into core.

wkirby

a year ago

To be fair we haven’t worked with WP in 4 years; our experience with ACF was always positive.

rasso

a year ago

4 years ago it was still great. I had one contact with WPE support since they bought the plugin last year or so and it was the most frustrating support interaction I ever had. It felt like I was writing with an AI that was prompted to drive me crazy so that I would leave them alone.

jrflowers

a year ago

This whole saga is surreal because I thought myself to be constitutionally incapable of rooting for a private equity firm to win a fight, but this is like watching a guy violently strain to shit his pants while yelling “Look what they made me do!”

Also the guy is in a hot tub with all of his friends and employees

trog

a year ago

If you were an insider deliberately trying to tank WordPress, it is hard for me to imagine anything you could do that would be more effective than this.

JBiserkov

a year ago

Perhaps he shorted the Automattic stock... no, wait, Automattic is privately held... make it make sense!

user

a year ago

[deleted]

stefanos82

a year ago

The URL though says "advanced-custom-fields"; Matt...I can't find the words to comment; I just shake my head -_-

unsnap_biceps

a year ago

If you look at the reviews, they took over the advanced-custom-fields plugin and modified the owner to be Wordpress.org and renamed it to Secure Custom Fields.

What a terrible look

They also modified it by ripping out the pro features, so if people update their ACF Plugin and they had pro features enabled, it'll just break their install

https://plugins.trac.wordpress.org/changeset/3167679/advance...

Scaevolus

a year ago

So they forked some open source software and "hacked it up" to remove notices from the original creators? Fascinating.

cyral

a year ago

Yup, removing post revisions which I think is single line change is hacking it up when WP Engine does it, but this is totally okay apparently.

joe_hills

a year ago

What a choice, and what poor timing.

Companies that make breaking changes on holiday weekends aren’t going to earn much goodwill from developers.

photomatt

a year ago

Nothing has broken. Perhaps WP Engine should have consider that before suing us.

clessg

a year ago

I'd normally never say something like this, but: seek therapy, man. Seriously. This is not normal. It will end badly for so many people, including yourself. It may not be too late.

maxbond

a year ago

I've vouched this comment. I don't think we should be flagging this comment; it's not particularly out of line, and there's a significant interest in the community seeing Mullenweg's comments.

mmsnowsniff

a year ago

Can't wait for Matt to read this in a deposition. At this point, the dude seems to be intent on running up the highest tab possible.

taikahessu

a year ago

Business is war, I get it. But you chose to make innocent bystanders (your users) life difficult and you crossed a line by stealing code with an excuse that everyone sees through. This looks now more and more of a personal vendetta.

throw16180339

a year ago

There won't be a Wordpress community left if you continue as you have. What does the board think of your actions?

yard2010

a year ago

There must be a timeline in which this is de-escalated, compromises are being made and everyone's happy.

In your perspective - what does it look like? What could be done to go the opposite way and keep going?

Also, I'm surprised to see people only siding with WP Engine here. Usually the discussions here are much more balanced.. What do you think could be the reason for it?

Kye

a year ago

Guy who started a fight tells target to stop hitting themselves

bombcar

a year ago

These are clearly the actions of someone who is sure they'll win the lawsuit.

(not)

wongogue

a year ago

Please proceed, governor.

NeonNautilus

a year ago

I don't think punishing people for suing you typically plays well in court. Especially not if you, you know, publicly announce that's what you're doing.

everforward

a year ago

This was my reaction as well. This sounded like tortious interference before, but to blatantly announce that he’s trying to kill someone else’s business, for exercising their legal rights no less, sounds like a summary judgement waiting to happen.

There is no dispute over the facts here if Matt is just going to announce his intents.

I cannot imagine his rage when not only does WPE not have to pay him, but now he’s paying them.

user

a year ago

[deleted]

user

a year ago

[deleted]

jorams

a year ago

The pro version of the plugin is a separate install, this just rips out the upgrade notices.

skhr0680

a year ago

AFAIK the free version never included “pro features” in the first place

yard2010

a year ago

This is a human being, making a mistake, only to be bullied by literally the whole internet?

Never have I ever witnessed a lynch with any positive consequence whats so ever in my entire life.

Empathy all the way. We all make mistakes. Stay kind and positive.

throw16180339

a year ago

Most of the world's 8+ billion people managed to go through the last months without shaking down a competitor, preventing users for receiving security updates, conducting a harassment campaign, or destroying an ecosystem because they feel like it. That's not just a mistake. He deserves contempt, firing, and a substantial fine at the very least.

everforward

a year ago

I don’t think anyone wants to lynch him in the sense of harming him for the sake of it, or even retributive justice.

People want him removed from Wordpress leadership to protect Wordpress. The harm to him is really orthogonal to the greater goal of not destroying the software that runs 40% of the internet or whatever, triggering man-centuries of pointless labor to replace it across all those installs.

Given the options of letting Matt tear the ecosystem apart or letting the ecosystem tear Matt apart (figuratively, not literally), the ecosystem should win. It sucks for Matt, but wasting cumulative lifetimes of human effort to migrate all these installs is stupid and not worth saving one man’s ego over.

jeltz

a year ago

Actively running a harassment campaign against a competitor is not "making a mistake".